IETF Logo Mail Archive

Re: [COSE] draft-ietf-cose-hpke-00 and proposed changes for -01

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Fri, 21 January 2022 13:16 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA0963A1F80 for <cose@ietfa.amsl.com>; Fri, 21 Jan 2022 05:16:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=yzbu2cMr; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=yzbu2cMr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rkbp0faoMOZo for <cose@ietfa.amsl.com>; Fri, 21 Jan 2022 05:16:09 -0800 (PST)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-eopbgr150077.outbound.protection.outlook.com [40.107.15.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBD793A1F76 for <cose@ietf.org>; Fri, 21 Jan 2022 05:16:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=n8fmo7ZYxHHI14PGu78TCXa6Dk0wTDmPsrFY7zc6LoQ=; b=yzbu2cMrVgQVlnNciIvotjRqQTVvh+3VZBzE3GrOpA+tDsrQDN4ndqr1FNFbulUvTC+acX6UddFkrNSy6KLjr0x1NuGd7elqhYhoAblr86EKVtPg4I7glICMuhzsvgHfadbWPnKXb75+NRFBwa3bN/GFAYjUdqYhJG2tqcj4Gxs=
Received: from DB8P191CA0001.EURP191.PROD.OUTLOOK.COM (2603:10a6:10:130::11) by AS8PR08MB7265.eurprd08.prod.outlook.com (2603:10a6:20b:420::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4888.12; Fri, 21 Jan 2022 13:16:00 +0000
Received: from DB5EUR03FT048.eop-EUR03.prod.protection.outlook.com (2603:10a6:10:130:cafe::74) by DB8P191CA0001.outlook.office365.com (2603:10a6:10:130::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4909.7 via Frontend Transport; Fri, 21 Jan 2022 13:16:00 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;dmarc=pass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT048.mail.protection.outlook.com (10.152.21.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4909.7 via Frontend Transport; Fri, 21 Jan 2022 13:15:59 +0000
Received: ("Tessian outbound 341d209a0e52:v113"); Fri, 21 Jan 2022 13:15:59 +0000
X-CR-MTA-TID: 64aa7808
Received: from 0fc41f959c2e.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 3EC802E3-A4D5-4C87-B001-A3538F222C51.1; Fri, 21 Jan 2022 13:15:53 +0000
Received: from EUR05-VI1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 0fc41f959c2e.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Fri, 21 Jan 2022 13:15:53 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gA/5GgOMANqsbYXudI+3ydr0Kay61jym5eHlL1VrlRsLRP/mQM+ixW5uKNjotT7YFakvF1DDzZsUk6Ijhc9SrQk/TXd5pHo6RgZAi/GrWXgJNXK/kP+fQ9Ld6S86ZEcZFk70YEOnFenzwImv8p4SeuEtoEXynoILTTbXdSNgMDVQ7P1OqEVmKqd8hLkCDLqmwC1BfUDPEVqA4+EMkcMRrXJq5eUbv3cuQ1TC2lhgoFp/em2CPtQTM8NfXddP3+iHQX5/DEYO2k5OYBegljq6aUsyS+6fL/AMN5nVy7o8AoRgy9fN51LOpb1VQLD7K9iZ7SxX0/G/F3cpZMwq5SpZRA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=n8fmo7ZYxHHI14PGu78TCXa6Dk0wTDmPsrFY7zc6LoQ=; b=deHM32T/vHf5Yv8NA2Dmwjihe/i/3qilBp+xRlEKjhPonjl0lRyS4kkLjTiLVocOWjDSIqzJoOr4jjFLBaxKza34qb+bNAoAWQIcDRmBkCTNT0pGKeUv6PzK1PrD8bP9RuSu8xbRafvQbXRgepbjsZzEFxNcl6+Ir2Gy6uiSrTWtsaXp/aZDsPOYHsgeXzLynIWBJBc4W18xJMLRt934F4TYqe3eLNB8V6qOog72/Uo6d+DDVHmPaGXRGT2Y6KQ87zTy9PIRmlubIpYpdhpX5AG6MpvsU4RWxivwFkWqnrVaIpRNeOD3MXmwhFK8qD69BR9tA2gNEGd9PJ/OfB4EQw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=n8fmo7ZYxHHI14PGu78TCXa6Dk0wTDmPsrFY7zc6LoQ=; b=yzbu2cMrVgQVlnNciIvotjRqQTVvh+3VZBzE3GrOpA+tDsrQDN4ndqr1FNFbulUvTC+acX6UddFkrNSy6KLjr0x1NuGd7elqhYhoAblr86EKVtPg4I7glICMuhzsvgHfadbWPnKXb75+NRFBwa3bN/GFAYjUdqYhJG2tqcj4Gxs=
Received: from DBBPR08MB5915.eurprd08.prod.outlook.com (2603:10a6:10:20d::17) by AM0PR08MB4387.eurprd08.prod.outlook.com (2603:10a6:208:140::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4909.7; Fri, 21 Jan 2022 13:15:50 +0000
Received: from DBBPR08MB5915.eurprd08.prod.outlook.com ([fe80::ec71:ec1b:a356:3ccb]) by DBBPR08MB5915.eurprd08.prod.outlook.com ([fe80::ec71:ec1b:a356:3ccb%7]) with mapi id 15.20.4909.012; Fri, 21 Jan 2022 13:15:50 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>
CC: "cose@ietf.org" <cose@ietf.org>
Thread-Topic: [COSE] draft-ietf-cose-hpke-00 and proposed changes for -01
Thread-Index: AdgLhM0SJ9GR/pH8Rn+twyj8D7yFcgADzhAAAAbPMOAABE/7gAAm0yMgAHKOnYAAKGWQwA==
Date: Fri, 21 Jan 2022 13:15:50 +0000
Message-ID: <DBBPR08MB59153905223EB68CD94F44E0FA5B9@DBBPR08MB5915.eurprd08.prod.outlook.com>
References: <DBBPR08MB5915C899B9EF8122898057BDFA579@DBBPR08MB5915.eurprd08.prod.outlook.com> <YeVQooQEGzfjFeE9@LK-Perkele-VII2.locald> <DBBPR08MB5915C7AFF11B55A8AA8CBBEEFA579@DBBPR08MB5915.eurprd08.prod.outlook.com> <YeWbRYe13Mk+IV+2@LK-Perkele-VII2.locald> <DBBPR08MB591586D6CB6BAF7B5354F517FA589@DBBPR08MB5915.eurprd08.prod.outlook.com> <YemgmVX/zsWFQfA/@LK-Perkele-VII2.locald>
In-Reply-To: <YemgmVX/zsWFQfA/@LK-Perkele-VII2.locald>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: A735D32C9A70EA45A8B4289E24CD5A6B.0
x-checkrecipientchecked: true
Authentication-Results-Original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
X-MS-Office365-Filtering-Correlation-Id: c18752e7-0a0a-4502-2e5f-08d9dce02ab1
x-ms-traffictypediagnostic: AM0PR08MB4387:EE_|DB5EUR03FT048:EE_|AS8PR08MB7265:EE_
X-Microsoft-Antispam-PRVS: <AS8PR08MB726520C4B3B480C1B25EF51DFA5B9@AS8PR08MB7265.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:8273;OLM:9508;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: