IETF Logo Mail Archive

Re: [COSE] COSE HPKE Public Key Format Consensus Call

AJITOMI Daisuke <ajitomi@gmail.com> Mon, 26 September 2022 20:18 UTC

Return-Path: <ajitomi@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B258EC14CF00 for <cose@ietfa.amsl.com>; Mon, 26 Sep 2022 13:18:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1zejGr9lvWBR for <cose@ietfa.amsl.com>; Mon, 26 Sep 2022 13:18:01 -0700 (PDT)
Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF0AAC14F73B for <cose@ietf.org>; Mon, 26 Sep 2022 13:18:01 -0700 (PDT)
Received: by mail-ej1-x62f.google.com with SMTP id l14so16515782eja.7 for <cose@ietf.org>; Mon, 26 Sep 2022 13:18:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=efbMAVygnFkvo+engIAzdZepP1/quHLxQlotW8BZ2u8=; b=eKOLWKiSONXS5XtHmFFAYjThK2UtqxA9S7ZdmXKmrweamGzXK/Fo6ejedkbDoE9zSQ 6Mhp6tRiT3uvoMKt1QDZorg9kYqUUGAJv0UyscuU4sCcdrB+Z05lgLNwWGyM1lQ12IC1 HZLhzgkIhn/H5I0S0/34sboY56KlmIwVQPA7hEe24hXQ3Sc6QBl+gKmU0EMTBniqQWgQ Kp6sbGEEDNZllUi6xagwQ0nnAwNNLQvyc3n0B2+8ueBSfyZzLYBK/x3FTg+YPNLkvmug i82POg4pCR9dTJpv20eFaTzFgafP7UpQC1Sxi++dVEcyCqmgE0ZCfQNyCA9NAqi7ccGx aAfA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=efbMAVygnFkvo+engIAzdZepP1/quHLxQlotW8BZ2u8=; b=tqRAfXt/2AT1jtbir5g4bOQr8d5aTKT2X1fyORHT6SEIyo2s6gCEl078VbTmPnZewC GLnJVq6oYER2hmh8tj165OynfaGRgp1YVNtKU2yiyLu2OB8+L1iwVU7DFjdMm1/ZclpQ FVDnnO9nsfX+YN6lRFk/NK2YmiDmAvsF1191sF8lKyR2bp0P4RxZOCFDOIpUAXVbh+// +Jre9RMLd/Obn7rk8GX+2dYzToetq+RBhna1rqIr2fYUaZebVhXa+SD4HVr2ZZSKYowq sSuKUuu22EK9a+bepckEPMd1QafZLmUq/c6fjE/A33y1NBS3zp1sRzDnJhDHg1fcAFNi QU+A==
X-Gm-Message-State: ACrzQf2ZZPrOiy9ApLTsXTBYR5LehOflc7Go6BRhDIw9W5VpUU3kQr7Q wl0cEVRMeaXo58myg55+X7XZMnZTMmeYehaO5CU0riympA==
X-Google-Smtp-Source: AMsMyM7YotXRud91GRzaGK2gPPWNH9i9fJxXJGH/O0M+ck5+JRGAgc9aI3GbXtEwS276DiboNo8JJwiMm5d7dVlyfho=
X-Received: by 2002:a17:907:6eaa:b0:783:84e0:3823 with SMTP id sh42-20020a1709076eaa00b0078384e03823mr5992223ejc.601.1664223479896; Mon, 26 Sep 2022 13:17:59 -0700 (PDT)
MIME-Version: 1.0
References: <CO1PR00MB130824EBDD7C1420E9D3065CF54E9@CO1PR00MB1308.namprd00.prod.outlook.com> <CAFWvErXY4NmpAr5SwN7UTsYmYJiL0HdxhmFrdPjpm0Ca0Hh++Q@mail.gmail.com> <DBBPR08MB59155B9005035B3365BCC12AFA529@DBBPR08MB5915.eurprd08.prod.outlook.com> <CAFWvErXuQEASm7Z-ixEcYOGpnVPu6YM9MawWbYTttx9qYCB9Rg@mail.gmail.com> <DBBPR08MB591502A9BD42890E4DB31313FA529@DBBPR08MB5915.eurprd08.prod.outlook.com>
In-Reply-To: <DBBPR08MB591502A9BD42890E4DB31313FA529@DBBPR08MB5915.eurprd08.prod.outlook.com>
From: AJITOMI Daisuke <ajitomi@gmail.com>
Date: Tue, 27 Sep 2022 05:17:47 +0900
Message-ID: <CAFWvErU6AH_Oi4PdAe7LwGGA4GphQzzzp_PSO3UNfOzmdMs35A@mail.gmail.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: "cose@ietf.org" <cose@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000058a02c05e99a394c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/y_lAiGZk9k4cjLGqmdB2RVrDhuo>
Subject: Re: [COSE] COSE HPKE Public Key Format Consensus Call
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2022 20:18:05 -0000

