[CFRG] PQ HPKE in JOSE and COSE with ML-KEM-768, HKDF-SHA256, AES128GCM
Orie Steele <orie@transmute.industries> Sun, 26 May 2024 18:38 UTC
From: Orie Steele <orie@transmute.industries>
Date: Sun, 26 May 2024 13:38:26 -0500
Message-ID: <CAN8C-_LqcWy=d=6KkVCwfOs28nZugzbTjHYPNOAchs5E_EWHiw@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
CC: Deirdre Connolly <deirdre.connolly@sandboxquantum.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Y2mMMiTyFZEddE0Mzr9LEU88DeA>
[as an individual]

Hello hybrid (not the PQ/T kind) enthusiasts,

We've been working to align the algorithms and key expressions needed for HPKE in JOSE and COSE:

- https://datatracker.ietf.org/doc/draft-ietf-cose-hpke/
- https://datatracker.ietf.org/doc/html/draft-rha-jose-hpke-encrypt-07
- https://datatracker.ietf.org/doc/draft-steele-jose-cose-hpke-cookbook/

Based on my experience implementing "HPKE-Base-P256-SHA256-AES128GCM", I attempted to implement "HPKE-Base-ML-KEM-768-SHA256-AES128GCM".

I was able to produce the following EDN from my experimental implementation:

    16([
      / protected / << {
        / algorithm / 1 : -777777 / HPKE-Base-ML-KEM-768-SHA256-AES128GCM /
      } >>,
      / unprotected / {
        / key identifier / 4: "urn:ietf:params:oauth:ckt:sha-256:QcJhXe4j82YETvLzXQ5pXDtin541byZup5l0WuSC820",
        / encapsulated key / -4: h'f161ea5a094a55b21...6ae13e7e43613f'
      },
      / ciphertext / h'f224bd528704969d0ad5...6d0d27121a67e808c'
    ])

A couple of comments and suggestions, spanning several drafts adopted and unadopted in CFRG, JOSE and COSE.

## JOSE HPKE should use new header params not new key types.

@Ilari Liusvaara <ilariliusvaara@welho.com> is correct that a new header parameter ( ek / -4 ) is a better approach than what I have previously implemented for JOSE, using { epk : { ek } }.

JOSE HPKE should drop the registration requests related to new kty: epk, ek : enc.

JOSE HPKE should adopt the COSE convention of passing "encapsulated keys" or "KEM ciphertexts" as header parameters. This became more obvious to me only after seeing how PQ KEM based HPKE envelopes will look.

I've changed my mind, and I agree with the arguments Ilari has patiently made for the past several months : )

## KEM vs HPKE KEM

I based my HPKE KEM implementation on ML-KEM-768 in https://github.com/paulmillr/noble-post-quantum

This meant I needed to address both the HPKE and COSE / JOSE related context issues myself. It was not obvious to me exactly how to do this, especially since there are no registry entries for ML-KEM in: https://www.iana.org/assignments/hpke/hpke.xhtml

The answer appears to be in this draft: https://datatracker.ietf.org/doc/html/draft-connolly-cfrg-hpke-mlkem-00#name-encap-and-decap

I've done my best to follow the draft in my experimental implementation.

Are there implementations of HPKE out there using kem id 0x0070?

Are we waiting on some final confirmation from NIST to add 0x0070 to https://www.iana.org/assignments/hpke/hpke.xhtml ? I can understand not wanting to burn a code point.

Currently the registry implies that "X25519Kyber768Draft00" (0x0030) is the only interoperable KEM that has any QR (Quantum Resistance).

I would like to test HPKE ML-KEM-768 with HKDF-SHA256 and AES128GCM, without needing to implement a PQ/T hybrid KEM.

Regards,

OS

--
ORIE STEELE
Chief Technology Officer
www.transmute.industries <https://transmute.industries>
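As an added example (not code from the message, nor from any draft or library it cites), here is the RFC 9180 mode_base key schedule in stdlib Python, which is the "HPKE context" step the message says it had to work out by hand: it shows exactly where the KEM id, the KDF/AEAD ids and the caller-supplied info are bound into the AES-128-GCM key and nonce. The kem id is a parameter because, as the message notes, ML-KEM-768 has no registry entry yet; the block validates itself against the RFC 9180 Appendix A.1.1 known-answer inputs (DHKEM X25519, kem_id 0x0020) so the same code can then be fed an ML-KEM shared secret.

```python
import hashlib
import hmac
NK, NN, NH = 16, 12, 32      # AES-128-GCM key and nonce sizes, SHA-256 output size
MODE_BASE = 0                # no PSK, no sender authentication

def i2osp(n: int, length: int) -> bytes:
    return n.to_bytes(length, "big")

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def suite_id(kem_id: int, kdf_id: int = 0x0001, aead_id: int = 0x0001) -> bytes:
    # kdf_id 0x0001 = HKDF-SHA256, aead_id 0x0001 = AES-128-GCM (the message's suite)
    return b"HPKE" + i2osp(kem_id, 2) + i2osp(kdf_id, 2) + i2osp(aead_id, 2)

def labeled_extract(sid: bytes, salt: bytes, label: bytes, ikm: bytes) -> bytes:
    return hkdf_extract(salt, b"HPKE-v1" + sid + label + ikm)

def labeled_expand(sid: bytes, prk: bytes, label: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(prk, i2osp(length, 2) + b"HPKE-v1" + sid + label + info, length)

def key_schedule_base(kem_id: int, shared_secret: bytes, info: bytes) -> dict:
    # RFC 9180 section 5.1 KeySchedule for mode_base; shared_secret is whatever the KEM's
    # Encap/Decap returned (for ML-KEM-768 that would be its 32-byte shared key).
    sid = suite_id(kem_id)
    psk_id_hash = labeled_extract(sid, b"", b"psk_id_hash", b"")
    info_hash = labeled_extract(sid, b"", b"info_hash", info)
    context = i2osp(MODE_BASE, 1) + psk_id_hash + info_hash
    secret = labeled_extract(sid, shared_secret, b"secret", b"")
    return {
        "key": labeled_expand(sid, secret, b"key", context, NK),
        "base_nonce": labeled_expand(sid, secret, b"base_nonce", context, NN),
        "exporter_secret": labeled_expand(sid, secret, b"exp", context, NH),
    }

def compute_nonce(base_nonce: bytes, seq: int) -> bytes:
    # per-message AEAD nonce: base_nonce XOR I2OSP(seq, Nn) (RFC 9180 section 5.2)
    return bytes(a ^ b for a, b in zip(base_nonce, i2osp(seq, NN)))

# Known-answer inputs from RFC 9180 Appendix A.1.1 (DHKEM(X25519), kem_id 0x0020).
RFC9180_A1_SHARED_SECRET = bytes.fromhex(
    "fe0e18c9f024ce43799ae393c7e8fe8fce9d218875e8227b0187c04e7d2ea1fc")
RFC9180_A1_INFO = b"Ode on a Grecian Urn"
```

Changing only the kem id (for instance to the 0x0070 the message asks about) changes every derived key, which is why an unregistered or mismatched code point breaks interoperability even when both sides agree on the KEM itself.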