Should one really disable AEAD for recent GnuPG created PGP keys?

Bruce Walzer
Mon Mar 4 21:53:26 CET 2024

On Mon, Mar 04, 2024 at 12:03:41PM +0100, Tobias Leupold via Gnupg-users wrote:
> After some research, I found
> ,
> describing this exact issue.

That would be the cipher block mode proliferation issue.

> As a possible fix, disabling the unsupported AEAD 
> mechanism in the key itself was mentioned, the Arch folks write:

Thank you for this. Up to now I did not know how to do this for GnuPG.

> They also claim that "many downstreams attempt to remove this new default by 
> patching the GnuPG sources".

I don't know if this is true, but I would not be surprised. It turns
out that the current existing cipher block mode (OCFB-MDC, SEIP) is
cryptographically secure, even though there are a lot of misleading
legends that insist that it is not. So as a user, I have no incentive
to use another block mode unless I want higher encryption performance
or different error handling. Few users actually want or need those
features. All users want interoperability. That, after all, is why the
OpenPGP standard exists. People with special needs normally use
dedicated encryption utilities with no interoperability with anything.

> I'm not that deep into cryptography. I'm not sure I completely grasp what AEAD 
> and OCB mean.

Just different terms for the same new and incompatible cipher block
mode for the purposes of this discussion.

> So: Is it wise and/or necessary to disable that for new GnuPG generated keys, 
> for the sake of interoperability?

Ah... That question leads to an awkward discussion these days. There
was an IETF standards process that led to the OCB mode now supported by
GnuPG and others. GnuPG (and others) implemented it before the new
standard was officially released (there seemed to be consensus). That
standards process then dropped the GnuPG OCB mode and created 3 new
modes. So currently, there are the two modes that the OpenPGP standard
specifies and four proposed modes for a total of 6 modes,
each completely incompatible with any other mode. So there is a
potential for an interoperability disaster here.

> Or will the others catch up and implement it?

Which mode(s) should they implement? There are at least two
factions. It seems unlikely that any faction will implement the other
faction's modes.

> Or is there a good reason not to do so?

At this point I personally believe that everyone should step back from
this potential war and stop generating new modes by default. As a user
I can happily wait until an actual consensus is reached. Heck, I can
happily wait past that. There is no hurry here.

The big usability problem now is that the implementations are not
making all this clear. GnuPG for instance doesn't even have an entry
in the FAQ about this problem. Most users will not be able to overcome
this sort of issue and will have to just give up.

Anyway, I wrote a whole rant about this:


I have added your Openkeychain references to my list of problems
caused by new OpenPGP cipher block modes. Thanks.
