AES-GCM and AEAD Protected Data Packet (IETF draft)

Werner Koch wk at
Thu Mar 24 10:51:08 CET 2016

On Wed, 23 Mar 2016 17:04, mail at said:

> Could you kindly point me to the discussion on the WG list? I’m new to
> the IETF world. Thanks.

They now have a strange mail archive but here is my last message
regarding this topic (also copied below):


BTW, there will be a WG session at IETF-95 on April 6, 11:00 - 12:30.
You may participate remotely:


> I have no objections against supporting multiple authenticated modes,
> including OCB. Like I said, the reason I would advocate for GCM is

That is not going to work.  I am pretty sure that there is already a
rough consensus in the WG that we will add only one new encryption
format which will eventually replace the MDC format.  The current
discussion is around the idea to detect a corrupt large message early and
not only after the full message has been processed.

> channel attacks. WebCrypto is now widely supported [2] and browsers
> also offer hardware acceleration for GCM [3].

GCM has only been developed to avoid the OCB patent which in fact is
irrelevant these days.  And frankly it will take at least 5 years before
a new AE mode in OpenPGP will be widely deployed - by then the patent
will have expired.

OCB is way easier than GCM and thus also easier to implement in JS



From: Werner Koch <wk at>
Subject: Re: [openpgp] OpenPGP SEIP downgrade attack

On Thu,  8 Oct 2015 16:59, pgut001 at said:

> (It's also not clear whether someone encrypting a 10k email message with PGP
> is going to notice it being processed at 100MB/s or 150MB/s).

I heard of backups somewhat larger than that.  For mail it is anyway not a
problem - you sign and encrypt and you are done.  Not even a need for an

> (I actually really like OCB and don't like GCM much, but the patent situation
> makes it pretty problematic).

Well, for the majority of use cases there is a gratis license grant
from Phil Rogaway for his patents.
Further draft-zauner-tls-aes-ocb-03.txt states:

   6.  Intellectual Property Rights Issues

   Historically OCB Mode has seen difficulty with deployment and
   standardization because of pending patents and intellectual rights
   claims on OCB itself.  In preparation of this document all interested
   parties have declared they will issue IPR statements exempting use of
   OCB Mode in TLS from these claims.  Specifically - OCB Mode as
   described in this document for use in TLS - is based, and strongly
   influenced, by earlier work from Charanjit Jutla on [IAPM].

At IETF-93 this case was mentioned and it was suggested to ask for a
similar license exception [1,2] if we consider using OCB for OpenPGP.




Thoughts are free.  Exceptions are regulated by a federal law.
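The WG discussion Werner refers to above, detecting a corrupt large message early instead of only after the whole message has been processed, is the motivation for chunked AEAD. The following is an added example, not code from Werner, GnuPG or the OpenPGP drafts, showing the idea with AES-GCM from the Go standard library: the plaintext is cut into fixed-size chunks, each chunk gets its own nonce and tag, and the chunk index plus a final-chunk flag are bound as associated data so that a modified, reordered, dropped or truncated chunk fails at that chunk. The chunk size (16 bytes), the 4-byte nonce prefix plus 8-byte index nonce layout and the 9-byte associated-data layout are assumptions chosen for the illustration and are not the OpenPGP packet format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// chunkSize is the plaintext length of one independently authenticated chunk.
// Deliberately tiny for the illustration; a real format would use a much larger size.
const chunkSize = 16

// errTampered is returned by openChunked as soon as a chunk fails to verify.
var errTampered = errors.New("chunk authentication failed")

// chunkNonce builds the 12-byte GCM nonce from a per-message prefix and the
// chunk index, so no (key, nonce) pair repeats within one message.
// Layout (prefix || big-endian index) is an assumption of this example.
func chunkNonce(prefix [4]byte, idx uint64) []byte {
	n := make([]byte, 12)
	copy(n[:4], prefix[:])
	binary.BigEndian.PutUint64(n[4:], idx)
	return n
}

// chunkAD is the associated data: big-endian chunk index plus a final-chunk
// flag byte. Binding these makes reordering, dropping and truncation detectable.
func chunkAD(idx uint64, final bool) []byte {
	ad := make([]byte, 9)
	binary.BigEndian.PutUint64(ad, idx)
	if final {
		ad[8] = 1
	}
	return ad
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealChunked splits msg into chunkSize pieces and seals each one with its
// own tag; the last piece (possibly short or empty) carries the final flag.
func sealChunked(key []byte, prefix [4]byte, msg []byte) ([][]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	var chunks [][]byte
	for idx := uint64(0); ; idx++ {
		start := int(idx) * chunkSize
		end := start + chunkSize
		final := end >= len(msg)
		if final {
			end = len(msg)
		}
		ct := aead.Seal(nil, chunkNonce(prefix, idx), msg[start:end], chunkAD(idx, final))
		chunks = append(chunks, ct)
		if final {
			break
		}
	}
	return chunks, nil
}

// openChunked verifies and decrypts chunks in order and stops at the first
// failure, returning the plaintext recovered so far and the number of chunks
// that verified. The receiver treats the last chunk it holds as final, so a
// stream cut short fails at that chunk instead of being accepted.
func openChunked(key []byte, prefix [4]byte, chunks [][]byte) ([]byte, int, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, 0, err
	}
	var plain []byte
	for idx, ct := range chunks {
		final := idx == len(chunks)-1
		pt, err := aead.Open(nil, chunkNonce(prefix, uint64(idx)), ct, chunkAD(uint64(idx), final))
		if err != nil {
			return plain, idx, fmt.Errorf("chunk %d: %w", idx, errTampered)
		}
		plain = append(plain, pt...)
	}
	return plain, len(chunks), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)    // constructed demo key, not a real secret
	prefix := [4]byte{1, 2, 3, 4}            // constructed per-message nonce prefix
	msg := bytes.Repeat([]byte("abcd"), 11)  // 44 bytes of constructed plaintext: 3 chunks
	chunks, _ := sealChunked(key, prefix, msg)
	// Flip one bit in the second chunk: the failure is reported at chunk 1,
	// before chunk 2 is even looked at.
	chunks[1][0] ^= 0x80
	_, verified, err := openChunked(key, prefix, chunks)
	fmt.Printf("chunks=%d verified=%d err=%v\n", len(chunks), verified, err)
}
```

The point of the per-chunk tag is the early stop in openChunked: a multi-gigabyte backup with a flipped byte near the start fails after one chunk rather than after the whole file has been decrypted, and because the index and final flag are authenticated, an attacker cannot silently shorten or reorder the stream either. The one thing the receiver must still do is refuse to release plaintext from a chunk before its tag has verified, which is why the function returns only the plaintext of verified chunks.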
