s2k-cipher-mode default

Werner Koch wk at gnupg.org
Tue Jun 2 18:31:24 CEST 2015

On Tue,  2 Jun 2015 17:33, dkg at fifthhorseman.net said:

> I think it should change to AES256, with explanation below.

I am fine to switch to AES-128 for 2.0 too.

> secret key, it should be the strongest symmetric cipher known to the
> running system.  This is probably AES256, not CAST5 or AES128.

Whether AES-256 is stronger than AES-128 in the real world is a pretty
good bike shedding topic.  Changing the default cipher to AES-256 should
be the least problem for those who need such a kind of protection.

Here is my reason why AES-128 is a better *default*:

 AES-128        |  nanosecs/byte   mebibytes/sec   cycles/byte
        CFB enc |      1.77 ns/B     537.9 MiB/s      4.08 c/B
        CFB dec |     0.374 ns/B    2548.9 MiB/s     0.861 c/B
        OCB enc |     0.527 ns/B    1810.8 MiB/s      1.21 c/B
        OCB dec |     0.546 ns/B    1746.0 MiB/s      1.26 c/B

 AES-256        |  nanosecs/byte   mebibytes/sec   cycles/byte
        CFB enc |      2.42 ns/B     393.6 MiB/s      5.57 c/B
        CFB dec |     0.543 ns/B    1755.1 MiB/s      1.25 c/B
        OCB enc |     0.695 ns/B    1372.9 MiB/s      1.60 c/B
        OCB dec |     0.728 ns/B    1310.2 MiB/s      1.67 c/B

OpenPGP uses CFB mode.  I listed OCB in case rfc4880bis will switch to
that mode.

Encrypting with AES-128 is 35% faster than with AES-256.
Decrypting with AES-128 is 45% faster than with AES-256.

It makes a difference whether you need 32 or 45 minutes to encrypt 1 TiB.
Yeah, I know this is theoretical because a backup is I/O bound, but
nevertheless AES-256 takes up more CPU resources than AES-128.



Thoughts are free.  Exceptions are regulated by a federal law.

