Re: [MLS] Why give the root a pk/sk?

Richard Barnes <rlb@ipv.sx> Mon, 11 May 2020 20:22 UTC

From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 11 May 2020 16:22:00 -0400
Message-ID: <CAL02cgSA--nvdbM=2ho85YdQYxNntXaXiL0z9Y9W1AbXtjqUFw@mail.gmail.com>
To: Joel Alwen <jalwen@wickr.com>
Cc: Messaging Layer Security WG <mls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/3_nfQeUSW6FexeyxJW1FIz8r6u0>
Subject: Re: [MLS] Why give the root a pk/sk?

I don't think it's necessary.  IIRC, the Go library doesn't do this, and it
seems to implement the remainder of the spec just fine.

The only case where it might be useful is if we implemented a
send-to-group-from-outside functionality, in support of Add initiated by
the new joiner.  But even in that case, it would probably be better to
derive a key pair off of the key schedule.

--RLB

On Mon, May 11, 2020 at 4:26 AM Joel Alwen <jalwen@wickr.com> wrote:

> Quick question for the list. Why assign a pk/sk to the root of the ratchet
> tree? (E.g. on Page 18 in the toy example root node G gets node_priv[1] and
> node_pub[1].)
>
> The commit_secret is then derived HKDF-Expand-Label again on the path_secret
> for the root.
>
> Isn't it true that the only thing we ever encrypt to a node's pk is its
> parent's path_secret? If so I'm not seeing the point of the pk/sk at the root
> and the extra call HKDF-Expand to get commit_secret. Am I missing something?
>
> - Joël
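A toy model of the question raised in this thread, added here as an example (it is not code from the MLS draft, the Go library, or either poster): it walks every leaf's update path in a full binary tree, records which nodes receive a derived key pair and which nodes' public keys are actually encrypted to, and reports the nodes whose key pair is never an encryption target. The heap-style node numbering, the label strings, the simplified `expand_label` helper and the absence of blank nodes are all assumptions made for illustration.

```python
import hashlib
import hmac

def hkdf_expand(prk, info, length=32):
    """HKDF-Expand from RFC 5869 over SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def expand_label(secret, label):
    # Simplified stand-in for HKDF-Expand-Label; the label encoding is an assumption.
    return hkdf_expand(secret, b"toy-mls " + label.encode())

def update_path(leaf_secret, leaf, n_leaves):
    """Walk from a leaf to the root (heap numbering: root is 1, children 2i and 2i+1).

    Returns (nodes given a key pair, nodes whose pk is encrypted to, commit_secret).
    n_leaves must be a power of two; blank nodes are not modelled.
    """
    node = n_leaves + leaf
    path_secret = leaf_secret
    keyed, targets = [], []
    while node > 1:
        sibling, node = node ^ 1, node // 2
        path_secret = expand_label(path_secret, "path")
        keyed.append(node)       # a key pair would be derived here from path_secret
        targets.append(sibling)  # this node's path_secret is encrypted to that child's pk
    # One more expansion on the root's path_secret gives commit_secret.
    commit_secret = expand_label(path_secret, "path")
    return keyed, targets, commit_secret

def never_encrypted_to(n_leaves):
    """Nodes that get a key pair on some update path but are never an encryption target."""
    keyed, targets = set(), set()
    for leaf in range(n_leaves):
        k, t, _ = update_path(bytes([leaf]) * 32, leaf, n_leaves)
        keyed.update(k)
        targets.update(t)
    return sorted(keyed - targets)

if __name__ == "__main__":
    print(never_encrypted_to(4))  # constructed 4-leaf tree
    print(never_encrypted_to(8))  # constructed 8-leaf tree
```

In this model only the root ends up in the result, because an encryption target is always the sibling of a path node and the root has no sibling.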