First, I am not advocating that we should add SIV mode as a standard encryption algorithm to the JOSE specifications. However, SIV mode has some interesting properties and has been publicly declared as being IP free, so I want to make sure that we do not preclude the use of SIV mode if somebody else wants to play with it.
A quick primer on how SIV mode works:

1. Compute the IV to be used for the message.
   IV = F(Authenticated Data, Plain Text, Encryption Key)

2. Encrypt the Plain Text.
   CipherText = AES-CTR(Plain Text, IV, Encryption Key)
   Note that I have not looked it up and it has been a while, but I am pretty sure that it does use CTR mode.

3. Compute the authentication Tag.
   AT = IV

There are no problems with doing the encoding, in that one can present the IV as both the IV and the AT in the encoding, so it is not as if one of these fields becomes implicit. However, it does mean that the current encoding format for multiple recipients is completely unusable. One could use the format, but it would need to be in a single recipient mode only. This is because the IV and the encrypted text would, of necessity, be unique for each recipient.

Jim
_______________________________________________
jose mailing list
https://www.ietf.org/mailman/listinfo/jose
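
Added example, not part of Jim's message and not RFC 5297 AES-SIV: a sketch of the three steps above in which HMAC-SHA256 stands in for both F and AES-CTR (an assumption, so it runs on the Python standard library alone). It also assumes each recipient carries different authenticated data, which is one way the IV and the ciphertext end up unique per recipient; the key, payload and headers are constructed.

```python
import hashlib
import hmac

# Stand-ins (assumptions): HMAC-SHA256 replaces both the SIV PRF "F" and AES-CTR
# so the sketch runs on the standard library. This is not RFC 5297 AES-SIV.

def _f(k1: bytes, aad: bytes, pt: bytes) -> bytes:
    """Step 1: synthetic IV = F(AAD, plaintext, key), length-prefixed, 16 bytes."""
    mac = hmac.new(k1, digestmod=hashlib.sha256)
    for part in (aad, pt):
        mac.update(len(part).to_bytes(8, "big") + part)
    return mac.digest()[:16]

def _ctr(k2: bytes, iv: bytes, data: bytes) -> bytes:
    """Step 2: XOR with a counter-mode keystream seeded by the IV."""
    out = bytearray()
    for n in range(0, len(data), 32):
        pad = hmac.new(k2, iv + (n // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[n:n + 32], pad))
    return bytes(out)

def siv_encrypt(key: bytes, aad: bytes, pt: bytes):
    k1, k2 = key[:32], key[32:]          # one key, split into MAC and CTR halves
    iv = _f(k1, aad, pt)
    return iv, _ctr(k2, iv, pt)          # step 3: the IV doubles as the tag (AT = IV)

def siv_decrypt(key: bytes, aad: bytes, iv: bytes, ct: bytes) -> bytes:
    k1, k2 = key[:32], key[32:]
    pt = _ctr(k2, iv, ct)
    if not hmac.compare_digest(iv, _f(k1, aad, pt)):   # recompute IV to authenticate
        raise ValueError("SIV authentication failed")
    return pt

KEY = bytes(range(64))                   # constructed 64-byte key
MSG = b"constructed payload for two recipients"
AAD_A = b'{"kid":"recipient-A"}'         # constructed per-recipient headers
AAD_B = b'{"kid":"recipient-B"}'

if __name__ == "__main__":
    iv_a, ct_a = siv_encrypt(KEY, AAD_A, MSG)
    iv_b, ct_b = siv_encrypt(KEY, AAD_B, MSG)
    print("IV/tag A:", iv_a.hex(), "\nIV/tag B:", iv_b.hex())
    print("ciphertexts equal:", ct_a == ct_b)       # False: no shared ciphertext
    print("round trip:", siv_decrypt(KEY, AAD_A, iv_a, ct_a) == MSG)
```

Because the IV is a function of the authenticated data and the plaintext, the construction is deterministic: identical inputs under the same key always yield the same IV and ciphertext.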
