IETF Logo Mail Archive

Re: [openpgp] draft-ietf-openpgp-pqc ECC-based KEMs vs RFC 9180 DHKEM

Simon Josefsson <simon@josefsson.org> Mon, 19 February 2024 14:00 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9A81C14F6ED for <openpgp@ietfa.amsl.com>; Mon, 19 Feb 2024 06:00:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.408
X-Spam-Level:
X-Spam-Status: No, score=-4.408 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=josefsson.org header.b="93IvObVp"; dkim=pass (2736-bit key) header.d=josefsson.org header.b="jfzsK0He"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xq6umyqKKSsV for <openpgp@ietfa.amsl.com>; Mon, 19 Feb 2024 06:00:11 -0800 (PST)
Received: from uggla.sjd.se (uggla.sjd.se [IPv6:2001:9b1:8633::107]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18F80C14F6BA for <openpgp@ietf.org>; Mon, 19 Feb 2024 06:00:09 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=ed2303; h=Content-Type:MIME-Version:Message-ID:In-Reply-To :Date:References:Subject:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding :Content-ID:Content-Description; bh=xkqbbqNWcdsRCzbAuz86xLLUZOwH5pj7niB2o8XOcsg=; t=1708351206; x=1709560806; b=93IvObVpejAUmWFKiD/MuP+qeecvZt1ga3LJgR4JNato5F8BYtB9ewkEvqQms3kRIsqTTIk8xmd MenglocnRCw==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=rsa2303; h=Content-Type:MIME-Version:Message-ID: In-Reply-To:Date:References:Subject:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=xkqbbqNWcdsRCzbAuz86xLLUZOwH5pj7niB2o8XOcsg=; t=1708351206; x=1709560806; b=jfzsK0HeO0EkXs3fmkKAcWulU15TAg1dxq2P22q+7eKFcQD8V1w5yCu6QSuMB77qKdOUJ2zhcEW vrp+qYXbV3Z1HUf7BRTrWlZZgLuD0rHnu5ySWgIOspytyGtl+Yxrjiw/iRljJwSe7ubieEH0uNncR jsWGBQJrCBcAbWZlCFg0MrGgph7tG4Y2ta7hsaqdIlUDFeC49syBAu9KmPQydaqrhCSY0WSs7Mwi2 ybbpGkFs8Dn7ErH9DvHFr3lqIuQqMOSGo/ImD5hwtz3rqOIpPnKApPQisDiK29jBinOUq5ClWmk6s Qfg5tq1SdnhH11WkpeO27lOQg4gFZyuJzaIn7kjutwEHNCXxLAaNq/kf14cgeo3EjSBtKAHeaWSai Q19Y1UtZy1J5OYp+B12NEm1iBtb7ZpbPFPTEPS3GZjyVFWwtZCqe6QWCy3fQn9x2jm+vkURCU;
Received: from [2001:9b1:41ac:ff00:823f:5dff:fe09:16ac] (port=40100 helo=kaka) by uggla.sjd.se with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <simon@josefsson.org>) id 1rc4Bf-0091Ck-2a; Mon, 19 Feb 2024 14:00:03 +0000
From: Simon Josefsson <simon@josefsson.org>
To: Aron Wussler <aron@wussler.it>
Cc: openpgp@ietf.org
References: <87frxr6s9t.fsf@kaka.sjd.se> <qQr5CeWM2zUr3h887mlyDuL1uQXfhC634kMVjrRcXwhFlokk-YpqPQ5ssOfQvvo7JrIK90O8eqhZG3bDw1SD_uCjQCcsGEd-dJMSWZVI04Q=@wussler.it>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
X-Hashcash: 1:23:240219:simon=40josefsson.org@dmarc.ietf.org::hjJDgIn06XV0FOXz:BBc5
X-Hashcash: 1:23:240219:openpgp@ietf.org::9UGqajXSOulb21CN:bNJH
X-Hashcash: 1:23:240219:aron@wussler.it::NNi1QQQ5Cx+sYuGe:yuiY
Date: Mon, 19 Feb 2024 15:00:32 +0100
In-Reply-To: <qQr5CeWM2zUr3h887mlyDuL1uQXfhC634kMVjrRcXwhFlokk-YpqPQ5ssOfQvvo7JrIK90O8eqhZG3bDw1SD_uCjQCcsGEd-dJMSWZVI04Q=@wussler.it> (Aron Wussler's message of "Mon, 19 Feb 2024 09:26:44 +0000")
Message-ID: <87edd8fta7.fsf@kaka.sjd.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/AXt9s9G1TEJp9591puBt3WwzhPk>
Subject: Re: [openpgp] draft-ietf-openpgp-pqc ECC-based KEMs vs RFC 9180 DHKEM
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Feb 2024 14:00:22 -0000

