Re: [COSE] [jose] Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-00.txt

tirumal reddy <kondtir@gmail.com> Wed, 06 March 2024 06:20 UTC

References: <170944215832.65165.15558599263256086018@ietfa.amsl.com> <CAFpG3gdGiw2wap8C1H+AOWvEn1ewSjmtBmghKKAvNBmXnDmoYg@mail.gmail.com> <CAN8C-_KZifohssn3WoZa6Qn3QMeh0YMya6c8RGa1ZieWgRY9=A@mail.gmail.com> <CAFWvErUpD+p5enboksM1QiPq1ixJnRMi2NM4oyu+_8XQo_f++Q@mail.gmail.com> <F60D40C8-1870-4485-9EDC-F906AF4A60F2@gmail.com>
In-Reply-To: <F60D40C8-1870-4485-9EDC-F906AF4A60F2@gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Wed, 06 Mar 2024 11:50:04 +0530
Message-ID: <CAFpG3gdxu7L4nwrTdKhLHKEJ3qciWV2A+xXPwHieH5DMtj+vjw@mail.gmail.com>
To: Neil Madden <neil.e.madden@gmail.com>
Cc: AJITOMI Daisuke <ajitomi@gmail.com>, Orie Steele <orie@transmute.industries>, cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/G8nyaMl2gHQ-mhRoI7itXpyAkRQ>
Subject: Re: [COSE] [jose] Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-00.txt

On Tue, 5 Mar 2024 at 20:48, Neil Madden <neil.e.madden@gmail.com> wrote:

>
> On 5 Mar 2024, at 14:41, AJITOMI Daisuke <ajitomi@gmail.com> wrote:
>
> > I think we should use HPKE until there is reason not to use it.
>
> I agree.
>
>
> I think there *are* lots of reasons not to use HPKE. I described some of
> them in my previous message to this list [1]. For a start, including all of
> HPKE is using a sledgehammer if all we want is a PQC option for JOSE, not
> to mention that it doesn't help at all with signatures. What it does do is
> create redundancy with existing JOSE ECDH algorithms and introduce some new
> ones that have glaring security issues when used in JOSE (refer to my
> previous message).
>
>
> Regarding ML-KEM, I was thinking that we should add X-Wing as a PQ/T
> Hybrid KEM to the list of COSE-HPKE ciphersuites at first.
>
> X-Wing: general-purpose hybrid post-quantum KEM
> https://datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem/
>
>
> There are a bunch of proposals for hybrid schemes under discussion in
> CFRG. I agree that we should generally adopt one of those rather than
> ML-KEM on its own, but we should perhaps let the dust settle on those
> discussions before moving ahead with one here.
>
> Regarding this specific draft under discussion, I'm confused why everyone
> keeps wanting to cram things into the "enc" header? JWE is quite clear that
> this header "MUST be an AEAD algorithm"[2]. KEMs are not AEADs. If we are
> going to add ML-KEM as an encryption algorithm then we should have
> something like "alg":"ML-KEM-768","enc":"A256GCM" or
> "alg":"ML-KEM-768+A256KW" etc. (or "alg":"XWingXYZ+A256KW" or whatever we
> choose).
>

The use of a fully-specified algorithm aims to permit a limited set of
'known good' PQ-KEM ciphersuites rather than allowing arbitrary
combinations of PQC algorithms, HKDF, and AEAD algorithms. For instance,
ML-KEM-768, with a PQ security level of 3, must not be used with A128GCM.
Refer to
https://datatracker.ietf.org/doc/html/draft-ietf-pquip-pqc-engineers-03#section-12
for more details.

-Tiru


>
> -- Neil
>
> [1]:
> https://mailarchive.ietf.org/arch/msg/jose/-1rVajt_tnl2Ai-Cz3ioRI8BxtQ/
> [2]: https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.2
>
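The allowlist approach in Tiru's reply (a closed set of known-good PQ-KEM suites instead of free combination of KEM, KDF and AEAD, with ML-KEM-768 never paired with A128GCM) and the point in the quoted text that "enc" must name an AEAD, as an added Python example that is not part of this thread or of the draft. The "alg"/"enc" shape follows Neil's suggested form ("alg":"ML-KEM-768","enc":"A256GCM"); those identifiers and the security-level table are illustrative assumptions, not the draft's registered values, and the sample tokens are constructed here with placeholder ciphertext parts.

```python
"""Validate the "alg"/"enc" pairing of a JWE protected header in two ways:
a strict allowlist of fully-specified suites, and a level-comparison check
that shows why arbitrary combinations need the allowlist.

Illustrative policy only: suite names and level table are assumptions made
for this example, not the draft's registry."""
import base64
import json

# ML-KEM-512/768/1024 target NIST PQC categories 1/3/5, which are defined
# relative to exhaustive key search on AES-128/192/256. Constructed table.
KEM_LEVEL = {"ML-KEM-512": 1, "ML-KEM-768": 3, "ML-KEM-1024": 5}
AEAD_LEVEL = {"A128GCM": 1, "A192GCM": 3, "A256GCM": 5}

# Closed set of "known good" (KEM, AEAD) suites. Hypothetical choices: the
# AEAD is always at least as strong as the KEM it is paired with.
ALLOWED_SUITES = {
    ("ML-KEM-768", "A256GCM"),
    ("ML-KEM-1024", "A256GCM"),
}


def b64url_decode(data: str) -> bytes:
    """base64url without padding, as used by JOSE."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_token(header: dict) -> str:
    """Build a JWE compact-serialization shaped token for testing.
    Only the protected header is real; the other four parts are empty
    placeholders (constructed sample, no actual encryption is performed)."""
    protected = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return ".".join([protected, "", "", "", ""])


def parse_protected_header(token: str) -> dict:
    """First dot-separated part of a compact JWE is the protected header."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("compact JWE must have exactly five parts")
    return json.loads(b64url_decode(parts[0]))


def check_pairing(alg: str, enc: str) -> tuple:
    """Compositional policy: accept any KEM/AEAD pair whose AEAD is not
    weaker than the KEM. Rejects e.g. ML-KEM-768 with A128GCM, and rejects
    a KEM name in "enc", which JWE requires to be an AEAD algorithm."""
    if enc not in AEAD_LEVEL:
        return False, f"enc {enc!r} is not a recognised AEAD algorithm"
    if alg not in KEM_LEVEL:
        return False, f"alg {alg!r} is not a recognised KEM"
    if AEAD_LEVEL[enc] < KEM_LEVEL[alg]:
        return False, (f"{enc} (level {AEAD_LEVEL[enc]}) is weaker than "
                       f"{alg} (level {KEM_LEVEL[alg]})")
    return True, "ok"


def validate_header(token: str, allowlist_only: bool = True) -> tuple:
    """Return (accepted, reason) for the token's protected header.
    allowlist_only=True is the fully-specified approach from the thread:
    anything outside ALLOWED_SUITES is refused, so a sender cannot pick a
    weaker AEAD than the suite designers intended."""
    header = parse_protected_header(token)
    alg, enc = header.get("alg"), header.get("enc")
    if alg is None or enc is None:
        return False, "protected header must carry both alg and enc"
    if allowlist_only:
        if (alg, enc) in ALLOWED_SUITES:
            return True, "ok"
        return False, f"({alg}, {enc}) is not an allowed suite"
    return check_pairing(alg, enc)


if __name__ == "__main__":
    samples = [
        {"alg": "ML-KEM-768", "enc": "A256GCM"},   # expected: accepted
        {"alg": "ML-KEM-768", "enc": "A128GCM"},   # expected: rejected, weaker AEAD
        {"alg": "ML-KEM-768", "enc": "ML-KEM-768"},  # expected: rejected, enc not AEAD
    ]
    for hdr in samples:
        tok = make_sample_token(hdr)
        print(hdr, "->", validate_header(tok), validate_header(tok, allowlist_only=False))
```

Both policies refuse the ML-KEM-768/A128GCM pairing; the difference is that the allowlist also refuses any pairing nobody reviewed, which is the property a fully-specified identifier gives a verifier without it having to reason about levels at all.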