Werner Koch, <wk(_at_)isil(_dot_)d(_dot_)shuttle(_dot_)de>, writes:
hal(_at_)rain(_dot_)org writes:
Note also that the special CFB "sync" operation (after processing these 10
bytes) is not to be done with block ciphers whose block size is greater
than 8 bytes, hence is not done for Twofish.
Hmmm, section 5.7 states that encryption is done in PGP's special CFB
mode and there is no exception mentioned.
If I remember correct, we discussed this 128 bit block cipher issue
last year and changed the draft accordingly.
The relevant paragraph from section 5.7 is:
The data is encrypted in CFB mode, with a CFB shift size equal to the
cipher's block size. The Initial Vector (IV) is specified as all
zeros. Instead of using an IV, OpenPGP prefixes a 10-octet string to
the data before it is encrypted. The first eight octets are random,
and the 9th and 10th octets are copies of the 7th and 8th octets,
respectively. After encrypting the first 10 octets, the CFB state is
resynchronized if the cipher block size is 8 octets or less. The
last 8 octets of ciphertext are passed through the cipher and the
block boundary is reset.
It only resynchronizes the CFB state if the cipher block size is 8
octets or less. Twofish has a block size of 16 octets, hence the CFB
state does not get resynchronized.
Hal