Re: [openpgp] AEAD Chunk Size

Conrado P. L. Gouvêa <> Tue, 02 April 2019 13:12 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 63DA512011F for <>; Tue, 2 Apr 2019 06:12:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.02
X-Spam-Status: No, score=-1.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Rq2cs83VDb8t for <>; Tue, 2 Apr 2019 06:12:42 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::c36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DC48012011A for <>; Tue, 2 Apr 2019 06:12:41 -0700 (PDT)
Received: by with SMTP id l5so4560821ywa.0 for <>; Tue, 02 Apr 2019 06:12:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PWJJ8V34nuI+PuBZGN/qSgLlJI4FB4OzwnXSZjy4wlk=; b=JquBqZ/daBaXmJSHPm0rjHKOcG/ehT34rsNRw869v8PHCX97VULewj3vMrfiVhxqrW 7GDaD52rTUjUDPAz7+TySvJmLqIPuCGlU52UZ8evL9oxvMVmDlxb0VVmzESGznm71Kj8 ia3m1O3Q9ynd9f1ne2q4WNKNl+L1U2RIubCDgDcrps7GmMimXQd37OJK4Uojj5JqzM8W ygd7tMBuZkkvJwuPHtVyFK/UX7UoH6faMbkgdBltiky+1Yl2ge5a2LvGBzKJWLMO3eOq BvsKna0RN3N/M5vR9FmFJXwy26VSbosFysqfoOkbqCgJTcj/6mXUVJjsWWodpmIT/hQf NoDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PWJJ8V34nuI+PuBZGN/qSgLlJI4FB4OzwnXSZjy4wlk=; b=YKTFmGaSfjzjDmSrvcrhTFDUZJ/Cyf/jQPBYn8dWNBUV3nUpwow9cnGMX4btdJzhTh za/PgVOHCJVB1r3Svt7La3aaJtTz+HrKNfHo1KGlqa9OGisH98bh/bgxGcuuqO01CiDI vHfjdg+aN7Rsc+EkA/Lb2DkyBPUNQ4xmJBV7isR8xBBAu6DmR8hDjgJj6RyCH7fSWAoo C9ikPAOmSE9OM1TryrLaQ5y5Zx1aZfMYHrx2raGmYODHEzvB9lCnnvMXyxwRO+NuswBv F9FbCVKl9cumKbQb/5HXJtGsSAxieIXZ613UkhO5aEeJ56R+mXbhaIDrOSpe6u2STUlG dSSA==
X-Gm-Message-State: APjAAAXKuKC7P6RdAH+0bGlPCUPvThiErDBHctn7ENWyRFucDJveKfzi McUskdBAb3deLsacIctqJ3IOqZgqVwUmI/ZT3xg=
X-Google-Smtp-Source: APXvYqwoJzjjievLgPfeCgmcj0KbReBPSh14AoXmlv80dVHIIBfwxWypgS8OEx8l+YfrglQYDKJIt6y0R+9tCBJ3zuQ=
X-Received: by 2002:a0d:e403:: with SMTP id n3mr34002559ywe.408.1554210760922; Tue, 02 Apr 2019 06:12:40 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <>
In-Reply-To: <>
From: =?UTF-8?B?Q29ucmFkbyBQLiBMLiBHb3V2w6ph?= <>
Date: Tue, 2 Apr 2019 10:12:29 -0300
Message-ID: <>
To: Peter Gutmann <>
Cc: Jon Callas <>, "Neal H. Walfield" <>, "" <>, Justus Winter <>, Jon Callas <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [openpgp] AEAD Chunk Size
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Apr 2019 13:12:45 -0000

On Sat, Mar 30, 2019 at 11:59 PM Peter Gutmann
<> wrote:
> I'm not saying remove it, just get some data to support making a decision in
> some way.  In particular, AEAD is a good thing, but there's no evidence that
> chunking with AEAD, which complicates things greatly, is useful or necessary.

I know you're tired of hearing about it... but EFail.
Even if PGP used AEAD, but without chunks, EFail would probably still
happen. If the AEAD data is arbitrarly large, then implementations
would be forced to provide a streaming API that discloses
unauthenticated plaintext, and the same thing would happen.

Unfortunately I'm not aware of other examples, though I'm pretty sure
they must exist... But why should we wait for more of this issues to
happen before fixing the underlying cause, if we can fix it now? (And
"now" meaning many years hence, since the standard will take a while
to be adopted).

Adam Langley has a good post about it:
And many examples of cryptographers claiming releasing unauthenticated
plaintext is dangerous: