twofish keysize

Per Tunedal Casual pt at radvis.nu
Thu Apr 22 09:01:38 CEST 2004 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 11:05 2004-04-21, Werner Koch wrote:
 >On Tue, 20 Apr 2004 15:02:45 +0200, Per Tunedal Casual said:
 >
 >> How large files where used in this performance test? I recently
 >> read a
 >> NIST evaluation: For 256-bit keys TWOFISH was slightly faster than
 >> AES
 >
 >That are not files but benchmarks of the actual encryption
 >function. IIRC, a million bytes for each test are used.
 >
 >> on (very) large files.
 >
 >That depends on the key setup which is only done once per encryption.
 >For most applications this is irrelevant.  Furthermore OpenPGP does
 >use CFB mode and thus the more expensive AES key setup for
 >_decrytion_
 >is not required.

I was more concerned about encryption. What about the performance
AES-256 compared to TWOFISH for very large files with GPG? AES makes
more rounds for larger keys, TWOFISH does the same number of rounds
for all key lengths. That might make TWOFISH attractive for large
files.

 >
 >> BTW I've been told it isn't wise to encrypt files larger than a few
 >> MB
 >> using a block size of 64 bits. What's the limit for the block size
 >> 128
 >
 >Not a few MB but several GB: Due to the birthday paradoxon you will
 >notice on average identical blocks after 2^32 blocks (32 GB).  This
 >yields patterns which help in cryptanalysis.  It is also the reason
 >why ssh re-negotiates a new key after 1 gig.
 >
 >For a 128 bit block cipher (AES or Twofish) this limit is a pretty
 >reasonable value (2^64 blocks).
 >
A Swedish cryptographer explained the issue to me yesterday. Further
he told me that the recommendation "not more than a few hundred
Megabytes" for was to have marginal against "bad luck".

On average 32 GB is the limit i.e. the probability is 50 % that an
adversary finds two identical blocks. But you might have bad luck and
he might find two identical blocks in somewhat smaller files.

He didn't tell me how to calculate the risk:
a) What is the risk (probability) if I encrypt a file of the size S
with the blocksize B?
and reversed:
b) If I want to set the risk to P and use the block size S, how large
files can I encrypt?

Per Tunedal
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFAh22PaDDfzFT+2PIRAj5CAJ0Vi9O5Us6QYczof1h97FsVN/qjlgCfRtEb
HuqdUMXv8MUz/0HkbMLR6gs=
=OGlE
-----END PGP SIGNATURE-----

More information about the Gnupg-users mailing list