> On Apr 18, 2023, at 6:45 AM, AJITOMI Daisuke <[email protected]> wrote:
>
> Hi folks,
>
> I would like to address the following issue created by Hannes:
> https://github.com/cose-wg/HPKE/issues/25
>
> Previously, I made a post as follows:
>
> At the very least, until now, I believed that the info value for HPKE should
> be an empty string. The reason is that the HPKE interface used in COSE is
> essentially the Single-shot API, and a single HPKE encryption context is not
> used across multiple encryption/decryption processes. In other words, aad
> alone is sufficient. As I mentioned before, RFC9180 Section 8.1 also says
> "Implementations which only expose single-shot APIs should not allow
> applications to use both Setup info and Context aad or exporter_context
> auxiliary information parameters". I will also give it some more
> consideration though.
>
> Whether it is a Single-shot API or not is not important. What is important
> is that in COSE-HPKE, there is always only one encryption/decryption process
> performed on a single encryption context.
> This fact does not change whether or not the Single-Shot API is used.
> Therefore, there is absolutely no benefit in using both "info" and "aad"
> simultaneously. Using both does not improve security, so it's sufficient to
> use just one of them. That's why I argued that "info" should be an empty
> string, but honestly, I'm not very confident that this argument is correct. I
> would like to hear the opinions of Ilari, Laurence and others as well.

As much as I’d like less complexity (and a simpler t_cose API), I think you are right about this, Ajitomi.

I think it should be based on the Context Information Structure in RFC 9053 <https://www.rfc-editor.org/rfc/rfc9053.html#name-context-information-structu>. That will result in common code, designs and APIs for all the COSE key agreement methods that use an HKDF.

(I also think there would be a lot of benefit if Context Info Structure were explained a lot better, there were realistic examples, there were descriptions of the threats it mitigates and the consequences of not filling in one of the data items in a meaningful way. For people used to CMS, this is a big new thing.)

LL

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
