Re: [COSE] draft-ietf-cose-hpke-00 and proposed changes for -01

Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 20 January 2022 17:49 UTC

Date: Thu, 20 Jan 2022 19:49:13 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: "cose@ietf.org" <cose@ietf.org>
Message-ID: <YemgmVX/zsWFQfA/@LK-Perkele-VII2.locald>
References: <DBBPR08MB5915C899B9EF8122898057BDFA579@DBBPR08MB5915.eurprd08.prod.outlook.com> <YeVQooQEGzfjFeE9@LK-Perkele-VII2.locald> <DBBPR08MB5915C7AFF11B55A8AA8CBBEEFA579@DBBPR08MB5915.eurprd08.prod.outlook.com> <YeWbRYe13Mk+IV+2@LK-Perkele-VII2.locald> <DBBPR08MB591586D6CB6BAF7B5354F517FA589@DBBPR08MB5915.eurprd08.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <DBBPR08MB591586D6CB6BAF7B5354F517FA589@DBBPR08MB5915.eurprd08.prod.outlook.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/kAhNTXOz-zQYt0MRonS86ghlL7Q>
Subject: Re: [COSE] draft-ietf-cose-hpke-00 and proposed changes for -01

On Tue, Jan 18, 2022 at 11:20:34AM +0000, Hannes Tschofenig wrote:
> Hi Ilari,
> 
> [Hannes] I think you are suggesting to do this:
> 
>    96(
>        [
>            // protected field with alg=AES-GCM-128
>            h'A10101',
>            {   // unprotected field with iv
>                5: h'26682306D4FB28CA01B43B80'
>            },
>            // null because of detached ciphertext
>            null,
>            [   // COSE_recipient_outer
>                / protected / h'a1013818' / {
>                    / hpke-alg / 1:16 / HPKE/P-256+HKDF-256 /
>                    hpke-aead-id: 1    // AES-128-GCM
>                } / ,
>                / unprotected / {
>                    // HPKE encapsulated key
>                    / ephemeral / -1:{
>                        / kty / 1:2,
>                        / crv / -1:1,
>                        / x / -2:h'98f50a4ff6c05861c8...90bbf91d6280',
>                        / y / -3:true
>                    },
>                    // kid for recipient static ECDH public key
>                    / kid / 4:'meriadoc.brandybuck@buckland.example'
>                },
>                // Encrypted CEK
>                h'FA55A50CF110908DA6443149F2C2062011A7D8333A72721A'
>            ]
>        ]
>    )

Yeah, thereabouts.

I am not sure what the best precise variation to use is.

- I would like there to be generic support for all HPKE algorithms.
  The most compact way of doing this is:
  * Have a new alg=hpke, which has the AEAD id as a parameter.
  * Have a new kty=hpke, which has the KEM and KDF ids as parameters,
    as well as the raw public/encapsulated key.

  However, this runs into size issues with P-x curves.

  HPKE encapsulated key for KEM=33, KDF=2, would be roughly:

  -1:{
      1:<id-kty-hpke>,
      -1:33,
      -2:2,
      -3:h'...'
  }

  This would be 11 bytes of overhead, assuming typical PQC sizes.

- Solving the P-x size issues, option a):

  * With EC2, do not include explicit KEM and KDF ids.
  * The public keys are unpacked into public/encapsulated keys.

  This roughly corresponds to the above, but with no hpke-alg.

- Solving the P-x size issues, option b):

  * Use the HPKE kty, with negative KEM id.
  * Pack the P-x keys using the same compression as in C509.

  AFAICT, this is one byte more compact than a) with P-x keys.
  The ephemeral key would roughly be:

  -1:{
      1:<id-kty-hpke>,
      -1:-1,
      -3:h'0398f50a4ff6c05861c8...90bbf91d6280'
  }

  For X25519 and X448, both options above save 3 bytes.

And it looks like I underestimated the space savings from cose_encrypt0
if one only has one recipient. The savings are more like 50 bytes or
so (more for 192-bit and 256-bit levels).



-Ilari
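The size arguments in the message above can be checked by actually encoding the candidate ephemeral-key maps. The following is an added example, not code from the thread or from the COSE HPKE draft: a minimal CBOR encoder (integers, byte strings, booleans, maps) and the three key shapes under discussion. The value `KTY_HPKE = 7` is an assumed placeholder for an unregistered kty=hpke (any value below 24 encodes in one byte, which is all that matters for the comparison), the key bytes are constructed zero-filled strings of realistic length, and the compressed P-256 point uses a one-byte `0x03` prefix as in the `h'03...'` sketch above. KEM and KDF identifiers are the RFC 9180 values; curve and kty identifiers are the registered COSE values.

```python
# Added example: encoded-size comparison of the ephemeral-key encodings
# discussed in the thread. Minimal CBOR encoder covering the RFC 8949
# subset needed here: unsigned/negative ints, byte strings, bools, maps.

def _head(major: int, n: int) -> bytes:
    """CBOR initial byte plus the shortest argument encoding for n."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")


def encode(value) -> bytes:
    """Encode an int, bytes, bool or dict (map entries in insertion order)."""
    if isinstance(value, bool):                 # bool is a subclass of int: test first
        return b"\xf5" if value else b"\xf4"
    if isinstance(value, int):
        return _head(0, value) if value >= 0 else _head(1, -1 - value)
    if isinstance(value, bytes):
        return _head(2, len(value)) + value
    if isinstance(value, dict):
        body = b"".join(encode(k) + encode(v) for k, v in value.items())
        return _head(5, len(value)) + body
    raise TypeError(f"unsupported type: {type(value).__name__}")


def size(value) -> int:
    return len(encode(value))


KTY_OKP, KTY_EC2 = 1, 2                         # registered COSE kty values
KTY_HPKE = 7                                    # ASSUMED placeholder for a new kty=hpke
CRV_P256, CRV_X25519, CRV_X448 = 1, 4, 5        # registered COSE curve ids
KEM_P256, KEM_X25519, KEM_X448 = 0x10, 0x20, 0x21   # RFC 9180 KEM ids
KDF_HKDF_SHA256, KDF_HKDF_SHA512 = 1, 3         # RFC 9180 KDF ids


def generic_hpke_key(kem_id: int, kdf_id: int, enc: bytes) -> dict:
    """Generic form: kty=hpke with explicit KEM and KDF ids plus raw enc."""
    return {1: KTY_HPKE, -1: kem_id, -2: kdf_id, -3: enc}


def ec2_key_compressed(x: bytes) -> dict:
    """Option a) for P-x: plain EC2 key, y carried as a bool (point compression)."""
    return {1: KTY_EC2, -1: CRV_P256, -2: x, -3: True}


def okp_key(crv: int, x: bytes) -> dict:
    """Option a) for X25519/X448: plain OKP key."""
    return {1: KTY_OKP, -1: crv, -2: x}


def compressed_hpke_key(point: bytes) -> dict:
    """Option b): kty=hpke, negative KEM id, single compressed-point byte string."""
    return {1: KTY_HPKE, -1: -1, -3: point}


def compare() -> dict:
    """Encoded sizes (bytes) for constructed keys of realistic lengths."""
    p256_x = bytes(32)                 # constructed: 32-byte P-256 x coordinate
    p256_point = b"\x03" + p256_x      # constructed: prefix byte + x, as in the sketch
    x25519 = bytes(32)                 # constructed: 32-byte X25519 public key
    x448 = bytes(56)                   # constructed: 56-byte X448 public key
    return {
        "p256_option_a": size(ec2_key_compressed(p256_x)),
        "p256_option_b": size(compressed_hpke_key(p256_point)),
        "x25519_generic": size(generic_hpke_key(KEM_X25519, KDF_HKDF_SHA256, x25519)),
        "x25519_compact": size(okp_key(CRV_X25519, x25519)),
        "x448_generic": size(generic_hpke_key(KEM_X448, KDF_HKDF_SHA512, x448)),
        "x448_compact": size(okp_key(CRV_X448, x448)),
    }


if __name__ == "__main__":
    # Sanity check against the two protected headers quoted in the thread.
    assert encode({1: 1}) == bytes.fromhex("A10101")
    assert encode({1: -25}) == bytes.fromhex("a1013818")
    for name, n in compare().items():
        print(f"{name}: {n} bytes")
```

Running `compare()` gives 42 bytes for the EC2 form and 41 for option b) with P-256, and 43 versus 40 bytes (X25519) and 67 versus 64 bytes (X448) for the generic form versus the plain OKP form, which matches the "one byte more compact" and "save 3 bytes" figures in the message. The extra byte in the P-256 case is the `-3: true` entry; the three bytes in the X25519/X448 cases are the two-byte KEM id (32 and 33 need the 0x18 one-byte-argument form) plus the KDF entry.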