Why is Blowfish's key size limited to 128 bits in RFC 4880?

Robert J. Hansen rjh at sixdemonbag.org
Sat Oct 17 18:36:49 CEST 2020


> Unfortunately 3DES did not survive said scrutiny in the end...

It absolutely *has* survived scrutiny.  I don't know where you're 
getting your information.  3DES is being phased out because its 64-bit 
block size makes it dicey for modern bulk encryption, and because its 
spectacular overdesign makes it very slow.

That's it.  Nobody has come up with any kind of meaningful cryptanalytic 
attack against it.  It simply doesn't exist.

> My P3 class-powered servers performing a variety of cryptographic
> operations on relatively large files (we get anything from 30 to 60 MiB
> PDFs on a regular basis and if I were to use Twofish for any of it... not
> practical)

Very practical.  You could practically use 3DES on these files.  60MB is 
nothing: you're going to experience more slowdown writing to disk.

> Sooner or later something's bound to happen that could render current
> technology obsolete, so it's better to err on the safer side.

In that case, why not also work on defending against time travel, 
psychic phenomena, or aliens from Zarbnulax?

The moment you say "it doesn't matter what the science says," you open 
the door to some very reasonable questions about why you're defending 
against one not-rooted-in-science attack and not others.

>> Why would anybody break ciphers the hard way with cryptanalysis, when
>> real-world systems are so easily exploitable and the human beings behind
>> them even more so?
>
> Convenience. If you break one, you've broken them all.

No, that's not how cryptanalysis works, either.  Cryptanalysis works by 
reducing the amount of work to be done: only in rare cases will it 
totally erase the work factor.  A massively profound cryptanalytic 
attack on AES128 would reduce the work factor to, oh, call it 2**80; 
that result would be *seismic*.

But 2**80 ain't easy, either.  You still have to do an awful lot of hard 
work and pay a really huge utility bill.

Why do it this way?  Why not go after the data in a non-cryptanalytic 
way, where the work factor is so much less?

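Two of the numbers behind this exchange, the 64-bit block size that makes 3DES "dicey for modern bulk encryption" and the 2**80 work factor, as an added worked example that is not part of the original post: it applies the birthday bound to a 64-bit versus a 128-bit block cipher and converts a 2**80 work factor into wall-clock time. The function names and the 10**12 trials-per-second throughput are assumptions for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def birthday_collision_probability(block_bits: int, n_blocks: int) -> float:
    """Probability that at least two of n_blocks ciphertext blocks collide.

    In a mode such as CBC each ciphertext block is a pseudorandom value from
    a space of 2**block_bits, and a collision leaks the XOR of two plaintext
    blocks.  Standard birthday approximation: p ~= 1 - exp(-n(n-1) / 2N).
    """
    space = 2.0 ** block_bits
    exponent = n_blocks * (n_blocks - 1) / (2.0 * space)
    return -math.expm1(-exponent)


def bytes_for_collision_probability(block_bits: int, p: float) -> float:
    """Bytes encrypted under one key before a collision has probability p."""
    space = 2.0 ** block_bits
    n_blocks = math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p)))
    return n_blocks * (block_bits // 8)


def brute_force_years(log2_work: float, ops_per_second: float) -> float:
    """Wall-clock years for a work factor of 2**log2_work at a given throughput."""
    return (2.0 ** log2_work) / ops_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # A single 60 MiB file (the size mentioned in the thread) as 8-byte blocks.
    file_blocks = (60 * 2**20) // 8
    p_file = birthday_collision_probability(64, file_blocks)
    print(f"one 60 MiB file, 64-bit blocks: p(collision) ~ {p_file:.2e}")
    # The risk is per key, not per file: long-lived keys accumulate data.
    for bits in (64, 128):
        gib = bytes_for_collision_probability(bits, 0.5) / 2**30
        print(f"{bits:3d}-bit blocks: 50% collision chance after ~{gib:.3g} GiB under one key")
    # Assumed throughput: 10**12 trials per second (constructed figure, not from the post).
    print(f"2**80 work at 1e12 trials/s: ~{brute_force_years(80, 1e12):,.0f} years")
```

The first line shows a single 60 MiB file is far below the 64-bit birthday bound; the per-key line is why 3DES is retired for bulk encryption, and the last line is why a 2**80 result would still leave a very large utility bill.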
More information about the Gnupg-users mailing list