Hi Hannes,

I think my proposal would reduce the code size compared to the current
draft (even in case of adding to the existing code) and also reduce the
final output message size.

Let me ask one question.

The current draft does not represent the KDF information that should be
communicated to the recipient; can you tell us how you intend to include
the KDF information in the message?
(This is a concern that correspond to 2) in the comparison chart I shared)

The current draft does not adequately represent the information that should
be exchanged between a sender and a recipient in HPKE, and I don't think it
is comparable to my proposal in the first place.
Please let us know how you handle KDF information.

Regards,
Daisuke


2022年9月27日(火) 2:08 Hannes Tschofenig <Hannes.Tschofenig@arm.com>:

> Hi Daisuke,
>
>
>
> I have been working on code that is meant to be used on IoT devices. So,
> my focus is on reducing the overall code size on the device.
>
>
>
> Imagine there is a library implementing the COSE specification (or most of
> it). The COSE spec already defines various public key formats.
>
>
>
> Now, you are implementing COSE-HPKE and HPKE for this library. With the
> proposed encodings you are adding new encodings for how to carry the
> payloads in COSE.
>
>
>
> That’s what I mean by adding complexity.
>
>
>
> Just because something is processed in HPKE does not mean that the other
> code for the key representations in a COSE library suddenly vanishes.
>
>
>
> How long will it take for someone to come along and to propose various PQC
> public key encodings in COSE and then again in HPKE?
>
> Then, we have even more encodings of the same information.
>
>
>
> I think I have shared my view on this subject and let other people speak
> up because so far we have heard mostly from you, me, and Ilari.
>
>
>
> Ciao
>
> Hannes
>
>
>
> *From:* COSE <cose-bounces@ietf.org> *On Behalf Of * AJITOMI Daisuke
> *Sent:* Monday, September 26, 2022 1:57 PM
> *To:* Hannes Tschofenig <Hannes.Tschofenig@arm.com>; cose@ietf.org
> *Subject:* Re: [COSE] COSE HPKE Public Key Format Consensus Call
>
>
>
> Hi Hannes,
>
> > Here is my question to you: How do you deal with this added complexity?
>
> As I and Ilari mentioned before,  the static recipient's public key and
> the encapsulated key (sender's ephemeral public key) are different things
> and the encoding format of them should also be considered separately.
> Having two encoding schemes is natural, and there is no complexity.
>
> From my point of view, the COSE-HPKE specification should only cover the
> latter encapsulated key format, so I will limit my discussion to the latter.
>
> In my proposal, an encapsulated key is a byte string output by the HPKE
> module as it is, and is put into the COSE message without any unnecessary
> conversion process. Thus, the implementation is very simple. In addition,
> there is no need to update the implementation when new HPKE algorithms are
> added.
>
> On the other hand, in the current draft, each time a new HPKE algorithm is
> added, an additional conversion process must be implemented to convert the
> encapsulated key to COSE_Key format.
>
> Indeed, as you point out,  my proposal has 1 (COSE_Key structure for the
> recipient's public key[1]) + 1 (octet string for the encapsulated key) = 2
> ways for key encoding,
>
> but the current draft has n + n = 2n (if there are n HPKE algorithms) ways.
>
> I think it is clear which is more complicated.
>
>
>
> In addition, to reiterate what I mentioned in my previous post[2],  the
> encapsulated key is generated and consumed internally (in the
> COSE-HPKE process).It does not emerge on the COSE interface.
>
> While the recipient's public key and private keys need to be expressed
> with COSE_Key, there is no need to express the encapsulated key with
