Hello Dmytro, as you're probably aware, It Is Done[1].
The final specification does heed the previously cited recommendations, so I think there are now *3* options to allocate identifiers for: * Ascon-AEAD128. unmodified, with its 128bit tag. * Ascon-AEAD128/64. Tag truncated to 𝜆=64bit. While the old section 4.3 had harsh limits on decryption failures on that mode (just 1 failure), that was relaxed to 2^(𝜆-32), which puts it in a similar league as the corresponding 64-bit tag variant of AES. * Ascon-AEAD128/32. Tag truncated to 𝜆=32bit. This is now where the stern wording previously applied to 𝜆=64 is at. I suggest still assignging numbers for it, for there are use cases[2] -- but it may be prudent to place a "No" (or "Filter only"?) in the COSE Algorithms "Recommended" column for this one to discourage unreflected use. (Or 4, given that Ascon-Hash256 is unmodified on my wishlist). Thanks Christian [1]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-232.pdf [2]: https://www.ietf.org/archive/id/draft-ietf-core-oscore-groupcomm-26.html#name-group-encryption-algorithm -- Yesterday is history, tomorrow is a mystery, and today is a gift. That is why it is called the present. -- ancient saying
signature.asc
Description: PGP signature
_______________________________________________ COSE mailing list -- cose@ietf.org To unsubscribe send an email to cose-le...@ietf.org
