lamps-wg / cmp-updates

RFC4210bis and RFC6712bis

Using HPKE SetupBase+KDF, HPKE SendExportBase, or plain KEM+KDF #8

Closed HBrock closed 1 year ago

HBrock commented 1 year ago

https://datatracker.ietf.org/doc/html/draft-celi-wiggers-tls-authkem-01#section-3.1 uses SetupExport. https://lamps-wg.github.io/cmp-updates/draft-ietf-lamps-rfc4210bis.html#section-5.1.3.4 uses SendExportBase. Are there reasons for using SetupExport + KDF instead of SendExportBase?

HBrock commented 1 year ago

The WG recommended use of HPKE for establishing a shared secret key. Today HPKE specifies only a D-H based KEM in RFC9180 Section 4.1. To be independent of HPKE this document could also use the approach shown in https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-kemri/ only relying on the availability of a KeyGen, Encapsulate, and Decapsulate function. This would ease this specification and allow further reuse of profiling KEM algorithms for use in CMS. What do others think?

HBrock commented 1 year ago

Authors meeting 3.2.23: I will submit a version including the HPKE SendExportBase based approach and then I will provide an update providing the plain KEM+KDF approach as this is the preferred choice of the group.

HBrock commented 1 year ago

The change to plain KEM+KDF will be submitted with version -05.

HBrock commented 1 year ago

The change to plain KEM+KDF was presented to IETF116 and supported.
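The plain KEM+KDF shape discussed in this thread, as an added Go example that is not taken from the draft or from any commenter: the protocol only calls KeyGen, Encapsulate and Decapsulate, then feeds the shared secret into a KDF. Assumptions: the KEM is a simplified ephemeral-static X25519 stand-in (not the RFC 9180 DHKEM), the KDF is HKDF-SHA256 with a zero salt, and the context string and the choice to bind the ciphertext into it are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyGen, Encapsulate and Decapsulate are the only KEM functions the protocol sees.
// Stand-in KEM (assumption): ephemeral-static X25519, not the RFC 9180 DHKEM.
func KeyGen() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

func Encapsulate(pk *ecdh.PublicKey) (ct, ss []byte, err error) {
	eph, err := KeyGen()
	if err != nil {
		return nil, nil, err
	}
	ss, err = eph.ECDH(pk) // ss stays local; only ct is sent to the recipient
	return eph.PublicKey().Bytes(), ss, err
}

func Decapsulate(sk *ecdh.PrivateKey, ct []byte) ([]byte, error) {
	pk, err := ecdh.X25519().NewPublicKey(ct) // rejects ciphertexts of the wrong length
	if err != nil {
		return nil, err
	}
	return sk.ECDH(pk)
}

// KDF is HKDF-SHA256 (RFC 5869) with an all-zero salt, one 32-byte output block.
func KDF(ss, info []byte) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size))
	ext.Write(ss) // Extract: PRK = HMAC(salt, ss)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(append(append([]byte{}, info...), 1)) // Expand: T(1) = HMAC(PRK, info || 0x01)
	return exp.Sum(nil)
}

func main() { // errors ignored here only to keep the demo short
	sk, _ := KeyGen()                                    // recipient's KEM key pair
	ct, ss, _ := Encapsulate(sk.PublicKey())             // sender side
	ss2, _ := Decapsulate(sk, ct)                        // recipient side
	info := append([]byte("constructed-context"), ct...) // constructed label, binds ct
	fmt.Println(bytes.Equal(KDF(ss, info), KDF(ss2, info)))
}
```

Swapping in another KEM changes only the three KEM functions; the KDF step and everything after it stay the same.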