IETF Logo Mail Archive

Re: [MLS] Re-randomized TreeKEM

Karthik Bhargavan <karthikeyan.bhargavan@inria.fr> Thu, 17 October 2019 14:37 UTC

Return-Path: <karthikeyan.bhargavan@inria.fr>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79DEC12006B for <mls@ietfa.amsl.com>; Thu, 17 Oct 2019 07:37:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UJAOPsIrtSa0 for <mls@ietfa.amsl.com>; Thu, 17 Oct 2019 07:37:32 -0700 (PDT)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56B2412000F for <mls@ietf.org>; Thu, 17 Oct 2019 07:37:32 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.67,308,1566856800"; d="scan'208,217";a="406651919"
Received: from 89-156-101-160.rev.numericable.fr (HELO [192.168.0.62]) ([89.156.101.160]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Oct 2019 16:37:30 +0200
From: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>
Message-Id: <5673C061-B15D-4DD2-A90C-4F179E82C31A@inria.fr>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A6134B80-EA56-4FF2-9AFA-76C097731D2E"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Thu, 17 Oct 2019 16:37:29 +0200
In-Reply-To: <CAMvzKsgMvLP5mmk8fOoTopKhFM6+EQzognv4Eq_FfMHSs9qwiA@mail.gmail.com>
Cc: mls@ietf.org
To: Yevgeniy Dodis <zaumka@gmail.com>
References: <5b1d9cb1-509a-da7d-1361-188dfe0f21d6@wickr.com> <4BEAE096-9597-4619-ADD4-CE13E899481B@inria.fr> <CAMvzKsgMvLP5mmk8fOoTopKhFM6+EQzognv4Eq_FfMHSs9qwiA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/15H0eEcIy3iPxHx1gat1G3sF8z4>
Subject: Re: [MLS] Re-randomized TreeKEM
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Oct 2019 14:37:36 -0000

Thanks Yevgeniy,

This helps a lot.

To further my understanding, another question:

>  Intuitively, the sender will not only encrypt the message, but also a random Delta value. It will change public key using homomorthism by multiplying with g^Delta (in specific DH based scheme), while the recipient will decrypt Delta (using old secret key), and add it to the old secret key to get there new one. So now corrupting (old sk plus Delta) will not help decrypting the ciphertext just decepted, emailing forward secrecy. 

I see that in the DH-based scheme, this Delta needs to be private, otherwise the adversary can compute sk once it knows sk+Delta.
But, in general, is it possible to conceive of a UPKE scheme where the recipient effectively “hashes forward” its symmetric key,
where this one way hash-forward function does not have to rely on an externally chosen secret value?

Best,
Karthik

> This is the high level, hope it makes sense.
> Thanks for your question,
> Yevgeniy
> 
> On Thu, Oct 17, 2019, 1:43 AM Karthik Bhargavan <karthikeyan.bhargavan@inria.fr <mailto:karthikeyan.bhargavan@inria.fr>> wrote:
> Hi Joel,
> 
> This looks very interesting. It is new to me since I was not at the interim.
> After reading the paper and the slides, I am still a bit fuzzy about what the recipient of an update needs to do.
> 
> For example, for the running example in your slide deck, it would help if I could see:
> - what secret keys does each leaf need to keep
> - how do these secrets change when an update from some other node is received.
> Just working this out for one update is enough.
> 
> I know that this is made precise in the eprint, but it would be faster if you could help us understand it :)
> 
> Best,
> Karthik
> 
> > On 16 Oct 2019, at 23:51, Joel Alwen <jalwen@wickr.com <mailto:jalwen@wickr.com>> wrote:
> > 
> > <FS-TreeKEM.pdf>
> 
> _______________________________________________
> MLS mailing list
> MLS@ietf.org <mailto:MLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/mls <https://www.ietf.org/mailman/listinfo/mls>

v2.23.0 | Report a Bug | By Email