[jose] Re: [EXTERNAL] Re: HPKE and diminishing returns

tirumal reddy <kondtir@gmail.com> Thu, 20 June 2024 14:03 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C614DC169424 for <jose@ietfa.amsl.com>; Thu, 20 Jun 2024 07:03:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yl5VpRYxWizk for <jose@ietfa.amsl.com>; Thu, 20 Jun 2024 07:03:15 -0700 (PDT)
Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BB7DC169421 for <jose@ietf.org>; Thu, 20 Jun 2024 07:03:15 -0700 (PDT)
Received: by mail-ej1-x62a.google.com with SMTP id a640c23a62f3a-a6e896781a6so7529566b.0 for <jose@ietf.org>; Thu, 20 Jun 2024 07:03:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1718892193; x=1719496993; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=EwD6Z7AiAK5v0LJZZu//tTfdxUc+SpliV2gfXS4LZ2c=; b=ZxpLNuCA/69TbvsKPYJiUNPx8Hc8PIZofxQRVeAwmOMVKtJWuN+0CH3LRuqurZK91o bZ9z2PXz+Zndiyxh/8bkdTB5JmgsN8Yq7bgyfWX5DQDv1cTvNIvJHah+2jcnl/6JRH8m AOg6m+M9D0lqZaak9UuRGIw5dc9EOI86k4cEHFStIBSRP/Kn1VDJjz+vXyNiUcpe4/PA LhmSIsqStLiFrg1ENvxlx338SnuQ5HHRuyh1VhFYU+y8oFEmfVliqFBVGvcQXnUEaHmE azOpbRSka53tTa1q2YklRv35KrBGRW1+HnIY6RjlNrx0c4xqlvDHswqryNTLr1qNhChL 5opw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718892193; x=1719496993; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=EwD6Z7AiAK5v0LJZZu//tTfdxUc+SpliV2gfXS4LZ2c=; b=ex8knbKuEhu2QBIw/f9+n9z2LPGDFrfSnFgEzvZsh0zKwCfDoPkbWFNFi4WDo0JdJV Nextc2Squp9moPdjRryG14+EXeP1SaYQKsitQ18OUYHDuWlloUtlrzsQ6cyLGxbZ1/2n i0ePBpiARMsJEcu+cXD4CgVJVBdq3yB4xRPI4mzCipTI54g+PLwkJyZbSmQ7ZAxj1z64 9vHQkGx4Q39GgrFqz0NwDfGz/LETtkfNq09BM3hbdH5kwHBcFPHTI7N2iGq68nlOpO6s ceWr/3DFLSvtzL2thd20IuWItab/l1SUe/NPGCsfE/2rllm3cKeZXKm9DhPpg5hlZGZO zEwg==
X-Gm-Message-State: AOJu0Yw1DMsXymWwpDHbNJvYs3YU4iCpvnOXsVMPY8YP7wYOhGEG/KQf E5TRuRhc9zJARemfINStqpzVZXzkuMMyN8e/SA9mhoZVd0btxDvkvrI2yvqI7Q15c1OAL16q1PP 5bWPVGHW7wQENXtP/LiimsQagqTgWAH2I
X-Google-Smtp-Source: AGHT+IHLimZ/dhzjPnyPk49PYRJ1aZmyuCqZ5amwsSLOOnQzz+OK0aJuyU/FUJgCFPa3kTTiJKxVG48o+HHXsYrANCY=
X-Received: by 2002:a17:907:7f0f:b0:a6f:70b6:b063 with SMTP id a640c23a62f3a-a6fab602749mr405132366b.1.1718892192495; Thu, 20 Jun 2024 07:03:12 -0700 (PDT)
MIME-Version: 1.0
References: <762F63AC-D5B7-4C07-AE44-29BDA6F1077C@gmail.com> <CA+k3eCRez+M4NAH=OqPfciHV4geAXiSn7AnrmUqdFwNVrXt6XA@mail.gmail.com> <Zm2NfyM_XcQZBswu@LK-Perkele-VII2.locald> <CAN8C-_+i4aEFvAFENmyJTzK-b2u_14hpBDeOGi1Nx6cCMyKxDA@mail.gmail.com> <CA+k3eCQo_NhKbZvKqc=rSCL8a8Jaj2PziQaxUriBV35cqE4a+g@mail.gmail.com> <CH0PR11MB573955429ADF7F9516A95DF19FCD2@CH0PR11MB5739.namprd11.prod.outlook.com> <ZnF1UfCv9iGrcwWr@LK-Perkele-VII2.locald> <CAFpG3geuPFMPMJdeD9yz=CxMgviZN7Nk=r8LfECDmBRhQk1+TA@mail.gmail.com> <ZnGn7eI6dKpfEUVA@LK-Perkele-VII2.locald> <CAFpG3gcT95i0DD11dUW37TN9ucfQVzYxMEkE8okiuFPzZAR=7w@mail.gmail.com> <ZnL5XmfTebPSltSE@LK-Perkele-VII2.locald>
In-Reply-To: <ZnL5XmfTebPSltSE@LK-Perkele-VII2.locald>
From: tirumal reddy <kondtir@gmail.com>
Date: Thu, 20 Jun 2024 19:32:35 +0530
Message-ID: <CAFpG3gceD61PzG2VO3AD9E61ZUvjA+456CaihmQ3BgnBHzJEtQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="0000000000008a8206061b52c6ca"
Message-ID-Hash: JNPX4AAUROMNF6AOV33DVIUVI5QA4ZRO
X-Message-ID-Hash: JNPX4AAUROMNF6AOV33DVIUVI5QA4ZRO
X-MailFrom: kondtir@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: JOSE WG <jose@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: [EXTERNAL] Re: HPKE and diminishing returns
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/bgPf7kKgM5JQbSIv2d_N0nboy5w>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>

On Wed, 19 Jun 2024 at 20:59, Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Wed, Jun 19, 2024 at 05:00:09PM +0530, tirumal reddy wrote:
> > On Tue, 18 Jun 2024 at 21:02, Ilari Liusvaara <ilariliusvaara@welho.com>
> > wrote:
> >
> > > Hybrid KEMs do not introduce the same complexities as HPKE:
> > >
> >
> > HPKE has the advantage of integrated key management to handle the
> > combination of the shared secrets to derive the final secret, utilizing a
> > KDF at the required strength, and ensuring the appropriate security
> levels
> > to combine traditional and post-quantum cryptography (PQC).
> > What makes leveraging HPKE complex compared to native Hybrid KEM support
> in
> > JWE?
>
> The thing that makes HPKE complicated to integrate is that it also
> performs symmetric encryption.
>

This complication can be avoided by defining {alg: "HPKE-Base-P256-SHA256",
enc: "A128"}.


>
> JOSE (and COSE) already has KDF in order to handle ECDH-ES. And proper
> hybrid KEM (e.g., X-Wing) already handles combining traditional and
> post-quantum cryptography.
>

Yes, and X-Wing also defines Hybrid PQ/T HPKE interfaces.


>
>
> > > > In both cases, a new parameter would have to be defined to carry
> > > > the KEM ciphertext.
> > >
> > > New parameter is trivial to add.
> >
> >
> > The new parameter will not be integrity protected but in the case of JWE
> > compact serialization it must be integrity protected.
>
> There is no need to integerity protect the encapsulated key unless using
> some bad KEMs with PSK.
>

No, compact serialization requires JWE protected headers and the new
parameter has to be within the protected header.


>
> And also, if there was some requirement for integerity protecting it,
> then the whole thing would be broken, because it can not be protected
> with multiple recipients.
>

I meant integrity protected only in case of compact serialization and no
integrity protection with multiple recipients.


>
>
> > > I had designs like this a while back. I think HPKE-Base-P256-SHA256 can
> > > be regarded as Direct Key Agreement. Which would make
> > > HPKE-Base-P256-SHA256-A128KW Key Agreement with Key Wrapping.
> > >
> >
> > Yes.
>
> Idea that is bit odd but should technically work would be to use
> Direct Key Agremeent and Key Encryption.
>

I think you mean a) Direct Key Agreement b) Key Agreement with Key Wrapping.


>
> As constructing Key Encryption from HPKE is easier than constructing
> Key Agreement with Key Wrap out of HPKE.
>
> Yes, it is not symmetric, but there are going to be all sorts of
> differences anyway.
>
>
> > > This design is compatible with oneshot API (all designs using existing
> > > modes are).
> > >
> >
> > The design is not compatible with oneshot API in case of compact
> > serialization, it creates a cyclic dependency (encapsulated key will have
> > to be integrity protected).
>
> ECDH-ES also uses headers in key agreement step, and works just fine
> with compact serialization.
>
> Key agreement operation occurs before committing protected headers,
> which occurs before bulk encryption.
>

Yes, that means the oneshot API won't work (but that is anyway not a
requirement to mandate the use of it).

-Tiru


>
>
> > > One small issue with this is that enc gets base64-url encoded twice,
> > >
> >
> > The overhead of base64url encoded twice is only applicable to compact
> > serialization, it is the same problem with Hybrid KEM or Pure PQ KEM
> (e.g.,
> > ML-KEM) where the KEM ciphertext will have to be base64url encoded twice.
>
> Yes, native KEMs also double-encode, unless doing weird stuff with
> encoding.
>
>
>
>
> -Ilari
>
> _______________________________________________
> jose mailing list -- jose@ietf.org
> To unsubscribe send an email to jose-leave@ietf.org
>