Hi!
[I am only wearing my GnuPG maintainer's hat right now.]
On Fri, 27 Oct 2017 12:12, tse(_at_)ribose(_dot_)com said:
> Again, OCB is proposed to be a MAY algorithm, not a MUST or even a SHOULD —
> if someone doesn't like it, there is no need to prevent others from using it.
Well, I would like to implement OCB in GnuPG at least to be prepared for
the time after the patent(s) expiration. It will not be the default any
time soon.
I already remarked that I expect that it will take a couple of years
before gpg with _any_ AEAD mode will be widely enough deployed so that
an AEAD mode can actually be used. We have seen that it took many years
before we could enforce the MDC mode despite there being a key flag
announcing it. It is unfortunate that we need to implement EAX for the
very same reason that PGP5 had to use DSA/Elgamal instead of RSA. But
delaying an AEAD mode even further would be worse.
The patent situation is actually different between RSA+IDEA and OCB.
For the former the holders of the patent went aggressively against
everyone using them. For the latter the patent holder(s) gave explicit
royalty free grants for almost all use cases. And the patents will
expire in a few years - modulo the usual uncertainty with the patent
system.
Peter suggested to use encrypt-then-MAC to avoid all problems. This
would require an entirely different structure of the symmetric encryption
code and thus adds complexity for a theoretical benefit over the MDC
approach. We would still need to double process the data.
Having an option to allow switching the AEAD mode will be easier than
implementing both encrypt-then-MAC and one AEAD mode.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
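An added example, not part of Werner's mail or of GnuPG's code, illustrating the structural point made above: encrypt-then-MAC needs two separate passes over the data (a cipher pass and a MAC pass, with a separate MAC key and a verify-before-decrypt rule the caller must get right), whereas an AEAD mode is one primitive, one key and one call. Go's standard library has no OCB or EAX, so AES-GCM stands in for the AEAD mode; the OpenPGP AEAD packet format (chunking, additional data) is not modelled. The small preference-matching helper at the end mirrors the "option to switch the AEAD mode" idea: a mode is only usable once the recipient announces it, otherwise the sender falls back to the existing MDC path. All keys, nonces and mode names are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo keys and nonces, fixed only so the example is reproducible.
// Real code derives fresh, independent keys and never reuses a nonce.
var (
	encKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	macKey   = []byte("fedcba9876543210fedcba9876543210") // separate key for the MAC
	ctrIV    = []byte("unique-ctr-iv-16")                 // 16 bytes: one AES block
	gcmNonce = []byte("unique-nonce")                     // 12 bytes: GCM default size
)

// etmEncrypt is encrypt-then-MAC: pass 1 encrypts with AES-CTR, pass 2
// authenticates IV||ciphertext with HMAC-SHA256. The 32-byte tag is appended.
func etmEncrypt(encKey, macKey, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext) // pass 1: encrypt
	mac := hmac.New(sha256.New, macKey)
	mac.Write(iv)
	mac.Write(ct) // pass 2: authenticate
	return mac.Sum(ct), nil // Sum appends the tag to ct
}

// etmDecrypt must verify the tag over the whole ciphertext before decrypting
// a single byte; only then does the second pass (decryption) run.
func etmDecrypt(encKey, macKey, iv, data []byte) ([]byte, error) {
	if len(data) < sha256.Size {
		return nil, errors.New("etm: truncated message")
	}
	ct, tag := data[:len(data)-sha256.Size], data[len(data)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(iv)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time comparison
		return nil, errors.New("etm: authentication failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

// aeadSeal and aeadOpen: one key, one primitive, one call. AES-GCM stands in
// for OCB/EAX here because Go's standard library does not ship those modes.
func aeadSeal(key, nonce, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, aad), nil
}

func aeadOpen(key, nonce, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, data, aad) // tag check and decrypt in one step
}

// selectAEADMode picks the sender's most preferred mode that the recipient
// announces (hypothetical mode names). No match means: stay on the MDC path.
func selectAEADMode(ourPrefs, recipientAnnounces []string) (string, bool) {
	announced := map[string]bool{}
	for _, m := range recipientAnnounces {
		announced[m] = true
	}
	for _, m := range ourPrefs {
		if announced[m] {
			return m, true
		}
	}
	return "", false
}

func main() {
	msg := []byte("constructed plaintext")
	etm, _ := etmEncrypt(encKey, macKey, ctrIV, msg)
	sealed, _ := aeadSeal(encKey, gcmNonce, msg, []byte("aad"))
	fmt.Printf("EtM: %d bytes (two passes); AEAD: %d bytes (one call)\n", len(etm), len(sealed))
	mode, ok := selectAEADMode([]string{"OCB", "EAX"}, []string{"EAX"})
	fmt.Println("negotiated:", mode, ok)
}
```

Flipping any ciphertext byte makes both `etmDecrypt` and `aeadOpen` fail closed; the difference is where the burden sits: in the EtM path the caller owns key separation, MAC coverage and the verify-before-decrypt ordering, while the AEAD interface folds all of that into the primitive.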
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp