Re: [COSE] COSE HPKE

Tue, 01 Nov 2022 04:19:04 -0700 

Ilari, Daisuke,
You guys talk a lot about how to use PQC algorithms in HPKE for use with COSE 
but where are those actually described?
Ciao
Hannes

From: AJITOMI Daisuke <ajit...@gmail.com>
Sent: Tuesday, November 1, 2022 12:00 PM
To: Hannes Tschofenig <hannes.tschofe...@arm.com>
Cc: Ilari Liusvaara <ilariliusva...@welho.com>; cose@ietf.org
Subject: Re: [COSE] COSE HPKE

Hi Ilari and Hannes,

Sorry, I finally checked all of Ilari's comments and proposals today.
- Instead of registering hpke_sender to Common Header Parameters,
 register encapsulated_key:

Why is it necessary to define the encapsulated key (enc) independent of HPKE in 
this COSE-HPKE spec?

In the context of HPKE, enc should be bstr and nothing more. We should focus on 
the bstr encapsulated key in the context of HPKE.

In the Kyber case, we can consider only the Kyber mapped onto the HPKE 
framework, in which case enc would still be bstr (or the alternative might be 
to not use the enc field, assuming that enc is included in the ciphertext 
though).
  For algorithm HPKE, encapsulated key MUST be present in unprotected
  bucket and its value SHALL be of type COSE_HPKE_Sender.

Hmm..., it seems a bit odd to put the COSE_HPKE_Sender information into a 
generic encapsulated key attribute, given the fact that the encapsulated key 
itself is just one of the attributes of COSE_HPKE_Sender.

Anyway, I believe that if you want to define generic encapsulated key 
information (for PQC? and so on), that you should make a separate I-D.
- COSE_HPKE_Sender could be simplified to:

  COSE_HPKE_Sender = [
       kdf: uint,
       aead: uint,
       enc: bstr,
       ? kem: uint
  ];

I think this approach using the array type is also good, but I was going to 
suggest the following additions to the HPKE sender information as the next step 
of draft-03. Specifically, I was thinking of the need to specify the HPKE 
version information and support other HPKE modes other than Base mode in the 
long run.
There are 3 optional attributes in this structure and I think it is not 
suitable to be represented as an array.

```
COSE_HPKE_Sender = {
    ? 0 => uint,        ; HPKE version (default: 1) *
    ? 1 => uint,        ; kem id
    2 => uint,           ; kdf id
    3 => uint,           ; aead id
    4 => bstr,           ; enc
    ? 5 => bstr,         ; sender public key (for Auth mode or AuthPSK mode) **
}
* Need to confirm the HPKE version can be expressed in uint.
** Need to discuss whether bstr or COSE_Key.
```

Best regards,
Daisuke
2022年10月31日(月) 20:30 Hannes Tschofenig 
<hannes.tschofe...@arm.com<mailto:hannes.tschofe...@arm.com>>:
Hi Ilari,

I updated the PR based on your feedback.

I still have a few question regarding the processing rules. I wonder whether 
this procedure introduces fragility just for a very small byte saving (namely 
saving the kem id value).
It also makes the implementations more difficult since multiple cases have to 
be considered.

~snip~

> * you introduce rules for processing that are dependent upon the
> presence/absence of the kem field. You are asking the developer to
> determine whether "the KEM is consistent with the private key".
>
> I fear that this rule is too loose to understand. We will have to
> specify what "consistent" means i.e. what checks a developer is
> supposed to make. This also changes the text that is currently in the
> draft, which says that the kem is optional one the value of this field
> is inferred already by the key identifier.

This processing is already needed, it is just left unspecified. And my wording 
was apparently very poor.


The question is, what does your implementation do if it receives:

a) A message with no KEM, but there are multiple KEMs that all can
   be used with the private key and have Nenc = |enc|.

   I think it is reasonable to fail to decrypt.

b) A message with no KEM, there are multiple KEMs that all can be
   used with the private key, but only one has Nenc = |enc|.

   I think it is reasonable to attempt decryption with the one
   KEM.

   (checking for Nenc = |enc| is needed in case both compact and
   uncompressed curves are supported with the same private key.)

c) A message with KEM that can not be used with the private key.

   I think it is reasonable to fail to decrypt.

   (If the KEM can be used with private key, but Nenc != |enc|,
   then HPKE will fail anyway.)


Ciao
Hannes

IMPORTANT NOTICE: The contents of this email and any attachments are 
confidential and may also be privileged. If you are not the intended recipient, 
please notify the sender immediately and do not disclose the contents to any 
other person, use it for any purpose, or store or copy the information in any 
medium. Thank you.

_______________________________________________
COSE mailing list
COSE@ietf.org<mailto:COSE@ietf.org>
https://www.ietf.org/mailman/listinfo/cose
IMPORTANT NOTICE: The contents of this email and any attachments are 
confidential and may also be privileged. If you are not the intended recipient, 
please notify the sender immediately and do not disclose the contents to any 
other person, use it for any purpose, or store or copy the information in any 
medium. Thank you.

_______________________________________________
COSE mailing list
COSE@ietf.org
https://www.ietf.org/mailman/listinfo/cose

Reply via email to