Re: [openpgp] [Cfrg] streamable AEAD construct for stored data?

Daniel Kahn Gillmor <> Fri, 30 October 2015 14:11 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id F3FE61A1A3D for <>; Fri, 30 Oct 2015 07:11:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=unavailable
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id xtcdQaEHAhry for <>; Fri, 30 Oct 2015 07:11:32 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 57BCB1A1A1C for <>; Fri, 30 Oct 2015 07:11:32 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTPSA id 9710BF984; Fri, 30 Oct 2015 10:11:24 -0400 (EDT)
Received: by (Postfix, from userid 1000) id 377CA1FFD3; Fri, 30 Oct 2015 23:11:23 +0900 (JST)
From: Daniel Kahn Gillmor <>
To: Watson Ladd <>, Natanael <>
In-Reply-To: <>
References: <> <> <>
User-Agent: Notmuch/0.20.2 ( Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Fri, 30 Oct 2015 23:11:23 +0900
Message-ID: <>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <>
Cc: IETF OpenPGP <>,
Subject: Re: [openpgp] [Cfrg] streamable AEAD construct for stored data?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 30 Oct 2015 14:11:35 -0000

On Fri 2015-10-30 21:30:44 +0900, Watson Ladd wrote:
>> >  b) it doesn't seem to compose as well with asymmetric signatures as one
>> >     might like: a signature over the whole material can't itself be
>> >     verified until one full pass through the data; and a signature over
>> >     just the symmetric key would prove nothing, since anyone getting the
>> >     symmetric key could forge an arbitrary valid, decryptable stream.
>> >     Is there an intermediate approach that would combine an asymmetric
>> >     signature with a chunkable authenticated encryption such that a
>> >     decryptor could stream one pass and be certain of its origin (at
>> >     least up until truncation, if (a) can't be resolved)?
>> >
>> > Thoughts, pointers, or suggestions would be much appreciated.
> Use authenticated encryption so no signatures are required. Detached
> signature verification is used for large public messages already: no
> streaming needed.

OK, i am worried that i might have sidetracked the dicsussion with this
side-note here.  We don't have a solution for (b) above today, and as
Watson notes, there are use patterns that suggest people might be OK
with doing two-pass signature verification before processing large

So i'd like to ask folks to put this side-note aside, please, and try to
re-focus on the main original question:

> AGL describes this problem here:
> and he roughly outlines a generic construction of a composable/chunkable
> approach using AEAD:
>> Ideally such a scheme would take an AEAD and produce something very
>> like an AEAD in that it takes a key, nonce and additional data, but
>> can safely work in a streaming fashion. I don't think it need be very
>> complex: take 64 bits of the nonce from the underlying AEAD as the
>> chunk number, always start with chunk number zero and feed the
>> additional data into chunk zero with a zero byte prefix. Prefix each
>> chunk ciphertext with a 16 bit length and set the MSB to indicate the
>> last chunk and authenticate that indication by setting the additional
>> data to a single, 1 byte. The major worry might be that for many
>> underlying AEADs, taking 64 bits of the nonce for the chunk counter
>> leaves one with very little (or none!) left.
> Two examples of projects that take something like this approach are
> miniLock and Tahoe-LAFS:
> I'm unaware of any formalization of this approach, though.  Does anyone
> know of one?  If OpenPGP were to adopt AGL's construct, are there
> specific risks to be aware of?