> COSE_Key.
> I believe that the dedicated data structure for HPKE sender
> information(consists of the encapsulated key and a selected HPKE cipher
> suite) should be introduced so that the COSE-HPKE process can be
> implemented as simply, effectively and securely as possible.
>
>
>
> Best regards,
>
> Daisuke
>
>
>
> [1]
> https://mailarchive.ietf.org/arch/msg/cose/Rg_AAtgOL4p9SdlXHyL8-0HSrI8/
> (I suggested a JWK format for the recipient's public key here)
>
> [2]
> https://mailarchive.ietf.org/arch/msg/cose/IgS66HB4xTySUDb45vQlkJe_etQ/
>
> 2022年9月26日(月) 16:34 Hannes Tschofenig <Hannes.Tschofenig@arm.com>:
>
> Hi Daisuke,
>
>
>
> With your proposal and Ilari’s proposal there are two ways to encode
> public keys in COSE libraries. This adds complexity. Complexity leads to
> security problems.
>
>
>
> Here is my question to you: How do you deal with this added complexity?
>
> (FWIW this is not something you mention in your comparison table.)
>
>
>
> Ciao
> Hannes
>
>
>
> *From:* COSE <cose-bounces@ietf.org> *On Behalf Of *AJITOMI Daisuke
> *Sent:* Friday, September 23, 2022 12:00 AM
> *To:* Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
> *Cc:* cose@ietf.org
> *Subject:* Re: [COSE] COSE HPKE Public Key Format Consensus Call
>
>
>
> Thanks for initiating the consensus call.
>
> > 3.  Other (please describe in sufficient detail to enable its
> specification)
>
>
> +1 to my proposal described in my previous post[1].
>
> I have made a chart comparing my proposal to the current draft. As
> described in the chart, there are some problems with the current draft that
> cannot be overlooked. I would be happy if you could use it as a reference
> for your vote.
>
> https://docs.google.com/presentation/d/1azfHu93NCm5M9KUbpbtRze7aitvpBAj9SxhpvHe877M
>
> In addition,  Mr. Richard Barnes also pointed out on the JOSE WG mailing
> list that it is incorrect to use COSE_Key to represent encapsulated
> keys[2]. I have the same opinion.
>
>
> As I mentioned repeatedly,  the encoding format of the recipient public
> key and the encapsulated key (ephemeral sender's public key) should be
> considered separately.
>
> The former should be able to be expressed with COSE_Key, but the latter
> should not.
>
> Best regards,
>
> Daisuke
>
> [1]
> https://mailarchive.ietf.org/arch/msg/cose/ZY5v7jJr4SxHGIbeA3dgLC6eZDg/
> [2]
> https://mailarchive.ietf.org/arch/msg/jose/IKIR_XusfHD26ewqZSt5ad2WUc8/
>
>
>
> 2022年9月23日(金) 2:09 Mike Jones <Michael.Jones=
> 40microsoft.com@dmarc.ietf.org>:
>
> As discussed at IETF 114, the HPKE draft uses the COSE_Key public key
> representation.  The authors described that Ilari Liusvaara had proposed
> using a different public key representation, which is detailed in Slide 2
> of
> https://datatracker.ietf.org/meeting/114/materials/slides-114-cose-cose-hpke-00.
> As recorded in the minutes
> <https://datatracker.ietf.org/doc/minutes-114-cose/>, consensus during
> the meeting appeared to be in favor of continuing to use COSE_Key.
>
>
>
> This note initiates a consensus call by the chairs on the topic of what
> public key format the COSE HPKE specification will use.  Working group
> members are requested to express their preferences within two weeks of this
> note (by Thursday, September 6th) for either:
>
>
>
> 1.  Continuing to use COSE_Key
>
> 2.  Using the different format proposed by Ilari Liusvaara
>
> 3.  Other (please describe in sufficient detail to enable its
> specification)
>
>
>
>                                                        Thank you,
>
>                                          -- Mike (for the COSE chairs)
>
>
>
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose
>
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
>
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
>

v2.23.0 | Report a Bug | By Email