On Thu, Nov 10, 2022 at 12:39:38PM +0000, Laurence Lundblade wrote:
> Hi Ilari,
>
> If you look at Appendix Example C.3.1 in RFC 9052
> <https://www.rfc-editor.org/rfc/rfc9052.html#name-direct-ecdh>
> (and pasted below) you can see what I’m talking about when I say
> that the AEAD algorithm is identified in the body header parameter
> and that it is separate from the recipient algorithm ID. In this
> example, there are two algorithm IDs, one in the body for AES-GCM
> 128 and one in the COSE_Recipient for ECDH-ES + HKDF-256.

I see only one layer of encryption in the example, and since HPKE
combines key derivation and one layer of encryption, that would
translate into a one-layer structure with HPKE. In HPKE, that would
translate into a single structure with alg=HPKE, aead=1 and kdf=1.

> I believe this is really useful when you want to bulk encrypt the
> payload (which might be large) once for multiple recipients. With
> multiple recipients the key agreement algorithm could be different
> for each recipient even though the bulk algorithm is the same.
> Perhaps two are HPKE and two are Key Wrap from 6.2
> <https://www.rfc-editor.org/rfc/rfc9053.html#name-key-wrap>?

Direct ECDH is not for encrypting to multiple recipients. For multiple
recipients, you want intermediate key wrap. In two-layer HPKE, this
gets folded into HPKE, and the top level (bulk) encryption will be
left alone.

> Might be good to have one PQ and one non-PQ too.

That is up to HPKE itself.

> Note that to actually do this we have to define an HPKE variant where
> what is output from Encap() is used with key wrap similar to section
> 6.4 in RFC 9053
> <https://www.rfc-editor.org/rfc/rfc9053.html#name-key-agreement-with-key-wrap>.

HPKE does not allow that. If one wanted a three-layer structure that
worked like the present multi-recipient ECDH, one would have to use
the HPKE key exporter with export-only AEAD (identifier 0xFFFF). And this
also wastes bytes on the wire...

> I also believe having two algorithm IDs like this makes more sense
> because the bulk AEAD ID for the body payload is associated with the
> body header parameters and this makes the processing of the body more
> straightforward.

If you have HPKE code available, the alg/aead split in PR9/10 is
actually more straightforward, as examining the alg tells you the
thing is passed to HPKE, and then aead is passed to that code as-is.
HPKE can then do one layer of key wrapping or encryption for you.

-Ilari

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
