Re: [COSE] [jose] Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-00.txt

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 06 March 2024 14:19 UTC

Date: Wed, 06 Mar 2024 16:19:43 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
Message-ID: <Zeh7f_RnEhSQey3w@LK-Perkele-VII2.locald>
References: <170944215832.65165.15558599263256086018@ietfa.amsl.com> <CAFpG3gdGiw2wap8C1H+AOWvEn1ewSjmtBmghKKAvNBmXnDmoYg@mail.gmail.com> <CAN8C-_KZifohssn3WoZa6Qn3QMeh0YMya6c8RGa1ZieWgRY9=A@mail.gmail.com> <CAFWvErUpD+p5enboksM1QiPq1ixJnRMi2NM4oyu+_8XQo_f++Q@mail.gmail.com> <F60D40C8-1870-4485-9EDC-F906AF4A60F2@gmail.com> <CAFpG3gdxu7L4nwrTdKhLHKEJ3qciWV2A+xXPwHieH5DMtj+vjw@mail.gmail.com> <ZegskkAfMziZfEur@LK-Perkele-VII2.locald> <CAFpG3gczXHm9sPvX6LAcMHdKCcMn0QBoR=XTyz+wbWZLwin5CQ@mail.gmail.com> <CFD846C5-C599-4CF6-95A2-342493050500@gmail.com> <CAFpG3gd9pP7MtJWmX_k5tTSEmDK9KoBiZxWByatYBCeTR=_n4g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAFpG3gd9pP7MtJWmX_k5tTSEmDK9KoBiZxWByatYBCeTR=_n4g@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/1CRE17LzexN2g7kaPYIsAmURBAs>
Subject: Re: [COSE] [jose] Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-00.txt
Precedence: list

On Wed, Mar 06, 2024 at 05:21:02PM +0530, tirumal reddy wrote:
> 
> HPKE already specifies the combination of KEM, KDF, and AEAD. The need for
> specifying the AEAD is two-fold: to restrict the number of combinations and
> to address the threat to symmetric cryptography from quantum computers (see
> https://www.ietf.org/archive/id/draft-ietf-pquip-pqc-engineers-03.html#section-7.1
> for details). 

HPKE does that because it also does bulk encryption.

Direct Key Agreement does not use AEAD anywhere. And JWE fundamentally
assumes that any supported alg and enc can be combined. Then
draft-ietf-jose-fully-specified-algorithms-02 makes that an explicit
requirement on any alg/enc registration, with no exceptions.

And COSE fundamentally assumes similar things, being based on
composition of algorithms in any way that makes sense[1].

The reason both do that is that coupling the two would make complexity
absolutely explode.

[1] E.g., have Direct Key Agreement drive Key Wrap drive bulk encryption
(can't do that in JWE). And why not mix-and-match that with Key Wrap or
Key Transport? Or whatever HPKE is.

-Ilari

[COSE] Fwd: New Version Notification for draft-re… tirumal reddy
Re: [COSE] [jose] Fwd: New Version Notification f… Orie Steele
Re: [COSE] [jose] Fwd: New Version Notification f… AJITOMI Daisuke
Re: [COSE] [jose] Fwd: New Version Notification f… Neil Madden
Re: [COSE] [jose] Fwd: New Version Notification f… Ilari Liusvaara
Re: [COSE] [jose] Fwd: New Version Notification f… tirumal reddy
Re: [COSE] [jose] Fwd: New Version Notification f… Ilari Liusvaara
Re: [COSE] [jose] Fwd: New Version Notification f… tirumal reddy
Re: [COSE] [jose] Fwd: New Version Notification f… Ilari Liusvaara
Re: [COSE] [jose] Fwd: New Version Notification f… tirumal reddy
Re: [COSE] [jose] Fwd: New Version Notification f… Ilari Liusvaara
Re: [COSE] [jose] Fwd: New Version Notification f… tirumal reddy
Re: [COSE] [jose] Fwd: New Version Notification f… Ilari Liusvaara
Re: [COSE] [jose] Fwd: New Version Notification f… Neil Madden
Re: [COSE] [jose] Fwd: New Version Notification f… tirumal reddy
Re: [COSE] [jose] Fwd: New Version Notification f… tirumal reddy
Re: [COSE] [jose] Fwd: New Version Notification f… Neil Madden
Re: [COSE] [jose] Fwd: New Version Notification f… tirumal reddy
Re: [COSE] [jose] Fwd: New Version Notification f… tirumal reddy
Re: [COSE] [jose] Fwd: New Version Notification f… Ilari Liusvaara