Re: [openpgp] Pull request for AEAD encrypted data packet with GCM

Jon Callas <> Tue, 14 February 2017 02:05 UTC

From: Jon Callas <>
Date: Mon, 13 Feb 2017 18:05:34 -0800
To: "brian m. carlson" <>
Subject: Re: [openpgp] Pull request for AEAD encrypted data packet with GCM

> On Feb 13, 2017, at 5:28 PM, brian m. carlson <> wrote:

[OCB discussion removed because we're all in violent agreement.]

>> * ChaCha20+Poly1305. Many of the cool kids are using it. It's fast, reasonably okay to implement, it's in TLS 1.3, and wouldn't be a bad choice. The major criticism I can see is that ChaCha20 is a stream cipher not a streaming mode on a block cipher (like AES or Twofish or whatever). I think most of the legitimate criticisms of it are blunted by its being used a lot in the TLS world.
> That's why my proposal (which I will send a patch to the list for
> shortly) proposed an octet for AEAD algorithm.  We can implement
> ChaCha20 as a cipher and Poly1305 as an AEAD algorithm.  I support doing
> this, but doing just ChaCha20-Poly1305 excludes a secure implementation
> of all the block ciphers that we currently have.  We need something that
> works with AES.

Forgive my being out of the loop on this and behind in document reading.

4880 uses CFB implicitly with two flavors (regular and with MDC). Historically, OpenPGP leaves lots of parameterization around which is great for experimentation, but hell on test matrixes. One could parameterize a new packet in which there was a cipher parameter and an integrity parameter. Thus, one could have the matrix [AES(key size), Twofish(key size), ...., whatever; CCM, SIV, HMAC, ...]. (The clever reader might note that HMAC leads to its own parameter.) Or one could have a parameter for a full thing like AES128-SIV, or AES256-HMAC-SHA512. I recommend the latter, myself.

In that case, just pick decent parameters on ChaCha20+Poly1305 and be done. This is slightly important because this would be the first time OpenPGP used a stream cipher per se.

Historic note: OpenPGP dates from a time when there were a lot of good arguments for a lot of options. Okay, there were better arguments than there are now. :) You know, should we use IDEA, CAST5, or Blowfish? Should we allow DSA to be used with RIPEMD-160 because SHA-1 was created by the NSA and some people think it's backdoored? We also in those days wanted maximum consensus on getting 2440 done as fast as possible. That led to a lot of parameters and then contraction of those parameters later when people never implemented the algorithm they really wanted. I think this is an opportunity to collapse option explosion by just having AE suite parameters. This would allow some generosity in parameters without total option explosion.

>> * CTR+HMAC. Like you, I mention it for completeness. But while I think that any of the above would be better, I think it is again better than GCM. It's not sexy but it works, and it's harder to screw up than many things.
> That's why I like it.  Assuming you have a constant time AES
> implementation, you can implement CTR and HMAC in constant time in
> almost any language.  Those algorithms are also implemented in most
> libraries.

This is also an argument in favor of CCM, SIV, and perhaps others.

One final thing that just occurred to me. If we really, really want this to preserve some OpenPGP goodness, there would also be a preference packet to allow someone to state what they do and don't speak.
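As an added example (not code from this thread or from any OpenPGP implementation): the CTR+HMAC suite the message favors, built encrypt-then-MAC in Go with the packet's algorithm octet supplied as associated data, so that a swapped suite identifier or a flipped ciphertext bit fails authentication before any plaintext is released. Function names, the suite octet value and the keys are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// xorCTR applies AES-CTR (its own inverse); nonce must be one 16-byte block.
func xorCTR(key, nonce, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, nonce).XORKeyStream(out, in)
	return out, nil
}

// tag is HMAC-SHA256 over len(aad) || aad || nonce || ct; the fixed-width length keeps the aad/ciphertext boundary unambiguous.
func tag(macKey, nonce, aad, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	binary.Write(m, binary.BigEndian, uint64(len(aad)))
	for _, p := range [][]byte{aad, nonce, ct} {
		m.Write(p)
	}
	return m.Sum(nil)
}

func sealCTRHMAC(encKey, macKey, nonce, aad, pt []byte) ([]byte, error) { // encrypt-then-MAC; aad carries the packet's algorithm octet(s)
	ct, err := xorCTR(encKey, nonce, pt)
	if err != nil {
		return nil, err
	}
	return append(ct, tag(macKey, nonce, aad, ct)...), nil
}

func openCTRHMAC(encKey, macKey, nonce, aad, sealed []byte) ([]byte, error) { // verify (constant time) before decrypting
	if len(sealed) < sha256.Size {
		return nil, errors.New("ciphertext too short")
	}
	ct, got := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	if !hmac.Equal(got, tag(macKey, nonce, aad, ct)) {
		return nil, errors.New("authentication failed")
	}
	return xorCTR(encKey, nonce, ct)
}
```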