Re: [COSE] [jose] Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-00.txt

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 06 March 2024 09:09 UTC

Date: Wed, 06 Mar 2024 11:09:26 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: cose@ietf.org, jose@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/mFBLcXtWx4x-6T5LxklCXKcgMcU>

On Wed, Mar 06, 2024 at 01:11:26PM +0530, tirumal reddy wrote:
> Hi Ilari,
> 
> On Tue, 5 Mar 2024 at 20:53, Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> 
> > The way KEMs operate is extremely similar to how ECDH-ES works. So the
> > way to add KEMs is to copy ECDH-ES (fully specified if needed) and make
> > small modifications required for it to work.
> >
> 
> I think you are proposing the following changes:
> 
> 1) Direct key Agreement: The alg parameter will carry the fully specified PQ
> KEM with KDF and AEAD (e.g., PQ-MLKEM768-SHA3-384-AES256). No need to
> define "PQ-Direct" in this mode.

Direct Key Agreement does not use AEAD for anything. If using a KEM, it
just combines KEM and KDF (the existing ECDH-ES implicitly uses SHA-256).

Moreover, there is no need for PQ, and usually with SHA-3, one uses
SHAKE256 instead of >256-bit SHA-3. There is only ever going to be one
variant, so might as well leave that out from the name.

So something like "MLKEM768". "enc" parameter will retain its meaning
specified in JWE.

The way it works will be extremely close to how ECDH-ES works.


> 2) Key Agreement with Key Wrapping: alg parameter will carry the fully
> specified PQ KEM with KDF and AEAD key wrap (e.g.,
> PQ-MLKEM768-SHA3-384-AES256KW). The "enc" parameter will be used as usual
> to carry AEAD to encrypt the content.

Again, per above plus some conventions, it would be "MLKEM768+A256KW".

And the way it works is extremely close to ECDH-ES+A256KW.


> > The two main modifications compared to ECDH-ES are:
> >
> > 1) The shared secret is generated by encapsulation/decapsulation instead
> >    of ECDH operation.
> > 2) New header parameter for KEM ciphertext, as it is octet string and
> >    not a key.
> >
> 
> Yes, it is possible to introduce a new header parameter to carry the
> KEM ciphertext.

In COSE, one can reuse the -4 from COSE-HPKE draft as it has all the
correct properties. However, JOSE needs a new parameter.




-Ilari
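
Added example, not part of the original message or of the draft under discussion: a sketch of the two ECDH-ES-like modes above, with the shared secret produced by KEM encapsulation/decapsulation instead of ECDH. It assumes the RFC 7518 Concat KDF (SHA-256) is kept unchanged; the DH-based KEM is a toy stand-in for ML-KEM, and "kem_ct" is a hypothetical header parameter name.

```python
import hashlib
import secrets
import struct

# Toy stand-in KEM (assumption: NOT ML-KEM and NOT secure). Plain DH mod 2**255-19,
# used only because it has the same keygen/encapsulate/decapsulate shape.
P, G = 2**255 - 19, 2

def kem_keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def kem_encapsulate(pk):
    r = secrets.randbelow(P - 2) + 1
    ct = pow(G, r, P).to_bytes(32, "big")            # octet string, not a key
    return ct, pow(pk, r, P).to_bytes(32, "big")     # (ciphertext, shared secret)

def kem_decapsulate(sk, ct):
    return pow(int.from_bytes(ct, "big"), sk, P).to_bytes(32, "big")

def _len_prefixed(data):
    return struct.pack(">I", len(data)) + data

def concat_kdf(z, algorithm_id, keybits, apu=b"", apv=b""):
    """Concat KDF with SHA-256 as ECDH-ES uses it (RFC 7518 section 4.6)."""
    other_info = (_len_prefixed(algorithm_id.encode()) + _len_prefixed(apu)
                  + _len_prefixed(apv) + struct.pack(">I", keybits))
    out, counter = b"", 1
    while len(out) * 8 < keybits:
        out += hashlib.sha256(struct.pack(">I", counter) + z + other_info).digest()
        counter += 1
    return out[: keybits // 8]

def _algorithm_id(alg, enc):
    # ECDH-ES convention: "enc" in direct mode, "alg" when a key wrap follows.
    return alg if "+" in alg else enc

def sender_derive(recipient_pk, alg, enc, keybits):
    ct, z = kem_encapsulate(recipient_pk)            # replaces the ECDH operation
    # "kem_ct" is a hypothetical name; the value would be base64url on the wire.
    header = {"alg": alg, "enc": enc, "kem_ct": ct}
    return header, concat_kdf(z, _algorithm_id(alg, enc), keybits)

def recipient_derive(sk, header, keybits):
    z = kem_decapsulate(sk, header["kem_ct"])
    return concat_kdf(z, _algorithm_id(header["alg"], header["enc"]), keybits)
```

With "MLKEM768" the derived key is the content encryption key for "enc"; with "MLKEM768+A256KW" it is the key-wrapping key and "enc" keeps its usual role.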