[MLS] Removing members from groups

Jon Millican <jmillican@fb.com> Mon, 12 February 2018 11:01 UTC

Return-Path: <prvs=5581f93cbe=jmillican@fb.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id D2D4B1275C5 for <mls@ietfa.amsl.com>; Mon, 12 Feb 2018 03:01:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.72
X-Spam-Status: No, score=-2.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fb.com header.b=O/kx88mi; dkim=pass (1024-bit key) header.d=fb.onmicrosoft.com header.b=AsuRnz0U
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id hsUPnmZ95Fj2 for <mls@ietfa.amsl.com>; Mon, 12 Feb 2018 03:01:38 -0800 (PST)
Received: from mx0a-00082601.pphosted.com (mx0b-00082601.pphosted.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E49151275FD for <mls@ietf.org>; Mon, 12 Feb 2018 03:01:36 -0800 (PST)
Received: from pps.filterd (m0001303.ppops.net []) by m0001303.ppops.net ( with SMTP id w1CAv8g3030761 for <mls@ietf.org>; Mon, 12 Feb 2018 03:01:35 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : subject : date : message-id : content-type : mime-version; s=facebook; bh=11vVgUrEzmf76i1ImQ9GUOHm1YuZyM1OkKa4dw/C9bQ=; b=O/kx88mik05xJHCzyMFW++JaVRqQSs7BknPV8gyhbxuWF8UDIUtezWAv2iPZ8TAKLBqV xYA1on2gffkIge/r2RJ2iekrsc7qdxboWqZoobBoq2aovE7y/Hg131DObmqKRNF4PDI3 n9UV30uxC67ph5jvHVkIm0BAGcRBQpukPk0=
Received: from maileast.thefacebook.com ([]) by m0001303.ppops.net with ESMTP id 2g30n88tb9-1 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT) for <mls@ietf.org>; Mon, 12 Feb 2018 03:01:35 -0800
Received: from NAM02-BL2-obe.outbound.protection.outlook.com ( by o365-in.thefacebook.com ( with Microsoft SMTP Server (TLS) id 14.3.361.1; Mon, 12 Feb 2018 06:01:35 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.onmicrosoft.com; s=selector1-fb-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=11vVgUrEzmf76i1ImQ9GUOHm1YuZyM1OkKa4dw/C9bQ=; b=AsuRnz0Uzu+xn7BnDG+Ere8Xr80vDHVFBQroo5JFHl0ZciaZArZltrCEqFh+lUiqPVZd/hemtd4NURtMVAq7+pdzA+etaRbXrsMSrSqSeFSq9I8KBGjaPiDEZKHft+uMsnZ7fBeP/Hzuq5vPegaKsqSmxbv1Aprp3E5Njm4Qsno=
Received: from CY4PR15MB1751.namprd15.prod.outlook.com ( by CY4PR15MB1255.namprd15.prod.outlook.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.485.10; Mon, 12 Feb 2018 11:01:33 +0000
Received: from CY4PR15MB1751.namprd15.prod.outlook.com ([fe80::3028:3f8c:6eeb:3256]) by CY4PR15MB1751.namprd15.prod.outlook.com ([fe80::3028:3f8c:6eeb:3256%17]) with mapi id 15.20.0485.015; Mon, 12 Feb 2018 11:01:32 +0000
From: Jon Millican <jmillican@fb.com>
To: "mls@ietf.org" <mls@ietf.org>
Thread-Topic: Removing members from groups
Thread-Index: AQHTo/DX/lElM66x7kOt9p+HMOD2bw==
Date: Mon, 12 Feb 2018 11:01:32 +0000
Message-ID: <86011555-DAF3-485C-91BB-77884FE6B549@fb.com>
Accept-Language: en-US
Content-Language: en-GB
