On Thu, Jun 13, 2024 at 01:40:44PM +0100, Neil Madden wrote:
>
> > On 13 Jun 2024, at 13:27, Ilari Liusvaara <[email protected]> wrote:
> >
> > If there are multiple recipients, then "epk" is *required* to be
> > unprotected.
>
> Is this true? One of the advantages of ECIES for multiple recipients
> is that you can safely reuse a single ephemeral keypair for all
> recipients [1]. This is another case in which HPKE is a bad fit for
> JOSE, as it forces a fresh ephemeral keypair for each recipient.
>
> [1]: https://faculty.cc.gatech.edu/~aboldyre/papers/bbks.pdf

JWA requires a fresh ephemeral keypair for each key agreement operation,
which AFAICT prohibits doing that.

-Ilari
