[CFRG] Re: PQ HPKE in JOSE and COSE with ML-KEM-768, HKDF-SHA256, AES128GCM

Orie Steele <orie@transmute.industries> Tue, 28 May 2024 14:19 UTC

References: <CAN8C-_LqcWy=d=6KkVCwfOs28nZugzbTjHYPNOAchs5E_EWHiw@mail.gmail.com> <CAMjbhoVE+44ZnOB4s3Vk3MF26w7gWaodU0AmP9YO6utXZX5_1g@mail.gmail.com>
In-Reply-To: <CAMjbhoVE+44ZnOB4s3Vk3MF26w7gWaodU0AmP9YO6utXZX5_1g@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Tue, 28 May 2024 09:19:41 -0500
Message-ID: <CAN8C-_KGXmBJqYvu2RW6U5TAvVEp_3z+XkMCjeAwPcKNFO1saA@mail.gmail.com>
To: Bas Westerbaan <bas@cloudflare.com>
CC: CFRG <cfrg@irtf.org>, Deirdre Connolly <deirdre.connolly@sandboxquantum.com>
Subject: [CFRG] Re: PQ HPKE in JOSE and COSE with ML-KEM-768, HKDF-SHA256, AES128GCM
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/-9zvWbPLupa-YIrCZvPGr2kHPaI>

If I'm reading the pqc-forum correctly, the domain separation applies to
KeyGen only (which is before HPKE).

Meaning that the parts of test vectors after KeyGen would remain unchanged?

Or are you suggesting there will be HPKE ML-KEM domain separation from
regular ML-KEM?

I'm mostly interested in what parts of HPKE ML-KEM will change, assuming
ML-KEM is a black box that will eventually become immutable.

Ideally, I'd be able to confirm compatibility, prior to the keygen domain
separation being added to FIPS 203 and FIPS 204.

Also, I'm prototyping with TypeScript because that's what's easiest for me
to generate examples for drafts.

I agree with all the normal cautions about doing crypto in JavaScript.

Regards,

OS

On Tue, May 28, 2024 at 7:31 AM Bas Westerbaan <bas@cloudflare.com> wrote:

> Some replies inline.
>
> I based my HPKE KEM implementation on ML-KEM-768 in
>> https://github.com/paulmillr/noble-post-quantum
>>
>
> A word of caution that this implementation is not constant time. (It's
> very difficult in JavaScript anyway, but a warning is in place.)
>
>
>> This meant I needed to address both the HPKE and COSE / JOSE related
>> context issues myself.
>> It was not obvious to me exactly how to do this.
>> Especially since there are no registry entries for ML-KEM in:
>> https://www.iana.org/assignments/hpke/hpke.xhtml
>> The answer appears to be in this draft:
>> https://datatracker.ietf.org/doc/html/draft-connolly-cfrg-hpke-mlkem-00#name-encap-and-decap
>> I've done my best to follow the draft, in my experimental implementation.
>>
>> Are there implementations of HPKE out there using kem id 0x0070?
>>
>> Are we waiting on some final confirmation from NIST to add 0x0070 to
>> https://www.iana.org/assignments/hpke/hpke.xhtml ?
>> I can understand not wanting to burn a code point.
>>
>
> ML-KEM is not final yet. What people call ML-KEM now is typically the
> "ipd", the initial public draft. HPKE KEMs test vectors typically include
> deterministic key generation, and it seems likely [1] that that will
> change for the final version of ML-KEM.
>
> Best,
>
>  Bas
>
> [1]
> https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/5CT4NC_6zRI/m/KyFx0sapAgAJ
>


-- 

ORIE STEELE
Chief Technology Officer
www.transmute.industries