Has anyone considered how to encode the recipient info for ML-KEM?

RFC 7518 specifies a different key blob 'JWE Encrypted Key' per algorithm
and ML-KEM doesn't look like either RSA or DH and its variations.

RSA has key recovery, DH uses an ephemeral key and fills the epk slot.
ML-KEM does not create an ephemeral, it looks more like RSA except that it
doesn't provide key recovery.

And that means that if there are multiple recipient blobs on a message, we
need to extend the definition because we are going to need to encrypt the
content under the content-shared secret and then wrap that in the shared
secret from ML-KEM. Which means we are going to need two slots for data, a
wrapped key slot and an ML-KEM ciphertext slot.

(Because the content has to be encrypted under the same key for each
recipient...)

So I am thinking of something like this:

    "recipients": [{
        "kid": "MBUX-V4NE-VRJS-6NT7-6QKR-DE2W-QQBG",
        "ct": "OYT5iH4doxVrj90NRowmffE20OOPLl....RGqaCav6b-Xw4",
        "wmk": "N3KQ0jcCztbOMSOwcvy_UdGNsLL-PMtd9_ZMuWqT4GzEIXj33aHlKQ"
    }]

Comments?
_______________________________________________
jose mailing list -- [email protected]
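
The two-slot flow proposed in the message above, as an added example that is not part of the original post or of any JOSE specification: one content key, and per recipient a KEM ciphertext ("ct") plus the content key wrapped under the KEM shared secret ("wmk"). Assumptions: the KEM here is a toy stand-in with ML-KEM's encaps/decaps shape (it is not ML-KEM and not secure), the key wrap is a stand-in for something like AES Key Wrap, and all function names are hypothetical.

```python
import base64, hashlib, hmac, secrets

# Stand-in KEM with the encaps/decaps interface of ML-KEM. NOT ML-KEM and NOT
# secure (toy group); only the interface matters for this illustration.
P, G = 2**255 - 19, 2

def kem_keygen():
    dk = secrets.randbelow(P - 2) + 1
    return pow(G, dk, P), dk                     # (encapsulation key, decapsulation key)

def kem_encaps(ek):
    r = secrets.randbelow(P - 2) + 1
    ss = hashlib.sha256(pow(ek, r, P).to_bytes(32, "big")).digest()
    return pow(G, r, P).to_bytes(32, "big"), ss  # (KEM ciphertext, shared secret)

def kem_decaps(dk, ct):
    return hashlib.sha256(pow(int.from_bytes(ct, "big"), dk, P).to_bytes(32, "big")).digest()

def b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def unb64u(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Stand-in key wrap for a 32-byte key: HMAC-derived pad plus integrity tag.
def wrap(kek, cek):
    pad = hmac.new(kek, b"pad", hashlib.sha256).digest()
    body = bytes(a ^ b for a, b in zip(cek, pad))
    return body + hmac.new(kek, b"tag" + body, hashlib.sha256).digest()

def unwrap(kek, wmk):
    body, tag = wmk[:32], wmk[32:]
    if not hmac.compare_digest(tag, hmac.new(kek, b"tag" + body, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed integrity check")
    pad = hmac.new(kek, b"pad", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, pad))

def build_recipients(cek, eks):
    """eks maps kid -> encapsulation key; returns one {kid, ct, wmk} entry each."""
    out = []
    for kid, ek in eks.items():
        ct, ss = kem_encaps(ek)  # the KEM chooses ss, so ct alone cannot carry the CEK
        out.append({"kid": kid, "ct": b64u(ct), "wmk": b64u(wrap(ss, cek))})
    return out

def recover_cek(entry, dk):
    """Recipient side: decapsulate ct to get ss, then unwrap wmk to get the CEK."""
    return unwrap(kem_decaps(dk, unb64u(entry["ct"])), unb64u(entry["wmk"]))
```
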