Next: Key wrapping mechanisms, Up: cm/encrypted format [Index]
Public-key based KEMs provides sender authentication
only if /kem/*/from field is specified. It should
contain public key’s /load/v/id, but may be equal to 256-bit
zeros, to explicitly specify that sender’s public key is used, but it is
anonymous and hidden. It is not specified how recipient should find
corresponding sender’s key that way – implementation/protocol specific.
Optional /pubs is a list public keys, which may be used to supply
sender’s public key(s). Public keys may be encrypted, to hide the actual
deanonymisation contents.
It is highly recommended to use multi-recipient safe DEM when
encrypting to multiple recipients. For example
dem-xchapoly-krmr instead of
dem-xchapoly-krkc, but unfortunately
with the price of more expensive double pass authentication scheme.