[jose] Re: [COSE] Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-02.txt
Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 09 July 2024 15:35 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3EDDC14F603; Tue, 9 Jul 2024 08:35:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ymv1rmWk9Tgt; Tue, 9 Jul 2024 08:34:58 -0700 (PDT)
Received: from welho-filter2.welho.com (welho-filter2b.welho.com [83.102.41.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6936BC15106A; Tue, 9 Jul 2024 08:34:55 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 6E8C943DC8; Tue, 9 Jul 2024 18:34:54 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id zGFnpvNW_bLC; Tue, 9 Jul 2024 18:34:54 +0300 (EEST)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 0356F72; Tue, 9 Jul 2024 18:34:51 +0300 (EEST)
Date: Tue, 09 Jul 2024 18:34:51 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: JOSE WG <jose@ietf.org>, cose <cose@ietf.org>
Message-ID: <Zo1YmzydHLvy6LoA@LK-Perkele-VII2.locald>
References: <172044966080.465321.1376291147750239654@dt-datatracker-5f88556585-j5r2h> <CAFpG3gdnW4ggZK9UOmQMDCKo+QX=CcNkcc1Wkw6T-Rs3A02csw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAFpG3gdnW4ggZK9UOmQMDCKo+QX=CcNkcc1Wkw6T-Rs3A02csw@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Message-ID-Hash: RPWPIRYMLTZJWJPZ2ZOCA5KTGS5CHVOT
X-Message-ID-Hash: RPWPIRYMLTZJWJPZ2ZOCA5KTGS5CHVOT
X-MailFrom: ilariliusvaara@welho.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: [COSE] Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-02.txt
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/hlKh7N8NQEZeZLOq5B4FzFg3krU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>
On Tue, Jul 09, 2024 at 05:00:52PM +0530, tirumal reddy wrote: > Hi all, > > Revised draft > https://www.ietf.org/archive/id/draft-reddy-cose-jose-pqc-kem-02.html addresses > comments from the WG. > Further comments and suggestions are welcome. > > ---------- Forwarded message --------- > From: <internet-drafts@ietf.org> > Date: Mon, 8 Jul 2024 at 20:11 > Subject: New Version Notification for draft-reddy-cose-jose-pqc-kem-02.txt > To: Tirumaleswar Reddy.K <kondtir@gmail.com>, Aritra Banerjee < > aritra.banerjee@nokia.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, > Hannes Tschofenig <hannes.tschofenig@gmx.net> > > > A new version of Internet-Draft draft-reddy-cose-jose-pqc-kem-02.txt has > been > successfully submitted by Tirumaleswar Reddy and posted to the > IETF repository. > > Name: draft-reddy-cose-jose-pqc-kem > Revision: 02 > Title: Post-Quantum Key Encapsulation Mechanisms (PQ KEMs) for JOSE and > COSE > Date: 2024-07-08 > Group: Individual Submission > Pages: 19 Some comments: Section 5.1. Key Derivation for JOSE: The inputs "PartyUInfo", "PartyVInfo", "SuppPubInfo" and "SuppPrivInfo" are missing. Those should be just copied from JWA section 4.6.2. "CipherText" is not valid input to Concat KDF. There is no need to bind ciphertext: ML-KEM is already IND-CCA and forwarding-resistant, which is enough for any ordinary encryption. MAL-BIND-K-CT or MAL-BIND-K-PK would require security proof that ML-KEM is safe to use in protocol. Which is not possible to prove, because MAL-BIND-K-CT or MAL-BIND-K-PK adversary can just trivially break all security. Section 5.2. Key Derivation for COSE: Why does this not just use the RFC9053 COSE_KDF_Context? - The structure name conflicting with the existing RFC9053 structure is sure to cause confusion. - Why have PartyUInfo and PartyVInfo been removed? - The ciphertext is completely unnecressary (see above). Section 6.1. Direct Key Agreement: "Both header parameters, "alg" and "enc", MUST be placed in the JWE Protected Header." ... Is this intentional deviation from JWE? If it is, that should be called out. "The parameter "kem-ct" MUST include the output ('ct') from the PQ-KEM algorithm, encoded using base64url." ... Any reason not to use the "ek" parameter from JOSE-HPKE? (there are also references to "kem-ct" in section 6.2.) Section 7.1. Single Recipient / One Layer Structure: COSE only allows one algorithm per layer, but there are two algorithms (bulk encryption and direct key agreement) so this design will not work. This needs to be done the same way as ECDH-ES is used in COSE: Have bulk encryption in layer0, and Direct Key Agreement in layer1. Section 7.2. Multiple Recipients / Two Layer Structure: "and encrypted CEK in the encCEK structure" ... RFC9052 defines COSE_recipient to have "ciphertext" field for the layer ciphertext (which is the key wrap output in this case). Then another way to do the same thing is to stick bulk encryption in layer0, Key Wrap in layer1 and Direct Key Agreement in layer2. Using Key Agreement with Key Wrap just saves some space. Section 8. JOSE Ciphersuite Registration: What KDF hash do those algorithms use? The most aligned choice would be KMAC256 (as in NIST SP800-56Cr2), using 131 (the spec has off-by-one goof) byte all-zeroes salt and H_outputBits=L. Section 9. COSE Ciphersuite Registration: Same as above, what KDF hash do those algorithms use? And the most aligned choice is the same. -Ilari
- [jose] Fwd: New Version Notification for draft-re… tirumal reddy
- [jose] Re: [COSE] Fwd: New Version Notification f… Ilari Liusvaara
- [jose] Re: [COSE] Re: Fwd: New Version Notificati… tirumal reddy
- [jose] Re: [COSE] Re: Fwd: New Version Notificati… Ilari Liusvaara
- [jose] Re: [COSE] Re: Fwd: New Version Notificati… tirumal reddy