On Thu, Nov 17, 2022 at 10:05:28AM -0600, Orie Steele wrote: > Illari answered a related question here: > https://mailarchive.ietf.org/arch/msg/cose/eIxt4u8ox8N35-ZbDk_vsFD9PP4/ > > I have similar questions on how HPKE, PQC KEMs, and COSE Key work together > in practice.
Here is how I think it will work: - The COSE_Key has new kty HPKE, containing the algorithm used (expressed using HPKE KEM identifier), public key blob (bstr), possibly some hints and for private keys, private key blob (bstr). - When encrypting, the COSE-HPKE just passes the HPKE code the KEM identifier and the public key blob from the key (along with other stuff like the plaintext to encrypt). HPKE code knows what to do with those. - When decrypting, the COSE-HPKE just passes the HPKE code the KEM identifier and the private key blob from the key (along with other stuff like encapsulated key and the ciphertext to decrypt. HPKE code knows what to do with those. If the KEM is PQC or not is not something COSE-HPKE code needs to concern itself with. Currently HPKE does not have any PQC KEMs, but that could change at any time. As for PQC outside HPKE in COSE, that is obviously more complicated matter, that turns out to need at least some new alg values, along with new (sub)types for the keys. Those things work in way similar to ECDH-ES, however reusing the ECDH-ES codepoints is not possible due to ECDH-ES requiring ephemeral key, which just does not exist for PQC. > On Thu, Nov 17, 2022 at 9:55 AM Laurence Lundblade <[email protected]> > wrote: > > > The details of how HPKE wraps the CEK are needed. The simple answer could > > be that the CEK is the plain text input to Seal(), but typically we want to > > use a specialized key wrap protocol when wrapping keys and Seal() may not > > be that. Maybe it’s OK though, but the crypto experts that know why key > > wrap is needed should make that call. Alternatively, we could come up with > > some way for HPKE to output a KEK. HPKE Seal() is good enough to wrap keys. It does not have the Initialization Vector issues that traditionally drive use of the special key wrap algorithms. -Ilari _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
