[CFRG] Re: PQ HPKE in JOSE and COSE with ML-KEM-768, HKDF-SHA256, AES128GCM

Bas Westerbaan <bas@cloudflare.com> Tue, 28 May 2024 14:27 UTC

List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/b8aLlMMbHR-UkxnQgCb4QWi-9b0>

On Tue, May 28, 2024 at 4:19 PM Orie Steele <orie@transmute.industries>
wrote:

> If I'm reading the pqc-forum correctly, the domain separation applies to
> KeyGen only (which is before HPKE).
>

An HPKE KEM needs to define a DeriveKeyPair(ikm) function. GenerateKeyPair
is typically implemented as just calling DeriveKeyPair on a random seed.

See the "ikmR" values in the test vectors of

https://datatracker.ietf.org/doc/rfc9180/
https://datatracker.ietf.org/doc/draft-westerbaan-cfrg-hpke-xyber768d00/

Also we would be assuming there is not any other backwards incompatible
change to ML-KEM.

> Or are you suggesting there will be HPKE ML-KEM domain separation from
> regular ML-KEM?
>

No. [1]


> I'm mostly interested in what parts of HPKE ML-KEM will change, assuming
> ML-KEM is a black box that will eventually become immutable.
>

That's up to NIST.

Best,

 Bas
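To make the DeriveKeyPair / GenerateKeyPair relationship concrete, here is an added example (not part of Bas's message, RFC 9180, or the xyber768d00 draft) that implements both functions for HPKE's DHKEM(X25519, HKDF-SHA256) from RFC 9180 sections 4 and 7.1.3 in stdlib-only Python. It uses that KEM rather than an ML-KEM-based one because the structure the message points at (LabeledExtract/LabeledExpand over the ikm, then the KEM's own public-key computation, with GenerateKeyPair being DeriveKeyPair on os.urandom) is the same, while ML-KEM itself does not fit in a short example; the hybrid draft's own DeriveKeyPair is not reproduced here. The X25519 ladder is pure Python and not constant-time, so it is for illustration only. The hex constants are the ikmR, skRm and pkRm values of RFC 9180 Appendix A.1.1 and the RFC 7748 section 6.1 Alice key pair; the block re-derives skRm/pkRm from ikmR to show that the "ikmR" test vector exercises exactly this function.

```python
"""Added example: HPKE DeriveKeyPair / GenerateKeyPair for DHKEM(X25519,
HKDF-SHA256), RFC 9180 sections 4 and 7.1.3. Stdlib only; the X25519
implementation is pure Python and NOT constant-time (demo, not production)."""
import hashlib
import hmac
import os

# --- X25519 (RFC 7748 section 5): Montgomery ladder over GF(2^255 - 19) ---
P = 2**255 - 19
A24 = 121665
BASE_U = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    # Clamp: clear low 3 bits and bit 255, set bit 254 (RFC 7748 section 5).
    k_int = int.from_bytes(k, "little")
    return (k_int & ((1 << 254) - 8)) | (1 << 254)


def _decode_u(u: bytes) -> int:
    # Mask the most significant bit of the last byte before interpreting.
    return int.from_bytes(u, "little") & ((1 << 255) - 1)


def x25519(k: bytes, u: bytes) -> bytes:
    k_int, x1 = _decode_scalar(k), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:  # cswap; a branch here is why this is not constant-time
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


# --- HPKE labeled HKDF (RFC 9180 section 4) in the KEM context ---
KEM_ID = 0x0020  # DHKEM(X25519, HKDF-SHA256)
SUITE_ID = b"KEM" + KEM_ID.to_bytes(2, "big")
NSK = 32  # X25519 private key length


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]


def labeled_extract(salt: bytes, label: bytes, ikm: bytes) -> bytes:
    return hkdf_extract(salt, b"HPKE-v1" + SUITE_ID + label + ikm)


def labeled_expand(prk: bytes, label: bytes, info: bytes, length: int) -> bytes:
    labeled_info = length.to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + label + info
    return hkdf_expand(prk, labeled_info, length)


def derive_key_pair(ikm: bytes) -> tuple[bytes, bytes]:
    """RFC 9180 section 7.1.3 DeriveKeyPair for X25519: deterministic in ikm."""
    dkp_prk = labeled_extract(b"", b"dkp_prk", ikm)
    sk = labeled_expand(dkp_prk, b"sk", b"", NSK)
    return sk, x25519(sk, BASE_U)


def generate_key_pair() -> tuple[bytes, bytes]:
    """GenerateKeyPair as the message describes it: DeriveKeyPair on a random seed."""
    return derive_key_pair(os.urandom(NSK))


# RFC 9180 Appendix A.1.1 receiver values: the "ikmR" the message refers to.
RFC9180_A1_IKM_R = bytes.fromhex("6db9df30aa07dd42ee5e8181afdb977e538f5e1fec8a06223f33f7013e525037")
RFC9180_A1_SK_RM = bytes.fromhex("4612c550263fc8ad58375df3f557aac531d26850903e55a9f23f21d8534e8ac8")
RFC9180_A1_PK_RM = bytes.fromhex("3948cfe0ad1ddb695d780e59077195da6c56506b027329794ab02bca80815c4d")


def matches_rfc9180_vector() -> bool:
    """True iff DeriveKeyPair(ikmR) reproduces the RFC's (skRm, pkRm)."""
    return derive_key_pair(RFC9180_A1_IKM_R) == (RFC9180_A1_SK_RM, RFC9180_A1_PK_RM)


if __name__ == "__main__":
    sk, pk = derive_key_pair(RFC9180_A1_IKM_R)
    print("skRm", sk.hex())
    print("pkRm", pk.hex())
    print("matches RFC 9180 A.1.1:", matches_rfc9180_vector())
```

Note that `derive_key_pair` returns the 32 bytes from LabeledExpand unmodified; clamping happens inside `x25519` when the scalar is used, which is why the RFC's skRm does not look clamped. This is the property that makes a fixed ikm reproducible across implementations, and it is the part of the key-generation path that a change in the underlying KEM's own KeyGen (the ML-KEM domain-separation question in the thread) would or would not affect.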