l/sHB3zkRHNNMPDHqDwQ9TTl0Mb+cBBTsaY9FweHVE7yUz3jqRa0tWHdVD09VsKJML8gQcrgDZfdcHxO4HIokJvQV5xMCTgyLRyDhDvOQyfK3Ub00b7iZSD0h1vVTT4tALAYy1nyw2weCBA9lOycr0G24yD7mSbtuVPIn/lBQIOxtGPkm49RH+qBq8BkCsubeIx+P9I+evBL+bb547jVGecuXIQa2jIR6vijKqO5+d9gWzUcVse57CEx6Dme++0P5hm8LG4VVqiaP6ZHNfKbkL1Q8n3+WDSZfEGdQd4iMXEFCf+OIRCW2lpOJ2sEixeG1VJeBP+C+wckTKmUpa4hswliGfv+cK4cdZ+InlZFvIicD+Oq7EHQ/+Zy3qdMmz6LOO8z3KREqe8oddtuc+ej+dNHQo7fPkeUO8NjJUJR7T2sY4kw+8vwe/FTL1TB3hm3Zd297JpxiZ3N2HDeI+CbvXTypoSMD7ultzAWc002Ep72c85ww+XoLL6Jdyxh/MkfBZ+I90xLH5kPDT0bBc1WVcsCSZD9jeILn1CFBpeq/p5hqqU0Wz5ERxuANhswma/ozncoXKs3lOKREiAWVtQX8SwcpEFryxOjzayNlK+8395kaWm1IG5SeJb+lcGJbg70P5ZpiUfx5ZjStk/S8d1TDMmMMJMXDgLbCfpKTQKYWYtjjmBuqIhLut4OTL5Q4rEPI/HcW7nAMYwuOsHmEB8nqA==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DBBPR08MB5915.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(7696005)(2906002)(9686003)(316002)(83380400001)(33656002)(8936002)(6916009)(8676002)(86362001)(71200400001)(508600001)(64756008)(5660300002)(66476007)(66556008)(53546011)(66446008)(122000001)(38100700002)(26005)(52536014)(76116006)(38070700005)(66946007)(186003)(4326008)(55016003)(6506007); DIR:OUT; SFP:1101;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB4387
Original-Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT048.eop-EUR03.prod.protection.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: 64d81dc4-c5f9-43ae-75f6-08d9dce02575
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: PTYhKEvd1uorq4xRwOyiCjP+VGhEfV/e3ux/NjS2LfUSaE1r8rSMvxsNtm68P6UoCBu2e+PQBd12zkKem/QKjA2rVBYXzlckJzPMWG3eb7qCHTGroVXYxrQHX23nMSMhQ2q3mFJZhq6LdvKlHBeCMdBMEyl/TAhvIVXw2kkbKvtTJ0YXKsVaB6aUCpMk9br7dxZs9g4dUsq+cewx/jbggkydDiLKzT+rfrlfWHDo7m7W9PKvsYbTT1JnrokdBSJ6jzBnKaZFqb/h8rdtuN5B/CuuzIRtK92y3mtC9WrPffAue2QjjroLPWKl/xG5KOATAj+i8pwRNJjmbZmUOjgFUzQhdGfzDhEqi5WW/rt7LbVBe0+JvD+z0WuR4i/y5rVPxcZ8Xo/9wJnXNM+l/qWx/fqHtR5svVBrFui5f1oRx/XU9h6nr6SSIxMeSppdtrVBvSEXJjt9ljhp+vWZ068BPF8eMi+pAZZuhFop8PTUsTmgbyeCm5tCUbpHd/w+4Rl8Yhc+Muc2FvMGOj37hpmHY+mtMwMuuXUZ03nxb0JWtQhfL2a/a+H9vW8fy47hzY1G23k7C59IWRc8Jyth5xelMwLN8JzHBoqpAYcsEPX5OhphOUXW4wTTol1bx6884yd+CnrOmvDuARZyX8/uxEhuNa3CI1IBTi5ng6uEO1jXQV7oP8Z/70rCKIyfc0TupGjPY2d+uq4FnYuAb8lyOOPaMg==
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(4636009)(36840700001)(46966006)(8936002)(508600001)(336012)(82310400004)(4326008)(70206006)(6862004)(55016003)(186003)(316002)(70586007)(8676002)(356005)(26005)(33656002)(2906002)(52536014)(6506007)(47076005)(83380400001)(86362001)(36860700001)(5660300002)(9686003)(53546011)(81166007)(7696005); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Jan 2022 13:15:59.6595 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: c18752e7-0a0a-4502-2e5f-08d9dce02ab1
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: DB5EUR03FT048.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR08MB7265
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/Gh50HIhUJI7yrTfo9M0LJLs7M2A>
Subject: Re: [COSE] draft-ietf-cose-hpke-00 and proposed changes for -01
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jan 2022 13:16:14 -0000

