Re: [COSE] [jose] Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-00.txt

tirumal reddy <kondtir@gmail.com> Wed, 06 March 2024 11:51 UTC

From: tirumal reddy <kondtir@gmail.com>
Date: Wed, 06 Mar 2024 17:21:02 +0530
Message-ID: <CAFpG3gd9pP7MtJWmX_k5tTSEmDK9KoBiZxWByatYBCeTR=_n4g@mail.gmail.com>
To: Neil Madden <neil.e.madden@gmail.com>
Cc: Ilari Liusvaara <ilariliusvaara@welho.com>, cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/fP4OqODf1dHtYkGihO4b0OwLrsQ>

On Wed, 6 Mar 2024 at 15:22, Neil Madden <neil.e.madden@gmail.com> wrote:

> On 6 Mar 2024, at 09:46, tirumal reddy <kondtir@gmail.com> wrote:
>
>
> On Wed, 6 Mar 2024 at 14:13, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
>
>> On Wed, Mar 06, 2024 at 11:50:04AM +0530, tirumal reddy wrote:
>> > On Tue, 5 Mar 2024 at 20:48, Neil Madden <neil.e.madden@gmail.com> wrote:
>> > >
>> > > Regarding this specific draft under discussion, I'm confused why
>> > > everyone keeps wanting to cram things into the "enc" header? JWE is
>> > > quite clear that this header "MUST be an AEAD algorithm"[2]. KEMs are
>> > > not AEADs. If we are going to add ML-KEM as an encryption algorithm
>> > > then we should have something like "alg":"ML-KEM-768","enc":"A256GCM"
>> > > or "alg":"ML-KEM-768+A256KW" etc. (or "alg":"XWingXYZ+A256KW" or
>> > > whatever we choose).
>> > >
>> >
>> > The use of a fully-specified algorithm aims to permit a limited set of
>> > 'known good' PQ-KEM ciphersuites rather than allowing arbitrary
>> > combinations of PQC algorithms, HKDF, and AEAD algorithms. For instance,
>> > ML-KEM-768, with a PQ security level of 3, must not be used with
>> > A128GCM.
>>
>> It is "should not be used", not "must not be used". Strength-matching is
>> about performance: it does not make sense to pay significant extra cost
>> to make another component more secure than another component which
>> limits security (without other good reasons). However, strength-matching
>> is no excuse to weaken algorithms without performance benefit
>> (unfortunately I have heard of that happening).
>>
>
> The PQ security levels are defined to necessitate computational resources
> comparable to or greater than those required for an attack on AES (128,
> 192, and 256) and SHA-2/SHA-3 algorithms. This includes exhaustive key
> recovery for AES and optimal collision search for SHA-2/SHA-3. I don't see
> a reason why a draft should allow ML-KEM-768 (PQ Security Level 3) with
> A128GCM (PQ Security Level 1) as an exception, and allowing such arbitrary
> combinations would significantly increase the number of configurations.
>
>
> This is already the case in JOSE - e.g. you can use ECDH-ES with P-521 and
> then specify A128GCM. You may not like that, but trying to change it
> retrospectively is a massive breaking change.
>

HPKE already specifies the combination of KEM, KDF, and AEAD. The need for
specifying the AEAD is two-fold: to restrict the number of combinations and
to address the threat to symmetric cryptography from quantum computers (see
https://www.ietf.org/archive/id/draft-ietf-pquip-pqc-engineers-03.html#section-7.1
for details). NIST suggests that both AES-192 and AES-256 will remain
secure for a very long time but allows applications to continue using AES
with a key size of 128 (see
https://csrc.nist.gov/Projects/post-quantum-cryptography/faqs).

-Tiru

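The two header encodings Neil proposes ("alg":"ML-KEM-768" with an AEAD in "enc", or a fully specified "alg":"ML-KEM-768+A256KW") and Tiru's level-matching rule, expressed as a recipient-side policy check over a JWE protected header. This is an added example, not code from the draft or from either poster; the security-category table is an assumption taken from the thread's AES-128/192/256 mapping (ML-KEM-768 at category 3, A128GCM at category 1, the rest filled in by the same rule), and the JWE test vectors are constructed with only the header segment populated.

```python
import base64
import json

# Assumed policy table (not from the draft): NIST PQC security category each
# mechanism is held to, using the AES-128/192/256 mapping from the thread.
KEM_LEVEL = {"ML-KEM-512": 1, "ML-KEM-768": 3, "ML-KEM-1024": 5}
AEAD_LEVEL = {"A128GCM": 1, "A192GCM": 3, "A256GCM": 5}
WRAP_LEVEL = {"A128KW": 1, "A192KW": 3, "A256KW": 5}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_protected_header(jwe_compact: str) -> dict:
    """Decode the protected header of a JWE in compact serialization."""
    parts = jwe_compact.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE (expected 5 segments)")
    return json.loads(b64url_decode(parts[0]))


def check_strength_match(header: dict) -> tuple[bool, str]:
    """Return (ok, reason). 'enc' must name an AEAD (JWE rule); 'alg' is either
    a bare KEM or 'KEM+KW'. Reject if the AEAD or the key wrap sits below the
    KEM's category (the thread's strict 'must not' reading)."""
    alg = header.get("alg", "")
    enc = header.get("enc", "")
    if enc not in AEAD_LEVEL:
        return False, f"enc {enc!r} is not a recognised AEAD"
    kem, _, wrap = alg.partition("+")
    if kem not in KEM_LEVEL:
        return False, f"alg {alg!r} is not a recognised KEM"
    kem_level = KEM_LEVEL[kem]
    if wrap:
        if wrap not in WRAP_LEVEL:
            return False, f"key wrap {wrap!r} is not recognised"
        if WRAP_LEVEL[wrap] < kem_level:
            return False, f"{wrap} is weaker than {kem}"
    if AEAD_LEVEL[enc] < kem_level:
        return False, f"{enc} (level {AEAD_LEVEL[enc]}) is weaker than {kem} (level {kem_level})"
    return True, "ok"


def check_jwe(jwe_compact: str) -> tuple[bool, str]:
    return check_strength_match(parse_protected_header(jwe_compact))


def make_jwe(header: dict) -> str:
    """Constructed test vector: only the protected header segment is real."""
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return ".".join([h, "", "", "", ""])
```

A deployment that follows Ilari's "should not" reading would log a mismatch from this check rather than reject the message.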