Why is Blowfish's key size limited to 128 bits in RFC 4880?

Dieter Frye includestdioh at secmail.pro
Tue Oct 13 16:46:02 CEST 2020

> On Sat, 10 Oct 2020 03:00, Dieter Frye said:
>> I've been using Blowfish on older machines for years now without issue
>> and
>> I always wondered if this is one of those things that could possibly
>> benefit from an update.
> Nope.  I used Blowfish back then because it was the only free and modern
> algorithm.  PGP didn't support it.  Later, in 1998 we added Twofish and
> had to do a clean room implementation (kudos to Matthew Skala) because
> it was not clear whether the implementaion was in the PD or compatible
> with the GPL.  I asked Bruce Schneier during this period several times
> on whether he would suggest to use Twofish for OpenPGP and his answer
> depended a bit on his current mood.
> Anyway, all these cipher algorithm competition is mood since everyone
> has agreed to use AES; formerly known Rijndael which may have even been
> preferred over Twofish because of its non-US origin.
> Salam-Shalom,
>    Werner
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

My current understanding of the situation is that there are no known
effective attacks against Blowfish so long as it's adequately implemented
according to the suggested specifications and it's relatively limited
block size accounted for, and I naturally tend to gravitate towards
tested-and-tried, reliable things with a more or less impeccable record.

Now if any of this remains true today, I cannot tell (I did the research a
number of years ago so it's possible something changed along the way), but
even if not, it would still make sense to me to allow for greater (or
better yet, full) key size to be utilized specially for situations when
performance is extremely critical and something like Twofish just won't

Personally I use Twofish on my P4 and Blowfish on all of my P3's.

As for AES, while there doesn't seem to be anything fundamentally wrong
with it, the fact that it was pushed so extensively by the powers that be
and the fact that it's considerably easier on the hardware (as compared to
say, Twofish), makes it a candidate for large-scale, targeted
cryptanalysis, so I wouldn't put it past me that the NSA's onto something

Best regards.

More information about the Gnupg-users mailing list