Hi Brian,

>Was this an intentional design?
>But then why do the direct ECDH use escalating hash strengths?
No idea.

>For equivalence of security strength
>Or is there something I’m missing and technically the KDF hash function does 
>not affect overall security strength?

The KDF very much affects the overall security strength, but HMAC-SHA-2 has a 
security strength of 256 bits when used as a KDF. See Table 2 of SP 800-56C.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf

Makes sense to use HMAC-SHA2 for all, but it is not compatible with CNSA 1.0. 
Note that ECDH is not compatible with CNSA 2.0 at all.

(Note that TLS 1.3 is different: the AES-256 cipher suite requires HMAC-SHA-384 
as they use a long hash chain without any added randomness.)

John

From: Sipos, Brian J. <[email protected]>
Date: Thursday, 13 November 2025 at 15:23
To: cose <[email protected]>
Subject: [COSE] ECDH + KW algorithms and hash strengths

All,
In reviewing the current registered COSE algorithms for conformance to CNSA 1.0 
and 2.0 (the two releases of CNNSP 15 [1]) restrictions I’ve come across an 
interesting problem. All of the ECDH + KW algorithms currently registered by 
RFC 9053 [2] have a series of increasing AES key lengths but all use SHA-256 
within the KDF. This is different than the increasing hash strengths for the 
direct ECDH algorithms registered by RFC 9053 [3].

Was this an intentional design?

For equivalence of security strength, would it be more consistent to escalate 
somewhat like:
ECDH + HKDF-256 + A128KW
ECDH + HKDF-384 + A192KW
ECDH + HKDF-512 + A256KW

Or is there something I'm missing, and technically the KDF hash function does 
not affect overall security strength? But then why do the direct ECDH algorithms 
use escalating hash strengths?

Thanks for any insight about this,
Brian S.

[1] https://www.cnss.gov/CNSS/issuances/Policies.cfm
[2] https://www.rfc-editor.org/rfc/rfc9053.html#section-6.4.1
[3] https://www.rfc-editor.org/rfc/rfc9053.html#section-6.3.1

_______________________________________________
COSE mailing list -- [email protected]