Re: [openpgp] Backwards compatibility

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 25 October 2023 11:39 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Wiktor Kwapisiewicz <wiktor=40metacode.biz@dmarc.ietf.org>
CC: IETF OpenPGP WG <openpgp@ietf.org>
Date: Wed, 25 Oct 2023 11:38:57 +0000
Message-ID: <SY4PR01MB6251E97FF31597D15D76FB01EEDEA@SY4PR01MB6251.ausprd01.prod.outlook.com>
In-Reply-To: <347ad1a6-3108-4842-b635-9e2683884b51@metacode.biz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/SJWmJA4YUpevYI0dbdOtzAC8xRY>

Wiktor Kwapisiewicz <wiktor=40metacode.biz@dmarc.ietf.org> writes:

>What's your opinion on the AES-GCM-SIV variant, Peter?

It requires two passes over the data so you can't do streaming with it, and
it's not supported in any hardware I know of and presumably few crypto
libraries either.  A standard EtM construct allows single-pass operation,
isn't affected much by nonce reuse, and is supported by pretty much
everything.

For two-pass encryption, once you're allowed to make two passes over the data
there are endless ways to deal with nonce reuse.  For example the two-pass
CBC-MAC mechanism that Colin Plumb invented thirty years ago for disk sector
encryption is an SIV mode, he just came up with it about 20 years too early
and didn't give it a fancy name.

Peter.
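
The single-pass versus two-pass point in the message above, as an added example that is not part of the original message or of any OpenPGP implementation. It assumes a keystream built from HMAC-SHA256 in counter mode as a stand-in for AES-CTR, and a generic SIV-style construction (IV = MAC over the plaintext), which is neither AES-GCM-SIV itself nor the CBC-MAC mechanism mentioned; all function names, keys and sample data are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 32  # keystream block size of the stand-in cipher

def ctr_xor(key, iv, data, offset=0):
    """Stand-in for AES-CTR (assumption): HMAC-SHA256 run in counter mode."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ctr = ((offset + i) // BLOCK).to_bytes(8, "big")
        pad = hmac.new(key, iv + ctr, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], pad))
    return bytes(out)

def etm_encrypt(enc_key, mac_key, nonce, chunks):
    """Encrypt-then-MAC, single pass: every chunk is emitted as it arrives."""
    mac = hmac.new(mac_key, nonce, hashlib.sha256)
    offset = 0
    for chunk in chunks:  # chunks are multiples of BLOCK, except the last
        ct = ctr_xor(enc_key, nonce, chunk, offset)
        mac.update(ct)
        offset += len(chunk)
        yield ct
    yield mac.digest()  # tag over nonce || ciphertext

def siv_encrypt(enc_key, mac_key, nonce, chunks):
    """SIV-style, two passes: the IV is a MAC over the whole plaintext."""
    buffered = list(chunks)  # pass 1 needs all the input before any output
    mac = hmac.new(mac_key, nonce, hashlib.sha256)
    for chunk in buffered:
        mac.update(chunk)
    siv = mac.digest()[:16]  # synthetic IV, also the authentication tag
    yield siv
    yield ctr_xor(enc_key, siv, b"".join(buffered))  # pass 2 encrypts

def chunks_read_before_first_output(encrypt, chunks):
    """Count input chunks consumed before the first output is produced."""
    seen = []
    def source():
        for c in chunks:
            seen.append(c)
            yield c
    next(encrypt(source()))
    return len(seen)

# Constructed sample input: four 32-byte chunks and fixed demo keys.
KE, KM, NONCE = b"e" * 32, b"m" * 32, b"n" * 12
MSG = [bytes([i]) * BLOCK for i in range(4)]
```

With the sample input, the EtM generator produces its first ciphertext after reading one chunk, while the SIV-style generator has to read all four before it can emit anything; under a repeated nonce the SIV-style IV still changes whenever the plaintext does.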