Hi Ilari,

You are again raising good points, namely

1) Should we convey the KEM ID, and KDF ID explicitly? I think so.
2) If we do, where should this information go? You suggest to put them into the COSE key (ephemeral key) structure. I would have thought that the unprotected header would be more appropriate but I do not really have a strong preference.
3) Should we define a new kty id? If we place the KEM ID and the KDF ID into the COSE key structure then I think it would be a good idea to define a new kty id.

I am curious what others in the group think about this idea.

I lost you when you are were talking about the "size issues" and tried to solve the issues. Maybe you could elaborate a bit what problem you see. IMHO we cannot use COSE_Encrypt0 because we need the recipient structure, which is not present with the COSE_Encrypt0.

You also seem to define new key formats. What prevents us from re-using the existing COSE key formats? Section 13 of RFC 8152 defines various ECC key formats and those could be re-used. Since there is no compressed point format, we could add it.

I am also not sure why you talk about PQC algorithms. Neither COSE nor HPKE define PQC algorithms. Do you think we should define them in this document?

Ciao
Hannes

-----Original Message-----
From: ilariliusvaara@welho.com <ilariliusvaara@welho.com>
Sent: Thursday, January 20, 2022 6:49 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: cose@ietf.org
Subject: Re: [COSE] draft-ietf-cose-hpke-00 and proposed changes for -01

On Tue, Jan 18, 2022 at 11:20:34AM +0000, Hannes Tschofenig wrote:
> Hi Ilari,
>
> [Hannes] I think you are suggesting to do this:
>
>    96(
>        [
>            // protected field with alg=AES-GCM-128
>            h'A10101',
>            {    // unprotected field with iv
>                 5: h'26682306D4FB28CA01B43B80'
>            },
>            // null because of detached ciphertext
>            null,
>            [  // COSE_recipient_outer
>
>              / protected / h'a1013818' / {
>             \ hpke-alg \ 1:16 \ HPKE/P-256+HKDF-256 \
>                     hpke-aead-id: 1     //     AES-128-GCM
>              } / ,
>             / unprotected / {
>                 // HPKE encapsulated key
>                 / ephemeral / -1:{
>                        / kty / 1:2,
>                  / crv / -1:1,
>                  / x / -2:h'98f50a4ff6c05861c8...90bbf91d6280',
>                   / y / -3:true
>               },
>             // kid for recipient static ECDH public key
>             / kid / 4:'meriadoc.brandybuck@buckland.example'
>                },
>                // Encrypted CEK
>                h'FA55A50CF110908DA6443149F2C2062011A7D8333A72721A',
>                ]
>            ]
>         ]
>    )

Yeah, thereabouts.

I am not sure what is the best precise variation to use.

- I would like there being generic support for all HPKE algorithms.
  The most compact way of doing this is:
  * Have new alg=hpke. Which has the AEAD id as parameter.
  * Have new kty=hpke. Which has the KEM and KDF ids as parameters,
    as well as raw public/encapsulated key.

  However, this runs into size issues with P-x curves.

  HPKE encapsulated key for KEM=33, KDF=2, would be roughly:

  -1:{
        1:<id-kty-hpke>,
        -1:33,
        -2:2,
        -3:h'...'
  }

  This would be 11 bytes of overhead, assuming typical PQC sizes.

- Solving the P-x size issues, option a):

  * With EC2, do not include explicit KEM and KDF ids.
  * The public keys are unpacked into public/encapsulated keys.

  Roughly corresponds to the above, but with no hpke-alg.

- Solving the P-x size issues, option b):

  * Use the HPKE kty, with negative KEM id.
  * Pack the P-x keys using the same compression as in C509.

  AFAICT, this is one byte more compact than a) with P-x keys.
  The ephemeral key would roughly be:

  -1:{
        1:<id-kty-hpke>,
        -1:-1
        -3:h'0398f50a4ff6c05861c8...90bbf91d6280'
  }


  For X25519 and X448, the both options above save 3 bytes.


And looks like I underestimated the space savings from cose_encrypt0 if one only has one recipient. The savings are more like 50 bytes or so (more for 192-bit and 256-bit levels).



-Ilari
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.8.7 | Report a Bug | By Email