[CFRG] Re: PQ HPKE in JOSE and COSE with ML-KEM-768, HKDF-SHA256, AES128GCM

Bas Westerbaan <bas@cloudflare.com> Tue, 28 May 2024 12:31 UTC

To: Orie Steele <orie@transmute.industries>
CC: CFRG <cfrg@irtf.org>, Deirdre Connolly <deirdre.connolly@sandboxquantum.com>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/dxX5UkB0VcVd5j7DGqqJjynrQHQ>

Some replies inline.

> I based my HPKE KEM implementation on ML-KEM-768 in
> https://github.com/paulmillr/noble-post-quantum
>

A word of caution that this implementation is not constant time. (It's very
difficult in JavaScript anyway, but a warning is in place.)


> This meant I needed to address both the HPKE and COSE / JOSE related
> context issues myself.
> It was not obvious to me exactly how to do this.
> Especially since there are no registry entries for ML-KEM in:
> https://www.iana.org/assignments/hpke/hpke.xhtml
> The answer appears to be in this draft:
> https://datatracker.ietf.org/doc/html/draft-connolly-cfrg-hpke-mlkem-00#name-encap-and-decap
> I've done my best to follow the draft, in my experimental implementation.
>
> Are there implementations of HPKE out there using kem id 0x0070?
>
> Are we waiting on some final confirmation from NIST to add 0x0070 to
> https://www.iana.org/assignments/hpke/hpke.xhtml ?
> I can understand not wanting to burn a code point.
>

ML-KEM is not final yet. What people call ML-KEM now is typically the
"ipd", the initial public draft. HPKE KEMs test vectors typically include
deterministic key generation, and it seems likely [1] that that will
change for the final version of ML-KEM.

Best,

 Bas

[1] https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/5CT4NC_6zRI/m/KyFx0sapAgAJ