Re: [COSE] [jose] Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-00.txt

Neil Madden <neil.e.madden@gmail.com> Wed, 06 March 2024 13:33 UTC

From: Neil Madden <neil.e.madden@gmail.com>
Message-Id: <C7C587D7-FC7D-4B85-AA4F-456865A6F3D0@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E9517504-1B80-4D17-A3F4-E7D57B0975C9"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.4\))
Date: Wed, 06 Mar 2024 13:33:44 +0000
In-Reply-To: <CAFpG3gd9pP7MtJWmX_k5tTSEmDK9KoBiZxWByatYBCeTR=_n4g@mail.gmail.com>
Cc: Ilari Liusvaara <ilariliusvaara@welho.com>, cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
To: tirumal reddy <kondtir@gmail.com>
References: <170944215832.65165.15558599263256086018@ietfa.amsl.com> <CAFpG3gdGiw2wap8C1H+AOWvEn1ewSjmtBmghKKAvNBmXnDmoYg@mail.gmail.com> <CAN8C-_KZifohssn3WoZa6Qn3QMeh0YMya6c8RGa1ZieWgRY9=A@mail.gmail.com> <CAFWvErUpD+p5enboksM1QiPq1ixJnRMi2NM4oyu+_8XQo_f++Q@mail.gmail.com> <F60D40C8-1870-4485-9EDC-F906AF4A60F2@gmail.com> <CAFpG3gdxu7L4nwrTdKhLHKEJ3qciWV2A+xXPwHieH5DMtj+vjw@mail.gmail.com> <ZegskkAfMziZfEur@LK-Perkele-VII2.locald> <CAFpG3gczXHm9sPvX6LAcMHdKCcMn0QBoR=XTyz+wbWZLwin5CQ@mail.gmail.com> <CFD846C5-C599-4CF6-95A2-342493050500@gmail.com> <CAFpG3gd9pP7MtJWmX_k5tTSEmDK9KoBiZxWByatYBCeTR=_n4g@mail.gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/wefv8VGMOzz4biBy0xDid8p6qwE>
Subject: Re: [COSE] [jose] Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-00.txt
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2024 13:33:51 -0000

On 6 Mar 2024, at 11:51, tirumal reddy <kondtir@gmail.com> wrote:
> 
> On Wed, 6 Mar 2024 at 15:22, Neil Madden <neil.e.madden@gmail.com> wrote:
> On 6 Mar 2024, at 09:46, tirumal reddy <kondtir@gmail.com> wrote:
>> 
>> On Wed, 6 Mar 2024 at 14:13, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
>> On Wed, Mar 06, 2024 at 11:50:04AM +0530, tirumal reddy wrote:
>> > On Tue, 5 Mar 2024 at 20:48, Neil Madden <neil.e.madden@gmail.com> wrote:
>> > >
>> > > Regarding this specific draft under discussion, I'm confused why everyone
>> > > keeps wanting to cram things into the "enc" header? JWE is quite clear that
>> > > this header "MUST be an AEAD algorithm"[2]. KEMs are not AEADs. If we are
>> > > going to add ML-KEM as an encryption algorithm then we should have
>> > > something like "alg":"ML-KEM-768","enc":"A256GCM" or
>> > > "alg":"ML-KEM-768+A256KW" etc. (or "alg":"XWingXYZ+A256KW" or whatever we
>> > > choose).
>> > >
>> > 
>> > The use of a fully-specified algorithm aims to permit a limited set of
>> > 'known good' PQ-KEM ciphersuites rather than allowing arbitrary
>> > combinations of PQC algorithms, HKDF, and AEAD algorithms. For instance,
>> > ML-KEM-768, with a PQ security level of 3, must not be used with A128GCM.
>> 
>> It is "should not be used", not "must not be used". Strength-matching is
>> about performance: it does not make sense to pay significant extra cost
>> to make one component more secure than another component which
>> limits security (without other good reasons). However, strength-matching
>> is no excuse to weaken algorithms without performance benefit
>> (unfortunately I have heard of that happening).
>> 
>> The PQ security levels are defined to necessitate computational resources comparable to or greater than those required for an attack on AES (128, 192, and 256) and SHA-2/SHA-3 algorithms. This includes exhaustive key recovery for AES and optimal collision search for SHA-2/SHA-3. I don't see a reason why a draft should allow ML-KEM-768 (PQ Security Level 3) with A128GCM (PQ Security Level 1) as an exception, and allowing such arbitrary combinations would significantly increase the number of configurations.
> 
> This is already the case in JOSE - e.g. you can use ECDH-ES with P-521 and then specify A128GCM. You may not like that, but trying to change it retrospectively is a massive breaking change. 
> 
> HPKE already specifies the combination of KEM, KDF, and AEAD.

I'm not sure why HPKE is relevant to this discussion, but in any case HPKE defines separate identifiers for KEMs and AEADs, the same as JOSE: https://www.iana.org/assignments/hpke/hpke.xhtml

> The need for specifying the AEAD is two-fold: to restrict the number of combinations and to address the threat to symmetric cryptography from quantum computers (see https://www.ietf.org/archive/id/draft-ietf-pquip-pqc-engineers-03.html#section-7.1 for details). NIST suggests that both AES-192 and AES-256 will remain secure for a very long time but allows applications to continue using AES with a key size of 128 (see https://csrc.nist.gov/Projects/post-quantum-cryptography/faqs).

If anything, these references (including the one you co-wrote) just reinforce that A128GCM is fine. One of the few things that JOSE got right was defining "enc" as an AEAD. We don't need to change that now.

-- Neil
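The two rules argued over in this thread, the hard JWE rule that "enc" MUST be an AEAD (so a KEM identifier in "enc" is malformed) and the soft strength-matching rule ("should not" versus "must not"), can both be expressed as a small protected-header policy check. The following Python is an added example written for this archive page; it is not code from any participant, from the draft, or from a JOSE library. The ML-KEM "alg" identifiers (ML-KEM-512/768/1024, optionally with a "+A256KW" suffix), the level numbers (AES key size and ML-KEM parameter set mapped to NIST categories 1/3/5, EC curves mapped by classical strength) and the placeholder JWE segments are assumptions constructed for illustration.

```python
import base64
import json

# Registered JWE content-encryption ("enc") algorithms (RFC 7518 section 5).
# Every entry is an AEAD, which is the invariant the thread is about. The value
# is the "PQ security level" the participants reason with for AES
# (128-bit -> 1, 192-bit -> 3, 256-bit -> 5); an illustrative mapping.
ENC_AEAD_LEVEL = {
    "A128GCM": 1, "A192GCM": 3, "A256GCM": 5,
    "A128CBC-HS256": 1, "A192CBC-HS384": 3, "A256CBC-HS512": 5,
}

# Key-management ("alg") building blocks. ML-KEM levels follow the NIST
# security categories of the parameter sets; the JOSE identifiers themselves
# are an assumption for this example (the draft may register other names).
KEM_LEVEL = {"ML-KEM-512": 1, "ML-KEM-768": 3, "ML-KEM-1024": 5}
KEY_WRAP_LEVEL = {"A128KW": 1, "A192KW": 3, "A256KW": 5}
# For ECDH-ES the strength comes from the ephemeral key's curve in the "epk"
# header; classical strength is used here only to mirror the P-521 + A128GCM
# example from the thread.
CURVE_LEVEL = {"P-256": 1, "P-384": 3, "P-521": 5}
OTHER_KEY_MANAGEMENT = {"RSA-OAEP-256", "ECDH-ES"}


def b64url_decode(segment: str) -> bytes:
    """base64url without padding, as JOSE uses it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def protected_header(jwe_compact: str) -> dict:
    """Extract the protected header: the first of five dot-separated segments."""
    segments = jwe_compact.split(".")
    if len(segments) != 5:
        raise ValueError("JWE compact serialization needs exactly 5 segments")
    header = json.loads(b64url_decode(segments[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    return header


def is_key_management_alg(alg: str) -> bool:
    base, _, wrap = alg.partition("+")
    known = base in KEM_LEVEL or base in KEY_WRAP_LEVEL or base in OTHER_KEY_MANAGEMENT
    return known and (not wrap or wrap in KEY_WRAP_LEVEL)


def alg_security_level(header: dict):
    """Level of the key-management algorithm, or None when unknown.
    A '+AxxxKW' suffix caps the level at that of the key wrap."""
    base, _, wrap = header.get("alg", "").partition("+")
    if base in KEM_LEVEL:
        level = KEM_LEVEL[base]
    elif base == "ECDH-ES":
        level = CURVE_LEVEL.get(header.get("epk", {}).get("crv"))
    elif base in KEY_WRAP_LEVEL:
        level = KEY_WRAP_LEVEL[base]
    else:
        level = None
    if wrap and level is not None:
        level = min(level, KEY_WRAP_LEVEL.get(wrap, level))
    return level


def check_jwe_header(header: dict, enforce_strength_matching: bool = False):
    """Return (accepted, errors, warnings) for a JWE protected header.

    Hard rule: 'alg' must be a key-management algorithm and 'enc' a registered
    AEAD, so a KEM name placed in 'enc' is rejected outright.
    Soft rule: an AEAD weaker than the key-management level is a warning by
    default ('should not') and an error only if the deployment opts in ('must not')."""
    errors, warnings = [], []
    alg, enc = header.get("alg"), header.get("enc")
    if not isinstance(alg, str) or not is_key_management_alg(alg):
        errors.append(f"alg {alg!r} is not a known key-management algorithm")
    if enc not in ENC_AEAD_LEVEL:
        errors.append(f"enc {enc!r} is not a registered AEAD content-encryption algorithm")
    if errors:
        return False, errors, warnings
    alg_level = alg_security_level(header)
    if alg_level is not None and ENC_AEAD_LEVEL[enc] < alg_level:
        note = f"{enc} (level {ENC_AEAD_LEVEL[enc]}) is weaker than {alg} (level {alg_level})"
        if enforce_strength_matching:
            return False, [note], warnings
        warnings.append(note)
    return True, errors, warnings


def sample_jwe(header: dict) -> str:
    """Compact JWE with a real protected header and constructed zero-byte
    placeholders for the encrypted key, IV, ciphertext and tag segments."""
    hdr = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    placeholders = [b64url_encode(b"\x00" * n) for n in (32, 12, 16, 16)]
    return ".".join([hdr] + placeholders)


if __name__ == "__main__":
    for h in [
        {"alg": "ML-KEM-768", "enc": "A256GCM"},
        {"alg": "ML-KEM-768", "enc": "A128GCM"},
        {"alg": "ML-KEM-768", "enc": "ML-KEM-768"},
        {"alg": "ECDH-ES", "enc": "A128GCM", "epk": {"kty": "EC", "crv": "P-521"}},
    ]:
        print(h, "->", check_jwe_header(protected_header(sample_jwe(h))))
```

Run as a script it prints the verdict for the four header shapes discussed above: the KEM-plus-AEAD form is accepted cleanly, ML-KEM-768 with A128GCM and the existing ECDH-ES P-521 with A128GCM are accepted with a strength-matching warning, and a KEM identifier in "enc" is rejected regardless of policy. Flip `enforce_strength_matching=True` to get the "must not" behaviour the draft argues for.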