Beyond Curve25519

[Peter Gutmann]

"Robert J. Hansen" <rjh at sixdemonbag.org> writes:

>OpenPGP's CFB mode was basically a tweaked CFB64.  Now that most of the
>ciphers in OpenPGP support 128-bit blocks, what's the current mode? Still
>tweaked CFB64, or tweaked CFB128?  Or does it keep CFB64 for 64-bit ciphers,
>and CFB128 for 128-bit ciphers?

The "tweaked CFB" used in PGP doesn't follow any known standard, it could well 
be an implementation error that was codified in the spec (or at least it looks 
a lot like an implementation error, I can't imagine why you'd do things that 
way deliberately).  Having it fixed at some point if the spec is revised would 
be good, it'd be nice to be able to support a standard mode without having to 
add all sorts of ad-hoc handling for what PGP does.

(Phil Rogaway has offered to make OCB mode freely usable for TLS, if he would 
allow it for PGP as well that would kill two birds with one stone since we 
could get rid of the MDC hack as well).

Peter.