Hi Ilari, It’s taking some time for me to understand HPKE well. Patience appreciated. Let me ask a couple questions that seem important and clarifying and have you confirm my understanding.
Is the bulk AEAD operation (JUST the bulk operation) on the pt that produce the ct the same for HPKE as for the methods in COSE section 6? They both can use AES 128 GCM, but it looks to me like they aren’t the same because HPKE has a stateful encryption context (HPKE section 5.2) and COSE doesn’t. You might be able to use the same AES 128 GCM library for both, but the surrounding inputs don’t seem compatible. Are we considering whether and how reuse of the HPKE encryption context fits into COSE? It is probably not useful in COSE (but can see it is critical in TLS). How will multiple recipients be handled with COSE-HPKE? In one case one HPKE recipient may use Edwards curves and another HPKE recipient NIST curves. There’s also the possibility that one recipient uses HPKE and another something that is not HPKE like AES key wrap from RFC 9053 section 6.2. It kind of seems like HPKE was not designed for multiple recipients because it was designed in the TLS context. You mentioned two-layered HPKE in a previous message. What is that? My first thought for multiple recipients in COSE-HPKE is to use the facilities COSE has, but I’m not sure how to line that up with the way AEAD is integrated into the HPKE encryption context. It does seem necessary to address this now. So focusing on the COSE body header parameter algorithm ID, it seems that it should be a COSE algorithm ID if it is doing what COSE says to do even if the recipient structure is HPKE, but if it is not compatible with COSE’s use of AEAD, then it should be something else (which must be in the COSE registry). Not saying which way to go here. Just building up some facts. Thanks! LL > On Nov 11, 2022, at 5:59 AM, Ilari Liusvaara <[email protected]> wrote: > > On Fri, Nov 11, 2022 at 12:53:51PM +0000, Laurence Lundblade wrote: >> >> I mentioned two algorithm IDs (in red in the example below), not two >> layers of encryption. >> >> From reading the PR#9 more carefully I see that you put HPKE as the >> algorithm ID in both the body header and recipient headers. This kind >> of bypasses the COSE design intent as I understand it. Don’t have a >> comment on that yet. >> >> So I do think there are two algorithm IDs in the example, but maybe >> you can say there is just one in HPKE because both instances are the >> same in HPKE. > > Since HPKE internally combines asymmetric and symmetric encryption, > essentially those two algorithms collapse into sub-algorithms of HPKE, > with HPKE becoming the main algorithm. > > I think it is simpler that way (and is more compact too), albeit this > makes HPKE a new kind of thing, instead of instance of existing mode. > > While operating HPKE like ECDH-ES+KDF would allow using COSE key > wrapping algorithms not in HPKE, that does not seem that useful, as > key wrapping algorithms are not good for bulk encryption (but bulk > ciphers are decent at key wrapping using a decent KDF), and HPKE > does have the most important bulk ciphers. > > >> 96( >> [ >> / protected h'a10101' / << { >> / alg / 1:1 / AES-GCM 128 / >> } >>, >> / unprotected / { >> / iv / 5:h'c9cf4df2fe6c632bf7886413' >> }, >> / ciphertext / h'7adbe2709ca818fb415f1e5df66f4e1a51053ba6d65a1a0 >> c52a357da7a644b8070a151b0', >> / recipients / [ >> [ >> / protected h'a1013818' / << { >> / alg / 1:-25 / ECDH-ES + HKDF-256 / >> } >>, >> / unprotected / { >> / ephemeral / -1:{ >> / kty / 1:2, >> / crv / -1:1, >> / x / -2:h'98f50a4ff6c05861c8860d13a638ea56c3f5ad7590bbf >> bf054e1c7b4d91d6280', >> / y / -3:true >> }, >> / kid / 4:'[email protected]' >> }, >> / ciphertext / h'' >> ] >> ] >> ] >> ) > > > -Ilari > > _______________________________________________ > COSE mailing list > [email protected] <mailto:[email protected]> > https://www.ietf.org/mailman/listinfo/cose > <https://www.ietf.org/mailman/listinfo/cose>
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
