Re: [COSE] [jose] Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-00.txt

Neil Madden <neil.e.madden@gmail.com> Tue, 05 March 2024 15:18 UTC

From: Neil Madden <neil.e.madden@gmail.com>
Message-Id: <F60D40C8-1870-4485-9EDC-F906AF4A60F2@gmail.com>
Date: Tue, 05 Mar 2024 15:18:07 +0000
In-Reply-To: <CAFWvErUpD+p5enboksM1QiPq1ixJnRMi2NM4oyu+_8XQo_f++Q@mail.gmail.com>
Cc: Orie Steele <orie@transmute.industries>, tirumal reddy <kondtir@gmail.com>, cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
To: AJITOMI Daisuke <ajitomi@gmail.com>
References: <170944215832.65165.15558599263256086018@ietfa.amsl.com> <CAFpG3gdGiw2wap8C1H+AOWvEn1ewSjmtBmghKKAvNBmXnDmoYg@mail.gmail.com> <CAN8C-_KZifohssn3WoZa6Qn3QMeh0YMya6c8RGa1ZieWgRY9=A@mail.gmail.com> <CAFWvErUpD+p5enboksM1QiPq1ixJnRMi2NM4oyu+_8XQo_f++Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/o-0k_87HNEgzqnzn5X55cTaa7Ck>
Subject: Re: [COSE] [jose] Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-00.txt

> On 5 Mar 2024, at 14:41, AJITOMI Daisuke <ajitomi@gmail.com> wrote:
> 
> > I think we should use HPKE until there is reason not to use it.
> 
> I agree.

I think there *are* lots of reasons not to use HPKE. I described some of them in my previous message to this list [1]. For a start, including all of HPKE is using a sledgehammer if all we want is a PQC option for JOSE, not to mention that it doesn't help at all with signatures. What it does do is create redundancy with existing JOSE ECDH algorithms and introduce some new ones that have glaring security issues when used in JOSE (refer to my previous message). 

> 
> Regarding ML-KEM, I was thinking that we should add X-Wing as a PQ/T Hybrid KEM to the list of COSE-HPKE ciphersuites at first.
> 
> X-Wing: general-purpose hybrid post-quantum KEM
> https://datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem/
> 

There are a bunch of proposals for hybrid schemes under discussion in CFRG. I agree that we should generally adopt one of those rather than ML-KEM on its own, but we should perhaps let the dust settle on those discussions before moving ahead with one here.

Regarding this specific draft under discussion, I'm confused why everyone keeps wanting to cram things into the "enc" header? JWE is quite clear that this header "MUST be an AEAD algorithm"[2]. KEMs are not AEADs. If we are going to add ML-KEM as an encryption algorithm then we should have something like "alg":"ML-KEM-768","enc":"A256GCM" or "alg":"ML-KEM-768+A256KW" etc. (or "alg":"XWingXYZ+A256KW" or whatever we choose).

-- Neil

[1]: https://mailarchive.ietf.org/arch/msg/jose/-1rVajt_tnl2Ai-Cz3ioRI8BxtQ/
[2]: https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.2
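The alg/enc split argued for above, as an added example that is not part of the message or of the draft: a small validator for a JWE protected header that accepts only the AEAD content-encryption algorithms registered in RFC 7518 section 5.1 in "enc" and so rejects a KEM name placed there. The "ML-KEM-768" and "ML-KEM-768+A256KW" values are the hypothetical identifiers from the message, not registered JWA names.

```python
import base64
import json

# Content-encryption ("enc") algorithms registered in RFC 7518 section 5.1.
# RFC 7516 section 4.1.2 requires "enc" to be an AEAD algorithm; all of these are.
AEAD_ENC_ALGS = frozenset({
    "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512",
    "A128GCM", "A192GCM", "A256GCM",
})


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def protected_header(alg: str, enc: str) -> str:
    """Build the base64url-encoded JWE protected header segment for alg/enc."""
    header = json.dumps({"alg": alg, "enc": enc}, separators=(",", ":"))
    return b64url_encode(header.encode("utf-8"))


def check_jwe_header(segment: str) -> dict:
    """Decode a protected header segment and enforce the RFC 7516 alg/enc split.

    Returns the parsed header on success and raises ValueError otherwise.
    """
    header = json.loads(b64url_decode(segment))
    alg, enc = header.get("alg"), header.get("enc")
    if not isinstance(alg, str) or not isinstance(enc, str):
        raise ValueError('JWE protected header needs string "alg" and "enc"')
    if enc not in AEAD_ENC_ALGS:
        # A KEM or hybrid-KEM name in "enc" lands here: it is a key management
        # algorithm and belongs in "alg" (RFC 7516 section 4.1.1), e.g.
        # {"alg":"ML-KEM-768","enc":"A256GCM"} (hypothetical alg identifier).
        raise ValueError(
            f'"enc" must name an AEAD content-encryption algorithm, got {enc!r}')
    return header
```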