ietf-openpgp

Re: Twofish

1999-01-12 18:15:33
One question is key size.  PGP key algorithm values have defined key
sizes.  Twofish, like the other AES candidates, can be used with key
sizes of 128, 192, or 256 bits.  (Actually the cipher allows use of any
smaller size key as well.)

In some contexts where symmetric key algorithm values are used, the
key size can be determined from the message format.  For example,
Public-Key Encrypted Session Key Packets use PKCS-1 encoding for the
encrypted session key, and that encoding implicitly determines the
key size (at least to a multiple of eight bytes).

However, this is not always the case.  Symmetric-Key ESK packets
encrypt one key with another, and the two keys' lengths are allowed
to be different.  Only the encrypted key has its length determined by
context, not the encrypting key.  Symmetric key algorithm values are
also used in secret key packets, and there, too, the key lengths cannot
be determined from context.

To deal with this, we have always defined symmetric key algorithm
values to represent both a cipher and a key length.  Blowfish was a
variable-key-length algorithm, but the Blowfish cipher algorithm byte
was defined to represent a 128-bit key version.

In adding Twofish, we should probably either add three values, for
128-, 192-, and 256-bit versions, or we should settle on a single
size.

If we choose a single size, it would probably make sense to have the
Twofish key size be bigger than the 128 bits used by most of our current
keys.  Unlike the other ciphers, Twofish has a 128 bit block size.
(Keep in mind that the block size bears no necessary relation to the
key size, except that bigger is better in both cases.)  All our other
ciphers use a 64 bit block size.  Given this increase in size, we should
probably consider 192 or 256 bits as the Twofish key size.

Either one of these would probably be OK.  Personally, I feel that 256
bits is awfully big for a key.  There is some speculation that the AES
required such a large key to protect against exotic advances in quantum
computing which nobody really expects to happen.  192 bits is more
than enough strength for any reasonable cryptographic attack.  128 bits
is really very strong still, but if we do want to go up, 192 seems more
reasonable to me than 256.  That would be my recommendation.

Hal
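
An added illustration of the point made in the message above, not part of the original post: a minimal parser for a version 4 Symmetric-Key ESK packet body, showing that the encrypted session key's length comes from the packet while the encrypting key's length comes only from the algorithm ID. The function name, table names and sample bytes are constructed for this example, and the table lists only a few existing algorithm IDs.

```python
# Added illustration, not code from the thread or from any OpenPGP implementation.
# Each symmetric algorithm ID names a cipher AND a fixed key size in bytes.
SYM_ALGOS = {1: ("IDEA", 16), 2: ("TripleDES", 24), 3: ("CAST5", 16), 4: ("Blowfish", 16)}

# Length of the S2K specifier by type octet: simple, salted, iterated and salted.
S2K_LEN = {0: 2, 1: 10, 3: 11}


def parse_skesk(body: bytes) -> dict:
    """Return the key lengths implied by a v4 Symmetric-Key ESK packet body."""
    if len(body) < 3:
        raise ValueError("truncated SKESK body")
    version, algo_id, s2k_type = body[0], body[1], body[2]
    if version != 4:
        raise ValueError(f"unsupported SKESK version {version}")
    if algo_id not in SYM_ALGOS:
        # The packet has no key-length field, so an unknown ID leaves the size unknown.
        raise ValueError(f"algorithm {algo_id}: key size cannot be determined")
    if s2k_type not in S2K_LEN:
        raise ValueError(f"unknown S2K type {s2k_type}")
    s2k_end = 2 + S2K_LEN[s2k_type]
    if len(body) < s2k_end:
        raise ValueError("truncated S2K specifier")
    cipher, kek_bytes = SYM_ALGOS[algo_id]
    esk = body[s2k_end:]
    if len(esk) == 1:
        raise ValueError("encrypted session key field holds no key octets")
    # CFB adds no padding: the field is 1 algorithm octet plus the session key.
    # With no field present, the S2K output itself is the session key.
    session_key_bytes = len(esk) - 1 if esk else kek_bytes
    return {"kek_cipher": cipher, "kek_bytes": kek_bytes,
            "session_key_bytes": session_key_bytes}


# Constructed sample: v4, CAST5 (ID 3), iterated+salted S2K with hash ID 2 (SHA-1),
# an 8-byte salt, a count octet, then 25 opaque bytes standing in for ciphertext.
SAMPLE = bytes([4, 3, 3, 2]) + bytes(8) + bytes([0x60]) + bytes(25)

if __name__ == "__main__":
    print(parse_skesk(SAMPLE))
```

In the sample, a 128-bit CAST5 key wraps a 192-bit session key, the case of differing lengths the message describes. An algorithm ID missing from the table is rejected because nothing else in the packet states how many key bytes the S2K step should produce.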
