Network Working Group                                          D. Ochkas
Internet-Draft                                              H. Le Bouder
Intended status: Informational                                  A. Pelov
Expires: 25 July 2025                                     IMT Atlantique
                                                         21 January 2025


                    Ascon-AEAD128 for JOSE and COSE
                       draft-ochkas-cose-ascon-01

Abstract

   This document describes JSON Object Signing and Encryption (JOSE) and
   CBOR Object Signing and Encryption (COSE) serializations with Ascon
   which received a lot of attention in the area of lightweight
   cryptography.

   In 2019, as a part of CAESAR competition, Ascon-128 and Ascon-128a
   were selected as the first choice for the lightweight authenticated
   encryption [asconv1.2-caesar].  After, in 2023, National Institute of
   Standards and Technology (NIST) selected Ascon family of
   cryptographic algorithms to be the standard for lightweight
   cryptography [asconv1.2-nist].  This recognition makes it
   particularly interesting to use Ascon with COSE and JOSE structures.

   This document does not define any new cryptography, only
   serializations of existing cryptographic systems described in
   [NIST.SP.800-232].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 25 July 2025.






Ochkas, et al.            Expires 25 July 2025                  [Page 1]

Internet-Draft       Ascon-AEAD128 for JOSE and COSE        January 2025


Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Ascon algorithms  . . . . . . . . . . . . . . . . . . . . . .   3
   4.  IV Header Parameter . . . . . . . . . . . . . . . . . . . . .   4
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
     6.1.  Additions to Existing Registries  . . . . . . . . . . . .   5
       6.1.1.  New COSE Algorithms . . . . . . . . . . . . . . . . .   5
       6.1.2.  New JOSE Algorithms . . . . . . . . . . . . . . . . .   6
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Appendix A.  Examples . . . . . . . . . . . . . . . . . . . . . .   7
     A.1.  COSE  . . . . . . . . . . . . . . . . . . . . . . . . . .   7
       A.1.1.  Simple Ascon-AEAD128 Encryption . . . . . . . . . . .   7
       A.1.2.  Direct Ascon-AEAD128 Encryption with HKDF-SHA-256 . .   8
     A.2.  JOSE  . . . . . . . . . . . . . . . . . . . . . . . . . .   8
       A.2.1.  Direct Compact JWE structure using Ascon-AEAD128  . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   Constrained networks such as Internet of Things (IoT) networks most
   of the time are characterized by the limited computational power and
   autonomy.  In this context, the choice of suitable cryptographic
   algorithms that provide robust security without consuming large
   amount of resources is essential.  As a winner of the lightweight
   cryptography standardization process conducted by NIST, Ascon family
   of cryptographic algorithms is a perfect candidate for the described
   situation.





Ochkas, et al.            Expires 25 July 2025                  [Page 2]

Internet-Draft       Ascon-AEAD128 for JOSE and COSE        January 2025


   Ascon-Based Lightweight Cryptography Standards for Constrained
   Devices [NIST.SP.800-232] introduces a suite of algorithms to provide
   Authenticated Encryption with Associated Data (AEAD), a hash
   function, and two eXtendable Output Functions (XOFs).

   This document focuses on the AEAD part of Ascon standard.  It enables
   the usage of Ascon-AEAD128 with JOSE and COSE for content encryption.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Ascon algorithms

   In the scope of this document, only the authenticated encryption
   Ascon is allowed for.  Ascon's encryption and decryption algorithms
   are parametrized by the key length k, the rate r, and the internal
   round numbers a and b.  [NIST.SP.800-232] specifies the Ascon-AEAD128
   algorithm with the following parameters:

    +===============+=========+===================+===================+
    | Key Length, k | Rate, r | Outer permutation | Inner permutation |
    |               |         | rounds, a         | rounds, b         |
    +===============+=========+===================+===================+
    | 128           | 128     | 12                | 8                 |
    +---------------+---------+-------------------+-------------------+

                     Table 1: Ascon-AEAD128 parameters

   COSE encryption and decryption with Ascon-AEAD128 is done in
   accordance with Section 5.3 of [RFC9052].

   Thus, this document requests the registration of the Ascon-AEAD128
   algorithm in [IANA.cose]:

     +===============+================+=============================+
     | Name          | alg            | Description                 |
     +===============+================+=============================+
     | Ascon-AEAD128 | TBD (requested | CBOR Object Encryption      |
     |               | assignment 35) | Algorithm for Ascon-AEAD128 |
     +---------------+----------------+-----------------------------+

                    Table 2: COSE Algorithms for Ascon




Ochkas, et al.            Expires 25 July 2025                  [Page 3]

Internet-Draft       Ascon-AEAD128 for JOSE and COSE        January 2025


   In COSE, keys may be obtained from either a key structure or a
   recipient structure [RFC9052].

   When using a COSE key for this algorithm, the following checks are
   made:

   *  The "kty" field MUST be present, and it MUST be "Symmetric".

   *  If the "alg" field is present, it MUST match the Ascon-AEAD128
      algorithm being used.

