[jose] Re: Feedback on draft-ietf-jose-pqc-kem-01
Filip Skokan <panva.ip@gmail.com> Wed, 09 July 2025 12:33 UTC
Return-Path: <panva.ip@gmail.com>
X-Original-To: jose@mail2.ietf.org
Delivered-To: jose@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id F3E8C41D85EC for <jose@mail2.ietf.org>; Wed, 9 Jul 2025 05:33:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.206
X-Spam-Level:
X-Spam-Status: No, score=-1.206 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F702AyEGpMFo for <jose@mail2.ietf.org>; Wed, 9 Jul 2025 05:33:13 -0700 (PDT)
Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 87B3B41D85E9 for <jose@ietf.org>; Wed, 9 Jul 2025 05:33:13 -0700 (PDT)
Received: by mail-wm1-x32d.google.com with SMTP id 5b1f17b1804b1-453749aef9eso20312745e9.3 for <jose@ietf.org>; Wed, 09 Jul 2025 05:33:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1752064392; x=1752669192; darn=ietf.org; h=to:cc:date:message-id:subject:mime-version:from :content-transfer-encoding:from:to:cc:subject:date:message-id :reply-to; bh=suZaH6BlLX4o0m6yk0piFxLBe7wpdn1enBLlU8BZPlw=; b=eCxpoBEl2/XOYzekSB54UvOsfH0qx7xcCMqK2g6WdhrftqPnJdo6bqWtPlM+E08Cqe 6ww5fu43yieX3W1y5XeOORuJUNIX6GuOT5BGBUicJMp/Uah8qW851xULxO4VRHiRKpbQ 5+1zH602HQIWEyJzamJiA4EmCH4+1XCgQoXuffEAAHIgL2IRBDp3XLXu+PiHZpJmkKAa HGFGhsmWk9wwSnfo0WrUXgO83vZblodK4yPH9XNalZ7Xuu/w14/SgZpyyfX5RvwplMIK WyerdBj571DF+Dpod6fxjQhKmGg3X6OkOV16UfpB1bJavPtJnInk5Z2w6fC94v3BbPSX 3DbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752064392; x=1752669192; h=to:cc:date:message-id:subject:mime-version:from :content-transfer-encoding:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=suZaH6BlLX4o0m6yk0piFxLBe7wpdn1enBLlU8BZPlw=; b=JwPoCxYvTNX7A6nPdwH3Ajs83KLXfmw9sccdT3VCyc4bh0mp7YPif71G9T9hY8xOMP P1R1HgRH23XckmBzuwa+uwg+O+Im2knYqEIsAVuB86Xh0vlghhIcXLZcYVXYLTq2vfy0 Zft+zoPO9hjiiHav/tay45DZIgPGx4FmzZRinvXr3Dt6N35qlFZQsosm2CeUZSAbe8Kj CR0GVE0vEp0n/501mEQPaqwWfCdWxmVNcEJj/oOXNd64k1+yio49whAVDrMarkEadnkI /Bp2u1RvARFG7zujugn/1px/d+vU4NKkjhSrc162HUMR/P0bSWUPrvUJgaUrlswhU4mb igjw==
X-Forwarded-Encrypted: i=1; AJvYcCUxckkw/vZG4FXUIg4EU2Zb5tT1725DHJUqNiPVd8oaY5WxdidaLLhetI0bCv10gl/6B79x@ietf.org
X-Gm-Message-State: AOJu0YwdP8h3vMPUiPR8Ixt/Ev+yU8H3OEF7LXwcjflUx1Pos7Pez1jJ r8fOgMPfitmjTZVjEz2CWEtggC8JPR6OMhwkv8WlHA2LunZ8GXgJ2Sg=
X-Gm-Gg: ASbGncuB5Nu2TYZ0FGNXdqTaxlvPSPuCJCQmle33xlzBKO7NYakikDJagCLGom2UEcj +TvzmeM9ejGX5WA0a0Y+hmGHlhMdU3CIwhq0XlHGoPJA2JO+kHlTL7IJY7rzcpq5/iO6hicVg+Z S3qqgZVf95Kh6EbOx5k7ZeyRKQOwIPomJsyAp6ewXT1zv5H74OqzhDa7U2T3WA7VUhquGZ15kAI JRDmDuFlN4dmBoosA3C7jAe5TLjKCNybx9tyP27Xa57Iey6iCyMnp/XN4X1/dp4JdGMOMQBn9ah DzuCV9wPvT3aiMM+8ymsUeQojUsIOjhkS7x1oCwX/ntmCbPUxelVy1Q6ySkPT1smlu4a9RWo
X-Google-Smtp-Source: AGHT+IHCQ7mVzy9++YniYSn9RTG2CaCd4H/UCxsoYgc6YD30CET9gX96gqE89vqrDiS/53SIIHeQvQ==
X-Received: by 2002:a05:600c:35d5:b0:440:9b1a:cd78 with SMTP id 5b1f17b1804b1-454d531e6a3mr28560375e9.10.1752064392148; Wed, 09 Jul 2025 05:33:12 -0700 (PDT)
Received: from smtpclient.apple ([193.86.82.132]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3b47225977dsm15721268f8f.73.2025.07.09.05.33.11 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 09 Jul 2025 05:33:11 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-EDEFBDB8-E211-4DC8-BF59-69C57E17683C"
Content-Transfer-Encoding: 7bit
From: Filip Skokan <panva.ip@gmail.com>
Mime-Version: 1.0 (1.0)
Message-Id: <1E9F1149-DF07-4C80-9AFB-14C828995CC0@gmail.com>
Date: Wed, 09 Jul 2025 14:32:40 +0200
To: tirumal reddy <kondtir@gmail.com>
X-Mailer: iPhone Mail (22F76)
Message-ID-Hash: TPEBBO2DST4J7OGKWPDGHFDLS3Z5DROD
X-Message-ID-Hash: TPEBBO2DST4J7OGKWPDGHFDLS3Z5DROD
X-MailFrom: panva.ip@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Liusvaara Ilari <ilariliusvaara@welho.com>, jose@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/O8PaaQLiJX05UlGc8dbVQkb6yL8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>
9. 7. 2025 v 13:16, tirumal reddy <kondtir@gmail.com>:
_______________________________________________Thanks Illari for the detailed explanation, updated PR https://github.com/tireddy2/PQC_JOSE_COSE/pull/11" rel="nofollow">https://github.com/tireddy2/PQC_JOSE_COSE/pull/11, please have a look.Cheers,-TiruOn Mon, Jul 07, 2025 at 12:44:47PM +0530, tirumal reddy wrote:
> On Fri, 4 Jul 2025 at 21:13, Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
