Tobias Mueller <muelli(_at_)cryptobitch(_dot_)de> writes:
[snip]
Note that there is *a single output* rather than multiple and that it
doesn't allow for releasing partial plaintexts or authenticated
prefixes.
Do you see that any chunking protocol on top of that which is allowed
for releasing plaintext early is not immediately covered by this
definition?
In my mind, each chunk is its own AEAD ciphertext. So the chunking is
happening *during* AEAD encryption, and not after encryption. I.e., the
chunking and AEAD encryption should be tied together such that the chunk
header is part of the AEAD protection and the chunk data is the AEAD
encrypted data.
This approach does, IMHO, map directly into the RFC definition.
-derek
--
Derek Atkins 617-623-3745
derek(_at_)ihtfp(_dot_)com www.ihtfp.com
Computer and Internet Security Consultant
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp