[jose] ML-KEM recipient info
Phillip Hallam-Baker <phill@hallambaker.com> Wed, 04 September 2024 17:00 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33934C18DB8A; Wed, 4 Sep 2024 10:00:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.654
X-Spam-Level:
X-Spam-Status: No, score=-1.654 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nkSb6GInAvks; Wed, 4 Sep 2024 10:00:09 -0700 (PDT)
Received: from mail-oo1-f42.google.com (mail-oo1-f42.google.com [209.85.161.42]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB1ACC1840DA; Wed, 4 Sep 2024 10:00:09 -0700 (PDT)
Received: by mail-oo1-f42.google.com with SMTP id 006d021491bc7-5e017808428so2446986eaf.1; Wed, 04 Sep 2024 10:00:09 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725469208; x=1726074008; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=KSWdhRgrHkQ7JVCkhsT1Ew0xOVjldsqVBN6vuxQs2ds=; b=QA9wrJqUhua4Ftt9jYDkG/FRQ3gosxjRVDhr4ljlIuRmD69enDwUkdumcUI59Upa/Z HPACVYe0HoAhWJA2D/2OaOSzU6wWT2UcTEncVAekr4VW9UPb42/kzuXhGF6Sx6Re9rkg ydS6208i/yAIwdoenRmsACJ4Fm+AHKMjIx6IU6GCZHAMOsn2Qah78AHjhwIDJYXzyI6S KWl+SHT1LUet3MkORJkr76W2Hdu3jZJiMa44/PIDIMyvBjEeRe55nHYOYHgSwjhSSCyt vjnUlELUSNhULZ/hs/HllQGVhP2nkwCrsyz9GTiMqcys0yhcugEqCdmNsvRSPr9zSiGI S0Bw==
X-Forwarded-Encrypted: i=1; AJvYcCVKzyq5C+xLAW2GHfiQD8GUrhzI0i/02GNi8EGRjY+MghVLh2Ni0L9VyFLArc3UOqV1rl3n@ietf.org
X-Gm-Message-State: AOJu0YxHr3uo/7KRt+keQ5xSfCHVSH4BksEC1U4YWvUdYRbKh3dtSBqN 0KeV2rjySjnZN0fo4QwWNZqlcPe1hCDiOWPKpO63cm9RzPLeDso0pry2cjXGLVolgQrJUfO2LN6 ieC+TsJkiW6K0Ia5cVA7Re0UZHYuIrXPG5A0=
X-Google-Smtp-Source: AGHT+IGIfNC7eet/VpSlIZG9Ni0eDfe/DipyjoAFK5X4WOXsrFRFiGqzuG9d0jWjNlC/9WzHhCZx7T3W9isgq0LjhxU=
X-Received: by 2002:a05:6820:270c:b0:5da:a4a7:8f6a with SMTP id 006d021491bc7-5dfacf6d069mr17806367eaf.4.1725469208027; Wed, 04 Sep 2024 10:00:08 -0700 (PDT)
MIME-Version: 1.0
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 04 Sep 2024 12:59:57 -0400
Message-ID: <CAMm+Lwgu+VmRXCcqJty8CcUdof76HMFYJiSASS0UNvEJr0kp5A@mail.gmail.com>
To: jose@ietf.org, cose WG <cose@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000372b6206214e1bb3"
Message-ID-Hash: G5S35TGDREW76CNW2CI75DIEU2XOAUKA
X-Message-ID-Hash: G5S35TGDREW76CNW2CI75DIEU2XOAUKA
X-MailFrom: hallam@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] ML-KEM recipient info
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/TjO-cwEu5wbMVp7hAT-TIKUUsd8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>
Has anyone considered how to encode the recipient info for ML-KEM?
RFC 7518 specifies a different key blob 'JWE Encrypted Key' per algorithm
and ML-KEM doesn't look like either RSA or DH and its variations.
RSA has key recovery, DH uses an ephemeral key and fills the epk slot.
ML-KEM does not create an ephemeral, it looks more like RSA except that it
doesn't provide key recovery.
And that means that if there are multiple recipient blobs on a message, we
need to extend the definition because we are going to need to encrypt the
content under the content-shared secret and then wrap that in the shared
secret from ML-KEM. Which means we are going to need two slots for data, a
wrapped key slot and an ML-KEM ciphertext slot.
(Because the content has to be encrypted under the same key for each
recipient...)
So I am thinking of something like this:
"recipients":[{
"kid":"MBUX-V4NE-VRJS-6NT7-6QKR-DE2W-QQBG",
"ct": "OYT5iH4doxVrj90NRowmffE20OOPLl....RGqaCav6b-Xw4",
"wmk":"N3KQ0jcCztbOMSOwcvy_UdGNsLL-PMtd9_ZMuWqT4GzEIXj33a
HlKQ"}
Comments?
- [jose] ML-KEM recipient info Phillip Hallam-Baker
- [jose] Re: [COSE] ML-KEM recipient info Ilari Liusvaara
- [jose] Re: [COSE] Re: ML-KEM recipient info Phillip Hallam-Baker
- [jose] Re: [COSE] Re: ML-KEM recipient info Ilari Liusvaara