IETF Logo Mail Archive

Re: [COSE] COSE_Key for HPKE encapsulated key

Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 29 September 2022 11:30 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1312FC14F744 for <cose@ietfa.amsl.com>; Thu, 29 Sep 2022 04:30:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MDVvYrDFXAtp for <cose@ietfa.amsl.com>; Thu, 29 Sep 2022 04:29:57 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB549C14CF04 for <cose@ietf.org>; Thu, 29 Sep 2022 04:29:56 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 2B9412B42E; Thu, 29 Sep 2022 14:29:54 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id Wqx_uCAWdh3F; Thu, 29 Sep 2022 14:29:54 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id EB6F92315; Thu, 29 Sep 2022 14:29:51 +0300 (EEST)
Date: Thu, 29 Sep 2022 14:29:51 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: cose@ietf.org
Message-ID: <YzWBrxjZgsw9uY1V@LK-Perkele-VII2.locald>
References: <CAL02cgTchR_+h8ZZZqbBWgJNcadb-7ki6f57XxFoo+Cpa+94Jg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAL02cgTchR_+h8ZZZqbBWgJNcadb-7ki6f57XxFoo+Cpa+94Jg@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/8mgogV1iedAoDtofwFIPZQSiulw>
Subject: Re: [COSE] COSE_Key for HPKE encapsulated key
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Sep 2022 11:30:04 -0000

On Wed, Sep 28, 2022 at 01:59:18PM -0400, Richard Barnes wrote:
> 
> It was brought to my attention that this working group is considering
> representing the "enc" output of HPKE as a COSE_Key as opposed to an opaque
> byte string [1].
> 
> Representing the "enc" output as anything other than opaque bytes is a
> mistake.  It would require the COSE implementation to parse the "enc"
> output, causing a bunch of unnecessary work and inviting error.  (If you
> want to represent it as opaque bytes plus some metadata, sure.  But   But
> don't parse it.)

Unfortunately, there is a perverse incentive involved: For NIST curves,
one can save a few dozen bytes by re-encoding the value, as HPKE does
not support compressed nor compact points for NIST curves.

Regarding adding support for compact points, what it would take to add
the stuff from draft-harkins-cfrg-dnhpke-02, section 4.1 to the IANA
registry (I think the ball has been dropped somewhere with that)?


> I'm not sure which of the chairs' options that maps to, but both the
> COSE_Key and Ilari's OKP proposal look incorrect to me, because they both
> imply that the value is a key.  I think Daisuke Ajitomi's proposal is
> closer to correct. In any case, I hope this helps clear things up.

There is really a lot of confusion between long-term public keys and
encapsulated keys (the "enc" output). The OKP proposal was about long-
term public keys (but turns out it is flawed for different reasons).

The nasty hacks I did of encoding "enc" into COSE_Key used key type
"Symmetric", which is the smallest boilerplate to stuff some byte
string into COSE_Key, as "ephemeral key" field takes COSE_Key.

The latest proposal I made (non-injectively) stuffs "enc" into the
beginning of the ciphertext (along with the AEAD ID). This avoids
allocating new header parameters and makes COSE-HPKE look like some-
thing existing (direct encryption / key wrap) rather than a totally new
kind of of thing.



-Ilari

v2.23.0 | Report a Bug | By Email