x-originating-ip: [2620:10d:c092:200::1:9a9c]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR15MB1255; 7:BX+0xevmlUtTshx5CEnHOYNJvApuv0RYxIdHXASHeGJ1Pps7xWy6GASA5PY2yGeRpC9D8mubFXXT/J6XiLa6Fj8n5tJfkCmVXuWXe55+nHJK+P6n3Anhl6kSWj8ICFG2Qk5n9zDlwCa3K5yh3UrKW3xAVP9PISLiyRcB61cWkT1c2u1OqrOjvZ+44416ubGgOuQjLU9655YXPcv+mhFFIELKcfrNSGryqENSi+VpcEskfCubmKMATnchU/WocgVs; 20:99nKQrExB7Nxx4DmsU41PfyJNo941YYA/Dig3V327OGTGmjiUV+mwRjLuFCM4JtAZSJjeK+V1MWL9dGNjAVdqL6e37/1ilM9aXiwWVcKDWzRBL5zD9cbFer/BGUe9USYcw5b/44cTg6vbHPStyNzldDWsJ5czGV712bJLKj+3z8=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: aac689da-6406-459e-4426-08d57207fa0a
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603307)(7153060)(7193020); SRVR:CY4PR15MB1255;
x-ms-traffictypediagnostic: CY4PR15MB1255:
x-microsoft-antispam-prvs: <CY4PR15MB1255AE98990EC3A87BA799D0DAF70@CY4PR15MB1255.namprd15.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(158342451672863)(192374486261705)(788757137089)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040501)(2401047)(8121501046)(5005006)(93006095)(93001095)(3002001)(10201501046)(3231101)(11241501184)(944501161)(6041288)(20161123558120)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123564045)(6072148)(201708071742011); SRVR:CY4PR15MB1255; BCL:0; PCL:0; RULEID:; SRVR:CY4PR15MB1255;
x-forefront-prvs: 0581B5AB35
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(376002)(396003)(346002)(366004)(39380400002)(52314003)(199004)(189003)(53754006)(3660700001)(82746002)(6512007)(68736007)(2501003)(25786009)(54896002)(6306002)(53946003)(478600001)(2900100001)(7736002)(6486002)(6916009)(561944003)(36756003)(5640700003)(33656002)(6436002)(81166006)(6116002)(97736004)(5660300001)(3280700002)(3480700004)(105586002)(106356001)(6506007)(8936002)(8676002)(53936002)(5250100002)(102836004)(99286004)(83716003)(186003)(2351001)(14454004)(59450400001)(2906002)(81156014)(86362001)(316002)(1730700003)(579004); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR15MB1255; H:CY4PR15MB1751.namprd15.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: fb.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: TOMBl+RfJ3ZNDNumFsXy7oL/wp5oQZlmvCNDIArwF02B3AdRPUGETBNtacXKva6qHN+zMUajfFFFIJQzUI6geQ==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_86011555DAF3485C91BB77884FE6B549fbcom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: aac689da-6406-459e-4426-08d57207fa0a
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Feb 2018 11:01:32.7326 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR15MB1255
X-OriginatorOrg: fb.com
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-02-12_05:, , signatures=0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/4-gvXpc-LGbWoUS7DKGYG65lkxs>
Subject: [MLS] Removing members from groups
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Feb 2018 11:01:41 -0000

