Re: [openpgp] AEAD Chunk Size

"Neal H. Walfield" <> Sat, 30 March 2019 21:16 UTC

To: Benjamin Kaduk <>
Cc: Bart Butler <>, "" <>, Peter Gutmann <>, Justus Winter <>, Jon Callas <>, Jon Callas <>

Hi Ben,

Thanks for your note.

At Sat, 30 Mar 2019 10:04:38 -0500,
Benjamin Kaduk wrote:
> I also have a use case for authentication of large chunks of data at rest:
> they allow me to use a cheap bulk storage service that provides
> (best-effort) replication and archiving but has poor physical security.  So
> I encrypt my data to myself and put it in storage, but when I get it back
> I need to know that it's valid.  I can imagine at least one case where
> knowing exactly which chunk was corrupted would save effort; it may be a
> toy example but perhaps it is illustrative of a broader case.  Note that
> there are algorithms to compute pi to arbitrary precision, and even to
> compute the Nth digit thereof without computing the previous digits.  If I
> need to have random-access inquiries into the value of pi, I could
> precompute using software I trust and do this self-encryption thing, and
> when a chunk is bad I can recompute only that chunk and still trust that I
> only ever use values generated by my trusted implementation.

Just to be clear: when you say "large chunks of data at rest," you're
not arguing that large AEAD chunks are better, are you?  It seems to
me that if you use small chunks, at least in your example, you have
less work to do when you discover a corrupted chunk.


:) Neal