Encapsulation and ECIES (v2) #222
Conversation
athoelke
added
enhancement
athoelke
requested review from
MarcusJGStreets,
gilles-peskine-arm and
ndevillard
|
Another thing I am noticing in the additions for 1.3 - there are a lot of new key-returning functions. The list of 'key creation' functions is repeated about 8 times in the spec, and these are getting quite chunky now with over 10 such functions. It might be worth reviewing those passages and simplifying the wording, and references to ALL of these APIs. |
|
Updated:
|
|
Decided that |
gilles-peskine-arm
left a comment
gilles-peskine-arm
left a comment
There was a problem hiding this comment.
Looks mostly good to me, but with a few reservations, mostly about terminology.
doc/crypto/api/keys/policy.rst
Outdated
| - `PSA_KEY_USAGE_ENCAPSULATE` | ||
| - `PSA_KEY_USAGE_DECAPSULATE` |
There was a problem hiding this comment.
I wonder if ENCAPSULATE/DECAPSULATE are truly different usages from ENCRYPT/DECRYPT. We already have a precedent that ENCRYPT/DECRYPT covers symmetric encryption, AEAD and asymmetric encryption.
There was a problem hiding this comment.
This seems reasonable.
Although ECIES uses an ECC key - the permitted algorithm policy would ensure that ENCRYPT usage indicates permission for psa_encapsulate(), and not psa_asymmetric_encrypt(). This is similar to the way ENCRYPT usage on an AES key is qualified by the permitted algorithm policy.
There was a problem hiding this comment.
The [currently] last commit (145c376) has an implementation of this idea - removing the new usage flags and adding encapsulation and encapsulation to ENCRYPT/DECRYPT.
|
Addressed all of the issues raised - but one or two might benefit from validation and/or fine tuning. The removal of explicit encalsulation usage flags is a single commit that can be reverted if this does not turn out to be a better approach. |
gilles-peskine-arm
left a comment
gilles-peskine-arm
left a comment
There was a problem hiding this comment.
LGTM except for one confusing paragraph.
| Key-encapsulation algorithms are often referred to as 'key-encapsulation mechanisms' or KEMs. | ||
|
|
||
| In a key-encapsulation algorithm, participant A generates a key-pair: a private decapsulation key, and a public encapsulation key. | ||
| The public encapsulation key is made available to participant B, who needs to establish secure communication with the participant A. |
There was a problem hiding this comment.
“B, who needs to establish …” — the formulation is ambiguous: is this a goal of key encapsulation, or a prerequisite? It would be clearer to first state that the goal of key encapsulation is to establish a shared secret between A and B, before starting the description of the protocol.
There was a problem hiding this comment.
Good point. I patterned the current text on material elsewhere, but the motivation context will also allow me to make that sentence simpler.
There was a problem hiding this comment.
I've rewritten that paragraph into more of a flow:
In a key-encapsulation algorithm, participants A and B establish a shared secret as follows:
- Participant A generates a key-pair: a private decapsulation key, and a public encapsulation key.
- The public encapsulation key is made available to participant B.
- Participant B uses the encapsulation key to generate one copy of a shared secret, and some ciphertext.
- The ciphertext is transferred to participant A.
- Participant A uses the private decapsulation key to compute another copy of the shared secret.
Also provide ECIES algorithm.
* Use "key-encapsulation algorithm"
* Permit INVALID_SIGNATURE error for authentication failure * Include probablistic failure as additional reason for non-guarantee (e.g. ML-KEM) * Add note to NOT report padding errors in a distinct manner
Leave 0x0b for key-wrapping, and use 0x0c for encapsulation.
Fixing terminology for encapsulation API. This includes updating the ciphertext buffer sizing macros to be PSA_ENCAPSULATE_CIPHERTEXT_[MAX_]SIZE.
* Errors related to invalid key handles or policy failure * Errors related to creating a persistent key
athoelke
force-pushed
the
crypto-encapsulation-ecies
branch
from
145c376 to
e99d9e0
Compare
|
Rebased following merge of #221, and added improvement for the description of key encapsulation. |
2 participants
Starting from #220 - this PR:
Some open issues:The encapsulation data sizing macro names. On other APIs, we typically name these after the function and the output parameter - but that would result inPSA_ENCAPSULATE_ENCAPSULATION_SIZE()which seems somewhat repetitive. I have currently gone withPSA_ENCAPSULATION_SIZE(), as the variable name is pretty distinctive.Should we consistently call this 'Encapsulation', 'Key encapsulation', or 'Key encapsulation mechanism'? - currently the text is mostly a mix of the first two.The output key is variously referred to as 'output key', 'shared output key', 'shared secret', and 'shared secret key'. Is there a best/preferred term for this in this API?If a decapsulation algorithm has an explicit failure (returns an error if the decapsulation fails rather than the wrong key), what error code should we use? (INVALID_ARGUMENT, or INVALID_SIGNATURE, or something else?).This PR provides the API foundations for ML-KEM (#95).