[jose] Re: [COSE] ML-KEM recipient info
Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 04 September 2024 19:00 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35687C14F6EE; Wed, 4 Sep 2024 12:00:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3L-W4U5kUdTb; Wed, 4 Sep 2024 12:00:44 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A134C14F6B0; Wed, 4 Sep 2024 12:00:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id AF2801FC18; Wed, 4 Sep 2024 22:00:40 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id piEYbWBd8Aid; Wed, 4 Sep 2024 22:00:40 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-153-79.rev.dnainternet.fi [87.92.153.79]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 0B76F28B; Wed, 4 Sep 2024 22:00:37 +0300 (EEST)
Date: Wed, 04 Sep 2024 22:00:37 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: jose@ietf.org, cose WG <cose@ietf.org>
Message-ID: <ZtiuVU35vo0H1_EG@LK-Perkele-VII2.locald>
References: <CAMm+Lwgu+VmRXCcqJty8CcUdof76HMFYJiSASS0UNvEJr0kp5A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAMm+Lwgu+VmRXCcqJty8CcUdof76HMFYJiSASS0UNvEJr0kp5A@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Message-ID-Hash: BO6TAHNE2IVJZIOZ6PDJWVS46HXP5DAV
X-Message-ID-Hash: BO6TAHNE2IVJZIOZ6PDJWVS46HXP5DAV
X-MailFrom: ilariliusvaara@welho.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: [COSE] ML-KEM recipient info
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/87SeVGh5tZjjn6VION517c6dxXI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>
On Wed, Sep 04, 2024 at 12:59:57PM -0400, Phillip Hallam-Baker wrote: > Has anyone considered how to encode the recipient info for ML-KEM? Yes. > RFC 7518 specifies a different key blob 'JWE Encrypted Key' per algorithm > and ML-KEM doesn't look like either RSA or DH and its variations. Actually, it does look like how DH is used in COSE/JOSE. > RSA has key recovery, DH uses an ephemeral key and fills the epk slot. > ML-KEM does not create an ephemeral, it looks more like RSA except that it > doesn't provide key recovery. > > And that means that if there are multiple recipient blobs on a message, we > need to extend the definition because we are going to need to encrypt the > content under the content-shared secret and then wrap that in the shared > secret from ML-KEM. Which means we are going to need two slots for data, a > wrapped key slot and an ML-KEM ciphertext slot. Using epk slot would lead to some annoying complications, because that one needs full key strucure, but one only has a byte string. Both COSE and JOSE specify slot to stuff the wrapped key to. For stuffing the ML-KEM ciphertext, for COSE, the easiest would be to reuse the -4 slot from COSE-HPKE. For JOSE, one might have to define a new parameter. > (Because the content has to be encrypted under the same key for each > recipient...) > > So I am thinking of something like this: > > "recipients":[{ > "kid":"MBUX-V4NE-VRJS-6NT7-6QKR-DE2W-QQBG", > "ct": "OYT5iH4doxVrj90NRowmffE20OOPLl....RGqaCav6b-Xw4", > "wmk":"N3KQ0jcCztbOMSOwcvy_UdGNsLL-PMtd9_ZMuWqT4GzEIXj33a > HlKQ"} > > Comments? That looks very much off... I would think it would be something like: "recipients":[ { "header":{ "alg":"KEM+AES256KW", "kid":"2011-04-29", "ek":"geokgoekgosok...oegksgogoesgkosekg" }, "encrypted_key:"D90J_pteUjm-jcoIRrWdgkQuyuzbS584BndndQhPhPvlJbgYWy7qh2qW4qCSmSpW" } ] The "ek" is the ML-KEM ciphertext, "encrypted_key" is the wrapped key. The algorithm has class Key Agreement with Key Wrapping. -Ilari
- [jose] ML-KEM recipient info Phillip Hallam-Baker
- [jose] Re: [COSE] ML-KEM recipient info Ilari Liusvaara
- [jose] Re: [COSE] Re: ML-KEM recipient info Phillip Hallam-Baker
- [jose] Re: [COSE] Re: ML-KEM recipient info Ilari Liusvaara