Page MenuHome GnuPG
Create Task
Maniphest T7014

agent: Enhancement of PKDECRYPT for KEM interface
Testing, WishlistPublic
Actions

Description

Currently (as of GnuPG 2.4.5), PKDECRYPT computation for ECC is a bit different to the computation of RSA (or DSA).
It is basically only a part of computation of decryption for ECC (that is, (only), ECDH computation with private key to get shared secret).
Although the both data of e (ephemeral key) and s (encrypted session key) are sent to gpg-agent, gpg-agent only use e to get shared secret.
(And it is actually client of gpg-agent to get the session key (by decryption of AESKEYWRAP) from encrypted session key using the result of gpg-agent.

It would be good to enhance PKDECRYPT command (say, by adding option --kem for ECC) to support computation including decryption by AESWRAP. This way, ECC computation of PKDECRYPT is aligned to the one of RSA and DSA.

This makes sense in the context of PQC, which uses hybrid KEM.

The enhanced PKDECRYPT would go like this:

  • SETKEY <KEYGRIP-of-ECC>
  • SETKEY --another <KEYGRIP-of-Kyber> ; new option for SETKEY command
  • PKDECRYPT --kem <KEM_ID>; new option for PKDECRYPT command
    • gpg-agent inquires CIPHERTEXT (e and s in S-expression)
    • gpg-agent inquires OPTION (for optional data, KDF parameter in the term of RFC 6637)
    • compute decaps with KEYGRIP-of-ECC key, using ECC part in the e part of CIPHERTEXT (KEM_ID should match the ECC key)
    • compute decaps with KEYGRIP-of-Kyber key, using Kyber part in the e part of CIPHERTEXT (KEM_ID should match the Kyber key)
    • determined by KEM_ID, compute KEM combiner using OPTION, results --> KEK
    • compute AESKeyUnwrap using the KEK and s part of CIPHERTEXT, results --> session key

Revisions and Commits

rG GnuPG
rG61717fb0a775 agent: Add more diagnostics to PQC decryption.
rG172d53d63689 agent: Fix PQC decryption.
rG03d53c88ccf5 gpg: Allow to create a Kyber key from keygrips.
rG131dd2a35145 agent: Add initial support for hybrid ECC+PQC decryption with KEM.

Related Objects
Search...

Event Timeline

gniibe triaged this task as Wishlist priority.Feb 26 2024, 8:31 AM
gniibe created this task.
werner added a parent task: T6815: PQC encryption for GnuPG.Feb 26 2024, 10:41 AM
werner awarded a token.
gniibe added a comment.Mar 7 2024, 7:37 AM

As a first experiment, let us use CIPHERTEXT in the format of (enc-val(ecdh(s%m)(e%m)(k%m))) (s: encrypted-session-key, e: ecc ephemeral key, k: kyber ephemeral key).

gniibe added a comment.EditedMar 18 2024, 7:20 AM

I extracted data from https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc-02 and compose x25519 key and MLKEM768 key. Here they are.
x25519 :

DE1AB1D22899CEC7DBB1A7863F34E6E92BFB7756.key205 BDownload

MLKEM768 :
1C4D98ABD3BD87C0C505A9FE97BB766EAB38B87F.key7 KBDownload

In the test vector of v4 PQC subkey (in A.2. V4 PQC Subkey Artifacts), the data seems broken;

# off=500 ctb=c7 tag=7 hlen=3 plen=3657 new-ctb
:secret sub key packet:
	version 4, algo 105, created 1372636800, expires 0
	unknown algorithm 105
  • IIUC, the size should be 3654 (instead of 3657). 6-octet: [version=4] [created-time-4-octet] [ALGO=105] 32-octet: public ecc key 1184-octet: public mlklm768 key 32-octet: secret scalar of ecc 2400-octet: secret of mlklm768
  • (6+32+1184+32+2400) = 3654

I see an octet of 00 after mlklm768 public key.
I see two octets of 6c39 after secret of mlklm768.

gniibe added a comment.Mar 25 2024, 8:04 AM

On March 11 and 18, the private key file DE1AB1D22899CEC7DBB1A7863F34E6E92BFB7756.key was wrong.
I updated on March 25. Now, the endian is GnuPG (d is big endian).

gniibe added a commit: rG131dd2a35145: agent: Add initial support for hybrid ECC+PQC decryption with KEM..Apr 5 2024, 7:21 AM
gniibe added a comment.Apr 5 2024, 8:22 AM

I use this for testing:

encrypted-sexp.txt2 KBDownload

And do:

gpg-connect-agent --hex <<EOF
/definqfile CIPHERTEXT encrypted-sexp.txt
SETKEY DE1AB1D22899CEC7DBB1A7863F34E6E92BFB7756
SETKEY --another 1C4D98ABD3BD87C0C505A9FE97BB766EAB38B87F
PKDECRYPT --kem
/bye
EOF
werner added a subscriber: werner.EditedApr 5 2024, 4:09 PM

I created a pubkey (actually a subkey) for your above test keys:

DE1AB-pubkey.asc2 KBDownload

sec   ed25519 2024-04-05 [SC] [expires: 2027-04-05]
      32179C7139EB35A53B44F1B54BC54B6BF4AA1839
      Keygrip = EF3CE1515B032A51E997362FDD79356B7EC0EC0E
uid           [ultimate] pqc-test-april-4
ssb   ky768_cv25519 2024-04-05 [ER]
      0535BE6FD96A057D5F73E4E496CAE428C91EBA41DBDEBB05A67C9D3E51DCB666
      Keygrip = DE1AB1D22899CEC7DBB1A7863F34E6E92BFB7756,1C4D98ABD3BD87C0C505A9FE97BB766EAB38B87F

(There is still the Renc bug T7072 in the used code base)

Update: The fingerprint computation was wrong - fixed and updated listing.

werner added a commit: rG03d53c88ccf5: gpg: Allow to create a Kyber key from keygrips..Apr 5 2024, 4:16 PM
gniibe added a comment.Apr 9 2024, 7:21 AM

In the current code, just for testing against the test vector in m https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc-02, there are specific value in the key combiner KDF.
Namely, the value 105 for fixedInfo is defined in the draft (and it will be changed).

This kind of dependency to the protocol specification can't be avoided, because it is intentionally specified for domain separation.

Later, let me change the value for LibrePGP, or let us invent some method to specify the value by gpg-agent command line.

gniibe added a comment.Apr 10 2024, 5:57 AM

I merged the change by Werner to get the value from frontend.

Here is the updated file for testing, which uses a single octet of 105 (hex 69) for FIXED_INFO.

encrypted-sexp-69.txt2 KBDownload

gniibe added a comment.Apr 11 2024, 8:21 AM

I had wrong interpretation about symmetric cipher algorithm identifier in the draft. It specifies symmetric cipher for the following Symmetrically Encrypted Data Packet (I was wrongly interpret as if it were specifying algo for AES keywrap).

I modified the SEXP in the gpg-agent protocol as:

	(enc-val(pqc(c%u)(e%m)(k%m)(s%m)(fixed-info&)))
        c: cipher identifier (symmetric)
        e: ECDH ciphertext
        k: ML-KEM ciphertext
        s: encrypted session key
        fixed-info: A buffer with the fixed info.

Here is the updated file for testing.

encrypted-sexp-69-id.txt2 KBDownload

gniibe added a commit: rG172d53d63689: agent: Fix PQC decryption..Apr 11 2024, 8:30 AM
werner mentioned this in T6815: PQC encryption for GnuPG.Apr 11 2024, 4:00 PM
werner added a commit: rG61717fb0a775: agent: Add more diagnostics to PQC decryption..Apr 11 2024, 4:01 PM
gniibe changed the task status from Open to Testing.Apr 15 2024, 3:19 AM
gniibe added a project: gnupg26.
werner moved this task from Backlog to WIP on the gnupg26 board.Apr 24 2024, 10:04 AM