From: Michael Young [mailto:mwy-opgp97(_at_)the-youngs(_dot_)org]
But if this is the scenario, then two facts complicate the attack:
M and M' must be formatted as OpenPGP packets; and,
you're right, this does complicate the attack - it means that in the simple
truncation attack (where the evil message ciphertext is just a truncation of
the innocuous message ciphertext) the decrypted literal packet data length
will be wrong.
Unless there's a way to get around that, the only attack I see, then,
requires the attacker to inject make-believe check bytes and OpenPGP packet
formatting, and thus will succeed with probability only 2^-16 cause the
check bytes will probably turn out wrong.
Trevor