On Tue, Nov 08, 2022 at 12:25:51PM +0000, Hannes Tschofenig wrote:
> Hi Ilari
> 
> I am not sure why you bring up the alignment with JOSE. 

Just pointing out that if there is ever JOSE-HPKE, it will be very
different.

> Also, nobody suggested supporting modes beyond base since this
> would raise further challenges with COSE because COSE supports
> those already.

The PSK modes certainly seem like too much complexity to be worth it.

Auth mode might be useful in some edge cases (replacing the need for a
separate signature). But that can presumably be left as a future
enhancement.

> If we omit the kem parameter from the structure then we need to
> define the precise processing rules, which so far nobody has done

The vast majority of the time, there is at most one KEM that could
possibly work.

Some processing rules for handling absent KEM:

1) Filter list of supported KEMs by compatibility with the private
   key.
   - What on Earth is the implementation going to use as key for the
     HPKE decryption otherwise?
   - For any generic key, this will always give at most 1 candidate.
2) If multiple entries remain, filter list further by Nenc == |enc|.
   - These would fail decryption anyway.
3) If there is exactly one entry, attempt decryption with that,
   otherwise fail.

And the processing rules for handling present KEM:

1) Check that the indicated KEM is consistent with the private
   key.
   - What on Earth is the implementation going to use as key for the
     HPKE decryption otherwise?
2) Attempt decryption with that KEM.


For example, for the absent KEM case, assume the implementation supports
all five present HPKE KEMs and the three proposed compact NIST KEMs.
The private key is EC2/P256, and the message has a 32 byte enc.

The initial list of supported KEMs:

- DHKEM(P-256, HKDF-SHA256)
- DHKEM(P-384, HKDF-SHA384)
- DHKEM(P-521, HKDF-SHA512)
- DHKEM(X25519, HKDF-SHA256)
- DHKEM(X448, HKDF-SHA512)
- DHKEM(CP-256, HKDF-SHA256)
- DHKEM(CP-384, HKDF-SHA384)
- DHKEM(CP-521, HKDF-SHA512)

Now, only ones with P-256 and CP-256 are compatible with the key, so
after the first filtering step, the following remain:

- DHKEM(P-256, HKDF-SHA256)
- DHKEM(CP-256, HKDF-SHA256)

Now, the first one has Nenc == 65 != |enc|, and the second has
Nenc == 32 == |enc|, so only the second is kept, and the following
remains:

- DHKEM(CP-256, HKDF-SHA256)

There is one remaining entry, so attempt decryption with KEM
DHKEM(CP-256, HKDF-SHA256).



Or with OKP/x25519 private key, after first step:

- DHKEM(X25519, HKDF-SHA256)

Only one remains, so attempt decryption with KEM
DHKEM(X25519, HKDF-SHA256).




-Ilari

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
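
The processing rules from the message above, for both the absent-KEM and present-KEM cases, as an added example that is not part of the original message or of any COSE/HPKE implementation. The curve labels, function and exception names are constructed for illustration, and the Nenc values for CP-384 and CP-521 (48 and 66) are assumptions; the other Nenc values are those of RFC 9180 and the 32 given in the message. Only KEM selection is shown, not decryption.

```python
# Added illustration of the KEM-selection rules; not code from the thread.
from typing import NamedTuple, Optional

class Kem(NamedTuple):
    name: str
    curve: str  # private-key curve this KEM can operate on (constructed label)
    nenc: int   # length in bytes of the encapsulated key (enc)

SUPPORTED = [
    Kem("DHKEM(P-256, HKDF-SHA256)", "P-256", 65),
    Kem("DHKEM(P-384, HKDF-SHA384)", "P-384", 97),
    Kem("DHKEM(P-521, HKDF-SHA512)", "P-521", 133),
    Kem("DHKEM(X25519, HKDF-SHA256)", "X25519", 32),
    Kem("DHKEM(X448, HKDF-SHA512)", "X448", 56),
    Kem("DHKEM(CP-256, HKDF-SHA256)", "P-256", 32),
    Kem("DHKEM(CP-384, HKDF-SHA384)", "P-384", 48),  # Nenc is an assumption
    Kem("DHKEM(CP-521, HKDF-SHA512)", "P-521", 66),  # Nenc is an assumption
]

class KemSelectionError(Exception):
    """No single KEM can be chosen; the message must be rejected."""

def select_kem(key_curve: str, enc: bytes, indicated: Optional[str] = None) -> Kem:
    # Step 1 in both rule sets: only KEMs usable with the private key count.
    candidates = [k for k in SUPPORTED if k.curve == key_curve]
    if indicated is not None:
        # KEM present: it only has to be consistent with the private key.
        for kem in candidates:
            if kem.name == indicated:
                return kem
        raise KemSelectionError(f"{indicated} does not match a {key_curve} key")
    # KEM absent: filter by Nenc == |enc| only if several entries remain.
    if len(candidates) > 1:
        candidates = [k for k in candidates if k.nenc == len(enc)]
    # Exactly one entry must be left, otherwise fail before any decryption.
    if len(candidates) != 1:
        raise KemSelectionError(f"{len(candidates)} candidate KEMs for {key_curve}")
    return candidates[0]

if __name__ == "__main__":
    # Constructed inputs matching the two walk-throughs in the message.
    print(select_kem("P-256", bytes(32)).name)
    print(select_kem("X25519", bytes(32)).name)
```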
