On Thu, Jul 13, 2023 at 01:38:02PM -0700, Orlando Arbildo wrote:
> 
> We are currently working on interfaces that can be used during our
> transition to PQ crypto algorithms, and for this we want to use both
> classical and PQ algorithms with COSE. We are planning to use a split key
> combiner (KEM Combiners | SpringerLink
> <https://doi.org/10.1007/978-3-319-76578-5_7>, ia.cr/2022/773) to mix the
> key material.
> We put together an initial draft of how this could work using COSE and we
> found out that we needed a couple of things not currently defined, a way to
> represent the set of keys and a way to represent the set of KEMs data to be
> used. I am attaching the proposal as a PDF (if a different format is
> preferred please let me know); I’d greatly appreciate your feedback.

A few days ago, there was a draft about pretty much the same thing.
It used predefined combinations instead of generic composition. As a
note about generic composition, the LAMPS WG, which does not deal with
anything constrained, considers it too complicated.


I considered that draft much too complicated, and proposed a number of
simplifications.

Basically:

- Define two new algorithms, KEM and KEM+A256KW. 

- KEM is Ephemeral-Static Direct Key Agreement.

- KEM+A256 is Ephemeral-Static Key Agreement with Key Wrap.
  The KeyWrap function is AES-256-KW.

- Both use CFRG KEM combiner as KDF.

- Fixedinfo is the core deterministic encoding of the COSE_KDF_Context
  structure.

- Long-term keys are encoded by using OKP kty with a new crv value,
  where public and private keys are just concatenations of component
  keys.

- (This is a bit dubious) The ciphertext is encoded in the ephemeral key
  header using OKP kty with the same crv, and the "public key" being the
  concatenation of component ciphertexts. A non-dubious solution
  would require a new header parameter.


This is extremely similar to how ECDH-ES and ECDH-ES+A256KW work.




-Ilari

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
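
An added illustration of the scheme sketched in the message above (not code from the thread, the attached proposal, or any draft): the concatenated ciphertext field is split into fixed-length components and bound, together with each shared secret and Fixedinfo, into one derived key. The component sizes, function names and sample bytes are assumptions, and the hash-based combiner is a simplified stand-in rather than the CFRG construction.

```python
import hashlib

# Assumed component sizes, not from the thread: an X25519 ephemeral public
# key (32 bytes) followed by an ML-KEM-768 ciphertext (1088 bytes).
CT_LENS = (32, 1088)

def split_concat(blob, lens):
    """Split a concatenation of fixed-length components, rejecting any other length."""
    if len(blob) != sum(lens):
        raise ValueError(f"expected {sum(lens)} bytes, got {len(blob)}")
    parts, off = [], 0
    for n in lens:
        parts.append(blob[off:off + n])
        off += n
    return parts

def lp(b):
    """Length-prefix a field so adjacent fields cannot be re-split ambiguously."""
    return len(b).to_bytes(4, "big") + b

def combine(secrets, ciphertexts, fixed_info, out_len=32):
    """Illustrative combiner: hash every shared secret, every ciphertext and Fixedinfo."""
    if len(secrets) != len(ciphertexts):
        raise ValueError("one shared secret per component ciphertext")
    ikm = b"".join(lp(ss) + lp(ct) for ss, ct in zip(secrets, ciphertexts))
    okm, counter = b"", 1
    while len(okm) < out_len:
        block = counter.to_bytes(4, "big") + ikm + lp(fixed_info)
        okm += hashlib.sha3_256(block).digest()
        counter += 1
    return okm[:out_len]

def demo():
    # Constructed sample values; real ones come from the component KEMs.
    blob = bytes(range(32)) + bytes(1088)       # concatenated "public key" field
    secrets = [b"\x11" * 32, b"\x22" * 32]      # per-component shared secrets
    fixed_info = b"constructed COSE_KDF_Context bytes"
    kek = combine(secrets, split_concat(blob, CT_LENS), fixed_info)
    # Flip one bit in the second component ciphertext: the derived key must change.
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])
    kek_tampered = combine(secrets, split_concat(tampered, CT_LENS), fixed_info)
    return kek, kek_tampered

if __name__ == "__main__":
    kek, kek_tampered = demo()
    print(kek.hex(), kek != kek_tampered)
```

Because the ciphertexts are hashed alongside the shared secrets, a modified component ciphertext yields a different key even when the secrets are unchanged, and a concatenation of the wrong length is rejected before any derivation happens.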
