---
middle.mkd | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
template.xml | 11 ++++++++
2 files changed, 97 insertions(+)

diff --git a/middle.mkd b/middle.mkd
index c2447d5..b240a5e 100644
--- a/middle.mkd
+++ b/middle.mkd
@@ -2550,6 +2550,78 @@ packet length. The reason for this is that the hashing rules for
modification detection include a one-octet tag and one-octet length in
the data hash. While this is a bit restrictive, it reduces complexity.

+## {5.14} AEAD Encrypted Data Packet (Tag 18)
+
+This packet contains data encrypted with an authenticated encryption and
+additional data (AEAD) construction. When it has been decrypted, it
+will typically contain other packets (often a Literal Data packet or
+Compressed Data packet).
+
+The body of this packet consists of:
+
+ * A one-octet version number. The only currently defined value
+ is 1.
+
+ * A one-octet cipher algorithm.
+
+ * A one-octet AEAD algorithm.
+
+ * A one-octet chunk size.
+
+ * A starting initialization vector of size specified by the AEAD
+ algorithm. This value MUST be unique and it MUST be unpredictable.
+
+ * Encrypted data, the output of the selected symmetric-key cipher
+ operating in the given AEAD mode.
+
+ * A final, summary authentication tag for the AEAD mode.
+
+An AEAD encrypted data packet consists of one or more chunks of data.
+The plaintext of each chunk is of a size specified using the chunk size
+octet using the method specified below.
+
+The encrypted data consists of the encryption of each chunk of
+plaintext, followed immediately by the relevant authentication tag. If
+the last chunk of plaintext is smaller than the chunk size, the
+ciphertext for that data may be shorter; it is nevertheless followed by
+a full authentication tag.
+
+For each chunk, the AEAD construction is given the packet header,
+version number, cipher algorithm octet, AEAD algorithm octet, chunk size
+octet, and an eight-octet, big-endian chunk index as additional
+data. The index of the first chunk is zero.
+
+After the final chunk, the AEAD algorithm is used to produce a final
+authentication tag encrypting the empty string. This AEAD instance is
+given the additional data specified above, plus an eight-octet,
+big-endian values specifying the total number of plaintext octets
+encrypted. This allows detection of a truncated ciphertext.
+
+The chunk size octet specifies the size of chunks using the following
+formula (in C), where c is the chunk size octet:
+
+ chunk_size = ((uint64_t)1 << (c + 6))
+
+An implementation MUST support chunk size octets with values from 0
+to 10. An implementation MAY support other chunk sizes. Chunk size
+octets with values larger than 127 are reserved for future extensions.
+
+A new random initialization vector MUST be used for each message.
+
+### {5.14.1} EAX Mode
+
+The only currently defined AEAD algorithm is EAX Mode
+[](#EAX). This algorithm can only use block ciphers with 16-octet
+blocks. The starting initialization vector and authentication tag are
+both 16 octets long.
+
+The nonce for EAX mode is computed by treating the starting
+initialization vector as a 16-octet, big-endian value and
+exclusive-oring the low eight octets of it with the chunk index.
+
+The security of EAX requires that the nonce is never reused, hence the
+requirement that the starting initialization vector be unique.
+
# {6} Radix-64 Conversions

As stated in the introduction, OpenPGP's underlying native
@@ -3087,6 +3159,16 @@ require the use of SHA-1 with the exception of computing version 4 key
fingerprints and for purposes of the MDC packet. Implementations
SHOULD NOT use MD5 or RIPE-MD/160.

+## {9.5} AEAD Algorithms
+
+ ID Algorithm
+ -------- ---------
+ 1 EAX [](#EAX)
+ 100--110 Private/Experimental algorithm
+
+Implementations MUST implement EAX. Implementations MAY implement
+other algorithms.
+
# {10} IANA Considerations

OpenPGP is highly parameterized, and consequently there are a number
@@ -4485,6 +4567,10 @@ SHOULD be rejected.
- Although technically possible, the EdDSA algorithm MUST NOT be
used with a digest algorithms weaker than SHA2-256.

+ - Implementations should consider limiting chunk sizes for AEAD
+ algorithms to avoid denial-of-service attacks when decrypting
+ messages.
+

OpenPGP was designed with security in mind, with many smart,
intelligent people spending a lot of time thinking about the
diff --git a/template.xml b/template.xml
index 68651ba..85782ce 100644
--- a/template.xml
+++ b/template.xml
@@ -91,6 +91,17 @@
<date></date>
</front>
</reference>
+
+ <reference anchor='EAX'>
+ <front>
+ <title>A Conventional Authenticated-Encryption Mode</title>
+ <author surname="Bellare" initials="M." />
+ <author surname="Rogaway" initials="P." />
+ <author surname="Wagner" initials="D." />
+ <date year="2003" month="April" />
+ </front>
+ </reference>
+
<reference anchor='ELGAMAL'>
<front>
<title>A Public-Key Cryptosystem and a

Were there opinions on this proposal? Do people like it, dislike it,
not care, etc? I'm happy to try to revise or let the editors do that,
but it would be useful to get some feedback on it at all, even if it's
that people hate it and want something else.

I've updated my proposal and will be sending out a series of three
patches shortly. As Werner suggested, I've moved the IV requirements to
the mode specification and I've expanded the possible values of the
cipher type octet.

New in this proposal are patches for proposed text for a v5 SKESK packet
with AEAD and a secret key packet with AEAD. These packets use a fixed
value of 10 for the chunk size octet (a chunk of 65536 bytes), which
essentially means that the entire encrypted data will be in one chunk,
even if we adopt post-quantum algorithms in the future. This simplifies
implementation with a unified code path.

I welcome comments on this proposal with the goal of trying to get
consensus.