Hello all,

Before we made the drafts public, our informal group spent a lot of time discussing the various alternatives for how a member can be safely removed (or deleted) from a group. With everything now public, I wanted to present the main options that we were thinking about at the time, and present a new variant that I've been thinking about over the past few days.

The two main contenders that we considered were:

1. Replace-then-blank.
2. Mix in secret from punctured tree.

For all of these examples, I'll use this example tree, notating a node by the list of members who know its private key:

          /        \
         /          \
        /            \
       /              \
     ABCD            EFGH
    /    \          /    \
   /      \        /      \
  AB      CD      EF      GH
/  \    /  \    /  \    /  \
A    B  C    D  E    F  G    H


This is perhaps the most natural way to use ART for deletion. The intuition is that you want to simply remove the evictee's leaf node from the ratcheting tree; but if you can't perform this yourself, you instead just replace their leaf key with one that they don't know, which will remain there until somebody who is capable performs the actual removal.

The mechanism for removing E works as follows:

If the deleter is F, G or H, they simply send an update to the tree that marks E as blank. These three can trivially do this, as they can perform the calculation DH(F, GH). This immediately and permanently locks out E, who now knows nothing about the tree. Nobody else is in a privileged position either; so this is ideal.

          /        \
         /          \
        /            \
       /              \
     ABCD            _FGH
    /    \          /    \
   /      \        /      \
  AB      CD      _F      GH
/  \    /  \    /  \    /  \
A    B  C    D  _    F  G    H

If the deleter is A, B, C or D; they cannot compute DH(F, GH), so must instead *replace* E with a key X that they must generate and then immediately destroy. This allows them to compute and transmit E's full path, and thus the tree can continue to be used, but E is again fully removed with no further knowledge of the contents of the tree.

         /        \
         /          \
        /            \
       /              \
     ABCD            XFGH
    /    \          /    \
   /      \        /      \
  AB      CD      XF      GH
/  \    /  \    /  \    /  \
A    B  C    D  X    F  G    H

The problem here though is that we have now put A in a privileged position, in that A could have been dishonest and failed to delete X. This isn't necessarily a problem if A is honest themself - or indeed if A continues to be in the tree - as they therefore already have access to the tree's contents; but we don't want the protocol to rely on both of these being true. Indeed, if X were to remain in the tree without ever being rotated, we could - if nothing else - suffer from weakened Post-Compromise Security.

The first mitigation here is to lazily perform the above blank operation next time a capable party (F, G and H in this situation) performs their own update.

The second is to ensure that *if A is deleted, any nodes which A was privileged over must also be re-replaced*. So, say, if B were to now delete A (which B can do directly), they would also have to generate an eviction key Y, to put in place of X, to make certain that A cannot still compute the tree's root key.

          /        \
         /          \
        /            \
       /              \
     _BCD            YFGH
    /    \          /    \
   /      \        /      \
  _B      CD      YF      GH
/  \    /  \    /  \    /  \
_    B  C    D  Y    F  G    H

This whole process ends up requiring a little extra book-keeping. It's not too complex, and I have a draft algorithm description for this, but having the book-keeping is something of a downside.

Advantages of replace-then-blank:
* It's a very natural way of using ART. Easy to understand.
* It seems to reasonably straight-forwardly maintain post-compromise security.

* Extra book-keeping somewhat increases protocol complexity.
* There are potential edge cases which could increase one-off delete cost to O(n). E.g. if A has deleted one of every leaf pair in a large tree, then somebody deletes A - they will also have to replace every one of A's siblings. This should be rare, and I'm pretty sure amortises away over many messages, but would still be a bad case.

Mix in secret from punctured tree.

This approach uses a neat trick that we figured out to get efficient (n-1) subgroups of trees. For an example, in the tree that we've been using - if A wishes to send a message to everybody apart from E, they can encrypt it each of the public keys in E's copath: ABCD, F and GH.

          /        \
         /          \
        /            \
       /              \
     ABCD*           EFGH
    /    \          /    \
   /      \        /      \
  AB      CD      EF      GH*
/  \    /  \    /  \    /  \
A    B  C    D  E    F* G    H

This operation has logarithmic efficiency, as the copath is sized log(n). The principle also extends to a more general concept of "punctured trees"; whereby you can send a message to any subset of the tree based on the smallest set of keys that none of the excluded members know. This eventually degrades to linear in the worst case (every second leaf node has been excluded), but again this likely feels more edge-casey.

I believe the proposal here was:

* Keep track of all nodes who have been deleted.
* When you wish to delete a new node, generate a temporary key K, then compute a completely unbalanced tree with K as the left-most node, and each node up its copath being one of the nodes from the punctured tree. The root secret here is then KDFd into the epoch secret; making the epoch now uncomputable to E.

            /        \
           /         GH
      /      \
     /        F
/     \
K     ABCD

A nice property to note about doing this is that the server is capable of generating such a delete message - as it relies on no private information - and this may be useful in certain circumstances.

We had a fair bit of discussion about the post-compromise security properties here, which we very scientifically deemed to be "weird PCS".

Specifically the issue here is that E isn't necessarily removed from the tree at any point. They can still compute the tree root - but don't know the epoch secret, and so cannot compute any subsequent epoch secrets (due to their chaining). This means that if E were to compromise some other tree member, and therefore learn the epoch secret, E would effectively have reinserted themselves as an observer to the group, as they can compute all future operations.

