Hiya,
(Mostly triggered by the word "infamous":-) I wondered... On 24/06/2022 19:32, Ilari Liusvaara wrote:
And then one thing to beware when signing/MACing HPKE ciphertexts is that none of the HPKE encryption algorithms are committing (GCM and Poly1305 are infamous for being non-committing). Which means that HPKE ciphertexts may decrypt with multiple keys to different plaintexts.
To what extent is that a practical issue/vuln or one that's really only so far theoretic? Ta, S.
OpenPGP_0x5AB2FAF17B172BEA.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
