Re: [jose] [COSE] COSE and JOSE Keys for Kyber
Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 15 November 2022 10:31 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46FF9C14CEEC; Tue, 15 Nov 2022 02:31:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PiZT2n8pI_Un; Tue, 15 Nov 2022 02:31:23 -0800 (PST)
Received: from welho-filter2.welho.com (welho-filter2b.welho.com [83.102.41.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A33EBC14F720; Tue, 15 Nov 2022 02:31:21 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 3B3A3C3F83; Tue, 15 Nov 2022 12:31:19 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id mAekRZ2dShQM; Tue, 15 Nov 2022 12:31:19 +0200 (EET)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 079287A; Tue, 15 Nov 2022 12:31:16 +0200 (EET)
Date: Tue, 15 Nov 2022 12:31:16 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
Message-ID: <Y3NqdFD5lER4GibN@LK-Perkele-VII2.locald>
References: <CAN8C-_LVgq0j5YtFrrO-fWNNXvGSWohQ0874DV5qgfYT4FXT0Q@mail.gmail.com> <Y3IquzJcwMXpwqF0@LK-Perkele-VII2.locald> <CAN8C-_JdGMVMTt16DpDXCqMbmVmqSRAMaHb57X2j092=PAn1Jg@mail.gmail.com> <Y3Kihz762QRilElF@LK-Perkele-VII2.locald> <CAN8C-_LHXt=vS09NDnjBnd5FYqNC0G7cXRCF8-+qQNUq=uFOsA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAN8C-_LHXt=vS09NDnjBnd5FYqNC0G7cXRCF8-+qQNUq=uFOsA@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/E47ODHveYXkogUmwABqwK5w_9CM>
Subject: Re: [jose] [COSE] COSE and JOSE Keys for Kyber
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2022 10:31:25 -0000
On Mon, Nov 14, 2022 at 04:07:48PM -0600, Orie Steele wrote: > Thanks again! Responses inline: Responding to broad points: OKP always requires crv. Which is just horribly named: OKP MAY be used for lattices, in which case not only is crv used, but the lattice goes to the "COSE Elliptic Curves" registry, despite not being anything to do with elliptic curves. And then, the BLS curve, while being elliptic curve, is not the kind of elliptic curve as understood by COSE/JOSE (otherwise it would be EC2/EC like the usual elliptic curves). Actually, the problem with fixing alg for JWE keys is not between single and multiple recipients, but between compact and JSON serialization of JWE. And similar issue already exists for ECDH-ES: If key has alg=ECDH-ES, it can be used with compact serialization, but not JSON serialization, limiting it to a single recipient. Conversely if key has alg=ECDH-ES+A*KW, it can be used with JSON serialization (generic or flattened), but not compact serialization. In COSE, the constraints are a bit different: ECDH-ES+HKDF* can be used with multiple recipients, at cost of extra space. And using ECDH-ES+A*KW costs space if there is only one recipient. And similarly for ECDH-ES* -> KEM+SHA3KDF* There is no way to limit COSE encryption keys to HKDF-SHA256, since the only possible scopes of restriction are encryption (which is too loose) and algorithm (which is too strict). The combinatorial explosion would occur between KEMs, KDFs and KWs. Adding just the three kyber variants would give at least 6 alg's, with more appearing if there are additional KEMs. Obviously, using generic KEM in alg avoids it. E.g., the proposed four alg's: - KEM+SHA3KDF (probably just shorten to "KEM") - KEM+SHA3KDF+A128KW (probably shorten to "KEM+A128KW") - KEM+SHA3KDF+A192KW (probably shorten to "KEM+A192KW") - KEM+SHA3KDF+A256KW (probably shorten to "KEM+A256KW") (The reason for using SHA-3 for KDF is that whatever the KEM is, it most probably internally involves either SHA-3 or SHAKE). -Ilari
- [jose] COSE and JOSE Keys for Kyber Orie Steele
- Re: [jose] [COSE] COSE and JOSE Keys for Kyber Ilari Liusvaara
- Re: [jose] [COSE] COSE and JOSE Keys for Kyber Orie Steele
- Re: [jose] [COSE] COSE and JOSE Keys for Kyber Ilari Liusvaara
- Re: [jose] [COSE] COSE and JOSE Keys for Kyber Orie Steele
- Re: [jose] [COSE] COSE and JOSE Keys for Kyber Ilari Liusvaara
- Re: [jose] [EXTERNAL] COSE and JOSE Keys for Kyber Mike Ounsworth
- Re: [jose] [COSE] COSE and JOSE Keys for Kyber Orie Steele
- Re: [jose] [EXTERNAL] COSE and JOSE Keys for Kyber Orie Steele
- Re: [jose] [EXTERNAL] COSE and JOSE Keys for Kyber Mike Ounsworth