Skip to content

Apply KEM from RFC 9180; TODO authenticated KEM#29

Open
sander wants to merge 1 commit intoYubico:mainfrom
sander:feat/rfc-kem
Open

Apply KEM from RFC 9180; TODO authenticated KEM#29
sander wants to merge 1 commit intoYubico:mainfrom
sander:feat/rfc-kem

Conversation

@sander
Copy link
Contributor

@sander sander commented Jan 20, 2025

I have not fully checked the details yet, but suspect that the ARKG spec can be simplified by referring to the KEM from RFC 9180.

It removes the ability to provide a context string, but I don’t think that is a problem, since the output from KEM-Encap is ephemeral and therefore bound to the application context anyway.

Referring to DHKEM specifically does add "HPKE-v1" to the HKDF input keying material, which is awkward. But there seem to be already precedents of Internet-Drafts and RFCs reusing the DHKEM outside of the context of HPKE.

Probably the section “Using ECDH as the KEM” can be removed as well, if we find a predefined KEM for secp256k1.

@sander sander requested review from emlun and ve7jtb as code owners January 20, 2025 13:38
Copy link
Member

@emlun emlun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for leaving this unaddressed...

I think this seems like a good idea, but like #27 it's unfortunate that it's a backwards-incompatible change that affects implementations. We may be too far along with concrete prototypes at this point, I'll have to ask our firmware team what they think of it. But if we're going to do this, we should do so before we define official algorithm identifiers (as opposed to the private range COSE algorithm identifiers our prototypes are using for now).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants