Why is Blowfish's key size limited to 128 bits in RFC 4880?

Dieter Frye includestdioh at secmail.pro
Sat Oct 17 04:18:10 CEST 2020


>> My current understanding of the situation is that there are no known
>> effective attacks against Blowfish so long as it's adequately
>> implemented according to the suggested specifications and its
>> relatively limited block size accounted for, and I naturally tend to
>> gravitate towards tested-and-tried, reliable things with a more or
>> less impeccable record.
>
> Then you really ought to be using 3DES, which is the most heavily
> scrutinized symmetric algorithm in OpenPGP.  AES is a close second.
>
Unfortunately 3DES did not survive said scrutiny in the end, thus it's
being phased out as we speak, and while far from broken, it could
theoretically be weakened to such an extent it would no longer be safe in
the foreseeable future.

>> even if not, it would still make sense to me to allow for greater (or
>> better yet, full) key size to be utilized, especially for situations
>> when performance is extremely critical and something like Twofish
>> just won't do.
>
> Which situations are those?
>
My P3 class-powered servers performing a variety of cryptographic
operations on relatively large files (we get anything from 30 to 60 MiB
PDFs on a regular basis and if I were to use Twofish for any of it... not
practical).

>> As for AES, while there doesn't seem to be anything fundamentally
>> wrong with it, the fact that it was pushed so extensively by the
>> powers that be and the fact that it's considerably easier on the
>> hardware (as compared to say, Twofish), makes it a candidate for
>> large-scale, targeted cryptanalysis, so I wouldn't put it past me
>> that the NSA's onto something already.
>
> In a word, 'no'.  In three, 'oh *hell* no'.
>
> The best attack on 3DES, after more than 40 years of academic research,
> requires ~10^17 bytes of RAM and ~10^34 encryptions.  That's 100
> petabytes of RAM, which is silly enough already.  10^34 encryptions,
> each of which requires a minimum of erasing ~10^3 bits of data during
> its evolution through S- and P-boxes, and the laws of physics flat
> *require* losing about 10^-22 joules per erasure... you're talking
> about liberating 10^15 joules as heat.  That's about what a nuclear
> bomb puts out.
>
> And that's for 3DES, which is generally believed to be by far the
> *worst* cipher in OpenPGP.
>
Sooner or later something's bound to happen that could render current
technology obsolete, so it's better to err on the safer side.

> Why would anybody break ciphers the hard way with cryptanalysis, when
> real-world systems are so easily exploitable and the human beings behind
> them even moreso?
>
Convenience. If you break one, you've broken them all.
