On Mon, Aug 29, 2022 at 11:47:27AM +0000, Hannes Tschofenig wrote: > Hi Ilari > > The participants of the IETF#114 meeting expressed an opinion about > the approach of how to encode the public key in a COSE message, namely > to re-use the structures already defined. Those map nicely to what is > being defined for HPKE in terms of algorithms as well.
Well, turns out x25519 and x448 do not quite map nicely to present structures: The encapsulated key is octet string, but putting it to eph requires some extra junk. At best this wastes space. At worst it causes security issues. Assuming redefining eph to allow bstr is not acceptable (compare allowing kid to be int), solving this would require a new header that can take bstr and cose_key. E.g., "ek" (encapsulated key). Which would also be used by native KEM modes. Such header would be useful for backport to JOSE, since there presumably will not be JOSE-HPKE, so PQC requires native KEM modes for JOSE. For long-term keys, one could specify that HPKE keys MUST be OKP unless specified otherwise. This would allow reusing existing x25519 and x448 key structures without causing a long-term mess. > For PQC algorithms the work on these encodings is still ongoing and I > am sure they will be re-usable as well. Well, judging from what I have seen about PQC (signature) work on COSE/JOSE, I do not think the codepoints will be reusable. And then there might be some non-PQC additions, like compact NIST curves. Those things would obsolete the current NIST curves in COSE-HPKE. There are no encodings to reuse for these. > In terms of implementation effort, the biggest work is on implementing > the PQC algorithm and the integration of it into HPKE not in the > integration with COSE (where we are talking about a few lines of code > only anyway). That is true only if the algorithm is not special in any way. If there is anything special in the way the algorithm is mapped to COSE, the complexity leaps up greatly: Specification is entiere document instead registry entry. And implementation will be way more than a few lines (one line in my test implementation). E.g., in hundreds of lines range with NIST curves. -Ilari _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
