HPKE integrates into COSE in two ways: 1) As a COSE_Recipient where it encrypts the CEK — two-layer mode 2) As the content encryption “algorithm” — one-layer mode
A more detailed description is here <https://mailarchive.ietf.org/arch/msg/cose/8Ga_-k_whir8Z4lzdpmPG6KDav4/>. draft-ietf-cose-aes-ctr-and-cbc works it for two-layer mode, but not for one-layer mode. To use non-AEAD for one-layer mode, it seems like HPKE will have to be modified. There will have to be a definition of algorithm IDs for non-AEAD algorithms in the HPKE algorithm ID space and such. Personally, I think it’s fine that HPKE firmware encryption always use the two-layer mode with a single COSE_Recipient, but note that it is more bytes on the wire. I also like HPKE in two-layer mode because it lines up better with the COSE system architecture. In my COSE implementation, HPKE in one-layer mode is going to end up a special case (more code) compared to two-layer mode. But the main point, is that draft-ietf-cose-aes-ctr-and-cbc doesn’t support non-AEAD in one-layer COSE+HPKE. LL
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
