Re: [openpgp] AEAD Chunk Size

Tobias Mueller <> Sun, 03 March 2019 18:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9BD14128CF3 for <>; Sun, 3 Mar 2019 10:36:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MUd5mhy86_m4 for <>; Sun, 3 Mar 2019 10:36:12 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 57E5F130DE7 for <>; Sun, 3 Mar 2019 10:36:12 -0800 (PST)
Received: from unibox ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id 44CBgX5W03z12jXm; Sun, 3 Mar 2019 19:36:08 +0100 (CET)
Message-ID: <>
From: Tobias Mueller <>
To: "Neal H. Walfield" <>, Jon Callas <>
Cc: Bart Butler <>, "" <>, Vincent Breitmoser <>
Date: Sun, 03 Mar 2019 19:36:08 +0100
In-Reply-To: <>
References: <> <> <> <> <> <> <>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.28.5-0ubuntu0.18.04.1
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [openpgp] AEAD Chunk Size
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 03 Mar 2019 18:36:15 -0000


On Fri, 2019-03-01 at 09:45 +0100, Neal H. Walfield wrote:
> I think that security concerns should be our first priority.  And, any
> flexibility increases our bug potential.  As such, I'm not convinced
> that we shouldn't use a fixed chunk size.

Note that introducing "chunks" diverts from authenticated encryption and
increases the bug potential.  That is, an implementation may more easily
release plaintext although the ciphertext has been modified.
The AE mode is OpenPGP's chance to become a protocol which enjoys the
strong security guarantees of AE and catch up with S/MIME.

By fixing a "chunk size" you take away the ability to benefit from AE
for messages bigger than that size.
Implementations could easily collect all chunks and only release the
plaintext once all chunks check out successfully. But that could go
wrong. And depending on implementations to get things right and clients
to use those implementations correctly is exactly what enabled Efail to
become an issue. I think it'd be much nicer if the protocol already
ensures that my emails do indeed enjoy protection against modification
rather than me having to rely too much on clients getting it right.

Having said that, I understand the desire for fixing a chunk size to
reduce complexity for implementers.  My desire as a user is to have a
strong and resilient protocol.  As such I prefer producing messages that
enjoy strong protection against modification.  That includes my emails
or backups larger than 16kB, 256kB, or whatever size you come up with.

Is there another way to do real AE?