On Mon, Jan 22, 2024 at 09:27:31AM -0600, Orie Steele wrote: > Thank you for these comments! > > Would you mind filling in the HPKE Operations for this part of your > proposal: > > HPKE ciphertext = Seal(key, nonce, aad, pt) > HPKE plaintext = Open(key, nonce, aad, ct) > > But using the variables you defined below:
The HPKE variables are obtained/transported as follows, in compact/JSON serialization: pkR: The public key, converted to kem indicated by alg used skR: The private key, converted to kem indicated by alg used kdf: Determined by alg used aead: Determined by alg used info: Empty octet string aad: * Compact: BASE64URL(UTF8(JWE Protected Header)) (Note: This is the 1st part of compact serialization as-is) * JSON: Empty octet string pt: * Compact: message (if "zip" is present, compressed) * JSON: CEK enc: * Compact: Transported as JWE Encrypted Key (Note: implicit base64url by JWE) * JSON: Base64url encoding transported as per-recipient encapsulated_key header. ct: * Compact: Transported as JWE Ciphertext (Note: implicit base64url by JWE) * JSON: Transported as per-recipient JWE Encrypted Key. (Note: implicit base64url by JWE) The compact serialization does not use the 3rd and 5th parts (JWE Initialization Vector and JWE Authentication Tag) of the serialization. Both are set to empty octet strings. One can compare to COSE-HPKE: (pkR, skR, kdf, aead and info are the same) aad: CDE(Enc_structure) pt: * Layer0: message * Layer1: CEK enc: Transported as layer unprotected encapsulated_key. ct: Transported as layer ciphertext. -Ilari _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
