IETF Logo Mail Archive

Re: [COSE] Updating the COSE alg registry for HPKE

Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 06 July 2023 08:19 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5A34C14CEFE for <cose@ietfa.amsl.com>; Thu, 6 Jul 2023 01:19:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.896
X-Spam-Level:
X-Spam-Status: No, score=-6.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c3ARBfCUxYKT for <cose@ietfa.amsl.com>; Thu, 6 Jul 2023 01:19:08 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C292C14CF17 for <cose@ietf.org>; Thu, 6 Jul 2023 01:19:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 20A592126F for <cose@ietf.org>; Thu, 6 Jul 2023 11:19:05 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id ce-iPvqk9Oqe for <cose@ietf.org>; Thu, 6 Jul 2023 11:19:04 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-94-129-82.rev.dnainternet.fi [87.94.129.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 58D30230A for <cose@ietf.org>; Thu, 6 Jul 2023 11:19:03 +0300 (EEST)
Date: Thu, 06 Jul 2023 11:19:02 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: cose <cose@ietf.org>
Message-ID: <ZKZ49kp3Ve2LAG89@LK-Perkele-VII2.locald>
References: <ZIC0QkJh5uV4Z8hB@LK-Perkele-VII2.locald> <4AFF8D80-037E-46BA-8444-104A3711327A@island-resort.com> <CAFWvErWJY5CFxMDCJGYSq7eJid4-_Ak=R_NVPNAa=B0XkJiGxA@mail.gmail.com> <CAN8C-_+1GHLqFMwLH3x8kN_RtQd2K6wXjV-mFCftcreqYbMEMQ@mail.gmail.com> <PH0PR02MB72562293527E9E3A4C215999F225A@PH0PR02MB7256.namprd02.prod.outlook.com> <ZJ3sZSq25Owq/Cmc@LK-Perkele-VII2.locald> <PH0PR02MB7256A70FD3F4CDD4E0587E1BF22FA@PH0PR02MB7256.namprd02.prod.outlook.com> <244BCF09-5188-48C5-B63D-2F2C20154F3E@island-resort.com> <ZKWvA2yKauIdKqv1@LK-Perkele-VII2.locald> <CAN8C-_+bez3jykTB7sWvegKUuZ8RH66Q4fD1i_SEGstd9s0xJw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAN8C-_+bez3jykTB7sWvegKUuZ8RH66Q4fD1i_SEGstd9s0xJw@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/ciokMENeHCH5Yzdf8FQtGzD9xIM>
Subject: Re: [COSE] Updating the COSE alg registry for HPKE
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jul 2023 08:19:12 -0000

On Wed, Jul 05, 2023 at 04:31:37PM -0500, Orie Steele wrote:
> Inline:
> 
> On Wed, Jul 5, 2023 at 12:59 PM Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> 
> > On Wed, Jul 05, 2023 at 05:03:28PM +0000, lgl island-resort.com wrote:
> >
> > There would currently be 2. Little idea about what happens in the
> > future. I would imagine there will be at least:
> >
> > - X25519+MLWE-KEM-768
> > - P-384+MLWE-KEM-1024
> > - X448+MLWE-KEM-1024
> > - MLWE-KEM-1024 (CNSA2)
> >
> >
> https://www.iana.org/assignments/hpke/hpke.xhtml#hpke-kem-ids
> 
> So far I only see X25519Kyber768Draft00 ...
> https://datatracker.ietf.org/doc/draft-westerbaan-cfrg-hpke-xyber768d00/02/

Well, yeah. MLWE-KEM (or whatever) is due 2024, as standardized version
of Kyber.

 
> I have no idea how to represent keys for this using JWK or COSE Key, but
> the current draft seems compatible with either "alg" or "sender info / hkc"
> approach.

{
   "kty":"HPKE",
   "kem":48,
   "pub":"some_base64url_gunk"
}

(Add priv for private keys, translate to COSE in the usual way.)


> > And while inferring KEM from key is regarded as too complex, I think it
> > is technically possible.
> >
> >
> It's especially possible in the case that you meant "key serialization" as
> in "JWK" or "COSE Key".
> 
> It remains better to be explicit, in case some variant of P-256 DHKem
> emerges in the future...
>
> which could happen, as soon as the HPKE registry takes an update (notice
> that the draft for x25519 + kyber hybrid scheme has already been added to
> the registry).

There is already HPKE extensions draft, which adds a second KEM
compatible with P-256/P-384/P-521. That can be detected from length of
encapsulated key (32/48/66 vs. 65/97/133).

A really nasty one would be another KEM with the same EK length but
different internal KDF (e.g. based on SHA-3 instead of SHA-2). That
could cause some major pain without having full KEM identifiers.

 
> There have been critical security bugs related to not validating key to
> algorithm bindings.
> I'm not asserting this kind of thing applies to DHKems, or composit /
> hybrid kems....
> I don't know if it does, or if feeding different encapsulated keys that
> don't match the kem id does anything useful, other than error...
> (regardless of twisting or hybrid stuff used).
> 
> https://crypto.stackexchange.com/questions/43132/is-elliptic-curve-diffie-hellman-ecdh-still-secure-if-i-use-the-public-key-mor

It is actually possible to have nasty cases, even with ECDH.

It is possible to come up with (pathological) ECDHKem BAD such that:

- If used with legimately generated keys, BAD is roughly as secure as
  x25519.
- BAD keys and ciphertexts have the same length as x25519 keys and
  ciphertexts.
- If one tries to encrypt using BAD with x25519 key, there is about
  50% chance that the result is easily breakable.

Now, such KEM would look somewhat suspicious, but one could design
less suspicious KEM that interacts badly with something else. Esp.
compact version of P-384.

As for non-ECDH KEMs, those could react badly to algorithm mixup just
by accident.


> > > There’s a lot of flexibility if this doesn’t suit your use case.
> > > The COSE IANA alg registry ranges from the private use (less than
> > > -65536) that has no requirements to a full IETF standard. Note
> > > that the recent Chinese algorithm registration was content with
> > > specification required.
> >
> > I much rather have these _not_ have a specification, as that would
> > make it possible for there to be a special snowflakes, which would
> > cause a lot of pain for anyone implementing those.
> >
>
> I don't follow... Can you restate what you mean here?

For example, anything that sticks the encapsulated key into different
place compared to the rest. For whatever reason.
 

> > > I would expect final agreed-upon HPKE PQ algorithms would come in
> > > as informational RFCs since HPKE and RFC 9053 are informational.
> > > For something as important as this, I would think the informational
> > > RFC process is about the right level. There should be a good public
> > > discussion and agreement.
> >
> > There is already Kyber I-D, that is intended to serve as precursor to
> > MLWE-KEM (or whatever it is). For asymmetric encryption, it essentially
> > says "Use HPKE". Intended status is informational RFC.
> >
> > It forms the basis of current post-quantum algorithm in HPKE.
> 
> Where are you getting the term "MLWE-KEM" from?

I vaguely remember some discussions about what the eventual standardized
version of Kyber (and Dilithium) will be called. 

MLWE stands for Module Learning With Errors.




-Ilari

v2.23.0 | Report a Bug | By Email