Re: [Cfrg] streamable AEAD construct for stored data?

[Alex Elsayed <eternaleye@gmail.com>]

On Fri, 30 Oct 2015 08:11:48 +0900, Daniel Kahn Gillmor wrote:

> Hi CFRG folks--
> 
> We're looking into fixing the OpenPGP symmetrically-encrypted data
> formats for RFC4880bis.  The structures are used for mail messages but
> also for large file encryption.  It's clear that the OpenPGP CFB mode
> isn't designed to modern symmetric encryption standards, so we're hoping
> to introduce a better approach.
> 
> We need, among other things to address integrity protection in a more
> meaningful way than the current OpenPGP MDC (modification detection
> code), which is basically a SHA-1 hash of the cleartext.  This was never
> much better than a band-aid.  And as discussed in the recent "OpenPGP
> SEIP downgrade attack" thread, an "integrity-protected" packet with an
> MDC can be stripped down to produce a syntactically-valid packet without
> integrity protection.
> 
> But one of our constraints is the OpenPGP use case that streams
> decrypted data, like this:
> 
>  pgp --decrypt <backup.pgp | tar x
> 
> It's unlikely that this use case will go away.

<snip>

> Thoughts, pointers, or suggestions would be much appreciated.

Rogaway et. al. have a pair of constructions that come with very good 
security reductions, named CHAIN (requires strongly nonse-misuse-
resistant underlying AEAD, which is hard to come by) and STREAM (only 
requires nonce-based AEAD).

https://eprint.iacr.org/2015/189

If you want to forbid out-of-order decryption, you can also use each 
packet (or a hash thereof) as AD to the next.