On Wed, Jan 18, 2023 at 11:15:10AM -0700, Laurence Lundblade wrote: > HPKE integrates into COSE in two ways: > 1) As a COSE_Recipient where it encrypts the CEK — two-layer mode > 2) As the content encryption “algorithm” — one-layer mode > > A more detailed description is here > <https://mailarchive.ietf.org/arch/msg/cose/8Ga_-k_whir8Z4lzdpmPG6KDav4/>. > > draft-ietf-cose-aes-ctr-and-cbc works it for two-layer mode, but not > for one-layer mode. > > To use non-AEAD for one-layer mode, it seems like HPKE will have to > be modified. There will have to be a definition of algorithm IDs for > non-AEAD algorithms in the HPKE algorithm ID space and such.
I do not think such modifications are acceptable. One technically could use HPKE in exporter-only to derive an encryption key and then use that. Another way would be to use split tag with detached data to push the limits with true AEAD algorithms, which would require a new header parameter, and pretty horrible layering violations in the code. But at least there is nothing cryptographically bad about it. -Ilari _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