>
> Got it, "OKP" won't work either, since RFC8037 mandates that "crv" must
> come from the "JSON Web Elliptic Curve" registry. Since ML-KEM is not an
> elliptic curve, it seems defining a new "kty" is necessary.
RFC8037 explicitly allows things that are not elliptic curves — and
technically neither x25519 nor x448 is an elliptic curve. Then COSE
explicitly inherits that.
OKP was designed to support stuff other than elliptic curves from the
very beginning — There even was early version that had different name
for what is now "crv".
(It might be useful to fix the fixable — pretty much all except the
"crv" name in JOSE — issues with OKP.)
> > JOSE/COSE HPKE has absolutely nothing to do with how key agreement
> > works in JOSE/COSE. There is no "similar", only is or is not.
> >
> > And COSE-HPKE does explicitly use protected via the structures passed as
> > HPKE aad.
> >
> > Then RFC 9052 explicitly requires protected in context info for Key
> > Agreement with Key Wrap, and impiles that protected is required for
> > Direct Key Agreement.
> >
> > Then Direct Key Agreement is a privileged mode in both JOSE and COSE
> > with properties no other mode can have. Thus using KEM for deriving
> > CEK has to be Direct Key Agreement, it can not be anything else.
> >
> > Key Agreement with Key Wrapping is also privileged mode in JOSE.
> > However, Key Agreement with Key Wrap is not privileged in COSE, but
> > what KEM followed by Key Wrap does fits perfectly in that mode.
> >
>
> Thanks for the clarification. What would be the security justification for
> excluding PartyUInfo and PartyVInfo in both COSE and JOSE ?
Lack of sender keys — building authenticated post-quantum KEM is an
open problem — renders PartyUInfo/PartyVInfo moot:
- Sender/receiver symmetry inherently can not exist.
- The ephemeral key inherently provides per-kex entropy.
- There is nothing to prevent attacker from putting whatever that causes
the most damage into PartyUInfo/PartyVInfo.
These do apply to ECDH-ES as well — I think the reason why JOSE has
PartyUInfo/PartyVInfo at all is that it copied the NIST spec without
thinking why the stuff is there.
COSE has ECDH-SS, which has sender keys, and thus needs a
mechanism to break the symmetry and inject per-kex entropy —
PartyUInfo/PartyVInfo can be used for this purpose.
-Ilari
_______________________________________________
jose mailing list -- jose@ietf.org
To unsubscribe send an email to jose-leave@ietf.org
jose mailing list -- jose@ietf.org
To unsubscribe send an email to jose-leave@ietf.org
- [jose] Feedback on draft-ietf-jose-pqc-kem-01 Yakimovich, Stepan
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 Ilari Liusvaara
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 Ilari Liusvaara
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 Filip Skokan
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 Ilari Liusvaara
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 Ilari Liusvaara
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 Filip Skokan
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 Ilari Liusvaara
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 Yakimovich, Stepan
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 Filip Skokan
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 tirumal reddy
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 Filip Skokan
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 Filip Skokan
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 tirumal reddy
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 Ilari Liusvaara
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 tirumal reddy
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 tirumal reddy
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 tirumal reddy
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 Filip Skokan
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 Filip Skokan
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 tirumal reddy
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 tirumal reddy
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 Filip Skokan
- [jose] Re: Feedback on draft-ietf-jose-pqc-kem-01 Daniel Huigens