Re: [openpgp] AEAD Chunk Size

Sebastian Schinzel <> Mon, 04 March 2019 08:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 093CC131031 for <>; Mon, 4 Mar 2019 00:50:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WyzT3dqKhNqM for <>; Mon, 4 Mar 2019 00:50:00 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id D11661200D7 for <>; Mon, 4 Mar 2019 00:49:59 -0800 (PST)
Received: from [] (unknown []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: ss560221) by (Postfix) with ESMTPSA id EF03A284D36 for <>; Mon, 4 Mar 2019 09:49:56 +0100 (CET)
References: <> <> <> <> <> <> <> <>
From: Sebastian Schinzel <>
Message-ID: <>
Date: Mon, 4 Mar 2019 09:49:54 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/mixed; boundary="------------6A6A0ABFA2CF68525A608F56"
Archived-At: <>
Subject: Re: [openpgp] AEAD Chunk Size
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 04 Mar 2019 08:50:02 -0000

Am 03.03.2019 um 19:36 schrieb Tobias Mueller:
> Having said that, I understand the desire for fixing a chunk size to
> reduce complexity for implementers.  My desire as a user is to have a
> strong and resilient protocol.  As such I prefer producing messages that
> enjoy strong protection against modification.  That includes my emails
> or backups larger than 16kB, 256kB, or whatever size you come up with.

Chunking breaks plaintexts of arbitrary size into many smaller "chunks"
and adds an authentication tag to each chunk. The advantage of smaller
chunks is that the plaintext can be cached until the chunk's auth tag is
validated. That's to guarantee that no unauthenticated plaintext is
released. (Leaving truncation aside.)

Your reasoning regarding proper AE is correct, but you are drawing the
wrong conclusions. You want small chunks to do proper AE! This implies
no limit to the overall size of the plaintext.

I also don't see any reason to keep the variable chunk size. We should
fix it to something between 16kB and 64kB.