Rfc4880bis Alternatives

rfc4880bis reviews and mentions

• NIST Retires SHA-1 Cryptographic Algorithm
  3 projects | news.ycombinator.com | 15 Dec 2022

  > The thing is, there doesn't seem to be any security weaknesses with the existing AE method. I have looked hard.

  Even if nobody found any concrete security issues, there might be compliance reasons not to use SHA-1, as indicated by the OP. It's easier to switch to something new than to endlessly explain to auditors that actually in this particular case the use of SHA-1 is probably fine. Also note that there's no security proof for the MDC, making it harder to convince such auditors.

  > There also doesn't seem to be any need for the AD (associated data) part.

  I personally disagree: https://gitlab.com/openpgp-wg/rfc4880bis/-/issues/145. The linked paper explains why having AD would be useful. But I'll grant you that the crypto refresh doesn't make significant use of it yet, so it can't really be counted as an advantage for AEAD yet.

  > OCB seems to be the fastest out of all of them. If the proposal was just to add on OCB as an enhanced performance mode then I might be OK with that. Why make the people encrypting multi-TB files wait? I am mostly grumpy with the idea that we have to drop an existing well established standard for stuff like messaging and less extreme file sizes.

  I'm not sure I understand what the concrete difference would be between what you're proposing and what the crypto refresh does? It introduces a new mode and encourages its use, but doesn't disallow the use of the current mode. Also, once OCB is widely deployed, why would you want to use CFB instead of OCB?