Aron Wussler <aron@wussler.it> writes:

> Hi Simon,
>
> The logic in the draft is similar to the one existing in the
> crypto-refresh [1, 2], just using SHA-3 instead of HKDF.
> We chose plain SHA3 over HKDF with SHA2 because it's shared with the
> key combiner.

Hi Aron.  Understood - so no strong cryptographic problem with
HPKE-DHKEM, but chosen to lower implementation code size at the expense
of a higher specification complexity, if I understand/summarize
correctly.  I can sympatize with a tradeoff like that, it is subjective
what to optimize for.

Would it make sense to describe this ECC KEM in a separate document and
register it as a proper HPKE KEM?  See
<https://www.iana.org/assignments/hpke/hpke.xhtml>.  Doing so would:

1) Make it easier to analyze your ECC-KEM on its own by people who
doesn't (have to) know anything about OpenPGP.  Which may increase
confidence in the construct.

2) Allow for possible re-use in other protocols with similar needs.

3) Shorten the openpgp-pqc document to not have to specify ECC-KEM.

4) Reduce complexity of openpgp-pqc -- when reading this, I was asking
myself if there is something in your ECC-KEM that is strongly
cryptographically related to the rest of OpenPGP-PQC.

5) Reduce the amount of cryptographically sensitive algorithms that are
standardized by each application protocol WG, which seems like a
wortwhile goal on its own.

One disadvantage is that we will then get another KEM in the ecosystem,
which has a cost, but that will happen anyway if this KEM is defined in
openpgp-pqc without being registered and reviewed as a HPKE KEM.

Alternatively, simply use already specified DHKEM from RFC 9180.  That
may lead to slightly larger code size, but if people are using general
purpose crypto libraries to implement openpgp-pqc, I don't see any
general purpose crypto library not including SHA2/HKDF.  Aren't
SHA2/HKDF required by other parts of any OpenPGP implementation?

/Simon

> It's still a provisional choice, and feedback is welcome! I just sent
> on Saturday the thread on Signatures, and will soon follow up with KDF
> and key combination.
>
> Cheers,
> Aron
>
> [1]
> https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-13.html#section-5.1.6
> [2]
> https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-13.html#section-5.1.7
>
>
> --
> Aron Wussler
> Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930
>
>
>
> On Saturday, 17 February 2024 at 16:10, Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org> wrote:
>
>> Hi
>>
>> I am reading about OpenPGP's ECC-to-KEM transform here:
>>
>> https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-00.html#name-ecc-based-kems
>>
>> There are similarities to HPKE's DHKEM:
>>
>> https://www.rfc-editor.org/rfc/rfc9180.html#name-dh-based-kem-dhkem
>> https://www.rfc-editor.org/rfc/rfc9180.html#name-algorithm-identifiers
>>
>> Why doesn't draft-ietf-openpgp-pqc use DHKEM?
>>
>> /Simon
>> _______________________________________________
>> openpgp mailing list
>> openpgp@ietf.org
>> https://www.ietf.org/mailman/listinfo/openpgp
>
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp
>

v2.23.0 | Report a Bug | By Email