[Note: Recipient list trimmed to those who've shown an interest so far]
Instead of using OAEP-type padding (which is rather complex to implement and
results in data expansion), why not just encrypt the wrapped key twice? This
way, the outer encryption layer depends on every bit in the inner encryption
layer, and that depends on the plaintext and MEK, so you never get lots of
identical messages encrypted with different keys. This is trivial to
implement, requires no extra algorithms beside than the cipher used for the
wrapping, and results in no data expansion. Here's how it works:
Notation:
P[] = plaintext blocks
C1[], C2[] = ciphertext blocks encrypted once/twice
Encryption:
Encrypt P[ 0 ]...P[ n ] using the initial IV
Encrypt C1[ 0 ]...C1[ n ] using the existing IV from the previous pass
(ie C1[ n ])
Decryption:
Decrypt C2[ 1 ]...C2[ n ] using C2[ 0 ] as the IV
Decrypt C2[ 0 ] using C1[ n ] as the IV
Decrypt C1[ 0 ]...C1[ n ] using the initial IV
Peter.