Hi Ilari,
Thanks for your review. I am focusing on the most important aspect here first.
> [Hannes] We are adding another layer to allow for additional use cases.
> The use case is to encrypt a payload once for different recipients.
With HPKE, one could do that with two-layer structure (and even mix it with
other modes):
- Layer 0: Message
  - Layer 1: HPKE (CEK for recipient1)
  - Layer 1: HPKE (CEK for recipient2)
  - Layer 1: AES-KW (CEK)
    - Layer 2: ECDH-ES (KEK for recipient3)
  - Layer 1: AES-KW (CEK for recipient4)
That encrypts the message only once, for four recipients:
- recipient1 and recipient2 use HPKE (asymmetric).
- recipient3 uses ECDH-ES (asymmetric).
- recipient4 uses AES (symmetric).
[Hannes] I think you are suggesting to do this:
96(
  [
    // protected field with alg=AES-GCM-128
    h'A10101',
    { // unprotected field with iv
      5: h'26682306D4FB28CA01B43B80'
    },
    // null because of detached ciphertext
    null,
    [ // COSE_recipient_outer
      / protected / h'a1013818' / {
        \ hpke-alg \ 1:16 \ HPKE/P-256+HKDF-256 \
        hpke-aead-id: 1 // AES-128-GCM
      } / ,
      / unprotected / {
        // HPKE encapsulated key
        / ephemeral / -1:{
          / kty / 1:2,
          / crv / -1:1,
          / x / -2:h'98f50a4ff6c05861c8...90bbf91d6280',
          / y / -3:true
        },
        // kid for recipient static ECDH public key
        / kid / 4:'[email protected]'
      },
      // Encrypted CEK
      h'FA55A50CF110908DA6443149F2C2062011A7D8333A72721A'
    ]
  ]
)
Instead of this:
96(
  [
    // protected field with alg=AES-GCM-128
    h'A10101',
    { // unprotected field with iv
      5: h'26682306D4FB28CA01B43B80'
    },
    // null because of detached ciphertext
    null,
    [ // COSE_recipient_outer
      h'', // empty protected field
      { // unprotected field with ...
        1: 1 // alg=A128GCM
      },
      // Encrypted CEK
      h'FA55A50CF110908DA6443149F2C2062011A7D8333A72721A',
      / recipients / [ // COSE_recipient_inner
        [
          / protected / h'a1013818' / {
            \ hpke-alg \ 1:16 \ HPKE/P-256+HKDF-256 \
          } / ,
          / unprotected / {
            // HPKE encapsulated key
            / ephemeral / -1:{
              / kty / 1:2,
              / crv / -1:1,
              / x / -2:h'98f50a4ff6c05861c8...90bbf91d6280',
              / y / -3:true
            },
            // kid for recipient static ECDH public key
            / kid / 4:'[email protected]'
          },
          // empty ciphertext
          / ciphertext / h''
        ]
      ]
    ]
  ]
)
I constructed the variant in the draft based on my understanding of how the
COSE author wants to use layering. If we can use a more optimized version, I am
all for it.
Ciao
Hannes
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
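
Added example, not part of the mail above or of the draft: a minimal CBOR encoder that serializes both layouts from the message and measures what the extra recipient layer costs on the wire. The 32-byte x coordinate and the kid are constructed placeholders (the mail elides both), and the recipients are wrapped in an array as RFC 9052 defines COSE_Encrypt, which is an assumption beyond what the mail shows.

```python
import struct

def head(major, n):
    """CBOR initial byte(s): major type plus unsigned argument n."""
    if n < 24:
        return bytes([major << 5 | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | ai]) + struct.pack(fmt, n)
    raise ValueError("argument too large")

def enc(o):
    """Encode the CBOR subset these structures need."""
    if o is None or isinstance(o, bool):
        return {None: b"\xf6", True: b"\xf5", False: b"\xf4"}[o]
    if isinstance(o, int):
        return head(0, o) if o >= 0 else head(1, -1 - o)
    if isinstance(o, bytes):
        return head(2, len(o)) + o
    if isinstance(o, list):
        return head(4, len(o)) + b"".join(map(enc, o))
    if isinstance(o, dict):
        return head(5, len(o)) + b"".join(enc(k) + enc(v) for k, v in o.items())
    raise TypeError(type(o))

# Byte strings copied from the mail.
BODY = [bytes.fromhex("A10101"), {5: bytes.fromhex("26682306D4FB28CA01B43B80")}, None]
HPKE_PROT = bytes.fromhex("a1013818")
ENC_CEK = bytes.fromhex("FA55A50CF110908DA6443149F2C2062011A7D8333A72721A")
# Constructed placeholders: the mail elides the x coordinate and the kid.
EPK = {1: 2, -1: 1, -2: bytes(32), -3: True}
HPKE_UNPROT = {-1: EPK, 4: b"recipient-kid"}

def cose_encrypt(recipient):
    # Assumption: recipients sit in an array, as RFC 9052 defines COSE_Encrypt.
    return head(6, 96) + enc(BODY + [[recipient]])

def two_layer():
    """The HPKE recipient carries the encrypted CEK directly."""
    return cose_encrypt([HPKE_PROT, HPKE_UNPROT, ENC_CEK])

def three_layer():
    """A128GCM recipient holds the CEK; nested HPKE recipient has empty ciphertext."""
    inner = [HPKE_PROT, HPKE_UNPROT, b""]
    return cose_encrypt([b"", {1: 1}, ENC_CEK, [inner]])

if __name__ == "__main__":
    a, b = two_layer(), three_layer()
    print(len(a), len(b), len(b) - len(a))
```

The difference is independent of the placeholder lengths, because both layouts carry the same HPKE headers and the same encrypted CEK.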