Re: [COSE] [jose] Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-00.txt

Neil Madden <neil.e.madden@gmail.com> Wed, 06 March 2024 09:52 UTC

From: Neil Madden <neil.e.madden@gmail.com>
Message-Id: <CFD846C5-C599-4CF6-95A2-342493050500@gmail.com>
Date: Wed, 06 Mar 2024 09:52:24 +0000
In-Reply-To: <CAFpG3gczXHm9sPvX6LAcMHdKCcMn0QBoR=XTyz+wbWZLwin5CQ@mail.gmail.com>
Cc: Ilari Liusvaara <ilariliusvaara@welho.com>, cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
To: tirumal reddy <kondtir@gmail.com>
References: <170944215832.65165.15558599263256086018@ietfa.amsl.com> <CAFpG3gdGiw2wap8C1H+AOWvEn1ewSjmtBmghKKAvNBmXnDmoYg@mail.gmail.com> <CAN8C-_KZifohssn3WoZa6Qn3QMeh0YMya6c8RGa1ZieWgRY9=A@mail.gmail.com> <CAFWvErUpD+p5enboksM1QiPq1ixJnRMi2NM4oyu+_8XQo_f++Q@mail.gmail.com> <F60D40C8-1870-4485-9EDC-F906AF4A60F2@gmail.com> <CAFpG3gdxu7L4nwrTdKhLHKEJ3qciWV2A+xXPwHieH5DMtj+vjw@mail.gmail.com> <ZegskkAfMziZfEur@LK-Perkele-VII2.locald> <CAFpG3gczXHm9sPvX6LAcMHdKCcMn0QBoR=XTyz+wbWZLwin5CQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/GsSsQpfMIughRpmni7jcXLgvz-0>
Subject: Re: [COSE] [jose] Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-00.txt
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>

On 6 Mar 2024, at 09:46, tirumal reddy <kondtir@gmail.com> wrote:
> 
> On Wed, 6 Mar 2024 at 14:13, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> On Wed, Mar 06, 2024 at 11:50:04AM +0530, tirumal reddy wrote:
> > On Tue, 5 Mar 2024 at 20:48, Neil Madden <neil.e.madden@gmail.com> wrote:
> > >
> > > Regarding this specific draft under discussion, I'm confused why everyone
> > > keeps wanting to cram things into the "enc" header? JWE is quite clear that
> > > this header "MUST be an AEAD algorithm"[2]. KEMs are not AEADs. If we are
> > > going to add ML-KEM as an encryption algorithm then we should have
> > > something like "alg":"ML-KEM-768","enc":"A256GCM" or
> > > "alg":"ML-KEM-768+A256KW" etc. (or "alg":"XWingXYZ+A256KW" or whatever we
> > > choose).
> > >
> > 
> > The use of a fully-specified algorithm aims to permit a limited set of
> > 'known good' PQ-KEM ciphersuites rather than allowing arbitrary
> > combinations of PQC algorithms, HKDF, and AEAD algorithms. For instance,
> > ML-KEM-768, with a PQ security level of 3, must not be used with A128GCM.
> 
> It is "should not be used", not "must not be used". Strength-matching is
> about performance: It does not make sense to pay significant extra cost
> to make another component more secure than another component which
> limits security (without other good reasons). However, strength-
> matching is no excuse to weaken algorithms without performance benefit
> (unfortunately I have heard of that happening).
> 
> The PQ security levels are defined to necessitate computational resources comparable to or greater than those required for an attack on AES (128, 192, and 256) and SHA-2/SHA-3 algorithms. This includes exhaustive key recovery for AES and optimal collision search for SHA-2/SHA-3. I don't see a reason why a draft should allow ML-KEM-768 (PQ Security Level 3) with A128GCM (PQ Security Level 1) as an exception, and allowing such arbitrary combinations would significantly increase the number of configurations.

This is already the case in JOSE - e.g. you can use ECDH-ES with P-521 and then specify A128GCM. You may not like that, but trying to change it retrospectively is a massive breaking change. 

-- Neil
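The "alg"/"enc" split that the thread turns on, as an added example that is not code from the thread or from draft-reddy-cose-jose-pqc-kem. It checks a JWE protected header on two separate levels: the spec-level requirement that "enc" be a registered AEAD (so a KEM placed in "enc" is rejected outright), and a deployment-policy check for strength matching that only warns, since the thread agrees this is a SHOULD rather than a MUST. The ML-KEM "alg" names are hypothetical (they follow the shape Neil sketched and are not registered), and the numeric categories are assumptions used only by the policy check: FIPS 203 categories for ML-KEM, AES key size mapped to 1/3/5 as Tirumal's message equates them; classical algorithms such as ECDH-ES carry no PQ category, which is why the P-521 + A128GCM combination Neil cites passes both checks.

```python
"""Checks a JWE protected header the way RFC 7516/7518 split it: "alg" names
key management, "enc" names the content-encryption AEAD. Added example, not
code from the thread or the draft. The ML-KEM "alg" names are hypothetical
(not registered); the numeric levels are assumptions used only by the policy
check (FIPS 203 categories for ML-KEM, AES key size mapped to 1/3/5)."""
import base64
import json

# Registered JWE "enc" values (RFC 7518 section 5.1); every one is an AEAD.
# Value: assumed symmetric strength category, used only by the policy check.
AEAD_ENC = {
    "A128GCM": 1, "A192GCM": 3, "A256GCM": 5,
    "A128CBC-HS256": 1, "A192CBC-HS384": 3, "A256CBC-HS512": 5,
}

# Key-management "alg" values. Classical entries are from RFC 7518 and carry
# None: they offer no post-quantum security, so there is nothing to match.
# The ML-KEM entries are hypothetical names with their FIPS 203 categories.
KEY_MGMT_ALG = {
    "dir": None, "RSA-OAEP-256": None,
    "ECDH-ES": None, "ECDH-ES+A128KW": None, "ECDH-ES+A256KW": None,
    "ML-KEM-512": 1, "ML-KEM-768": 3, "ML-KEM-1024": 5,      # hypothetical
    "ML-KEM-768+A256KW": 3,                                   # hypothetical
}


def encode_protected_header(header):
    """BASE64URL(UTF8(JSON)) without padding, as the JOSE serializations use."""
    raw = json.dumps(header, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def constructed_jwe(header):
    """Constructed compact JWE with empty encrypted key, IV, ciphertext and
    tag segments: enough to exercise header parsing, not a real encryption."""
    return encode_protected_header(header) + "...."


def parse_protected_header(compact_jwe):
    """Decode the first segment of a compact JWE back into a dict."""
    segment = compact_jwe.split(".", 1)[0]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded).decode("utf-8"))


def check_header(header):
    """Spec-level check: the hard requirements. Returns a list of errors.
    A KEM (or any non-AEAD) in "enc" is rejected here, regardless of policy."""
    errors = []
    alg = header.get("alg")
    enc = header.get("enc")
    if alg not in KEY_MGMT_ALG:
        errors.append(f'"alg" {alg!r} is not a known key-management algorithm')
    if enc not in AEAD_ENC:
        errors.append(f'"enc" MUST be an AEAD algorithm, got {enc!r}')
    return errors


def strength_warnings(header):
    """Policy-level check: strength matching is a SHOULD, so a mismatch is a
    warning, not an error. Only fires when both sides carry a post-quantum
    category, which leaves the classical key-management algorithms alone."""
    alg_level = KEY_MGMT_ALG.get(header.get("alg"))
    enc_level = AEAD_ENC.get(header.get("enc"))
    if alg_level is None or enc_level is None:
        return []
    if enc_level < alg_level:
        return [f'{header["enc"]} (category {enc_level}) is weaker than '
                f'{header["alg"]} (category {alg_level})']
    return []


if __name__ == "__main__":
    # Constructed headers covering the cases discussed in the thread.
    samples = [
        {"alg": "ML-KEM-768", "enc": "A256GCM"},   # the shape Neil proposes
        {"alg": "ML-KEM-768", "enc": "A128GCM"},   # valid, but policy warns
        {"alg": "ECDH-ES", "enc": "ML-KEM-768"},   # KEM in "enc": rejected
        {"alg": "ECDH-ES", "enc": "A128GCM"},      # already allowed today
    ]
    for h in samples:
        parsed = parse_protected_header(constructed_jwe(h))
        print(parsed, check_header(parsed), strength_warnings(parsed))
```

Keeping the two checks in separate functions is the design point: `check_header` encodes what the JWE specification mandates and is the same for every deployment, while `strength_warnings` holds the strength-matching preference a deployment may tighten into an error or relax, without touching interoperability.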