Default hash

Robert J. Hansen rjh at
Sat Feb 26 04:46:30 CET 2011

On 2/25/11 10:27 PM, Aaron Toponce wrote:
> On 02/25/2011 07:39 PM, Robert J. Hansen wrote:
>> Bruce himself recommends AES over TWOFISH.
> [citation needed]

_Practical Cryptography_.  Read it.  Other people on this list can
provide a page ref: I'm at a funeral in the middle of nowhere and don't
have my books handy.

> I know that he's recommended AES-128 over AES-256, but I've not read
> where he's recommended AES over TWOFISH.

Many times.  It's not hard to find these recommendations: Google is your

> Again, [citation needed]. 3DES has an effective security of only 80 bits
> due to the meet-in-the-middle attack and known- or chosen-plaintext
> attacks

I don't have the exact quote from sci.crypt handy (as mentioned, I'm in
the middle of nowhere).  I'll look for it once I'm back on the East
Coast.  I'm sure there are many people here who could provide it for
you, though.

Regardless, you really need to pay attention to the fine print.  First,
the numbers you cite are for *two*-key 3DES, and OpenPGP specifies
*three*-key 3DES be used.  3DES's meet-in-the-middle is at 112 bits of
security -- plenty enough for almost any purpose.

Second, that meet-in-the-middle on 3DES requires 2**32 known plaintexts,
2**113 operations, 2**90 encryptions and 2**88 memory.  This is so
unrealistic it deserves to be called fantasy.  Miss any of those and
you're up to a work factor of 2**168.

So, yeah.  3DES's effective security is 168 bits, unless you're up
against the space aliens from Zarbnulax, in which case you're SOL no
matter what algorithm you use.

> and NIST is only willing to back the algo through 2030.

3DES's history is instructive.  NIST has declared it "dead in 20 years"
more often than Netcraft has declared BSD to be dying.[*]  At this
point, I'm unaware of anyone who seriously believes 3DES will be gone in
20 years.  Most people seem to be of the belief that in about fifteen
years NIST will say, "and 3DES is believed strong through 2050."

[*] A humorous reference to a Slashdot meme.  BSD partisans, relax, I'm
not seriously suggesting this...
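The meet-in-the-middle argument that runs through the exchange above (a cascade of two ciphers with k-bit keys buys roughly k+1 bits of work against an attacker who holds a few known plaintexts, not 2k, which is why 3DES exists and why two-key versus three-key matters) is easiest to see on a toy. The following is an added example and not code from the thread or from GnuPG: it constructs a 16-bit block cipher with 16-bit keys (an illustration only, not a real cipher), double-encrypts under a constructed key pair, and recovers that pair from three constructed known-plaintext blocks with about 2**17 single-cipher calls instead of the 2**32 double encryptions a naive key search would need.

```python
"""Meet-in-the-middle against double encryption on a constructed 16-bit toy cipher."""

MASK = 0xFFFF
ROUNDS = 4


def _rotl(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK


def _rotr(x, n):
    return ((x >> n) | (x << (16 - n))) & MASK


def toy_encrypt(key, block):
    """Toy ARX-style 16-bit block cipher with a 16-bit key (constructed for illustration)."""
    x = block
    for r in range(ROUNDS):
        x = (x + key) & MASK
        x = _rotl(x, 5) ^ ((key * (2 * r + 1)) & MASK)
    return x


def toy_decrypt(key, block):
    """Inverse of toy_encrypt: undo the rounds in reverse order."""
    x = block
    for r in reversed(range(ROUNDS)):
        x ^= (key * (2 * r + 1)) & MASK
        x = _rotr(x, 5)
        x = (x - key) & MASK
    return x


def double_encrypt(k1, k2, block):
    """Cascade: encrypt under k1, then under k2 (the '2DES' construction)."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) for the cascade from known plaintext/ciphertext pairs.

    Returns (candidates, cipher_calls). The table of all 2**16 middle values is
    the memory cost of the attack; the scan over k2 from the ciphertext side
    is the second 2**16. A single 16-bit block cannot identify a 32-bit key
    pair, so the ~2**16 accidental matches on the first pair are weeded out
    against the remaining pairs.
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    calls = 0
    # Forward table: middle value -> every k1 that produces it from p0.
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    calls += 1 << 16
    candidates = []
    for k2 in range(1 << 16):
        mid = toy_decrypt(k2, c0)
        calls += 1
        for k1 in table.get(mid, ()):
            ok = True
            for p, c in rest:
                calls += 2  # one double encryption = two single-cipher calls
                if double_encrypt(k1, k2, p) != c:
                    ok = False
                    break
            if ok:
                candidates.append((k1, k2))
    return candidates, calls


# Constructed sample: a secret key pair and three known plaintext blocks.
SECRET_K1, SECRET_K2 = 0xBEEF, 0x1234
KNOWN_PLAINTEXTS = [0x0000, 0x5A5A, 0xC3C3]
KNOWN_PAIRS = [(p, double_encrypt(SECRET_K1, SECRET_K2, p)) for p in KNOWN_PLAINTEXTS]


def demo():
    """Run the attack on the constructed sample; returns (candidates, cipher_calls)."""
    return meet_in_the_middle(KNOWN_PAIRS)


if __name__ == "__main__":
    cands, calls = demo()
    print("recovered:", [(hex(a), hex(b)) for a, b in cands])
    print(f"single-cipher calls: {calls} (about 2**{calls.bit_length() - 1}), "
          "versus 2**32 double encryptions for a naive search")
```

The two numbers to watch are the ones Hansen's fine print is about: the attack needs known plaintexts (here three blocks, since one 16-bit block matches about 2**16 wrong key pairs), and it needs a table as large as the key space of one stage (2**16 entries here, 2**56 for a DES-sized key), which is why the textbook figure for the cascade is "time about 2**(k+1), memory about 2**k" rather than a free win.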

More information about the Gnupg-users mailing list