   *  If the "key_ops" field is present, it MUST include "encrypt" when
      encrypting.

   *  If the "key_ops" field is present, it MUST include "decrypt" when
      decrypting.

   Also, this document requests the registration of the Ascon-AEAD128
   algorithm in [IANA.jose]:

      +===============+===============+=============================+
      | Name          | enc           | Description                 |
      +===============+===============+=============================+
      | Ascon-AEAD128 | Ascon-AEAD128 | JSON Object Encryption      |
      |               |               | Algorithm for Ascon-AEAD128 |
      +---------------+---------------+-----------------------------+

                     Table 3: JOSE Algorithms for Ascon

   Implementations that are encrypting or decrypting MUST validate that
   the key type, key length, and algorithm are correct and appropriate
   for the entities involved.

4.  IV Header Parameter

   Unlike some common AEAD algorithms, Ascon distinguishes between the
   notion of initialization vector (IV) and nonce (N).  While N is the
   input argument for the Ascon encryption/decryption functions, IV is
   the constant defined for each Ascon algorithm and is based on its
   parameters.

   However, [IANA.cose] does not define a separate header parameter to
   specify Nonce.  Thus, in COSE, whenever Full Initialization Vector
   Header Parameter (Name: IV, Label: 5) or Partial Initialization
   Vector Header Parameter (Name: Partial IV, Label: 6) is specified it
   MUST refer to the N argument of the corresponding Ascon function.





Ochkas, et al.            Expires 25 July 2025                  [Page 4]

Internet-Draft       Ascon-AEAD128 for JOSE and COSE        January 2025


   On the other hand, JSON Web Signature and Encryption Header
   Parameters registry at [IANA.jose] defines both Nonce Header
   Parameter ("nonce") and Initialization Vector Header Parameter
   ("iv").  However, the "nonce" parameter is intended to be used only
   for signatures.  That is, in JOSE, "iv" parameters MUST refer to the
   N argument of the corresponding Ascon function.  There SHOULD NOT be
   "nonce" parameters specified while using Ascon for content
   encryption.  In case "nonce" parameter is specified it MUST be
   ignored.

5.  Security Considerations

   The security considerations for [RFC7516], [RFC7517] and [RFC9053]
   apply to this specification as well.

   According to the most recent security analysis publications, Ascon
   did not show any security vulnerabilities so far and the best attacks
   target the initialization of Ascon reduced to 7 (out of 12) rounds,
   concluding that Ascon has a security margin of 5 rounds (42 % of the
   12 rounds).

   Refer to the Ascon's List of Published Analysis section at
   [asconv1.2-nist] for more details.

6.  IANA Considerations

6.1.  Additions to Existing Registries

6.1.1.  New COSE Algorithms

   IANA is requested to add the following entries to the COSE Algorithms
   Registry.  The following completed registration templates are
   provided as described in [RFC9052] and [RFC9053].

6.1.1.1.  Ascon-AEAD128 for COSE

   *  Name: Ascon-AEAD128

   *  Value: TBD (requested assignment 35)

   *  Description: CBOR Object Encryption Algorithm with Ascon-AEAD128

   *  Capabilities: [kty]

   *  Reference: FIPS XXX

   *  Recommended: Yes




Ochkas, et al.            Expires 25 July 2025                  [Page 5]

Internet-Draft       Ascon-AEAD128 for JOSE and COSE        January 2025


6.1.2.  New JOSE Algorithms

   IANA is requested to add the following entries to the JSON Web
   Signature and Encryption Algorithms Registry.  The following
   completed registration templates are provided as described in
   [RFC7518].

6.1.2.1.  Ascon-AEAD128 for JOSE

   *  Algorithm Name: Ascon-AEAD128

   *  Algorithm Description: Ascon-AEAD128 as described in FIPS XXX.

   *  Algorithm Usage Location(s): enc

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): FIPS XXX

   *  Algorithm Analysis Documents(s): n/a

7.  References

7.1.  Normative References

   [IANA.cose]
              IANA, "CBOR Object Signing and Encryption (COSE)",
              <https://www.iana.org/assignments/cose>.

   [IANA.jose]
              IANA, "JSON Object Signing and Encryption (JOSE)",
              <https://www.iana.org/assignments/jose>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC7516]  Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
              RFC 7516, DOI 10.17487/RFC7516, May 2015,
              <https://www.rfc-editor.org/rfc/rfc7516>.

   [RFC7517]  Jones, M., "JSON Web Key (JWK)", RFC 7517,
              DOI 10.17487/RFC7517, May 2015,
              <https://www.rfc-editor.org/rfc/rfc7517>.




Ochkas, et al.            Expires 25 July 2025                  [Page 6]

Internet-Draft       Ascon-AEAD128 for JOSE and COSE        January 2025


   [RFC7518]  Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
              DOI 10.17487/RFC7518, May 2015,
              <https://www.rfc-editor.org/rfc/rfc7518>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

   [RFC9052]  Schaad, J., "CBOR Object Signing and Encryption (COSE):
              Structures and Process", STD 96, RFC 9052,
              DOI 10.17487/RFC9052, August 2022,
              <https://www.rfc-editor.org/rfc/rfc9052>.

