ietf-openpgp

Re: Twofish

1999-01-13 06:40:32
-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 12 Jan 1999 hal(_at_)rain(_dot_)org wrote:

> One question is key size.  PGP key algorithm values have defined key
> sizes.  Twofish, like the other AES candidates, can be used with key
> sizes of 128, 192, or 256 bits.  (Actually the cipher allows use of any
> smaller size key as well.)
>
> In some contexts where symmetric key algorithm values are used, the
> key size can be determined from the message format.  For example,
> Public-Key Encrypted Session Key Packets use PKCS-1 encoding for the
> encrypted session key, and that encoding implicitly determines the
> key size (at least to a multiple of eight bytes).
>
> However, this is not always the case.  Symmetric-Key ESK packets
> encrypt one key with another, and the two keys' lengths are allowed
> to be different.  Only the encrypted key has its length determined by
> context, not the encrypting key.  Symmetric key algorithm values are
> also used in secret key packets, and there, too, the key lengths cannot
> be determined from context.

I think we should deal with this issue reasonably soon. We probably cannot
deal with it until the v1.1 spec. However, with the number of symmetric key
algorithms that are being designed with variable key lengths and other
parameters, it will become prohibitive to assign identifiers for
each. Picking a specific key length may be too limiting (a user may WANT
256 bit keys) and this does not handle other variables of the
algorithm. Take, for instance, RC6 (another AES candidate), which allows
variable rounds and blocksizes as well. RC6 as specified for the AES, the
way I read it, will be RC6-32/20/{16,24,32}. The first number is the number
of bits in a block. The second is the number of rounds. The third is the
key size in bytes (it will handle 128, 192, and 256 bit keys). Just because
this is the definition for AES does not mean that we should not allow it to
be run with alternate word sizes or rounds.

I would like to (if it is agreeable) add the concept of parameters for
symmetric algorithms to my v1.1 laundry list. It should probably be handled
in a similar fashion to the public-key parameters (for DSA, etc). This
would probably mean specifying an 'Enhanced symmetric-key encrypted
session-key packet' to replace the existing one but I will leave that up to
the group to hash out.

Does this sound reasonable to people?

> To deal with this, we have always defined symmetric key algorithm
> values to represent both a cipher and a key length.  Blowfish was a
> variable-key-length algorithm, but the Blowfish cipher algorithm byte
> was defined to represent a 128-bit key version.

...
> computing which nobody really expects to happen.  192 bits is more
> than enough strength for any reasonable cryptographic attack.  128 bits
> is really very strong still, but if we do want to go up, 192 seems more
> reasonable to me than 256.  That would be my recommendation.

We should probably choose a single size for the time being. Later, if the
above recommendation gets implemented in the v1.1 OpenPGP spec, we would
define newer algorithm identifiers with variable parameters.

> Hal

Tony Mione, RUCS/NS, Rutgers University, Hill 055, Piscataway,NJ - 732-445-0650
mione(_at_)nbcs-ns(_dot_)rutgers(_dot_)edu                 W3: http://www-ns.rutgers.edu/~mione/
PGPFP:E2252CCD28733C5B  0B918A4E22BAFA9F     ***** Important: Rom 10:9-11 *****
Author of 'CDE and Motif : A Practical Primer', Prentice-Hall PTR

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBNpyijfMKRuSgNA5pAQGkcgMAjrA/l/4Ad4bVQ4KSYmUO6ZSrVliecq/w
xjycZ6PYc/BAk1dSKXjrwJe5t81KZCvYeDDUISyp4gsHp/R+fqmIXuQCpm0Rmf3g
fE/+yqKyH43TpghTgEH2Pp215EIeDHIR
=pc/J
-----END PGP SIGNATURE-----
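
The point about Symmetric-Key ESK packets, as an added example that is not part of the original message or of any OpenPGP implementation: a parser for the version 4 packet body showing that the encrypted key's length falls out of the packet length, while the encrypting key's length can only come from a per-identifier table. It assumes the algorithm identifiers and S2K layouts of RFC 4880, which post-date this thread; `parse_skesk` and the sample packet are constructed for illustration.

```python
# Added example. Key sizes in bytes per symmetric algorithm ID, as later fixed
# by RFC 4880 (1 IDEA, 2 3DES, 3 CAST5, 4 Blowfish, 7-9 AES, 10 Twofish-256).
SYM_KEY_BYTES = {1: 16, 2: 24, 3: 16, 4: 16, 7: 16, 8: 24, 9: 32, 10: 32}
# Total S2K specifier length by type: simple, salted, iterated and salted.
S2K_LEN = {0: 2, 1: 10, 3: 11}


def parse_skesk(body: bytes) -> dict:
    """Parse the body of a version 4 Symmetric-Key ESK packet (tag 3)."""
    if len(body) < 4:
        raise ValueError("truncated SKESK packet")
    version, algo, s2k_type = body[0], body[1], body[2]
    if version != 4:
        raise ValueError(f"unsupported SKESK version {version}")
    if algo not in SYM_KEY_BYTES:
        raise ValueError(f"unknown symmetric algorithm {algo}")
    if s2k_type not in S2K_LEN:
        raise ValueError(f"unknown S2K type {s2k_type}")
    s2k_end = 2 + S2K_LEN[s2k_type]
    if len(body) < s2k_end:
        raise ValueError("truncated S2K specifier")
    esk = body[s2k_end:]
    if len(esk) == 1:
        raise ValueError("encrypted session key too short")
    return {
        "kek_algo": algo,
        # No field in the packet carries this length: the identifier must
        # imply it, which is why one ID cannot mean "Twofish, any key size".
        "kek_bytes": SYM_KEY_BYTES[algo],
        "s2k": body[2:s2k_end],
        # The optional trailer is CFB-encrypted (algorithm octet + key), so
        # its plaintext length equals its ciphertext length.
        "session_key_bytes": len(esk) - 1 if esk else None,
    }


# Constructed sample: Twofish (ID 10) as encrypting algorithm, iterated and
# salted S2K with SHA-1, zeroed salt, then a 17-byte encrypted trailer.
SAMPLE = bytes([4, 10, 3, 2]) + bytes(8) + bytes([0x60]) + bytes(17)

if __name__ == "__main__":
    print(parse_skesk(SAMPLE))
```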

