The FAQ's 4GiB recommendation

Robert J. Hansen rjh at
Thu Aug 27 23:11:13 CEST 2015

I had someone wonder why the FAQ recommends avoiding CAST, BLOWFISH,
IDEA, or 3DES for bulk encryption.  It occurs to me that this is a
pretty reasonable question and probably should get placed in the FAQ.
So, here's proposed new content -- please feel free to chime in with
thoughts or criticism.

For the technically inclined, yes, this explanation simplifies things an
awful lot -- maybe too far, I don't know.  If you can come up with
better phrasings *that are still understandable to non-technical users*,
I'd love to hear them.  :)


Q:  Why should some ciphers be avoided for bulk encryption?

A:  Ciphers are deterministic.  This means that for the same inputs, you
get the same outputs.

The OpenPGP standard requires that ciphers run in what's called a
"feedback mode," where the ciphertext of one block becomes an input to
the next block.

But what happens if two identical ciphertext blocks are found?  Since
the cipher is deterministic, the cipher will begin repeating its output.
This creates a distinctive pattern which a cryptanalyst can exploit.

For a 64-bit cipher, you'll probably wind up repeating a block after
about 32 gigabytes.  In order to reduce the risk of this happening, we
recommend that if you use a 64-bit cipher  you don't use it to encrypt
more than a single DVD's worth of data -- about four gigabytes.

A 128-bit cipher will begin to repeat after about 100 exabytes.  This is
a number so mind-bogglingly large it's unlikely to ever become a problem
for even the most demanding of users.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1016 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20150827/0cc38032/attachment.sig>

More information about the Gnupg-users mailing list