[jose] Re: [COSE] Re: Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-02.txt
Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 11 July 2024 13:43 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B697C180B63; Thu, 11 Jul 2024 06:43:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9VdwcxO8HPie; Thu, 11 Jul 2024 06:43:49 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3b.welho.com [83.102.41.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12D1FC180B47; Thu, 11 Jul 2024 06:43:48 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 11F9C18C9C; Thu, 11 Jul 2024 16:43:46 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id VUJxxIyG9vFd; Thu, 11 Jul 2024 16:43:45 +0300 (EEST)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id BD4FA28B; Thu, 11 Jul 2024 16:43:43 +0300 (EEST)
Date: Thu, 11 Jul 2024 16:43:43 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: JOSE WG <jose@ietf.org>, cose <cose@ietf.org>
Message-ID: <Zo_hj4rSwL3Yb0_h@LK-Perkele-VII2.locald>
References: <172044966080.465321.1376291147750239654@dt-datatracker-5f88556585-j5r2h> <CAFpG3gdnW4ggZK9UOmQMDCKo+QX=CcNkcc1Wkw6T-Rs3A02csw@mail.gmail.com> <Zo1YmzydHLvy6LoA@LK-Perkele-VII2.locald> <CAFpG3gcXy7AnDqAfyeP11g8VzQqm=B3_zPrnzdk=4_M7+qB5eQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAFpG3gcXy7AnDqAfyeP11g8VzQqm=B3_zPrnzdk=4_M7+qB5eQ@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Message-ID-Hash: DXM7CQVFXXME7QEYMOHUSXXJUBYF2DUY
X-Message-ID-Hash: DXM7CQVFXXME7QEYMOHUSXXJUBYF2DUY
X-MailFrom: ilariliusvaara@welho.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: [COSE] Re: Fwd: New Version Notification for draft-reddy-cose-jose-pqc-kem-02.txt
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/kcyQlksctVznCBA__Y5yx8Uh-vM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>
On Thu, Jul 11, 2024 at 06:15:28PM +0530, tirumal reddy wrote: > Hi Illari, > > On Tue, 9 Jul 2024 at 21:05, Ilari Liusvaara <ilariliusvaara@welho.com> > wrote: > > > "CipherText" is not valid input to Concat KDF. There is no need to > > bind ciphertext: ML-KEM is already IND-CCA and forwarding-resistant, > > which is enough for any ordinary encryption. > > > > MAL-BIND-K-CT or MAL-BIND-K-PK would require security proof that > > ML-KEM is safe to use in protocol. Which is not possible to prove, > > because MAL-BIND-K-CT or MAL-BIND-K-PK adversary can just trivially > > break all security. > > > > It is added to provide the same level of security properties as the HPKE > and Hybrid HPKE (draft-connolly-cfrg-hpke-mlkem). Both offer MAL-BIND-K-CT > and MAL-BIND-K-PK, whereas ML-KEM only provides MAL-BIND-K-PK. Those KEM properties are red herring, because neither COSE nor JOSE can use such properties. The reason is that the attacks are just too powerful to defend against. MAL-BIND-* stuff is worse than LEAK-BIND-* stuff, and that already allows compromising any private key, which already destroys both COSE and JOSE. > > Section 7.1. Single Recipient / One Layer Structure: > > > > COSE only allows one algorithm per layer, but there are two algorithms > > (bulk encryption and direct key agreement) so this design will not work. > > > > This needs to be done the same way as ECDH-ES is used in COSE: Have bulk > > encryption in layer0, and Direct Key Agreement in layer1. > > > > We are following the same approach specified for ECDH-ES in COSE (Section > 8.5.4 of RFC9052 and COSE HPKE) Using ECDH-ES in COSE requires two layers: One layer to generate a CEK and another to use CEK for bulk encryption. COSE HPKE has nothing to do with ECDH-ES. It is totally different mode, which is actually critical in making the thing work. > > Section 7.2. Multiple Recipients / Two Layer Structure: > > > > "and encrypted CEK in the encCEK structure" > > > > ... RFC9052 defines COSE_recipient to have "ciphertext" field for the > > layer ciphertext (which is the key wrap output in this case). > > > > Yes but I see COSE HPKE uses encCEK structure. In the end, both end up doing the same thing. > > Section 8. JOSE Ciphersuite Registration: > > > > What KDF hash do those algorithms use? > > > > The most aligned choice would be KMAC256 (as in NIST SP800-56Cr2), > > using 131 (the spec has off-by-one goof) byte all-zeroes salt and > > H_outputBits=L. > > > > Yes, KMAC256 sounds good. > > > > > > > > Section 9. COSE Ciphersuite Registration: > > > > Same as above, what KDF hash do those algorithms use? And the most > > aligned choice is the same. > > > > In case of COSE, HMAC with SHA-256 can be used as KDF. The C in COSE ultimately stands for "constrained", so it is even more important to align the KDF than in JOSE. Using SHA256 as KDF would require implmenting both SHA-2 and SHA-3 (ML-KEM requires SHA-3). Using KMAC256 as KDF would only require implementing SHA-3. -Ilari
- [jose] Fwd: New Version Notification for draft-re… tirumal reddy
- [jose] Re: [COSE] Fwd: New Version Notification f… Ilari Liusvaara
- [jose] Re: [COSE] Re: Fwd: New Version Notificati… tirumal reddy
- [jose] Re: [COSE] Re: Fwd: New Version Notificati… Ilari Liusvaara
- [jose] Re: [COSE] Re: Fwd: New Version Notificati… tirumal reddy