2022-05-17 13:20:46

Hi all,

At IETF-113 I took an action to start a thread on whether or
not we need additional key separation for all AEAD ciphers as
specified in draft-05 [1] or whether we ought omit that on
the basis that it's not needed for OCB mode and breaks
interop for deployed code (and ciphertexts) that implemented
the spec as it was before the WG got rechartered (that was
the pre-WG "draft-10" [2] with the confusing file-name).

The additional key separation is described in 5.14.2 [3]
where it says "The KDF mechanism provides key separation
between cipher and AEAD algorithms." The merge requests that
led to that (and a similar change in 5.5.3) are [2,3,4]
and the paper on which this is based is [5]. The basic
justification is for better safety in case a key is used
with a different AEAD mode from that intended.

The counter-argument is that such separation isn't needed
for OCB (it was added for GCM) and that OCB code has been
deployed with existing ciphertexts out there already so
this change breaks interop for no real benefit.

So we're looking for opinions as to whether we ought revert
these changes from -05 or not. If we can decide that in the
next week or so, that'd be timely.
