Adding new public key KEM API
NIIBE Yutaka
gniibe at fsij.org
Fri Nov 24 08:29:28 CET 2023
Hello,
NIIBE Yutaka <gniibe at fsij.org> wrote:
> I encountered this exact issue when I did an experiment for DHKEM(X25519,
> HKDF-SHA256). Currently, it computes the public key from the secret key.
>
> My experiment is here:
>
> https://dev.gnupg.org/source/libgcrypt/history/gniibe%252Fkem2/
>
> This is the branch on top of master.

For the next experiment, I added GCRY_KEM_OPENPGP_X25519.  My target use
case in mind is using this KEM for OpenPGP.

For this use case, I need to supply a KDF parameter to the API, so I
added an optional argument to the API for this experiment.

  gcry_error_t gcry_kem_keypair (int algo,
                                 void *pubkey,
                                 void *seckey);
  gcry_error_t gcry_kem_encap (int algo,
                               const void *pubkey,
                               void *ciphertext,
                               void *shared_secret, const void *optional);
  gcry_error_t gcry_kem_decap (int algo,
                               const void *seckey,
                               const void *ciphertext,
                               void *shared_secret, const void *optional);

In tests/t-kem.c of my experimental branch, it is used like:

  const uint8_t kdf_param[N_TESTS_OPENPGP][56] = {
    {
      /* Curve OID of Curve25519 in OpenPGP v4.  */
      0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55,
      0x01, 0x05, 0x01,
      /**/
      0x12, /* ECDH algo in OpenPGP */
      /**/
      0x03, 0x01, 0x08 /*SHA256*/, 0x07 /*AES128*/,
      /**/
      0x41, 0x6e, 0x6f, 0x6e, 0x79, 0x6d, 0x6f, 0x75,
      0x73, 0x20, 0x53, 0x65, 0x6e, 0x64, 0x65, 0x72,
      0x20, 0x20, 0x20, 0x20, /* "Anonymous Sender    " */
      /**/
      0x25, 0xd4, 0x45, 0xfa, 0xc1, 0x96, 0x49, 0xc4,
      0x6a, 0x6b, 0x2f, 0xb3, 0xcd, 0xfc, 0x22, 0x19,
      0xc5, 0x53, 0xd3, 0x92 /* public key fingerprint */
    }
  [...]
    err = gcry_kem_decap (GCRY_KEM_OPENPGP_X25519, seckey[testno],
                          ciphertext[testno], kek2, kdf_param[testno]);

I investigated how this API can be used in GnuPG.  I realized that in
the current GnuPG implementation, gcry_kem_decap with
GCRY_KEM_OPENPGP_X25519 cannot be used directly; we need to change the
demarcation between gpg and gpg-agent beforehand.

In the current GnuPG implementation:

    gpg-agent does: ECDH
    gpg does:       KDF, key unwrap, and symmetric decryption

If gcry_kem_decap with GCRY_KEM_OPENPGP_X25519 is used, it will be:

    gpg-agent does: KEM decapsulation (ECDH and KDF)
    gpg does:       key unwrap and symmetric decryption

This means that gpg-agent will need to know (a part of) the OpenPGP public
key to do the gcry_kem_decap operation.  Possibly, we need to enhance
the gpg-agent protocol so that the PKDECRYPT command can optionally inquire
(a part of) the OpenPGP public key from the gpg frontend.
--
More information about the Gcrypt-devel
mailing list
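
Added example, not part of the original message and not libgcrypt or GnuPG code: a stand-alone C check of the 56-octet KDF parameter layout shown in the test vector above, the kind of validation a component receiving this buffer from another process could apply before using it. The names check_kdf_param and kdf_param_info are hypothetical, and the field offsets are read off the quoted test vector and its comments.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KDF_PARAM_LEN 56   /* 11 + 1 + 4 + 20 + 20, as in kdf_param[][56] */

/* Hypothetical result type; hash and cipher are OpenPGP algorithm ids. */
struct kdf_param_info { uint8_t hash, cipher; const uint8_t *fpr; };

/* The first test vector quoted in the message. */
static const uint8_t sample[KDF_PARAM_LEN] = {
  0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55,
  0x01, 0x05, 0x01, 0x12, 0x03, 0x01, 0x08, 0x07,
  0x41, 0x6e, 0x6f, 0x6e, 0x79, 0x6d, 0x6f, 0x75,
  0x73, 0x20, 0x53, 0x65, 0x6e, 0x64, 0x65, 0x72,
  0x20, 0x20, 0x20, 0x20, 0x25, 0xd4, 0x45, 0xfa,
  0xc1, 0x96, 0x49, 0xc4, 0x6a, 0x6b, 0x2f, 0xb3,
  0xcd, 0xfc, 0x22, 0x19, 0xc5, 0x53, 0xd3, 0x92
};

/* Returns 0 if the layout matches, else a negative code for the first bad field. */
int check_kdf_param (const uint8_t *p, size_t len, struct kdf_param_info *out)
{
  static const uint8_t oid[10] = { 0x2b, 0x06, 0x01, 0x04, 0x01,
                                   0x97, 0x55, 0x01, 0x05, 0x01 };

  if (!p || !out || len != KDF_PARAM_LEN)
    return -1;                          /* wrong size or missing buffer */
  if (p[0] != sizeof oid || memcmp (p + 1, oid, sizeof oid))
    return -2;                          /* length-prefixed Curve25519 OID */
  if (p[11] != 0x12)
    return -3;                          /* ECDH algo in OpenPGP */
  if (p[12] != 0x03 || p[13] != 0x01)
    return -4;                          /* KDF field: size 3, then 0x01 */
  if (memcmp (p + 16, "Anonymous Sender    ", 20))
    return -5;                          /* fixed 20-octet sender string */
  out->hash = p[14]; out->cipher = p[15];
  out->fpr = p + 36;                    /* 20-octet fingerprint, not copied */
  return 0;
}

int main (void)
{
  struct kdf_param_info info = { 0, 0, NULL };
  int rc = check_kdf_param (sample, sizeof sample, &info);
  printf ("rc=%d hash=0x%02x cipher=0x%02x\n", rc, info.hash, info.cipher);
  return rc;
}
```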