Re: [COSE] [jose] Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-00.txt

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 05 March 2024 16:08 UTC

Date: Tue, 05 Mar 2024 18:08:28 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
Message-ID: <ZedDfNO5B3PrpB4e@LK-Perkele-VII2.locald>
References: <170944215832.65165.15558599263256086018@ietfa.amsl.com> <CAFpG3gdGiw2wap8C1H+AOWvEn1ewSjmtBmghKKAvNBmXnDmoYg@mail.gmail.com> <CAN8C-_KZifohssn3WoZa6Qn3QMeh0YMya6c8RGa1ZieWgRY9=A@mail.gmail.com>
In-Reply-To: <CAN8C-_KZifohssn3WoZa6Qn3QMeh0YMya6c8RGa1ZieWgRY9=A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/15bmQZZIhzc98biN2zJtXPZuV4o>
Subject: Re: [COSE] [jose] Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-00.txt
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>

On Tue, Mar 05, 2024 at 07:32:17AM -0600, Orie Steele wrote:
> Draft looks very familiar after having spent so much time with HPKE.

The mechanism should look very similar to ECDH-ES. Not similar at all
to HPKE. In fact, it takes one very small change and relabeling things
to turn ECDH-ES into KEM.


> Having different direct mode alg values for ML-KEM and HPKE that are both
> basically telling you to look at an enc... is wasting registry space.
> 
> alg: dir, is sufficient.

No, it is not. In JWE, alg:dir is REQUIRED to be symmetric AEAD.

Neither this nor HPKE is symmetric AEAD.

Even if I think that JWE does not formally ban interference between alg
and enc (the current fully-specified algorithms draft does ban it), it
is an extremely bad idea to have such interference.

 
> The documents that register the new enc modes can explain why.

I do not think that JWE even allows new enc modes.


> I think it would be better to see ML-KEM suites in HPKE, instead of seeing
> duplicates.

On duplicates, all the current proposed HPKE stuff is essentially
duplicates.

The only things HPKE can do that JOSE/COSE can not is exactly the
stuff that is not supported in present HPKE in JOSE/COSE stuff
(compact curves and the prototype PQ hybrid).

Yes, there is some KDF stuff as well, but I don't think there is any
security relevance.

But see below for very radical idea.


> There will also be different security issues, without the HPKE context and
> key committing, etc...

The security issues of KEMs will be pretty much the same as security
issues of ECDH-ES.


> With hybrids on the horizon... it's a mistake to register hybrids twice...
> Once for HPKE and once for standalone.
> 
> I think we should use HPKE until there is reason not to use it.
> 
> Is this draft motivated by implementers who could not use HPKE?

HPKE in COSE/JOSE is certainly simpler than ECDH-ES.

Very radical idea would be to deprecate ECDH algorithms for HPKE.


> Are there critical use cases that multiple vendors need to support that
> only work without using HPKE?

One needs pure ML-KEM-1024 for CNSA 2.0. I don't know if HPKE will add
that or not.




-Ilari
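Added example (an editor's illustration of the ECDH-ES-as-KEM point made above; it is not code from draft-reddy-cose-jose-pqc-kem, from HPKE, or from any poster on this thread): JWE ECDH-ES in Direct Key Agreement mode (RFC 7518 section 4.6, with X25519 keys as in RFC 8037) written behind a KEM-shaped interface. encap() takes only the recipient public key and returns the JWE protected header, whose epk is the only thing that plays the role of a KEM ciphertext, together with the derived CEK; decap() recovers the same CEK from the recipient private key and that header. The X25519 ladder is a pure-Python transcription of RFC 7748 so the block runs offline; it is not constant-time and is for illustration only. The rejection of an all-zero shared secret (RFC 7748 section 6.1 leaves this check optional) and the refusal to decapsulate anything whose alg is not "ECDH-ES" (so alg "dir", which carries no epk, is never treated as a KEM) are checks added here, not requirements taken from the draft. The enc-to-key-length table, the apu/apv values and the function names are assumptions of this example.

```python
"""ECDH-ES Direct Key Agreement (RFC 7518 4.6, X25519 per RFC 8037) as a KEM.

Editor's added example, not code from the draft, HPKE, or any poster.
x25519() is a pure-Python RFC 7748 transcription so this runs offline; it
is NOT constant-time and is for illustration only.
"""
import base64
import hashlib
import math
import secrets

P = 2**255 - 19
A24 = 121665
BASEPOINT = bytes([9]) + bytes(31)
ENC_KEYBITS = {"A128GCM": 128, "A192GCM": 192, "A256GCM": 256}  # assumed table


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar k times u-coordinate u (32 bytes each)."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] &= 127
    kb[31] |= 64
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(bytes(u[:31]) + bytes([u[31] & 127]), "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2 % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _len_prefixed(data: bytes) -> bytes:
    return len(data).to_bytes(4, "big") + data


def concat_kdf(z: bytes, alg_id: str, apu: bytes, apv: bytes, keydatalen: int) -> bytes:
    """NIST SP 800-56A Concat KDF with SHA-256, as profiled in RFC 7518 4.6.2.
    In Direct Key Agreement mode AlgorithmID is the enc value."""
    other_info = (_len_prefixed(alg_id.encode()) + _len_prefixed(apu)
                  + _len_prefixed(apv) + keydatalen.to_bytes(4, "big"))
    out = b""
    for i in range(1, math.ceil(keydatalen / 256) + 1):
        out += hashlib.sha256(i.to_bytes(4, "big") + z + other_info).digest()
    return out[: keydatalen // 8]


def b64u_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def keygen():
    """Static X25519 key pair: (private 32 bytes, public u-coordinate)."""
    sk = secrets.token_bytes(32)
    return sk, x25519(sk, BASEPOINT)


def _shared(sk: bytes, pk: bytes) -> bytes:
    z = x25519(sk, pk)
    if z == bytes(32):  # added check: low-order peer point, RFC 7748 6.1
        raise ValueError("low-order public key")
    return z


def encap(pk: bytes, enc: str = "A256GCM", apu: bytes = b"", apv: bytes = b""):
    """KEM.Encap: returns (JWE protected header carrying epk, CEK)."""
    esk, epk = keygen()
    cek = concat_kdf(_shared(esk, pk), enc, apu, apv, ENC_KEYBITS[enc])
    header = {"alg": "ECDH-ES", "enc": enc,
              "epk": {"kty": "OKP", "crv": "X25519", "x": b64u_encode(epk)}}
    if apu:
        header["apu"] = b64u_encode(apu)
    if apv:
        header["apv"] = b64u_encode(apv)
    return header, cek


def decap(sk: bytes, header: dict) -> bytes:
    """KEM.Decap: recover the CEK from the recipient key and the header."""
    if header.get("alg") != "ECDH-ES":
        # alg "dir" is a pre-shared symmetric CEK with no epk; never a KEM here.
        raise ValueError("alg is not ECDH-ES: %r" % header.get("alg"))
    epk = header["epk"]
    if epk.get("kty") != "OKP" or epk.get("crv") != "X25519":
        raise ValueError("unexpected epk type")
    z = _shared(sk, b64u_decode(epk["x"]))
    apu = b64u_decode(header.get("apu", ""))
    apv = b64u_decode(header.get("apv", ""))
    return concat_kdf(z, header["enc"], apu, apv, ENC_KEYBITS[header["enc"]])
```

Running encap() against a fresh public key and decap() with the matching private key yields the same 32-byte CEK for A256GCM (16 bytes for A128GCM); a different private key gives a different CEK, and an epk that is the all-zero low-order point or a header with alg "dir" is refused. Nothing in the header beyond the epk changes between the two readings, which is the relabeling the message above refers to.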