twofish keysize

Werner Koch wk at
Wed Apr 21 11:05:15 CEST 2004

On Tue, 20 Apr 2004 15:02:45 +0200, Per Tunedal Casual said:

> How large files where used in this performance test? I recently read a
> NIST evaluation: For 256-bit keys TWOFISH was slightly faster than AES

That are not files but benchmarks of the actual encryption
function. IIRC, a million bytes for each test are used.

> on (very) large files.

That depends on the key setup which is only done once per encryption.
For most applications this is irrelevant.  Furthermore OpenPGP does
use CFB mode and thus the more expensive AES key setup for _decrytion_
is not required.

> BTW I've been told it isn't wise to encrypt files larger than a few MB
> using a block size of 64 bits. What's the limit for the block size
> 128

Not a few MB but several GB: Due to the birthday paradoxon you will
notice on average identical blocks after 2^32 blocks (32 GB).  This
yields patterns which help in cryptanalysis.  It is also the reason
why ssh re-negotiates a new key after 1 gig.

For a 128 bit block cipher (AES or Twofish) this limit is a pretty
reasonable value (2^64 blocks).



More information about the Gnupg-users mailing list