Re: [Cfrg] Multi-recipient public key authenticated encryption

Peter Gutmann <> Thu, 30 April 2020 02:56 UTC

From: Peter Gutmann <>
To: Neil Madden <>, CFRG <>
Date: Thu, 30 Apr 2020 02:56:24 +0000
Subject: Re: [Cfrg] Multi-recipient public key authenticated encryption

Neil Madden <> writes:

>Given that many uses of this sign-then-encrypt pattern do not require the
>strong security properties of signatures, I have proposed [1] a public key
>authenticated encryption mode based on NIST’s one-pass unified model from SP
>800-56A. This avoids the nested structure and means that you don’t need
>multiple cryptographic primitives. The proposed algorithm uses two ECDH key
>agreements: one between the sender’s ephemeral private key and the
>recipient’s long-term public key; and a second between the two parties’ long
>term keys. The two shared secrets are concatenated and passed through a KDF
>along with some context arguments. For a single recipient this achieves
>sender authentication (subject to replay), and the single recipient case is
>what I am primarily concerned about.

Maybe I'm missing something about JOSE here, but rather than introducing
complex and exotic new encryption modes, couldn't you just define a signed +
encrypted message format like PGP and S/MIME have been using for thirty years