Why is Blowfish's key size limited to 128 bits in RFC 4880?

Robert J. Hansen rjh at sixdemonbag.org
Wed Oct 14 09:20:56 CEST 2020


> My current understanding of the situation is that there are no known
>  effective attacks against Blowfish so long as it's adequately 
> implemented according to the suggested specifications and its
> relatively limited block size accounted for, and I naturally tend to 
> gravitate towards tested-and-tried, reliable things with a more or 
> less impeccable record.

Then you really ought to be using 3DES, which is the most heavily
scrutinized symmetric algorithm in OpenPGP.  AES is a close second.

> even if not, it would still make sense to me to allow for greater (or
> better yet, full) key size to be utilized specially for situations
> when performance is extremely critical and something like Twofish
> just won't do.

Which situations are those?

> As for AES, while there doesn't seem to be anything fundamentally 
> wrong with it, the fact that it was pushed so extensively by the 
> powers that be and the fact that it's considerably easier on the 
> hardware (as compared to say, Twofish), makes it a candidate for 
> large-scale, targeted cryptanalysis, so I wouldn't put it past me 
> that the NSA's onto something already.

In a word, 'no'.  In three, 'oh *hell* no'.

The best attack on 3DES, after more than 40 years of academic research,
requires ~10^17 bytes of RAM and ~10^34 encryptions.  That's 100
petabytes of RAM, which is silly enough already.  10^34 encryptions,
each of which requires a minimum of erasing ~10^3 bits of data during
its evolution through S- and P-boxes, and the laws of physics flat
*require* losing about 10^-22 joules per erasure... you're talking
about liberating 10^15 joules as heat.  That's about what a nuclear
bomb puts out.

And that's for 3DES, which is generally believed to be by far the
*worst* cipher in OpenPGP.

Why would anybody break ciphers the hard way with cryptanalysis, when
real-world systems are so easily exploitable and the human beings behind
them even more so?
