On Mar 22, 2024, at 6:44 AM, AJITOMI Daisuke <[email protected]> wrote:
Unfortunately, currently no algorithm that takes a key (as opposed to giving a key) can protect the algorithm at next layer. Ilari is talking about algorithms like AES Key Wrap, not what HPKE Seal() provides and not ECDSA.

I agree. The content_encryption_alg (next_alg) cannot be a countermeasure to the lamps attack on KAwKW(-29, etc.) and two-layer COSE-HPKE.

next_alg (or better content_encryption_algorithm) can be used to protect COSE-HPKE and probably also protect -29 if applied correctly.

Of course, it is effective against the attack on direct KeyAgreement (-25, etc.) and I think it's much better than COSE_KDF_Context. I believe what we should consider is only whether non-AEAD algs should be prohibited at layer0 or not. I think it would be better to be prohibited if possible.

Daisuke, it looks to me that you are the only one that continues to argue this. Also, nothing you’ve said has created any doubts for me. Respectfully, I’m not going to respond to your arguments any more unless something very substantially changes.

LL
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
