On Thu, 23 May 2024 at 20:58, Ilari Liusvaara <[email protected]> wrote:
> On Thu, May 23, 2024 at 07:54:42AM -0500, Orie Steele wrote:
> >
> > As an author I support adoption.
> >
> > The main motivation I have for working on HPKE, is to ensure that encrypted JWT and CWT use cases that want to use PQ algorithms have a consistent path to achieve this.
> >
> > Both JWT and CWT share alignment regarding confirmation methods, so it is important that they share algorithms as well, and with a few exceptions that's mostly true today.
>
> Adding native PQ support is actually even easier than adding HPKE.

Adding a PQ/T Hybrid KEM in Hybrid Public-Key Encryption (HPKE) is much easier, as detailed in https://www.ietf.org/archive/id/draft-reddy-cose-jose-pqc-hybrid-hpke-00.html .

> > I've implemented the current drafts for JOSE and COSE, I think it's been beneficial to both specifications to compare the approaches.
>
> I have implemented what I think is still the current COSE draft. Found it easy. I have not even tried to implement the JOSE draft because of a few issues I find rather nasty.

We have already addressed all your comments. Please review the latest version of the draft to verify if there are any remaining comments.

> > It's true that currently DH KEMs feel very similar to ECDH-ES, but PQ or hybrid KEMs won't.
>
> All KEMs feel very similar to ECDH-ES.
>
> The three operations ECDH-ES performs are _exactly_ the KEM keygen(), encaps() and decaps() operations!
>
> Now, it is not possible to just use ECDH-ES due to some technical details. But one can just easily clone the algorithms with just the technical details suitably changed.
>
> And then register the key subtypes for PQ keys to get complete usable PQ support.

The challenges with using hybrid schemes are different from using PQ KEM algorithms alone.

> > Having a framework (JWT/CWT) in place, where JOSE and COSE can share PQ algorithms will reduce complexity in the long run, and enable easier security analysis and migration.
>
> Native PQ support can trivially share the algorithms.
>
> > There was also a presentation on designated verifier signatures at 119, where HPKE was discussed in that context as well. I believe that direct mode auth HPKE JWEs might help enable post quantum KEMs to be used for those same use cases, whereas building on ECDH-ES + MAC as was recently proposed would need more changes to support post quantum or hybrid algorithms... So it's possible that this might save the need for future algorithm registrations which might be requested to support repudiable digital credentials use cases.
>
> Sorry, HPKE Auth mode is not supported for post-quantum.
>
> ... Because nobody knows how to create safe and usable authenticated post-quantum KEM!

To achieve an Authenticated Key Exchange, two full PQ KEM exchanges are required, and their results must be combined to form a single shared secret. This process is not feasible with JOSE/COSE.

-Tiru

> -Ilari
>
> _______________________________________________
> jose mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
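Ilari's point above, that the three operations of ECDH-ES are exactly a KEM's keygen(), encaps() and decaps(), as an added illustration that is not code from this thread or from any of the drafts discussed: X25519 Diffie-Hellman wrapped in the KEM interface, the same shape RFC 9180's DHKEM has. The curve arithmetic follows RFC 7748; the one assumption for brevity is that the KDF is a single HMAC-SHA256 step rather than RFC 9180's LabeledExtract/LabeledExpand, so the output is not interoperable with real HPKE.

```python
# Added illustration, not code from the thread: X25519 Diffie-Hellman exposed
# through the KEM interface keygen()/encaps()/decaps(), the shape RFC 9180's
# DHKEM has. Curve arithmetic follows RFC 7748. Assumption for brevity: the KDF
# is a single HMAC-SHA256 step, not RFC 9180's LabeledExtract/LabeledExpand.
import hashlib, hmac, os
P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (A - 2) / 4
BASEPOINT = bytes([9]) + bytes(31)   # u = 9, little-endian encoding

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar k times point u."""
    k, u = bytearray(k), bytearray(u)
    k[0] &= 248; k[31] &= 127; k[31] |= 64   # clamp the scalar
    u[31] &= 127                              # drop the unused top bit
    k, x1 = int.from_bytes(k, "little"), int.from_bytes(u, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _kdf(dh: bytes, enc: bytes, pk_r: bytes) -> bytes:
    # Like DHKEM, bind the output to the DH result and both public keys.
    return hmac.new(b"x25519-kem-demo", dh + enc + pk_r, hashlib.sha256).digest()

def keygen(seed: bytes = b"") -> tuple:
    """Static or ephemeral key pair: (private scalar, public point)."""
    sk = seed or os.urandom(32)
    return sk, x25519(sk, BASEPOINT)

def encaps(pk_r: bytes, eph_seed: bytes = b"") -> tuple:
    """Sender: ephemeral key pair + DH with recipient's static key (ECDH-ES)."""
    sk_e, enc = keygen(eph_seed)
    return _kdf(x25519(sk_e, pk_r), enc, pk_r), enc   # (shared_secret, enc)

def decaps(enc: bytes, sk_r: bytes) -> bytes:
    """Recipient: DH with own static key, then the same KDF."""
    return _kdf(x25519(sk_r, enc), enc, x25519(sk_r, BASEPOINT))
```

Swapping x25519 for a PQ or hybrid encaps/decaps leaves the calling pattern unchanged, which is the sense in which a KEM "feels like" ECDH-ES; the HPKE Auth mode point in the thread is about the sender's static key, which this unauthenticated KEM never uses.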
