On Thu, May 23, 2024 at 07:54:42AM -0500, Orie Steele wrote:
> 
> As an author I support adoption.
> 
> The main motivation I have for working on HPKE, is to ensure that encrypted
> JWT and CWT use cases that want to use PQ algorithms have a consistent path
> to achieve this.
>
> Both JWT and CWT share alignment regarding confirmation methods, so it is
> important that they share algorithms as well, and with a few exceptions
> that's mostly true today.

Adding native PQ support is actually even easier than adding HPKE.

 
> I've implemented the current drafts for JOSE and COSE, I think it's been
> beneficial to both specifications to compare the approaches.

I have implemented what I think is still the current COSE draft. Found
it easy. I have not even tried to implement the JOSE draft because of
a few issues I find rather nasty.

 
> It's true that currently DHKems feel very similar to ECDH-ES, but PQ or
> hybrid KEMS won't.

All KEMs feel very similar to ECDH-ES.

The three operations ECDH-ES performs are _exactly_ the KEM keygen(),
encaps() and decaps() operations!


Now, it is not possible to just use ECDH-ES due to some technical
details. But one can just easily clone the algorithms with just the
technical details suitably changed.

And then register the key subtypes for PQ keys to get complete usable
PQ support.


> Having a framework (JWT/CWT) in place, where JOSE and COSE can share PQ
> algorithms will reduce complexity in the long run, and enable easier
> security analysis and migration.

Native PQ support can trivially share the algorithms.


> There was also a presentation on designated verifier signatures at 119,
> where HPKE was discussed in that context as well. I believe that direct
> mode auth HPKE JWEs might help enable post quantum KEMs to be used for
> those same use cases, whereas building on ECDH-ES + MAC as was recently
> proposed would need more changes to support post quantum or hybrid
> algorithms... So it's possible that this might save the need for future
> algorithm registrations which might be requested to support repudiable
> digital credentials use cases.

Sorry, HPKE Auth mode is not supported for post-quantum.

... Because nobody knows how to create a safe and usable authenticated
post-quantum KEM!

-Ilari

_______________________________________________
jose mailing list -- [email protected]
To unsubscribe send an email to [email protected]