“CAESAR (Competition for Authenticated Encryption: Security, Applicability, and 
Robustness) will identify a portfolio of authenticated ciphers that offer 
advantages over AES-GCM and that are suitable for widespread adoption.”
http://competitions.cr.yp.to/caesar-call-3.html

CAESAR should be of interest to JOSE for its *model* of AEAD algorithms. 
Slotting any CAESAR algorithm into JOSE (eg mapping JOSE fields to 
crypto_aead_decrypt() arguments) should be trivial once an “alg” string is 
picked. CAESAR says an AEAD algorithm has 5 inputs (plaintext, associated data, 
secret message number, public message number, and a key) and 1 output 
(ciphertext).

“Message number” is unusual terminology for a nonce, but reflects the fact that 
only part of the nonce might be in a message (ie only the public message 
number). This mainly corresponds to ‘iv’ in JOSE, which is sometimes a 
dot-separated B64 segment, and sometimes a header parameter.

A more important clash between CAESAR and JOSE is JOSE’s ‘tag’ field that does 
not exist as a distinct item in the CAESAR model. [One more reason to fix issue 
#11 properly.]

P.S. While I’m talking about AEAD tags, the latest change to A128GCMKW moves 
the key wrap tag from outside the AAD to inside the AAD of the subsequent 
content encryption. Are there any implications for this change to the security 
properties?

--
James Manger

_______________________________________________
jose mailing list
https://www.ietf.org/mailman/listinfo/jose
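The mapping James describes, as an added example that is not part of the post or of any CAESAR submission: the five JWE compact-serialization segments are mapped onto the CAESAR `crypto_aead_decrypt(c, ad, nsec, npub, k)` interface, with JOSE's separate ‘tag’ segment rejoined to the ciphertext (CAESAR's single output carries the tag inside `c`) and the ASCII of the protected header used as the associated data. The AEAD underneath is a constructed Encrypt-then-MAC scheme built from HMAC-SHA256 so the example runs with the standard library alone; it stands in for AES-GCM or any CAESAR candidate, and the “enc” value `X-HMAC-EtM` is a made-up label, not a registered JOSE algorithm.

```python
"""JOSE JWE fields mapped onto the CAESAR AEAD interface (added example).

The AEAD here is a constructed HMAC-SHA256 Encrypt-then-MAC scheme used only
so the code runs offline; it is not a CAESAR candidate and not AES-GCM.
"""
import base64
import hashlib
import hmac
import json

TAG_LEN = 16  # tag bytes appended to the ciphertext, as in the CAESAR model


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def keystream(k: bytes, npub: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(k, npub || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(k, npub + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def compute_tag(k: bytes, ad: bytes, npub: bytes, c: bytes) -> bytes:
    """Tag over (length-prefixed) AD, public message number and ciphertext."""
    mac_key = hmac.new(k, b"mac", hashlib.sha256).digest()
    msg = len(ad).to_bytes(8, "big") + ad + npub + c
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def crypto_aead_encrypt(m, ad, nsec, npub, k):
    """CAESAR signature: five inputs, one output (ciphertext with the tag inside)."""
    # nsec (secret message number) is unused by this scheme, which CAESAR permits
    enc_key = hmac.new(k, b"enc", hashlib.sha256).digest()
    c = bytes(a ^ b for a, b in zip(m, keystream(enc_key, npub, len(m))))
    return c + compute_tag(k, ad, npub, c)


def crypto_aead_decrypt(c, ad, nsec, npub, k):
    """Returns the plaintext, or None when the tag does not verify."""
    if len(c) < TAG_LEN:
        return None
    body, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    if not hmac.compare_digest(tag, compute_tag(k, ad, npub, body)):
        return None
    enc_key = hmac.new(k, b"enc", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, keystream(enc_key, npub, len(body))))


def jwe_compact_encrypt(plaintext, cek, iv, alg="dir", enc="X-HMAC-EtM"):
    """Build a JWE compact serialization ("dir" key management: empty encrypted-key segment)."""
    header = json.dumps({"alg": alg, "enc": enc}, separators=(",", ":")).encode()
    protected = b64url_encode(header)
    aad = protected.encode("ascii")  # JWE AAD is ASCII(BASE64URL(protected header))
    c = crypto_aead_encrypt(plaintext, aad, b"", iv, cek)
    ciphertext, tag = c[:-TAG_LEN], c[-TAG_LEN:]  # JOSE carries the tag as its own segment
    return ".".join([protected, "", b64url_encode(iv), b64url_encode(ciphertext), b64url_encode(tag)])


def jwe_compact_decrypt(token, cek):
    """Map the five JWE segments back onto crypto_aead_decrypt()'s arguments."""
    protected, _encrypted_key, iv, ciphertext, tag = token.split(".")
    return crypto_aead_decrypt(
        c=b64url_decode(ciphertext) + b64url_decode(tag),  # tag rejoins the ciphertext
        ad=protected.encode("ascii"),  # protected header is the associated data
        nsec=b"",                      # JOSE has no secret message number
        npub=b64url_decode(iv),        # JOSE 'iv' is CAESAR's public message number
        k=cek,
    )
```

The only JOSE-specific work is in the last two functions: everything a JWE decryptor needs reaches the AEAD through the five CAESAR arguments, and the ‘tag’ segment exists solely so that it can be concatenated back onto the ciphertext. Flipping any bit in the protected header or the tag makes `jwe_compact_decrypt` return `None` rather than plaintext.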