On Fri, Sep 01, 2023 at 06:58:04PM +0300, Ilari Liusvaara wrote:
> On Thu, Aug 31, 2023 at 02:12:00PM +0000, John Mattsson wrote:
> > Hi all,
> >
> > --------------------------------------------------------------
> > This group is chartered to work on the following deliverables:
> >
> > - Document registering cryptographic algorithm identifiers that fully
> > specify the cryptographic operations to be performed.
> > - Document describing the use of the NIST algorithm ML-KEM in JOSE.
> > - Document describing the use of the NIST algorithm ML-DSA in JOSE.
> > - Document describing the use of the NIST algorithm SLH-DSA in JOSE.
> > - Document describing the use of the NIST algorithm NL-DSA in JOSE.
> > - One or more documents describing the proper use of algorithms.
> > These algorithms must meet the requirements outlined above.
> > --------------------------------------------------------------
>
> I think there should also be a work item for sound signature
> pre-hashing. Doing pre-hashing in a naive way is cryptographically
> *unsound*.

Oh, and there should be a general framework for using KEMs in JOSE, and the ML-KEM stuff should be an instance of that.

Such a framework can be done by taking ECDH-ES, doing the minimal modifications required for things to work (basically using a new header parameter instead of "eph" and changing some wording from ECDH to KEM) and then rethinking the algorithms a bit (I think SHAKE256[1] and SHAKE256+AES256KW[2]).

If one wants a test KEM for it, I think X25519+Kyber768 using a KEM combiner would make a good one. That stuff has effectively been vetted by CFRG.

(Using HPKE is not a good idea because HPKE and JWE do not mix.)

[1] E.g., one needs SHAKE256 (or something extremely close) anyway for ML-KEM.

[2] Post-quantum!

-Ilari

_______________________________________________
jose mailing list
https://www.ietf.org/mailman/listinfo/jose
