On Wed, Mar 06, 2024 at 05:21:02PM +0530, tirumal reddy wrote:
>
> HPKE already specifies the combination of KEM, KDF, and AEAD. The need for
> specifying the AEAD is two-fold: to restrict the number of combinations and
> to address the threat to symmetric cryptography from quantum computers (see
> https://www.ietf.org/archive/id/draft-ietf-pquip-pqc-engineers-03.html#section-7.1
> for details).

HPKE does that because it also does bulk encryption. Direct Key Agreement
does not use AEAD anywhere.

And JWE fundamentally assumes that any supported alg and enc can be
combined. Then draft-ietf-jose-fully-specified-algorithms-02 makes that
an explicit requirement on any alg/enc registration, with no exceptions.

And COSE fundamentally assumes similar things, being based on composition
of algorithms in any way that makes sense[1].

The reason both do that is that coupling the two would make complexity
absolutely explode.

[1] E.g., have Direct Key Agreement drive Key Wrap drive bulk encryption
(can't do that in JWE). And why not mix-and-match that with Key Wrap or
Key Transport? Or whatever HPKE is.

-Ilari

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
