Jim:

I think that the advocates for SIV need to show how to apply it to multiple recipients and produce the same ciphertext. Otherwise, it is equivalent to a separate message per recipient. This is worse than the S/MIME solution for BCC recipients.
Russ

On Apr 25, 2013, at 5:03 PM, Jim Schaad wrote:

> First, I am not advocating that we should add SIV mode as a standard
> encryption algorithm to the JOSE specifications. However SIV mode has some
> interesting properties and has been publicly declared as being IP free so I
> want to make sure that we do not preclude the use of SIV mode if somebody
> else wants to play with it.
>
> A quick primer on how SIV mode works:
>
> 1. Compute the IV to be used for the message.
>    IV = F(Authenticated Data, Plain Text, Encryption Key)
> 2. Encrypt the Plain Text
>    CipherText = AES-CTR(Plain Text, IV, Encryption Key)
>    Note that I have not looked it up and it has been a while, but I am pretty
>    sure that it does use CTR mode.
> 3. Compute the authentication Tag
>    AT = IV
>
> There are no problems with doing the encoding in that one can present the IV
> as both the IV and the AT in the encoding so it is not as if one of these
> fields becomes implicit. However it does mean that the current encoding
> format for multiple recipients is completely un-usable. One could use the
> format but it would need to be in a single recipient mode only. This is
> because the IV and the encrypted text would, of necessity, be unique for each
> recipient.
>
> Jim
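A structural sketch of the three steps in the quoted primer, added here as an example and not code from either poster or from the JOSE drafts. It assumes HMAC-SHA256 as a stand-in for both F and the AES-CTR keystream (RFC 5297 AES-SIV uses a CMAC-based S2V and AES-CTR), so it shows the shape of the construction rather than an interoperable implementation; the function names, keys and inputs are all constructed for illustration.

```python
import hashlib
import hmac

def _prf(key: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 over length-prefixed parts: assumed stand-in for F.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(8, "big") + part)
    return mac.digest()

def _xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Counter-mode keystream from the PRF: assumed stand-in for AES-CTR.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += _prf(key, iv, counter.to_bytes(8, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def siv_encrypt(key: bytes, aad: bytes, plaintext: bytes):
    mac_key, ctr_key = _prf(key, b"mac"), _prf(key, b"ctr")
    iv = _prf(mac_key, aad, plaintext)[:16]           # step 1: IV = F(AD, PT, key)
    ciphertext = _xor_stream(ctr_key, iv, plaintext)  # step 2: CTR-style encryption
    return iv, ciphertext                             # step 3: AT = IV

def siv_decrypt(key: bytes, aad: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    mac_key, ctr_key = _prf(key, b"mac"), _prf(key, b"ctr")
    plaintext = _xor_stream(ctr_key, iv, ciphertext)
    # The receiver recomputes the IV from the recovered plaintext and
    # rejects the message if it does not match the transmitted IV/tag.
    if not hmac.compare_digest(_prf(mac_key, aad, plaintext)[:16], iv):
        raise ValueError("authentication failed")
    return plaintext

def compare_recipients():
    # Constructed sample inputs; two recipients with independent keys.
    aad, msg = b"constructed header", b"constructed message body"
    key_a, key_b = b"\x01" * 32, b"\x02" * 32
    iv_a, ct_a = siv_encrypt(key_a, aad, msg)
    iv_b, ct_b = siv_encrypt(key_b, aad, msg)
    return {
        "deterministic": (iv_a, ct_a) == siv_encrypt(key_a, aad, msg),
        "same_iv": iv_a == iv_b,
        "same_ciphertext": ct_a == ct_b,
        "round_trip": siv_decrypt(key_b, aad, iv_b, ct_b) == msg,
    }

if __name__ == "__main__":
    print(compare_recipients())
```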
