Re: [openpgp] draft-ietf-openpgp-pqc ECC-based KEMs vs RFC 9180 DHKEM
Aron Wussler <aron@wussler.it> Mon, 19 February 2024 16:17 UTC
Return-Path: <aron@wussler.it>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3D1FC14F726 for <openpgp@ietfa.amsl.com>; Mon, 19 Feb 2024 08:17:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wussler.it
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aRMPIE8H7bCf for <openpgp@ietfa.amsl.com>; Mon, 19 Feb 2024 08:17:50 -0800 (PST)
Received: from mail-4022.proton.ch (mail-4022.proton.ch [185.70.40.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CC6EC14F714 for <openpgp@ietf.org>; Mon, 19 Feb 2024 08:17:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wussler.it; s=protonmail3; t=1708359467; x=1708618667; bh=1/oZ0KGSNmlI0Lh4TFS1VxH4osgLKNALkTJWEbuG96U=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=gpOUaqEWxboThWGUzNaQNsQa4kUtB1ifqAQZLQdAyc53e7BKRSMP4bN4w47x6IilT GruIiMDkzMp/P5UU9BRkTv//APM8pV8TmWJzi73q2wk1WQMCO/Px+h56V52linrzI0 xbPg3drkwniFMNOsIhihPgDOtf/3dYkfW4XLGeYWl4jyejfgEc/ap0ULEQAosqMFdg 72ZxErQA9vD2KddZGhH5jTF46CDCsLzT3XR99c5IPNl5jLveTwNMB4swK/gPBLZEbr g0jCoKSGLh2L+HzjQZqCfS0DGbfqpBSjS0VxS04K6+06edMTyD8jelZJumdEKAxU6K lpKQyiMbodGSA==
Date: Mon, 19 Feb 2024 16:17:29 +0000
To: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>
From: Aron Wussler <aron@wussler.it>
Cc: openpgp@ietf.org
Message-ID: <Ip3LVq0DbneXEWLXixebgKtFrugS7xSnNCFVGMzw5lAYc-u9F6UrUmqaNc3ui7QEkaQ2dXX14DecPoCZ88--icPy5FhUxYWK-DgGT-odIKw=@wussler.it>
In-Reply-To: <87edd8fta7.fsf@kaka.sjd.se>
References: <87frxr6s9t.fsf@kaka.sjd.se> <qQr5CeWM2zUr3h887mlyDuL1uQXfhC634kMVjrRcXwhFlokk-YpqPQ5ssOfQvvo7JrIK90O8eqhZG3bDw1SD_uCjQCcsGEd-dJMSWZVI04Q=@wussler.it> <87edd8fta7.fsf@kaka.sjd.se>
Feedback-ID: 10883271:user:proton
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="------10a60480233ba0c2ab86c33f50b1844812ba73854c9c197cf1a5d460394c3da2"; charset="utf-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/vCsiKOY6ybQ8khWg6P-LGZeTweg>
Subject: Re: [openpgp] draft-ietf-openpgp-pqc ECC-based KEMs vs RFC 9180 DHKEM
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Feb 2024 16:17:56 -0000
Hey Simon, > Understood - so no strong cryptographic problem with > HPKE-DHKEM, but chosen to lower implementation code size at the expense > of a higher specification complexity Yes, I think this summarizes the approach so far. I'll keep this noted for the upcoming KEM/KDF thread, and make sure we address it. > Aren't SHA2/HKDF required by other parts of any OpenPGP implementation? Yes, HKDF with SHA2 is used to derive keys in symmetrically encrypted data too (on top of X25519/448), but am not sure which implementations use generic libraries for this. I think we won't really answer this before 119, eager to know what do other implementers say :) Cheers, Aron -- Aron Wussler Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930 On Monday, 19 February 2024 at 15:00, Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org> wrote: > Aron Wussler aron@wussler.it writes: > > > Hi Simon, > > > > The logic in the draft is similar to the one existing in the > > crypto-refresh [1, 2], just using SHA-3 instead of HKDF. > > We chose plain SHA3 over HKDF with SHA2 because it's shared with the > > key combiner. > > > Hi Aron. Understood - so no strong cryptographic problem with > HPKE-DHKEM, but chosen to lower implementation code size at the expense > of a higher specification complexity, if I understand/summarize > correctly. I can sympatize with a tradeoff like that, it is subjective > what to optimize for. > > Would it make sense to describe this ECC KEM in a separate document and > register it as a proper HPKE KEM? See > https://www.iana.org/assignments/hpke/hpke.xhtml. Doing so would: > > > 1) Make it easier to analyze your ECC-KEM on its own by people who > doesn't (have to) know anything about OpenPGP. Which may increase > confidence in the construct. > > 2) Allow for possible re-use in other protocols with similar needs. > > 3) Shorten the openpgp-pqc document to not have to specify ECC-KEM. > > 4) Reduce complexity of openpgp-pqc -- when reading this, I was asking > myself if there is something in your ECC-KEM that is strongly > cryptographically related to the rest of OpenPGP-PQC. > > 5) Reduce the amount of cryptographically sensitive algorithms that are > standardized by each application protocol WG, which seems like a > wortwhile goal on its own. > > One disadvantage is that we will then get another KEM in the ecosystem, > which has a cost, but that will happen anyway if this KEM is defined in > openpgp-pqc without being registered and reviewed as a HPKE KEM. > > Alternatively, simply use already specified DHKEM from RFC 9180. That > may lead to slightly larger code size, but if people are using general > purpose crypto libraries to implement openpgp-pqc, I don't see any > general purpose crypto library not including SHA2/HKDF. Aren't > SHA2/HKDF required by other parts of any OpenPGP implementation? > > /Simon > > > It's still a provisional choice, and feedback is welcome! I just sent > > on Saturday the thread on Signatures, and will soon follow up with KDF > > and key combination. > > > > Cheers, > > Aron > > > > [1] > > https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-13.html#section-5.1.6 > > [2] > > https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-13.html#section-5.1.7 > > > > -- > > Aron Wussler > > Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930 > > > > On Saturday, 17 February 2024 at 16:10, Simon Josefsson simon=40josefsson.org@dmarc.ietf.org wrote: > > > > > Hi > > > > > > I am reading about OpenPGP's ECC-to-KEM transform here: > > > > > > https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-00.html#name-ecc-based-kems > > > > > > There are similarities to HPKE's DHKEM: > > > > > > https://www.rfc-editor.org/rfc/rfc9180.html#name-dh-based-kem-dhkem > > > https://www.rfc-editor.org/rfc/rfc9180.html#name-algorithm-identifiers > > > > > > Why doesn't draft-ietf-openpgp-pqc use DHKEM? > > > > > > /Simon > > > _______________________________________________ > > > openpgp mailing list > > > openpgp@ietf.org > > > https://www.ietf.org/mailman/listinfo/openpgp > > > > _______________________________________________ > > openpgp mailing list > > openpgp@ietf.org > > https://www.ietf.org/mailman/listinfo/openpgp > > _______________________________________________ > openpgp mailing list > openpgp@ietf.org > https://www.ietf.org/mailman/listinfo/openpgp
- [openpgp] draft-ietf-openpgp-pqc ECC-based KEMs v… Simon Josefsson
- Re: [openpgp] draft-ietf-openpgp-pqc ECC-based KE… Aron Wussler
- Re: [openpgp] draft-ietf-openpgp-pqc ECC-based KE… Simon Josefsson
- Re: [openpgp] draft-ietf-openpgp-pqc ECC-based KE… Aron Wussler