   [RFC9053]  Schaad, J., "CBOR Object Signing and Encryption (COSE):
              Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053,
              August 2022, <https://www.rfc-editor.org/rfc/rfc9053>.

7.2.  Informative References

   [asconv1.2-caesar]
              Dobraunig, C., Eichlseder, M., Mendel, F., and M.
              Schläffer, "Ascon v1.2, Submission to Round 3 of the
              CAESAR competition", 2016,
              <https://competitions.cr.yp.to/round3/asconv12.pdf>.

   [asconv1.2-nist]
              Dobraunig, C., Eichlseder, M., Mendel, F., and M.
              Schläffer, "Ascon v1.2, Submission to Final Round of the
              NIST Lightweight Cryptography project", 2021,
              <https://csrc.nist.gov/CSRC/media/Projects/lightweight-
              cryptography/documents/finalist-round/updated-spec-doc/
              ascon-spec-final.pdf>.

   [NIST.SP.800-232]
              Turan, M. S., McKay, K. A., Kang, J., and J. Kelsey,
              "Ascon-Based Lightweight Cryptography Standards for
              Constrained Devices", DOI 10.6028/NIST.SP.800-232, 2024,
              <https://doi.org/10.6028/NIST.SP.800-232.ipd>.

Appendix A.  Examples

   This appendix provides some examples of various Ascon-AEAD128
   Encryptions with COSE and JOSE

A.1.  COSE

A.1.1.  Simple Ascon-AEAD128 Encryption




Ochkas, et al.            Expires 25 July 2025                  [Page 7]

Internet-Draft       Ascon-AEAD128 for JOSE and COSE        January 2025


{
  "plaintext": "546869732069732074686520636f6e74656e742e",
  "nonce": "00000000000000000000000000000000",
  "AAD": "8367456E637279707443A1010140",
  "CEK": "849B57219DAE48DE646D07DBB533566E",
  "Encrypt0": "d08344a1011823a1055000000000000000000000000000000000582436ba4da1fa787205e5fff06fd4b645c637c02b505046fb242984864e1f6875c4ae5c9557",
  "Encrypt0_diag": "16([h'A1011823', {5: h'00000000000000000000000000000000'}, h'36BA4DA1FA787205E5FFF06FD4B645C637C02B505046FB242984864E1F6875C4AE5C9557'])"
}

A.1.2.  Direct Ascon-AEAD128 Encryption with HKDF-SHA-256

{
  "plaintext": "546869732069732074686520636f6e74656e742e",
  "nonce": "00000000000000000000000000000000",
  "AAD": "8367456E637279707443A1010140",
  "CEK": "849B57219DAE48DE646D07DBB533566E",
  "key": {
    "kid": "6F75722D736563726574",
    "kty": "Symmetric"
  },
  "salt": "61616262636364646565666667676868",
  "Encrypt": "d8608444a1011823a105500000000000000000000000000000000058247b09f4de6d93b6779163d978efa2d7eaac699acad60a6a9779168b5569d57ef92d3102bf818343a10129a2044a6f75722d73656372657433506161626263636464656566666767686840",
  "Encrypt_diag": "96([h'A1011823', {5: h'00000000000000000000000000000000'}, h'7B09F4DE6D93B6779163D978EFA2D7EAAC699ACAD60A6A9779168B5569D57EF92D3102BF', [[h'A10129', {4: h'6F75722D736563726574', -20: h'61616262636364646565666667676868'}, h'']]])"
}

A.2.  JOSE

A.2.1.  Direct Compact JWE structure using Ascon-AEAD128

{
  "plaintext": "546869732069732074686520636f6e74656e742e",
  "nonce": "00000000000000000000000000000000",
  "protected": {
    "alg":"dir",
    "enc":"Ascon-AEAD128"
  },
  "CEK": "849B57219DAE48DE646D07DBB533566E",
  "jwe": "eyJhbGciOiJkaXIiLCJlbmMiOiJBc2Nvbi1BRUFEMTI4In0..AAAAAAAAAAAAAAAAAAAAAA.XjkRZmV9Dy0lpQp_4yUYIY1CGN8.zUqKLKMQnqjXFY258aNMgw"
}

Authors' Addresses

   Dmytro Ochkas
   IMT Atlantique
   Email: dmytro.ochkas@imt-atlantique.fr






Ochkas, et al.            Expires 25 July 2025                  [Page 8]

Internet-Draft       Ascon-AEAD128 for JOSE and COSE        January 2025


   Hélène Le Bouder
   IMT Atlantique
   Email: helene.le-bouder@imt-atlantique.fr


   Alexander Pelov
   IMT Atlantique
   Email: alexander.pelov@imt-atlantique.fr











































Ochkas, et al.            Expires 25 July 2025                  [Page 9]