[Cfrg] Key Schedule in MLS: NPRF

Chris Brzuska <chris.brzuska@aalto.fi> Wed, 15 July 2020 14:57 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/P6UhcpA8VdkVWGOQDt-FBBWrnlI>

Dear all,

if we have time in the meeting tonight, in the end, I would like to give 
a quick introduction to a change in the key schedule for Messaging Layer 
Security (MLS) which we are currently discussing in the MLS working 
group. It is a function - referred to as NPRF - to combine several keys 
such that the result is pseudorandom whenever at least one of the input 
keys is. This is different from how the key schedule is currently 
implemented in TLS 1.3 and based on understanding emerging from 
analyzing the TLS 1.3 Key Schedule.

If you are curious, you can have a look here 
http://chrisbrzuska.de/2020-NPRF.html .

Specifically, I recommend Figure 7, Figure 8 and Figure 9.

Apologies for the short notice and for not following the standardized 
format of communication. I only learnt about the meeting yesterday in 
our MLS Working Group Meeting. I will join the meeting half an hour 
before the end in case there is time for this MLS discussion in the very