Lack of key commitment - Different users receiving different plaintexts #570
Closed
emanjon
started this conversation in
Spec feedback
Replies: 1 comment
Seems like this is already considered. I missed the MAC in the header.
Thanks for implementing and maintaining this. This seems like a huge improvement over the archaic OpenSSL and GPG file encryption applications. All Linux distributions should ship with an acceptable file encryption application.
I read the format specification
https://github.com/C2SP/C2SP/blob/main/age.md
It seems to me that the lack of key commitment in ChaCha20-Poly1305 makes it easy for a sender to create an encrypted file that two recipients decrypt to different plaintexts. This kind of attack is for example described under Envelope Encryption in [1]. How bad it is depends on the use case, but it does not seem like a thing you want in your file encryption system. I would suggest that version 2 of age have key committing encryption. In the long-term future it would be nice if NIST's future accordion mode [2] is used.
[1] "How to Abuse and Fix Authenticated Encryption Without Key Commitment"
https://www.usenix.org/system/files/sec22summer_albertini.pdf
[2] Proposal of Requirements for an Accordion Mode
https://csrc.nist.gov/files/pubs/other/2024/04/10/proposal-of-requirements-for-an-accordion-mode-dis/iprd/docs/proposal-of-requirements-for-an-accordion-mode-discussion-draft.pdf
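Added example, not part of the thread and not age's own code: a minimal model of the header MAC mentioned in the reply, showing that a recipient who unwraps a different file key than the one the header was MACed with rejects the file before decrypting any payload. It assumes the derivation I understand the linked spec to use (HMAC-SHA-256 over the header, keyed by HKDF-SHA-256 of the file key with info "header"); the header text, stanza placeholders and both keys are constructed.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, info: bytes) -> bytes:
    """HKDF-SHA-256 (RFC 5869) with an empty salt and one 32-byte output block."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()     # extract
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()  # expand


def header_mac(file_key: bytes, header: bytes) -> bytes:
    """MAC over the header, keyed from the file key (assumed age v1 derivation)."""
    mac_key = hkdf_sha256(file_key, b"header")
    return hmac.new(mac_key, header, hashlib.sha256).digest()


def accepts(unwrapped_key: bytes, header: bytes, mac: bytes) -> bool:
    """A recipient verifies the header MAC with the key it unwrapped."""
    return hmac.compare_digest(header_mac(unwrapped_key, header), mac)


def who_accepts(header: bytes, mac: bytes, unwrapped: dict) -> dict:
    """Map each recipient to whether its unwrapped key verifies the header."""
    return {name: accepts(key, header, mac) for name, key in unwrapped.items()}


# Constructed header: stanza arguments and bodies are placeholders, not real wraps.
HEADER = (b"age-encryption.org/v1\n"
          b"-> X25519 PLACEHOLDER_SHARE_A\nPLACEHOLDER_WRAPPED_KEY_A\n"
          b"-> X25519 PLACEHOLDER_SHARE_B\nPLACEHOLDER_WRAPPED_KEY_B\n"
          b"---")

KEY_1 = bytes(range(16))      # constructed 16-byte file key
KEY_2 = bytes(range(16, 32))  # a second, different constructed file key

# Honest file: both stanzas wrap the same file key, so both recipients verify.
HONEST = who_accepts(HEADER, header_mac(KEY_1, HEADER), {"A": KEY_1, "B": KEY_1})

# Split-key file: stanza B wraps KEY_2, but the single header MAC was made with KEY_1.
SPLIT = who_accepts(HEADER, header_mac(KEY_1, HEADER), {"A": KEY_1, "B": KEY_2})

if __name__ == "__main__":
    print("honest:", HONEST)
    print("split: ", SPLIT)
```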