Re: [COSE] [jose] Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-00.txt

tirumal reddy <kondtir@gmail.com> Wed, 06 March 2024 09:47 UTC

In-Reply-To: <ZegskkAfMziZfEur@LK-Perkele-VII2.locald>
From: tirumal reddy <kondtir@gmail.com>
Date: Wed, 06 Mar 2024 15:16:55 +0530
Message-ID: <CAFpG3gczXHm9sPvX6LAcMHdKCcMn0QBoR=XTyz+wbWZLwin5CQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/NJESQ6wfsACAdsWpNs2wiD41urY>

On Wed, 6 Mar 2024 at 14:13, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:

> On Wed, Mar 06, 2024 at 11:50:04AM +0530, tirumal reddy wrote:
> > On Tue, 5 Mar 2024 at 20:48, Neil Madden <neil.e.madden@gmail.com> wrote:
> > >
> > > Regarding this specific draft under discussion, I'm confused why everyone
> > > keeps wanting to cram things into the "enc" header? JWE is quite clear that
> > > this header "MUST be an AEAD algorithm"[2]. KEMs are not AEADs. If we are
> > > going to add ML-KEM as an encryption algorithm then we should have
> > > something like "alg":"ML-KEM-768","enc":"A256GCM" or
> > > "alg":"ML-KEM-768+A256KW" etc. (or "alg":"XWingXYZ+A256KW" or whatever we
> > > choose).
> > >
> >
> > The use of a fully-specified algorithm aims to permit a limited set of
> > 'known good' PQ-KEM ciphersuites rather than allowing arbitrary
> > combinations of PQC algorithms, HKDF, and AEAD algorithms. For instance,
> > ML-KEM-768, with a PQ security level of 3, must not be used with A128GCM.
>
> It is "should not be used", not "must not be used". Strength-matching is
> about performance: It does not make sense to pay significant extra cost
> to make another component more secure than another component which
> limits security (without other good reasons). However,
> strength-matching is no excuse to weaken algorithms without performance
> benefit (unfortunately I have heard of that happening).
>

The PQ security levels are defined to necessitate computational resources
comparable to or greater than those required for an attack on AES (128,
192, and 256) and SHA-2/SHA-3 algorithms. This includes exhaustive key
recovery for AES and optimal collision search for SHA-2/SHA-3. I don't see
a reason why a draft should allow ML-KEM-768 (PQ Security Level 3) with
A128GCM (PQ Security Level 1) as an exception, and allowing such arbitrary
combinations would significantly increase the number of configurations.

-Tiru


>
> And draft-ietf-jose-fully-specified-algorithms-02 is very clear that
> ML-KEM MUST be added like in the above quoted post, not like the draft
> does it.
>
> Moreover, the JWE requirement that enc is an AEAD is critical for
> security. COSE forgot to add explicit requirement for all encryption
> algorithms to be authenticated. Then someone added algorithm that
> is not, which created an attack.
> -Ilari
>
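A policy check for the header forms argued over in this thread, written as an added example (it is not code from the thread, the draft, or any JOSE library): it decodes a JWE protected header, rejects a KEM named in "enc" because JWE requires "enc" to be an AEAD, and applies the stricter strength-matching reading under which the AEAD, and any key wrap in a "KEM+key-wrap" alg of the kind Neil suggests, must not be weaker than the KEM, so ML-KEM-768 with A128GCM is refused. The level tables are constructed for the example: ML-KEM-768 at level 3 and A128GCM at level 1 come from the thread, the other rows follow the NIST security categories and the AES key sizes.

```python
import base64
import json

# Assumed level tables (constructed for this example). ML-KEM-768 = level 3 and
# A128GCM = level 1 as in the thread; other rows follow NIST categories / AES key sizes.
KEM_LEVEL = {"ML-KEM-512": 1, "ML-KEM-768": 3, "ML-KEM-1024": 5}
KW_LEVEL = {"A128KW": 1, "A192KW": 3, "A256KW": 5}
AEAD_LEVEL = {"A128GCM": 1, "A192GCM": 3, "A256GCM": 5,
              "A128CBC-HS256": 1, "A192CBC-HS384": 3, "A256CBC-HS512": 5}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_jwe_header(protected_b64):
    """Return the policy violations for a JWE protected header; [] means accepted."""
    hdr = json.loads(b64url_decode(protected_b64))
    alg, enc = hdr.get("alg"), hdr.get("enc")
    issues = []
    # 1. JWE: "enc" MUST name an AEAD; a KEM is a key-establishment primitive, not an AEAD.
    if enc in KEM_LEVEL:
        issues.append(f"enc={enc} is a KEM, not an AEAD; put it in alg and pick an AEAD enc")
    elif enc not in AEAD_LEVEL:
        issues.append(f"enc={enc!r} is not a registered AEAD content encryption algorithm")
    # 2. alg is either a bare KEM ("ML-KEM-768") or KEM+key-wrap ("ML-KEM-768+A256KW").
    kem, _, kw = (alg or "").partition("+")
    if kem not in KEM_LEVEL:
        issues.append(f"alg={alg!r} is not an allowed fully-specified PQ-KEM algorithm")
        return issues
    if kw and kw not in KW_LEVEL:
        issues.append(f"alg={alg!r} uses unknown key wrap {kw!r}")
        return issues
    # 3. Strength matching (the stricter "must not" reading): the AEAD and any key wrap
    #    must provide at least the KEM's level, e.g. ML-KEM-768 rejects A128GCM.
    level = KEM_LEVEL[kem]
    if enc in AEAD_LEVEL and AEAD_LEVEL[enc] < level:
        issues.append(f"enc={enc} (level {AEAD_LEVEL[enc]}) is weaker than {kem} (level {level})")
    if kw and KW_LEVEL[kw] < level:
        issues.append(f"key wrap {kw} (level {KW_LEVEL[kw]}) is weaker than {kem} (level {level})")
    return issues

def encode_header(**fields):
    """Build a base64url JWE protected header for the constructed samples below."""
    return base64.urlsafe_b64encode(json.dumps(fields).encode()).decode().rstrip("=")

if __name__ == "__main__":
    for h in ({"alg": "ML-KEM-768", "enc": "A256GCM"}, {"alg": "ML-KEM-768+A256KW", "enc": "A256GCM"},
              {"alg": "ML-KEM-768", "enc": "A128GCM"}, {"alg": "RSA-OAEP", "enc": "ML-KEM-768"}):
        print(h, "->", check_jwe_header(encode_header(**h)) or "OK")
```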