Re: [openpgp] AEAD Chunk Size

Peter Gutmann <> Fri, 29 March 2019 03:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3C23812016F for <>; Thu, 28 Mar 2019 20:17:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6kZhovazLFED for <>; Thu, 28 Mar 2019 20:17:07 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 71C2F120161 for <>; Thu, 28 Mar 2019 20:17:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=mail; t=1553829426; x=1585365426; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=IOlZmt17cvlZl9ChYtgsHW5upPNNGljv0h65JrSotNQ=; b=PKAsVdYyVk9pGsWpJV7ElHUyLDUx9m8F5453Yhy13QD7b9FKH1p7ZGZd p22lABTnVhHvN25dbsbs9uiFCs/AdR4yCOfaQuccqqvpgdneAxRMLtjJr THrsNtr2qr+K/cpj2IBKxk6Tbv37g57A4BclrEUn2yMeFBU+wAL0Jf47a EaC2tHI4VF6fenq/8CGFSVK9+CnDtYQzmPr/WHXNl+SwjLYTY3rKoypQ+ VOm1d5xGeeitC0QUU6MUxCyNmBOUsFMmkwJCJET1P+wfzNQZ4GJYWuhth Ao03bf48XIF3UqgwNUqk1CXiWLTm7RuYduNf+jDLuEuT3rGduGvmBM0jz g==;
X-IronPort-AV: E=Sophos;i="5.60,283,1549882800"; d="scan'208";a="53616315"
X-Ironport-Source: - Outgoing - Outgoing
Received: from (HELO ([]) by with ESMTP/TLS/AES256-SHA; 29 Mar 2019 16:17:04 +1300
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 29 Mar 2019 16:17:04 +1300
Received: from ([]) by ([]) with mapi id 15.00.1395.000; Fri, 29 Mar 2019 16:17:04 +1300
From: Peter Gutmann <>
To: "Neal H. Walfield" <>, Jon Callas <>
CC: "" <>, Justus Winter <>, Jon Callas <>
Thread-Topic: [openpgp] AEAD Chunk Size
Date: Fri, 29 Mar 2019 03:17:03 +0000
Message-ID: <>
References: <> <> <>, <>
In-Reply-To: <>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [openpgp] AEAD Chunk Size
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 29 Mar 2019 03:17:09 -0000

Neal H. Walfield <> writes:

>Until now, OpenPGP didn't require buffering data.  A decrypted AEAD chunk
>MUST only be released when it has been authenticated.  In the current
>proposal, AEAD chunks are potentially unbounded (well, up to 4 exabytes...)
>in size.  No one can decrypt such chunks without cheating, i.e., releasing
>unauthenticated plaintext.

This has been considered before, e.g. with S/MIME's authenticated encryption:

and so far doesn't seem to have caused any major problems.  That is, it's not
that there's a perfect solution, it's that actual problem situations seem to
be pretty rare.

If you want to do it right, you'd really want some formal academic treatment
rather than guessing at chunk sizes and what may or may not be needed, i.e.
typical message size X, typical chunk size Y gives these security bounds.  PGP
is typically used to encrypt data at rest (make the chunk size the file size)
or short email messages (chunk size doesn't matter, it's short).  That leaves
a remainder of large emails, which we know exist but don't know how frequent
they are or how often they're sent or from what sorts of systems.

Without hard data on what's actually needed, we're just bikeshedding... while