Why is Blowfish's key size limited to 128 bits in RFC 4880?
Robert J. Hansen
rjh at sixdemonbag.org
Wed Oct 14 09:20:56 CEST 2020
> My current understanding of the situation is that there are no known
> effective attacks against Blowfish so long as it's adequately
> implemented according to the suggested specifications and its
> relatively limited block size accounted for, and I naturally tend to
> gravitate towards tested-and-tried, reliable things with a more or
> less impeccable record.
Then you really ought to be using 3DES, which is the most heavily
scrutinized symmetric algorithm in OpenPGP. AES is a close second.
> even if not, it would still make sense to me to allow for greater (or
> better yet, full) key size to be utilized specially for situations
> when performance is extremely critical and something like Twofish
> just won't do.
Which situations are those?
> As for AES, while there doesn't seem to be anything fundamentally
> wrong with it, the fact that it was pushed so extensively by the
> powers that be and the fact that it's considerably easier on the
> hardware (as compared to say, Twofish), makes it a candidate for
> large-scale, targeted cryptanalysis, so I wouldn't put it past me
> that the NSA's onto something already.
In a word, 'no'. In three, 'oh *hell* no'.
The best attack on 3DES, after more than 40 years of academic research,
requires ~10^17 bytes of RAM and ~10^34 encryptions. That's 100
petabytes of RAM, which is silly enough already. 10^34 encryptions,
each of which requires a minimum of erasing ~10^3 bits of data during
its evolution through S- and P-boxes, and the laws of physics flat
*require* losing about 10^-22 joules per erasure... you're talking
about liberating 10^15 joules as heat. That's about what a nuclear
bomb puts out.
And that's for 3DES, which is generally believed to be by far the
*worst* cipher in OpenPGP.
Why would anybody break ciphers the hard way with cryptanalysis, when
real-world systems are so easily exploitable and the human beings behind
them even more so?