To clarify, the reason that this is weird is that we tend to think of PCS as "PCS with respect to X". So if the protocol were to have PCS with respect to any individual participant - you would expect that after this participant has updated their own leaf key, anybody who had previously compromised them would be locked out again (I don't think this is a strict definition, but it's close enough as an intuition for a sensible mode of operation for PCS). However, in this situation, we don't have PCS with respect to anybody; so long as the attacker knows the leaf key for a deleted member.

One potential mitigation here would be to follow a delete with a blank operation - as in replace-then-blank. Otherwise what we seem to probably have is a protocol with forward secrecy, and "weird PCS".

Advantages of this approach with the mitigation in place:
* Much less book-keeping required: we never put anybody in a privileged position.
* Delete can be performed by non-group-members.

* Weird - or at worst weaker - post-compromise security.
* After many deletions, deletion time complexity may degrade to linear.

Of these approaches, we went with replace-then-blank for the initial draft due to its better (or, at least, more obvious) PCS properties.

Over the past few days I thought of a new approach based on punctured trees, that I believe may tolerate less book-keeping then replace-than-blank with better PCS with punctured tree mixins. I'm not fully sure of its merits or disadvantages, so I'd really appreciate feedback on whether it makes sense.

Eviction-path public key mutations.

The problem with replacing a non-(sibling or cousin) node is that you cannot compute the value of a parent node without knowing the secret value at one of its child nodes. The above deletion approaches are therefore based on the idea that you cannot change the private values in another branch of the tree without inserting yourself into a privileged position. This assumption, however, *may* not be entirely correct.

What we need here is the ability to mutate somebody else's public key to something for which they - and only they - can compute the private key. Fortunately, I believe that Diffie-Hellman itself directly provides this.

For DH private key x, the public key is g^x. If we take a different private key k, we can perform the DH operation on it to get g^(xk). So far, this is standard DH - with g^(xk) typically being used as a shared secret. We could, however, instead treat xk as the new private key, and g^(xk) as its public key. This then means that if you can securely transmit k to everybody: they can all compute g^(xk); but only the original private key owner actually knows the private key xk - by the discrete logarithm problem. NOTE: I DO NOT KNOW IF MY REASONING HERE IS QUITE CORRECT. This definitely requires input from real cryptographers.

So, let's combine this mutation with punctured trees. Now, when A wants to delete E, they compute a new secret k, and transmit it to the punctured tree excluding E - ensuring that everybody apart from E knows it. Everybody applies the mutation to every node in E's path, and immediately deletes k, resulting in the tree:

          /        \
         /          \
        /            \
       /              \
     ABCD           (EFGH)k
    /    \          /    \
   /      \        /      \
  AB      CD     (EF)k    GH
/  \    /  \    /  \    /  \
A    B  C    D  Ek   F  G    H

(Here we are actually breaking an invariant that used to hold from ART: specifically that a parent is directly calculated as KDF(DH(children)). This will mean that nodes need to cache their entire path, as they can't directly derive them, but this feels fine in practice: it's only logarithmic in size anyway, and we likely would want to cache it in real-world usage to avoid extra recalculations.)

This has the nice property that E no longer knows any private key in the tree; including their own. This could potentially allow us to never even bother to blank it out, but unfortunately we still have a slightly weird PCS property: if E had compromised anybody shortly *before* being deleted from the tree they could learn k when it is transmitted, and thus permanently reinsert themself into the tree. It's a much smaller compromise window than in the previous solution - which is any time in the future - but it's enough that we would probably still want to include blanking when the sibling or cousin next updates. We could also periodically send a new k until the node has been blanked to improve the mitigation (which, indeed, we could also do in the above solution).

Advantages of this approach:
* Same minimal book-keeping requirements as in "Mix in secret from punctured tree".
* Deletes can, again, be performed by non-group members.
* Deletes could always be logarithmic (without periodic re-keying).
* Small pre-emptive compromise window for evictees to be able to weaken PCS (without periodic re-keying).

* Still weaker PCS than replace-then-blank.
* Weird usage of DH which I'm not confident to assert is safe.

So, these are the options; please let me know if any of it isn't clear. I'd love to gather people's thoughts, and any alternative approaches you can think of - particularly as everything we've thought of so far involves certain compromises!