Why is Blowfish's key size limited to 128 bits in RFC 4880?

Robert J. Hansen rjh at sixdemonbag.org
Sat Oct 10 11:42:17 CEST 2020

> What's the rationale behind not going full 448 or at least 256 like 
> AES and Twofish?

Age.  At the time Blowfish was adopted there were literally no 256-bit
ciphers in the RFC2440 suite.  Symmetric ciphers were all 128-bit
(except arguably for 3DES, where the size is wonky[*]).  The first
256-bit cipher to be added was Twofish in mid-2000 in PGP 7, followed
soon by AES in PGP 7.1.

[*] 3DES can credibly be claimed to have a 192-bit key, a 168-bit key, 
or a 112-bit key, depending on how the speaker defines "key".
