On Mon, Nov 07, 2022 at 11:33:09AM +0000, Brendan Moran wrote:
> Sorry, I had the wrong email address for Scott.
> 
> I’m trying to understand some of the concerns that have been raised. I
> understand that AES-GCM is not exposed to the concerns that Sophie and has
> raised?
> 
> If we used AES-GCM with out of order reception and on-the-fly decryption,
> would that mitigate the risks?

Probably crazy idea:

Define new algorithms A128GCM-DT, A192GCM-DT, A256GCM-DT, and
ChaCha20/Poly1305-DT (DT => Detached tag) that are otherwise the same as
A128GCM, A192GCM, A256GCM and ChaCha20/Poly1305, except that instead of
concatenating the tag to the ciphertext, the tag is carried in a new "tag"
(bstr) parameter in the unprotected bucket.


Used with COSE detached ciphertext, that allows placing any expansion
into an external structure (which one presumably has anyway due to
signatures) and almost[*] random-access decryption after a prevalidation
pass (MAC is over ciphertext, so no need to decrypt in prevalidation).

[*] For AES-GCM, any multiple of 16 bytes starting from offset multiple
of 16. For Chacha20-Poly1305, any multiple of 64 bytes starting from
offset multiple of 64.
-Ilari

_______________________________________________
COSE mailing list
COSE@ietf.org
https://www.ietf.org/mailman/listinfo/cose