Re: [Cfrg] Multi-recipient public key authenticated encryption

Peter Gutmann <> Thu, 30 April 2020 08:45 UTC

From: Peter Gutmann <>
To: Neil Madden <>
Date: Thu, 30 Apr 2020 08:45:09 +0000
List-Id: Crypto Forum Research Group <>

Neil Madden <> writes:

>Firstly, is an encryption scheme that has been standardized by NIST for 14
>years really exotic? Or do you mean hashing the ciphertext for integrity is

Just because someone wrote about it somewhere in the past doesn't make it non-
exotic.  In particular I don't know which specific "one-pass unified model
from SP 800-56A" you're referring to since SP 800-56A is just a long shopping
list of everything anyone at NIST could come up with, but all of them are
pretty exotic and AFAICT unsupported in major crypto libraries.

>When you say to instead use a signed + encrypted message format, do you mean
>a proper signcryption mode or do you just mean a generic composition of
>signatures and encryption? The latter is what JOSE already supports, and I
>could just have defined a way to remove the extra base64-encoding

My question was really trying to find out whether this was an attempt to fix a
real problem or just an excuse to play around with a fancy crypto scheme, and
if what you're referring to is "  (Cofactor) Full Unified Model, C(2e,
2s, ECC CDH) Scheme", an extraordinarily awkward and painful one to boot.  It
looks like it's the latter.