Re: [openpgp] AEAD Chunk Size

Tobias Mueller <> Sun, 17 March 2019 19:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7A0AF12E036 for <>; Sun, 17 Mar 2019 12:35:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id v-TjL4xXoLWc for <>; Sun, 17 Mar 2019 12:35:22 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E1C4112B001 for <>; Sun, 17 Mar 2019 12:35:21 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id 44MqKN160cz13BZg; Sun, 17 Mar 2019 20:35:20 +0100 (CET)
Message-ID: <>
From: Tobias Mueller <>
To: Sebastian Schinzel <>,
Date: Sun, 17 Mar 2019 20:35:19 +0100
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.28.5-0ubuntu0.18.04.1
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [openpgp] AEAD Chunk Size
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 17 Mar 2019 19:35:23 -0000

Hi Sebastian,

On Mon, 2019-03-04 at 09:49 +0100, Sebastian Schinzel wrote:
> Your reasoning regarding proper AE is correct, but you are drawing the
> wrong conclusions. You want small chunks to do proper AE!
Can you mention what definition of AE you are referring to?
I guess you meant to add that you will need to come up with a secure
scheme to identify the last chunk and implement that properly. And that
you then you will need to buffer all the plaintext until the final chunk
has successfully checked out. Because otherwise you wouldn't get
"proper" AE as in either releasing plaintext or an error.

> The advantage of smaller
> chunks is that the plaintext can be cached until the chunk's auth tag
> is validated. That's to guarantee that no unauthenticated plaintext is
> released. (Leaving truncation aside.)

Two things: Firstly, you write "can be cached" rather than "must be
Unless you relax the security goals of the AEAD protected message.
Secondly, you can release unauthenticated plaintext of an AEAD protected
message of arbitrary size if you don't want to hold all the plaintext of
a decrypted ciphertext. Regardless of the size of the message or chunk.
Hence, there is no advantage of using a small chunk size if you want to
have an AEAD protected message. As in, if you intend to have proper AE
which only releases the full plaintext or an error.

Unless you need the concept of partially authenticated plaintext, the
only reason for using chunks is to detect failures early in the
decryption process rather than at the end. Again, if don't you want your
full message to enjoy the protections AE gives you, then you may be able
to afford partially authenticated messages. I haven't seen anybody
presenting a use-case for those. And even then it seems far fetched to
impose that concept onto each and every OpenPGP user as the current
proposal does.