weird behavior of symmetrically encrypted file

David Shaw dshaw at jabberwocky.com
Tue Jan 19 23:18:55 CET 2010


On Jan 18, 2010, at 1:35 PM, Daniel Kahn Gillmor wrote:

> so basically, what i'm saying is that the speedup is that you get to
> throw away (2^16-1) of every 2^16 possible passphrases, but you still
> need to do a significant amount of work to figure out if you can throw
> them away.

Exactly.  The big speedup you get by using the quick check is that you don't discover that the key you have is wrong after you've gone and decrypted gigabytes of garbage.  It does not improve your s2k performance at all, since as you point out, that would render the s2k count sort of meaningless.

Incidentally, a few years ago there was an interesting attack against OpenPGP that used the quick check bytes as an oracle.  See http://eprint.iacr.org/2005/033 for the paper.  This is why the quick check isn't done for public key encryption (only conventional passphrase encryption).

David
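As an added illustration (not from the thread, and not GnuPG's code), the Python sketch below shows what the "quick check" bytes are and why they only filter out wrong keys after the S2K work has already been spent. The block cipher is replaced by a keyed SHA-256 stand-in (an assumption made for this example; CFB mode only needs the forward cipher direction, so the structure is the same as with AES), the S2K is a simplified iterated+salted form in the spirit of RFC 4880, and the passphrase, salt, count and message are constructed sample values. All function names are hypothetical.

```python
import hashlib
import os
import random

BLOCK = 16  # block size, in bytes, of the stand-in block cipher


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Forward direction of a stand-in block cipher.

    CFB mode only ever uses the forward direction, so a keyed SHA-256 is
    enough to show the mechanics. It is NOT a real cipher (assumption made
    for this example; a real implementation uses AES or similar).
    """
    return hashlib.sha256(key + block).digest()[:BLOCK]


def s2k_iterated_salted(passphrase: bytes, salt: bytes, octet_count: int) -> bytes:
    """Simplified iterated+salted S2K (in the spirit of RFC 4880 3.7.1.3).

    salt||passphrase is fed into the hash repeatedly until octet_count bytes
    have been hashed, so the work spent per candidate passphrase grows with
    octet_count. This, not the quick check, is where the per-guess cost is.
    """
    h = hashlib.sha256()
    chunk = salt + passphrase
    fed = 0
    while fed < octet_count:
        h.update(chunk)
        fed += len(chunk)
    return h.digest()  # 32-byte session key


def cfb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """CFB encryption with a zero IV and no resync step (as in SEIPD packets)."""
    out = bytearray()
    prev = bytes(BLOCK)
    for i in range(0, len(plaintext), BLOCK):
        keystream = block_encrypt(key, prev)
        block = plaintext[i:i + BLOCK]
        c = bytes(p ^ k for p, k in zip(block, keystream))
        out += c
        prev = c  # only a full block is ever fed back; a short tail ends the loop
    return bytes(out)


def cfb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """CFB decryption; it too uses only the forward cipher direction."""
    out = bytearray()
    prev = bytes(BLOCK)
    for i in range(0, len(ciphertext), BLOCK):
        keystream = block_encrypt(key, prev)
        c = ciphertext[i:i + BLOCK]
        out += bytes(x ^ k for x, k in zip(c, keystream))
        prev = c
    return bytes(out)


def encrypt_symmetric(passphrase: bytes, plaintext: bytes, salt: bytes,
                      octet_count: int, prefix_random: bytes = None) -> bytes:
    """Passphrase encryption with the OpenPGP-style quick-check prefix:
    BLOCK random bytes followed by a repeat of their last two bytes."""
    r = prefix_random if prefix_random is not None else os.urandom(BLOCK)
    key = s2k_iterated_salted(passphrase, salt, octet_count)
    return cfb_encrypt(key, r + r[-2:] + plaintext)


def quick_check(key: bytes, ciphertext: bytes) -> bool:
    """The quick check: decrypt only the BLOCK+2 prefix bytes (two keystream
    blocks) and test whether bytes BLOCK-2..BLOCK-1 repeat at BLOCK..BLOCK+1.
    A wrong key passes with probability about 2^-16, so 65535 of every 65536
    wrong keys are rejected without touching the message body."""
    head = cfb_decrypt(key, ciphertext[:BLOCK + 2])
    return head[BLOCK - 2:BLOCK] == head[BLOCK:BLOCK + 2]


def decrypt_symmetric(passphrase: bytes, ciphertext: bytes, salt: bytes,
                      octet_count: int):
    """Full decryption. The S2K work is spent first; the quick check then
    lets us stop before decrypting the whole body with a wrong key.
    Returns None when the check fails."""
    key = s2k_iterated_salted(passphrase, salt, octet_count)
    if not quick_check(key, ciphertext):
        return None
    return cfb_decrypt(key, ciphertext)[BLOCK + 2:]


def quick_check_false_positive_rate(ciphertext: bytes, trials: int, seed: int = 0) -> float:
    """Estimate how often a random (wrong) session key passes the quick check.
    Keys are drawn directly, skipping S2K, since the rate depends only on the
    two check bytes. Expect roughly 1/65536."""
    rng = random.Random(seed)
    passes = 0
    for _ in range(trials):
        key = rng.getrandbits(256).to_bytes(32, "big")
        passes += quick_check(key, ciphertext)
    return passes / trials


# Constructed sample values for the demonstration (not from the thread).
SALT = bytes.fromhex("0011223344556677")
PASSPHRASE = b"correct horse battery staple"
OCTET_COUNT = 65536  # real S2K counts are encoded in a single coded byte
MESSAGE = b"Constructed sample plaintext for the quick-check demonstration."

if __name__ == "__main__":
    ct = encrypt_symmetric(PASSPHRASE, MESSAGE, SALT, OCTET_COUNT)
    print(decrypt_symmetric(PASSPHRASE, ct, SALT, OCTET_COUNT) == MESSAGE)  # True
    print(decrypt_symmetric(b"not the passphrase", ct, SALT, OCTET_COUNT))  # None (almost always)
    print(quick_check_false_positive_rate(ct, 20000))  # about 1.5e-5
```

The point the sketch makes concrete: `quick_check` costs two cipher calls, while `s2k_iterated_salted` hashes `octet_count` bytes, and every candidate passphrase has to go through the S2K before the check can be applied. The check saves the cost of decrypting (and, in the gigabyte case, storing) a wrong plaintext; it does nothing to the S2K cost, which is exactly what the S2K count is there to set. Because the two check bytes answer a yes/no question about a decryption, they also form the oracle the 2005 paper exploits, which is why the check is confined to passphrase-encrypted data.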