Re: [openpgp] First remarks on the last I-D

Daniel Huigens <d.huigens@protonmail.com> Mon, 13 June 2022 10:42 UTC

Date: Mon, 13 Jun 2022 10:41:53 +0000
To: "Robert J. Hansen" <rjh@sixdemonbag.org>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: openpgp@ietf.org, Jon Callas <joncallas=40icloud.com@dmarc.ietf.org>
Reply-To: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <p_7pskU0MxbpIjGwmAUTMmFsJxjA8QRQCGDbCfrYQTSXocrlDUFDdNuHXChjBwy3RAc2eA_mRIyGFDWD6u5peNNL_F9I3yUYXAa5Khy5XqE=@protonmail.com>
In-Reply-To: <4dd0ad8b-9de7-15e6-a9ef-e0401acd69f8@sixdemonbag.org>
References: <BB9D0AB9-CC8C-420E-8082-E9F64B09BF46@ribose.com> <18396bf2-5319-87c3-095e-f804632618f2@cs.tcd.ie> <5100C338-C6DC-4BB1-86A4-DAC353AA82CC@icloud.com> <7547a547-bb71-2bdd-f85e-91d46476bc6@nohats.ca> <54B2F360-C996-4A5D-BE3D-6EA405406C68@icloud.com> <YqPEw8OIlf0PG40T@camp.crustytoothpaste.net> <25c3a7b5-07ef-1521-1a14-43ef0c7b4043@cs.tcd.ie> <SY4PR01MB6251D365368552630ECCD720EEA99@SY4PR01MB6251.ausprd01.prod.outlook.com> <4dd0ad8b-9de7-15e6-a9ef-e0401acd69f8@sixdemonbag.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/I734rCziOoebYjIIRPxQu7bcCgQ>
Subject: Re: [openpgp] First remarks on the last I-D

> Sooner or later, someone has to implement this. (...)
> Talk about the various efficiencies of CCM mode versus OCB mode, etc.,
> bores the heck out of me. I want to know which one is going to be simpler.

As one data point, we have experimental implementations of AEAD using
OCB, EAX and GCM in OpenPGP.js and GopenPGP. In both cases, we had to
implement OCB and EAX ourselves, due to lack of library support
(well - we implemented EAX on top of CTR so that was arguably a bit
simpler). GCM was already implemented so that was much simpler, and
also more performant due to having native / assembly implementations.


(Jon Callas wrote:)

> (...) my advice on this issue is merely to be careful, especially with GCM. GHASH is brittle as all heck; someone's going to get it wrong and it will be a brouhaha we don't need. (...)
> There are plenty of other options: OCB if we need the speed, I don't think we do; CCM is safe and boring and explicitly on lots of lists; EAX is just fine it's just a spite mode; rolling one's own check with CMAC/OMAC or HMAC is also totally fine; SIV is also nice. Pick two.

I agree we should be careful, but for any of these other options, we
would have (had) to roll our own implementation. I'm not sure whether
that's safer than relying on an existing implementation from a crypto
library. And in both Web Crypto and Go's built-in crypto library, GCM
is the only AEAD mode available, unfortunately. Of course I hope that
will change, and that we can add OCB, for example, but for now that's
the way it is. So I think that while it's not ideal, having GCM
(in addition to OCB) in the standard is better than not having it.

Best,
Daniel
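As an added illustration of the library-availability point made in this message (this is example code written for this page, not code from OpenPGP.js, GopenPGP or anyone in the thread): Go's standard library exposes AES-GCM through `cipher.NewGCM` as a `cipher.AEAD`, so a seal/open pair that binds associated data and rejects any tampered byte is a few lines with no hand-rolled mode code. The key, message and associated data below are constructed for the demo and have nothing to do with the OpenPGP packet format; the one thing the caller still owns is nonce handling, so a fresh random 96-bit nonce is drawn per message and carried in front of the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealGCM encrypts plaintext with AES-GCM from the standard library, binding
// aad (associated data) to the ciphertext. A fresh 96-bit nonce is drawn from
// crypto/rand for every call and prepended to the output; a nonce must never
// be reused under the same key. key must be 16, 24 or 32 bytes.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice, giving nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM. Any change to the nonce, ciphertext, tag or aad
// makes Open return an error and no plaintext.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// roundTrip exercises the success path and the integrity check. It returns
// true only if the message decrypts with the right aad and decryption fails
// once a tag bit is flipped or the aad is changed.
func roundTrip() (bool, error) {
	key := make([]byte, 32) // constructed demo key, random per run
	if _, err := rand.Read(key); err != nil {
		return false, err
	}
	msg := []byte("hello, openpgp")    // constructed plaintext
	aad := []byte("packet-header-v2") // constructed associated data
	sealed, err := sealGCM(key, msg, aad)
	if err != nil {
		return false, err
	}
	pt, err := openGCM(key, sealed, aad)
	if err != nil || string(pt) != string(msg) {
		return false, errors.New("round trip failed")
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := openGCM(key, tampered, aad); err == nil {
		return false, errors.New("tampered ciphertext accepted")
	}
	if _, err := openGCM(key, sealed, []byte("other-aad")); err == nil {
		return false, errors.New("wrong associated data accepted")
	}
	return true, nil
}

func main() {
	ok, err := roundTrip()
	fmt.Println("AES-GCM round trip with tamper rejection:", ok, err)
}
```

The whole mode-specific surface is the two `cipher.NewGCM` calls; everything else is framing that any AEAD would need. That is the trade-off the message describes: the mode comes for free from the platform, and the implementer's remaining responsibility is the nonce discipline that GCM punishes harshly when it is violated.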