Thank you for this detailed response.
Building on it, is this what you would expect for a Kyber JWK?
{ kty: OKP, crv: Kyber-1024, alg: KEM+SHA3KDF+A256KW, x, d }
It seems we have a few high level options to consider:
1. Ilari's proposal to use OKP and `crv` to represent lattice and hash
based public key cryptosystems
2. The new kty proposal for LWE, NTRU and HASH
3. Adding a new registry for Lattices and Hashes and adding a new `crv`
like property for representing their subtypes.
Is there another high level approach we should document for consideration?
Regards,
OS
On Tue, Nov 15, 2022 at 4:31 AM Ilari Liusvaara <[email protected]>
wrote:
> On Mon, Nov 14, 2022 at 04:07:48PM -0600, Orie Steele wrote:
> > Thanks again! Responses inline:
>
> Responding to broad points:
>
>
> OKP always requires crv. Which is just horribly named: OKP MAY be used
> for lattices, in which case not only is crv used, but the lattice goes
> to the "COSE Elliptic Curves" registry, despite not being anything to do
> with elliptic curves.
>
> And then, the BLS curve, while being elliptic curve, is not the kind of
> elliptic curve as understood by COSE/JOSE (otherwise it would be EC2/EC
> like the usual elliptic curves).
>
>
> Actually, the problem with fixing alg for JWE keys is not between single
> and multiple recipients, but between compact and JSON serialization of
> JWE. And similar issue already exists for ECDH-ES:
>
> If key has alg=ECDH-ES, it can be used with compact serialization, but
> not JSON serialization, limiting it to a single recipient.
>
> Conversely if key has alg=ECDH-ES+A*KW, it can be used with JSON
> serialization (generic or flattened), but not compact serialization.
>
> In COSE, the constraints are a bit different: ECDH-ES+HKDF* can be
> used with multiple recipients, at cost of extra space. And using
> ECDH-ES+A*KW costs space if there is only one recipient.
>
> And similarly for ECDH-ES* -> KEM+SHA3KDF*
>
>
> There is no way to limit COSE encryption keys to HKDF-SHA256, since
> the only possible scopes of restriction are encryption (which is too
> loose) and algorithm (which is too strict).
>
>
> The combinatorial explosion would occur between KEMs, KDFs and KWs.
> Adding just the three kyber variants would give at least 6 alg's,
> with more appearing if there are additional KEMs. Obviously, using
> generic KEM in alg avoids it. E.g., the proposed four alg's:
>
> - KEM+SHA3KDF (probably just shorten to "KEM")
> - KEM+SHA3KDF+A128KW (probably shorten to "KEM+A128KW")
> - KEM+SHA3KDF+A192KW (probably shorten to "KEM+A192KW")
> - KEM+SHA3KDF+A256KW (probably shorten to "KEM+A256KW")
>
> (The reason for using SHA-3 for KDF is that whatever the KEM is,
> it most probably internally involves either SHA-3 or SHAKE).
>
>
>
>
> -Ilari
>
> _______________________________________________
> COSE mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/cose
>
--
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries
<https://www.transmute.industries>
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
