Re: [MLS] UPKE for X25519/X448

Joel Alwen <jalwen@wickr.com> Tue, 22 October 2019 15:05 UTC

To: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Cc: Messaging Layer Security WG <mls@ietf.org>
References: <71e63449-abba-854d-2962-eac3a64a80d0@wickr.com> <398CD178-3DB6-4D70-B230-3362BE63A3BE@gmail.com>
From: Joel Alwen <jalwen@wickr.com>
Message-ID: <44b5f5f7-79e1-c9e3-cde0-d75074168469@wickr.com>
Date: Tue, 22 Oct 2019 17:05:23 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/0Y-yIM4nIW6VwlGqZmfbCQ5XVlU>

Good question!

I'll see if I can think of anything intelligent to say about it. :-)

But one thing that comes to mind is that the sender gets to choose "only" d', not d. Instead d := HKDF(d') so to get d=0
you'd have to first invert HKDF.

- Joel

On 22/10/2019 17:02, Karthikeyan Bhargavan wrote:
> Sorry if this is already in the paper, but a question.
> 
>> - UPKE-Decrypt(sk, (c1, c2)):
>>  epk, context := HPKE.SetupBaseR(c1, sk, "")
>>  d' || m := context.Open("", c2)
>>  d := HKDF(sksize, d', "", "derive UPKE delta")
>>  sk' := Mult(sk, d)
>>  return (m, sk')
> 
> I believe it is important for the recipient to do some validation before returning from UPKE-Decrypt.
> 
> For example, what if the (malicious) sender set d to “0” (whatever that means in the DH group).
> This would mean that the resulting key sk’ becomes “0” too, hence a non-member has been able to force the recipient group’s private key to a particular value, which is not ideal.
> What conditions should we add to avoid this kind of key-forcing attack from happening?
> 
> -Karthik
>> References
>> ----------
>> [1] http:\\ia.cr\2019\1189.
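As an added illustration (not code from this thread or from the MLS drafts), here is the sk' := Mult(sk, d) step of UPKE-Decrypt with the validation Karthik asks for and the HKDF indirection Joel points to. It assumes HKDF(len, ikm, salt, info) is RFC 5869 HKDF-SHA256 with the arguments in that order, and that Mult is scalar multiplication modulo the order L of the prime-order subgroup of Curve25519; how the draft itself maps the HKDF output to a scalar is not stated on this page.

```python
import hashlib
import hmac

# Order of the prime-order subgroup of Curve25519 (RFC 7748, section 4.1).
L_25519 = 2**252 + 27742317777372353535851937790883648493
SKSIZE = 32


class BadDelta(ValueError):
    """Raised when a delta would force the recipient's key to a fixed value."""


def hkdf(length, ikm, salt, info):
    """RFC 5869 HKDF-SHA256: Extract with salt (zeros if empty), then Expand."""
    salt = salt or b"\x00" * hashlib.sha256().digest_size
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_delta(d_prime):
    """d := HKDF(sksize, d', "", "derive UPKE delta"), read as a scalar mod L.
    The sender chooses d', not d, so forcing d == 0 means inverting HKDF."""
    d_bytes = hkdf(SKSIZE, d_prime, b"", b"derive UPKE delta")
    return int.from_bytes(d_bytes, "little") % L_25519


def apply_delta(sk, d):
    """sk' := Mult(sk, d) with the key-forcing checks: reject d == 0 mod L
    (which would zero the key) and an out-of-range current key."""
    if not 0 < sk < L_25519:
        raise BadDelta("current secret key out of range")
    if d % L_25519 == 0:
        raise BadDelta("zero delta rejected: it would force sk' to 0")
    sk_new = (sk * d) % L_25519
    # With L prime and sk, d both nonzero mod L this cannot be 0; kept as a belt-and-braces check.
    if sk_new == 0:
        raise BadDelta("updated key is zero")
    return sk_new


def update_secret_key(sk, d_prime):
    """The full decrypt-side update: derive d from the received d', then validate and apply."""
    return apply_delta(sk, derive_delta(d_prime))
```

Passing d directly to apply_delta (bypassing derive_delta) is what the zero check guards against; through derive_delta, even an all-zero d' yields a nonzero pseudorandom delta.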