Thanks Matt, that's also how my implementations work as well (for both JOSE and COSE HPKE):

The general interface I am using is here: https://github.com/dajiaji/hpke-js

import { AeadId, CipherSuite, KdfId, KemId } from "hpke-js";

const suite = new CipherSuite({
  kem: KemId.DhkemP256HkdfSha256,
  kdf: KdfId.HkdfSha256,
  aead: AeadId.Aes128Gcm,
});

// A recipient generates a key pair.
const rkp = await suite.kem.generateKeyPair();

// A sender encrypts a message with the recipient public key.
const sender = await suite.createSenderContext({
  recipientPublicKey: rkp.publicKey,
});

// sender.enc is available here...
// protected header is constructed here...

const ct = await sender.seal(
  new TextEncoder().encode("Hello world!"),
  /* aad goes here */
);

Regards,

OS

On Wed, Jun 12, 2024 at 12:22 PM Matt Chanda <chanda= [email protected]> wrote:

> > On Jun 12, 2024, at 7:02 AM, Ilari Liusvaara <[email protected]> wrote:
> >
> > On Wed, Jun 12, 2024 at 06:31:23PM +0530, tirumal reddy wrote:
> >> On Wed, 12 Jun 2024 at 13:14, Ilari Liusvaara <[email protected]>
> >> wrote:
> >>
> >>> When working on figuring out how to patch the encryption and decryption
> >>> procedures for this mode, I noticed that if the direct encryption
> >>> operation step produces headers, the resulting JWE can not be serialized
> >>> with compact encoding. RFC7516 prohibits bulk encryption step from
> >>> producing headers (only allowing it to produce JWE Ciphertext and
> >>> Authentication Tag outputs).
> >>>
> >>> This arises because the produced headers must be unprotected (due to
> >>> hard cyclic dependency), and compact serialization not allowing
> >>> unprotected headers. The RFC7516 prohibition on headers means all
> >>> bulk encryption algorithms can work in compact serialization.
> >>>
> >>
> >> The cyclic dependency can be prevented by invoking the SetupBaseS to get
> >> the HPKE context and HPKE enc. The HPKE context is then used to invoke the
> >> Seal function with "aad" and "pt" as parameters. The "ek" parameter can be
> >> within the JWE protected header.
> >
> > The aad is input to the algorithm direct encryption operation used by
> > the mode, so this does not break the cycle.
> >
>
> Hello, if I understand the cycle correctly, the problem is that the ek is
> in the header which is also encrypted. If so, in my setup the ek is
> accessible after setting up the context and it can be added to the header
> before calling seal (which used the aad). This is not the single shot api
> though, so I may have missed that in the original cycle message.
>
> I also do not think that the single shot should be a requirement. It
> doesn't matter to me if I have 2 lines of code or 6 to encrypt and decrypt.
>
> -matt
>
> > -Ilari
> >
> > _______________________________________________
> > jose mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
>

--
ORIE STEELE
Chief Technology Officer
www.transmute.industries <https://transmute.industries>
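The ordering discussed in this thread (set up the sender context, place the encapsulated key in the protected header, then seal with that header as AAD), as an added example that is not part of the original messages and is not hpke-js code. It assumes a simplified ECDH P-256 + HKDF + AES-128-GCM stand-in for HPKE base mode (not RFC 9180; it uses a random IV and a separate tag where HPKE derives its nonce internally), the "ek" header name comes from the thread, and the "demo-direct" alg value and all function names are hypothetical.

```javascript
// Added example. Simplified stand-in for HPKE base mode, NOT RFC 9180.
const nodeCrypto = require("node:crypto");
const b64u = (buf) => Buffer.from(buf).toString("base64url");

// Both sides derive the AEAD key from the ECDH secret and enc.
const deriveKey = (secret, enc) =>
  Buffer.from(nodeCrypto.hkdfSync("sha256", secret, enc, "constructed-demo", 16));

// Stand-in for SetupBaseS: enc and the key exist before anything is sealed.
function setupSender(recipientPublicKey) {
  const eph = nodeCrypto.createECDH("prime256v1");
  const enc = eph.generateKeys();
  return { enc, key: deriveKey(eph.computeSecret(recipientPublicKey), enc) };
}

function encryptCompact(recipientPublicKey, plaintext) {
  const { enc, key } = setupSender(recipientPublicKey); // 1. set up the context
  // 2. enc goes into the protected header ("demo-direct" is a hypothetical alg value)
  const header = b64u(JSON.stringify({ alg: "demo-direct", ek: b64u(enc) }));
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-128-gcm", key, iv);
  cipher.setAAD(Buffer.from(header, "ascii")); // 3. seal with the header as AAD
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  // Five compact segments; the JWE Encrypted Key segment stays empty.
  return [header, "", b64u(iv), b64u(ct), b64u(cipher.getAuthTag())].join(".");
}

function decryptCompact(recipient, compact) {
  const [header, , iv, ct, tag] = compact.split(".");
  const { ek } = JSON.parse(Buffer.from(header, "base64url").toString());
  const enc = Buffer.from(ek, "base64url");
  const key = deriveKey(recipient.computeSecret(enc), enc);
  const d = nodeCrypto.createDecipheriv("aes-128-gcm", key, Buffer.from(iv, "base64url"));
  d.setAAD(Buffer.from(header, "ascii"));
  d.setAuthTag(Buffer.from(tag, "base64url"));
  return Buffer.concat([d.update(Buffer.from(ct, "base64url")), d.final()]);
}

// True when a modified protected header (same ek) fails authentication.
function headerTamperRejected(recipient, compact) {
  const parts = compact.split(".");
  const hdr = JSON.parse(Buffer.from(parts[0], "base64url").toString());
  parts[0] = b64u(JSON.stringify({ ...hdr, extra: true }));
  try { decryptCompact(recipient, parts.join(".")); return false; } catch { return true; }
}

const recipient = nodeCrypto.createECDH("prime256v1"); // constructed recipient key pair
recipient.generateKeys();
const jwe = encryptCompact(recipient.getPublicKey(), Buffer.from("Hello world!"));
console.log(jwe, "->", decryptCompact(recipient, jwe).toString());
```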
