Re: [openpgp] AEAD Chunk Size

Benjamin Kaduk <kaduk@mit.edu> Mon, 01 April 2019 16:10 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D07D31202CB for <openpgp@ietfa.amsl.com>; Mon, 1 Apr 2019 09:10:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XPz5LGxjLfdS for <openpgp@ietfa.amsl.com>; Mon, 1 Apr 2019 09:10:39 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE20A1202D3 for <openpgp@ietf.org>; Mon, 1 Apr 2019 09:10:38 -0700 (PDT)
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x31GANqt031972 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 1 Apr 2019 12:10:26 -0400
Date: Mon, 1 Apr 2019 11:10:23 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Neal H. Walfield" <neal@walfield.org>
Cc: Bart Butler <bartbutler@protonmail.com>, "openpgp@ietf.org" <openpgp@ietf.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, Justus Winter <justuswinter@gmail.com>, Jon Callas <joncallas@icloud.com>, Jon Callas <joncallas=40icloud.com@dmarc.ietf.org>
Message-ID: <20190401161023.GG84783@kduck.mit.edu>
References: <87mumh33nc.wl-neal@walfield.org> <878swzp4fb.fsf@europa.jade-hamburg.de> <E65F6E9D-8B0B-466D-936B-E8852F26E1FF@icloud.com> <87d0m9hl62.wl-neal@walfield.org> <FEE9711C-3C64-493C-8125-89696B882E0A@icloud.com> <2di2bK8m-7HtDeoUEH9oPqs-bL-IKSE0CjkgFShPMLOlUyeDBVkVGApdjnIpS6YRAeKU3ibGCZCtwLden-N6zK5W4fqIghRGDa5dU720nEs=@protonmail.com> <20190330150438.GS35679@kduck.mit.edu> <87k1gg12rl.wl-neal@walfield.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87k1gg12rl.wl-neal@walfield.org>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/yHzJq1CDPINGtxxliS5JRm1zlzo>
Subject: Re: [openpgp] AEAD Chunk Size
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2019 16:10:40 -0000

On Sat, Mar 30, 2019 at 10:16:46PM +0100, Neal H. Walfield wrote:
> Hi Ben,
> 
> Thanks for your note.
> 
> At Sat, 30 Mar 2019 10:04:38 -0500,
> Benjamin Kaduk wrote:
> > I also have a use case for authentication of large chunks of data at rest:
> > they allow me to use a cheap bulk storage service that provides
> > (best-effort) replication and archiving but has poor physical security.  So
> > I encrypt my data to myself and put it in storage, but when I get it  back
> > I need to know that it's valid.  I can imagine at least one case where
> > knowing exactly which chunk was corrupted would save effort; it may be a
> > toy example but perhaps it is illustrative of a broader case.  Note that
> > there are algorithms to compute pi to arbitrary precision, and even to
> > compute the Nth digit thereof without coputing the previous digits.  If I
> > need to have random-access inquiries into the value of pi, I could
> > precompute using softare I trust and do this self-encryption thing, and
> > when a chunk is bad I can recompute only that chunk and still trust that I
> > only ever use values generated by my trusted implementation.
> 
> Just to be clear: when you say "large chunks of data at rest," you're
> not arguing that large AEAD chunks are better, are you?  It seems to
> me that if you use small chunks, at least in your example, you have
> less work to do when you discover a corrupted chunk.

Thanks for spotting that; my "large chunks of data at rest" was meant to
just be large quantities of data (e.g., TB or more), with no relationship
to the chunk size used in the encryption thereof.

-Ben