Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Encapsulation and ECIES (v2) #222

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Encapsulation and ECIES (v2) #222

wants to merge 5 commits into from

Conversation

athoelke
Copy link
Contributor

@athoelke athoelke commented Oct 21, 2024
edited
Loading

Starting from #220 - this PR:

  • Strips out ML-KEM (to be presented in a PQC extension document).
  • Updates the text align with other key establishment APIs.
  • Provide a more general overview for KEMs.
  • Provide a detailed alignment for ECIES with the SEC1 procedures, as the ECIES in the Crypto API is just the key agreement aspect.
  • Moved some of the description and commentary into admonitions to clarify the content.

Some open issues:

  • The encapsulation data sizing macro names. On other APIs, we typically name these after the function and the output parameter - but that would result in PSA_ENCAPSULATE_ENCAPSULATION_SIZE() which seems somewhat repetitive. I have currently gone with PSA_ENCAPSULATION_SIZE(), as the variable name is pretty distinctive.
  • Should we consistently call this 'Encapsulation', 'Key encapsulation', or 'Key encapsulation mechanism'? - currently the text is mostly a mix of the first two.
  • The output key is variously referred to as 'output key', 'shared output key', 'shared secret', and 'shared secret key'. Is there a best/preferred term for this in this API?
  • If a decapsulation algorithm has an explicit failure (returns an error if the decapsulation fails rather than the wrong key), what error code should we use? (INVALID_ARGUMENT, or INVALID_SIGNATURE, or something else?).

This PR provides the API foundations for ML-KEM (#95).

@athoelke athoelke added enhancement New feature or request API design Related the design of the API Crypto API Issue or PR related to the Cryptography API labels Oct 21, 2024
@athoelke athoelke added this to the Crypto API 1.3 milestone Oct 21, 2024
@athoelke
Copy link
Contributor Author

Another thing I am noticing in the additions for 1.3 - there are a lot of new key-returning functions. The list of 'key creation' functions is repeated about 8 times in the spec, and these are getting quite chunky now with over 10 such functions.

It might be worth reviewing those passages and simplifying the wording, and references to ALL of these APIs.

@athoelke athoelke mentioned this pull request Oct 22, 2024
Draft
@athoelke
Terminology alignment:
11801b7 
* Use "key-encapsulation algorithm"
@athoelke
Clarify explicit/implicit decapsulation failure:
334c6ca 
* Permit INVALID_SIGNATURE error for authentication failure
* Include probablistic failure as additional reason for non-guarantee (e.g. ML-KEM)
* Add note to NOT report padding errors in a distinct manner
@athoelke
Copy link
Contributor Author

Updated:

  • Decided to use "key-encapsulation algorithm" everywhere
  • Use "shared secret" when describing the result value of the encapsulation/decapsulation process
  • Use "shared output key" when describing the key object returned by psa_encapsulate() and psa_decapsulate()
  • Permit PSA_ERROR_INVALID_SIGNATURE for encapsulation data authentication failure
  • Describe failure possibility for probablistic algorithms (e.g. ML-KEM) as reason for non-identical output keys
  • Warn implementations against reporting padding validity errors

@athoelke
Reallocate the algorithm category for key-encapsulation
e7fcb5b 
Leave 0x0b for key-wrapping, and use 0x0c for encapsulation.
@athoelke
Copy link
Contributor Author

Decided that PSA_ENCAPSULATION_SIZE() and PSA_ENCAPSULATION_MAX_SIZE are suitable for the support macro names.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gilles-peskine-arm gilles-peskine-arm Awaiting requested review from gilles-peskine-arm

@ndevillard ndevillard Awaiting requested review from ndevillard

@MarcusJGStreets MarcusJGStreets Awaiting requested review from MarcusJGStreets

Assignees
No one assigned
Labels
API design Related the design of the API Crypto API Issue or PR related to the Cryptography API enhancement New feature or request
Projects
PSA Certified API development
Status: In Progress
Milestone
Crypto API 1.3
Development

Successfully merging this pull request may close these issues.
1 participant
@athoelke