Re: [openpgp] draft-ietf-openpgp-pqc ECC-based KEMs vs RFC 9180 DHKEM
Simon Josefsson <simon@josefsson.org> Mon, 19 February 2024 14:00 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9A81C14F6ED for <openpgp@ietfa.amsl.com>; Mon, 19 Feb 2024 06:00:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.408
X-Spam-Level:
X-Spam-Status: No, score=-4.408 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=josefsson.org header.b="93IvObVp"; dkim=pass (2736-bit key) header.d=josefsson.org header.b="jfzsK0He"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xq6umyqKKSsV for <openpgp@ietfa.amsl.com>; Mon, 19 Feb 2024 06:00:11 -0800 (PST)
Received: from uggla.sjd.se (uggla.sjd.se [IPv6:2001:9b1:8633::107]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18F80C14F6BA for <openpgp@ietf.org>; Mon, 19 Feb 2024 06:00:09 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=ed2303; h=Content-Type:MIME-Version:Message-ID:In-Reply-To :Date:References:Subject:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding :Content-ID:Content-Description; bh=xkqbbqNWcdsRCzbAuz86xLLUZOwH5pj7niB2o8XOcsg=; t=1708351206; x=1709560806; b=93IvObVpejAUmWFKiD/MuP+qeecvZt1ga3LJgR4JNato5F8BYtB9ewkEvqQms3kRIsqTTIk8xmd MenglocnRCw==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=rsa2303; h=Content-Type:MIME-Version:Message-ID: In-Reply-To:Date:References:Subject:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=xkqbbqNWcdsRCzbAuz86xLLUZOwH5pj7niB2o8XOcsg=; t=1708351206; x=1709560806; b=jfzsK0HeO0EkXs3fmkKAcWulU15TAg1dxq2P22q+7eKFcQD8V1w5yCu6QSuMB77qKdOUJ2zhcEW vrp+qYXbV3Z1HUf7BRTrWlZZgLuD0rHnu5ySWgIOspytyGtl+Yxrjiw/iRljJwSe7ubieEH0uNncR jsWGBQJrCBcAbWZlCFg0MrGgph7tG4Y2ta7hsaqdIlUDFeC49syBAu9KmPQydaqrhCSY0WSs7Mwi2 ybbpGkFs8Dn7ErH9DvHFr3lqIuQqMOSGo/ImD5hwtz3rqOIpPnKApPQisDiK29jBinOUq5ClWmk6s Qfg5tq1SdnhH11WkpeO27lOQg4gFZyuJzaIn7kjutwEHNCXxLAaNq/kf14cgeo3EjSBtKAHeaWSai Q19Y1UtZy1J5OYp+B12NEm1iBtb7ZpbPFPTEPS3GZjyVFWwtZCqe6QWCy3fQn9x2jm+vkURCU;
Received: from [2001:9b1:41ac:ff00:823f:5dff:fe09:16ac] (port=40100 helo=kaka) by uggla.sjd.se with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <simon@josefsson.org>) id 1rc4Bf-0091Ck-2a; Mon, 19 Feb 2024 14:00:03 +0000
From: Simon Josefsson <simon@josefsson.org>
To: Aron Wussler <aron@wussler.it>
Cc: openpgp@ietf.org
References: <87frxr6s9t.fsf@kaka.sjd.se> <qQr5CeWM2zUr3h887mlyDuL1uQXfhC634kMVjrRcXwhFlokk-YpqPQ5ssOfQvvo7JrIK90O8eqhZG3bDw1SD_uCjQCcsGEd-dJMSWZVI04Q=@wussler.it>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
X-Hashcash: 1:23:240219:simon=40josefsson.org@dmarc.ietf.org::hjJDgIn06XV0FOXz:BBc5
X-Hashcash: 1:23:240219:openpgp@ietf.org::9UGqajXSOulb21CN:bNJH
X-Hashcash: 1:23:240219:aron@wussler.it::NNi1QQQ5Cx+sYuGe:yuiY
Date: Mon, 19 Feb 2024 15:00:32 +0100
In-Reply-To: <qQr5CeWM2zUr3h887mlyDuL1uQXfhC634kMVjrRcXwhFlokk-YpqPQ5ssOfQvvo7JrIK90O8eqhZG3bDw1SD_uCjQCcsGEd-dJMSWZVI04Q=@wussler.it> (Aron Wussler's message of "Mon, 19 Feb 2024 09:26:44 +0000")
Message-ID: <87edd8fta7.fsf@kaka.sjd.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/AXt9s9G1TEJp9591puBt3WwzhPk>
Subject: Re: [openpgp] draft-ietf-openpgp-pqc ECC-based KEMs vs RFC 9180 DHKEM
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Feb 2024 14:00:22 -0000
Aron Wussler <aron@wussler.it> writes: > Hi Simon, > > The logic in the draft is similar to the one existing in the > crypto-refresh [1, 2], just using SHA-3 instead of HKDF. > We chose plain SHA3 over HKDF with SHA2 because it's shared with the > key combiner. Hi Aron. Understood - so no strong cryptographic problem with HPKE-DHKEM, but chosen to lower implementation code size at the expense of a higher specification complexity, if I understand/summarize correctly. I can sympatize with a tradeoff like that, it is subjective what to optimize for. Would it make sense to describe this ECC KEM in a separate document and register it as a proper HPKE KEM? See <https://www.iana.org/assignments/hpke/hpke.xhtml>. Doing so would: 1) Make it easier to analyze your ECC-KEM on its own by people who doesn't (have to) know anything about OpenPGP. Which may increase confidence in the construct. 2) Allow for possible re-use in other protocols with similar needs. 3) Shorten the openpgp-pqc document to not have to specify ECC-KEM. 4) Reduce complexity of openpgp-pqc -- when reading this, I was asking myself if there is something in your ECC-KEM that is strongly cryptographically related to the rest of OpenPGP-PQC. 5) Reduce the amount of cryptographically sensitive algorithms that are standardized by each application protocol WG, which seems like a wortwhile goal on its own. One disadvantage is that we will then get another KEM in the ecosystem, which has a cost, but that will happen anyway if this KEM is defined in openpgp-pqc without being registered and reviewed as a HPKE KEM. Alternatively, simply use already specified DHKEM from RFC 9180. That may lead to slightly larger code size, but if people are using general purpose crypto libraries to implement openpgp-pqc, I don't see any general purpose crypto library not including SHA2/HKDF. Aren't SHA2/HKDF required by other parts of any OpenPGP implementation? /Simon > It's still a provisional choice, and feedback is welcome! I just sent > on Saturday the thread on Signatures, and will soon follow up with KDF > and key combination. > > Cheers, > Aron > > [1] > https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-13.html#section-5.1.6 > [2] > https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-13.html#section-5.1.7 > > > -- > Aron Wussler > Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930 > > > > On Saturday, 17 February 2024 at 16:10, Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org> wrote: > >> Hi >> >> I am reading about OpenPGP's ECC-to-KEM transform here: >> >> https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-00.html#name-ecc-based-kems >> >> There are similarities to HPKE's DHKEM: >> >> https://www.rfc-editor.org/rfc/rfc9180.html#name-dh-based-kem-dhkem >> https://www.rfc-editor.org/rfc/rfc9180.html#name-algorithm-identifiers >> >> Why doesn't draft-ietf-openpgp-pqc use DHKEM? >> >> /Simon >> _______________________________________________ >> openpgp mailing list >> openpgp@ietf.org >> https://www.ietf.org/mailman/listinfo/openpgp > > _______________________________________________ > openpgp mailing list > openpgp@ietf.org > https://www.ietf.org/mailman/listinfo/openpgp >
- [openpgp] draft-ietf-openpgp-pqc ECC-based KEMs v… Simon Josefsson
- Re: [openpgp] draft-ietf-openpgp-pqc ECC-based KE… Aron Wussler
- Re: [openpgp] draft-ietf-openpgp-pqc ECC-based KE… Simon Josefsson
- Re: [openpgp] draft-ietf-openpgp-pqc ECC-based KE… Aron Wussler