Re: [MLS] Formal proof for PR 713 / "Improve parent hash guarantees"
Raphael Robert <ietf@raphaelrobert.com> Wed, 08 June 2022 13:30 UTC
Return-Path: <ietf@raphaelrobert.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 656FAC14F72D for <mls@ietfa.amsl.com>; Wed, 8 Jun 2022 06:30:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=raphaelrobert.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cOcuFOoHsF_x for <mls@ietfa.amsl.com>; Wed, 8 Jun 2022 06:30:11 -0700 (PDT)
Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A62A3C14F72B for <mls@ietf.org>; Wed, 8 Jun 2022 06:30:11 -0700 (PDT)
Received: by mail-wm1-x330.google.com with SMTP id 67-20020a1c1946000000b00397382b44f4so11110772wmz.2 for <mls@ietf.org>; Wed, 08 Jun 2022 06:30:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raphaelrobert.com; s=rr; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=dKNWk+vvrTC7N67zlqdgmOSOqcI0yV4NwUeTtopE3Ls=; b=Eq8DgTVLtuil4qTrdXfK7Zd0JtE5WqRMAzyjZ+SbH5DS5ANqPNTdESd5IUcZnih/FD R7rtUvOpum+X7YRPC3BuXwQyGP3OUa9A4fi+PBmTY+83AOfi8aJq5M/G/0D5cftvdy7E jRN7Nmw15RcqwwtIkeF01WRmXl6f67mJvYB/k=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=dKNWk+vvrTC7N67zlqdgmOSOqcI0yV4NwUeTtopE3Ls=; b=y5OvYviPa6yhYgD1LRCmA1Smcv69x+HG54tcnS4jxsWgJhiMsWnozZTjE7tvz0Bclx 4yTD3Kg1idQgzuo8cJ0OQkkJXMkx1BqXVyYyMpKnLcwyS9x0JFrLQNvEilieGpwBWLhi VtWXwIZ+ZZMfqmjfoDEmD1RiVRohBAOITg/TgDgZgMTdwwQ5dfwhi/uf26SIIsXQJxOO 6h+jVOMHHavPI7c4dFN1LFWojmdC+tVzfqLGgvU6hdWkcaehD1U0i1XWsVwMdfNzPDfq 2q2VvTRUAxRhqAwtv5QRb3li/QfJd6WMyN8y+J8XOtGX/pAMkkIARTx2fRgte0VQkp6Y 6WaA==
X-Gm-Message-State: AOAM5306j94KOD1aX1ahL6vqPM6Uj2BO6UZCqd2Ex/NUCk+ia/strHy/ t0vKmK4ZJcLjZbfcEv4J2rwt6A==
X-Google-Smtp-Source: ABdhPJyGyof+D8L3wGwNF38XHhrqq3ynPXyrb4DqsCozeo943XOvgb8WwmPOEs58LgxcD7leh6NDZA==
X-Received: by 2002:a05:600c:1e2a:b0:39c:51f8:80d4 with SMTP id ay42-20020a05600c1e2a00b0039c51f880d4mr15766167wmb.192.1654695009300; Wed, 08 Jun 2022 06:30:09 -0700 (PDT)
Received: from smtpclient.apple (ip-095-208-241-080.um33.pools.vodafone-ip.de. [95.208.241.80]) by smtp.gmail.com with ESMTPSA id n20-20020a05600c501400b003971fc23185sm3705018wmr.20.2022.06.08.06.30.08 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Jun 2022 06:30:08 -0700 (PDT)
From: Raphael Robert <ietf@raphaelrobert.com>
Message-Id: <0C9D51C1-3A5C-458D-B442-01A6AE62FC95@raphaelrobert.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5C0B092B-7EBD-49D7-8297-DF59421B68F4"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
Date: Wed, 08 Jun 2022 15:30:07 +0200
In-Reply-To: <CAL02cgTT=A7cgK3UKzAGLci+Q2rSixBSAptAdh70+5pdr8-YGA@mail.gmail.com>
Cc: Théophile Wallez <theophile.wallez@inria.fr>, Messaging Layer Security WG <mls@ietf.org>
To: Richard Barnes <rlb@ipv.sx>
References: <7e5a8152-ef25-7ab4-b265-8e2e27756038@inria.fr> <CAL02cgTT=A7cgK3UKzAGLci+Q2rSixBSAptAdh70+5pdr8-YGA@mail.gmail.com>
X-Mailer: Apple Mail (2.3696.100.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/3XYFPwhk_H4Ie6jTuN9JgjulLfQ>
Subject: Re: [MLS] Formal proof for PR 713 / "Improve parent hash guarantees"
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jun 2022 13:30:15 -0000
Thanks Théophile for doing that work! @Richard: I’d like to join please. Raphael > On 8. Jun 2022, at 15:21, Richard Barnes <rlb@ipv.sx> wrote: > > I've got a calendar invite going with Webex coords. Let me know if you'd like to join. > --RLB > > On Wed, Jun 8, 2022 at 4:14 AM Théophile Wallez <theophile.wallez@inria.fr <mailto:theophile.wallez@inria.fr>> wrote: > Hello All, > > During the last interim, when discussing PR 713, people raised concerns > that this PR might introduce bugs in MLS, because the parent-hash is a > complex thing and contained many bugs in the past. > > During the last days, I formalized a small part of MLS in F*, and proved > that the invariants checked in the "Verifying Parent Hashes" section are > actually invariants of the protocol. > > Of course I can't just say "believe my I have a formal proof". I also > can't just send my model as-is and expect everyone to decipher the F* > code without explanations. > Richard therefore proposed to meet during one hour before the next > interim, for the people interested, during which I will explain my > model, hoping that afterwards: > - you will agree that my code faithfully models the parts of MLS dealing > with parent-hashes, > - you will agree that the theorem I proved actually state that the new > invariants are preserved. > The only prerequisite will be to be a bit familiar with functional > programming (no need to know super fancy stuff, just algebraic datatypes > / pattern matching / recursion should be enough). > > Richard will take care of setting up a Webex link. > > Cheers, > Théophile. > > _______________________________________________ > MLS mailing list > MLS@ietf.org <mailto:MLS@ietf.org> > https://www.ietf.org/mailman/listinfo/mls <https://www.ietf.org/mailman/listinfo/mls> > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls
- [MLS] Formal proof for PR 713 / "Improve parent h… Théophile Wallez
- Re: [MLS] Formal proof for PR 713 / "Improve pare… Richard Barnes
- Re: [MLS] Formal proof for PR 713 / "Improve pare… Raphael Robert
- Re: [MLS] Formal proof for PR 713 / "Improve pare… Carsten Bormann
- Re: [MLS] Formal proof for PR 713 / "Improve pare… dbnisbe@uwe.nsa.gov
- Re: [MLS] Formal proof for PR 713 / "Improve pare… Raphael Robert