[jose] Re: [EXTERNAL] Re: HPKE and diminishing returns

tirumal reddy <kondtir@gmail.com> Tue, 18 June 2024 13:39 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/XmyYMOTL2L5GfBFHPxMmAVBVwV8>

On Tue, 18 Jun 2024 at 17:32, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:

> On Mon, Jun 17, 2024 at 07:44:04PM +0000, Mike Ounsworth wrote:
> >
> > My TL;DR #1: If you already have an encryption framework that
> > separates out the asymmetric key establishment from the symmetric
> > content encryption, then integrating HPKE (RFC9180) is … awkward at
> > best; it may be wise to borrow useful ideas from HPKE (like the
> > domain separation properties that you get from LabeledExtract), but
> > taking HPKE in its entirety is problematic.
>
> And JOSE does exactly that, and as a result, integrating (direct) HPKE
> is quite thorny. The indirect case (act as PKE to encrypt CEK) is
> much easier.
>
> Whereas COSE has a very different kind of design, which makes integrating
> HPKE very easy. It even gives multi-recipient for free!
>
> > My TL;DR #2: KEMs are a different interface from either Key Transport
> > (i.e. pure PKE), or Key Agreement (DH) and probably should get their
> > own message types.
>
> Due to technical limitations in JOSE and COSE, KEMs must be Direct
> Key Agreement algorithms.
>
> Fortunately, the main Direct Key Agreement algorithm in JOSE and COSE
> is ECDH-ES, which is extremely similar to KEMs. Where "extremely
> similar" means operations map one-to-one.
>
> I estimate that defining the needed algorithms for native KEM support
> to both JOSE and COSE would take about a page of spec text (not
> counting IANA considerations).

Integrating the PQ/T hybrid scheme (ECDH-ES+ML-KEM) into JWE introduces the
same complexities as HPKE that require modifications to the existing JOSE
framework. In both cases, a new parameter would have to be defined to carry
the KEM ciphertext. As discussed previously, it is not essential to use the
one-shot API in HPKE. It is easy to split the HPKE suite information
differently for key encryption and direct algorithm to align with JWE.
For example:

1. Direct: {alg: HPKE-Base-P256-SHA256, enc: A128GCM} (this could lead to
mismatches in strength, and hash function, and poor interop)
2. Indirect: { alg: HPKE-Base-P256-SHA256-A128KW, enc: A128GCM }


> > Again, I’m just a tourist in JOSE / COSE, but this feels like CMS
> > where you already have the asymmetric “alg” and symmetric “enc”
> > separated out. Trying to merge these back together so that you can
> > take advantage of the one-shot HPKE API seems like a whole lot of
> > complex breaking changes in the name of simplicity.
>
> This is the case in JOSE, but not in COSE. Bulk encryption in COSE is
> not required to be symmetric.
>
> > I would cherry-pick the useful ideas out of 9180 and add the minimum
> > amount of new message types to support KEMs.
>
> In JOSE and COSE, it is not about new message types, but new algorithms
> of already existing type.
>
> At minimum:
>
> - KEM (Direct Key Agreement)
> - KEM+A256KW (Key Agreement with Key Wrap/Wrapping).
>
> -Ilari