Re: [openpgp] AEAD Chunk Size

Marcus Brinkmann <> Fri, 29 March 2019 09:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B624A1200FB for <>; Fri, 29 Mar 2019 02:52:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Bpi87SVh59FI for <>; Fri, 29 Mar 2019 02:52:52 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1FEFD120074 for <>; Fri, 29 Mar 2019 02:52:52 -0700 (PDT)
Received: from (localhost []) by (Postfix mo-ext) with ESMTP id 44Vxqh0JRFz8SXX for <>; Fri, 29 Mar 2019 10:52:48 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=mail-2017; t=1553853168; bh=zkClrZF4xYhzotee4PHrEBU8mYwtu97p8n52UjOxC6Y=; h=Subject:To:References:From:Date:In-Reply-To:From; b=SxwHHYB4xnmrYBjeHm9PzGw1p4Rvh7LcCNTdqGh4PLarNMG7nhLJXgPjs5Fe6u3rO R/QVD+pIlE7Onm4jAfWEn2Yep4iFOtJUYXk9tFoLo7x9yfoWb1zwQ80w/mUwelZ2BA UxibW1QcBLsxFBlMOi9iHW+QRxH5H5pxG+h0AILY=
Received: from (localhost []) by (Postfix idis) with ESMTP id 44Vxqg57Lrz8SRP for <>; Fri, 29 Mar 2019 10:52:47 +0100 (CET)
X-Envelope-Sender: <>
X-RUB-Notes: Internal origin=
Received: from ( []) by (Postfix mi-int) with ESMTP id 44Vxqg3Ndpz8Scq for <>; Fri, 29 Mar 2019 10:52:47 +0100 (CET)
Received: from [] ( []) by (Postfix) with ESMTPSA id 44Vxqg0g8Zzyty for <>; Fri, 29 Mar 2019 10:52:47 +0100 (CET)
References: <> <> <> <> <>
From: Marcus Brinkmann <>
Openpgp: preference=signencrypt
Message-ID: <>
Date: Fri, 29 Mar 2019 10:52:27 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.99.4 at
X-Virus-Status: Clean
Archived-At: <>
Subject: Re: [openpgp] AEAD Chunk Size
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 29 Mar 2019 09:52:56 -0000


Just to set the record straight: I made two very specific actionable
proposal on this very list 9 months ago.

* Limit the maximum chunk size to a small value:

* Forbid outputting unauthenticated plaintext:

Also, I think it is instructive to look at the history of the chunk size
and how we got here in the first place. This is the original proposed
text by Brian M. Carlson:

> An implementation MUST support chunk size octets with values from 0 to
10.  An implementation MAY support other chunk sizes.  Chunk size
octets with values larger than 127 are reserved for future extensions.

This is what the editor put into the draft standard without discussion:

> An implementation MUST support chunk size octets with values from 0 to
56.  Chunk size octets with other values are reserved for future

His reasoning was this: "Given that larger values are optional,
implementations will need limit C to 10.  I consider this too low for
practical purposes.  We should require all implementations to support
the same range. Given that we have a 64 bit counter the maximum value
for C should be 57 - I would even say 56 so that we avoid signed and
signed problems in the number of octets."

So, here is an actionable item: Go back to the original proposal by
Brian M. Carlson. It gives implementations a reasonable limit to stick
to, while it allows for larger chunks for special use cases.