[MLS] Adapting Hierarchical Key Derivation for Ephemeral Signatures in MLS
Nadim Kobeissi <nadim@symbolic.software> Fri, 12 October 2018 19:46 UTC
Return-Path: <nadim@symbolic.software>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F0EA130E89 for <mls@ietfa.amsl.com>; Fri, 12 Oct 2018 12:46:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=symbolic.software
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LhjcYa_z-gsI for <mls@ietfa.amsl.com>; Fri, 12 Oct 2018 12:46:53 -0700 (PDT)
Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 101631286E3 for <mls@ietf.org>; Fri, 12 Oct 2018 12:46:53 -0700 (PDT)
Received: by mail-wm1-x336.google.com with SMTP id z204-v6so14001316wmc.5 for <mls@ietf.org>; Fri, 12 Oct 2018 12:46:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=symbolic.software; s=google; h=mime-version:from:date:message-id:subject:to; bh=SU5nV61COy4NOO7CJSewl4aTzfIZLYDmSVuyjwHOJNU=; b=ilgg5XefcWOmgsg3BSwddXZTjtiwrYUcETzMDyZ4B+2AwYCdFKP5aGPbUu2kMcI6KA ysnzQ/XWDT/UFD93FHCzUViTpMiL5nMt1GZAUXhriZzvRHF9Vbuo44B9cREqUJKPfZk7 gpGPT64u/kV4qA8S8WbYUZxXRj3Izp9jV7aVM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=SU5nV61COy4NOO7CJSewl4aTzfIZLYDmSVuyjwHOJNU=; b=Sx7CEiPslBLx2Cew5XN1FwaEQD3JO0Sc3Iopvd0BXGSramiDOczD4kVvZLFpUCpZP4 ANOZrDPa2IuoBzCVV7EuKDaRZrXWTGiddr7MRgyph3vJ8FFo9XHdrxCVnDAsy3a3B+zK 1XQhAKAJrEd1/i/9uzAiUEm7aRjendppdqODgj8EXDzyHjO6yM8NmUefqV3FPdbcS5p5 2qhS6b1zQ4KT2xvaUaXcfT3dH726Q+EoFg6ZGAzcumsQ3GK/3L8Pb4its6axUJobqswR hFRQD10N4zC1/mtuCpP+ClNLzk4NEucjcixsPWzH1qmQ+0uZzwpA688GqRBZkV2oQPKP H7fg==
X-Gm-Message-State: ABuFfohzNZSfm8piSLjpca0dQ9WD8Q2aYfLp2DdT960l8d3MvoOfXtST YSL1RLDeax4dT+czaUrq2qiI0p/695IAcGra7B9lIAjF5/xF/Q==
X-Google-Smtp-Source: ACcGV60pJiVe7SijiVZZfoG05tH7XN9St1W2oGBx8CZPl6aoQu0LAlKz19vcZ6ggIUlbp4IJP233R4NeO8Skq9O6Sik=
X-Received: by 2002:a1c:e5cf:: with SMTP id c198-v6mr6220707wmh.113.1539373610847; Fri, 12 Oct 2018 12:46:50 -0700 (PDT)
MIME-Version: 1.0
From: Nadim Kobeissi <nadim@symbolic.software>
Date: Fri, 12 Oct 2018 21:46:41 +0200
Message-ID: <CAJR2JpgwrgykbRGCCaEutou7x6-j4SGKFXurKah8rya=jMJ2cw@mail.gmail.com>
To: mls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000040669605780d59a6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/4fByN0bur4CU3RzNDvfLyUsPyqY>
Subject: [MLS] Adapting Hierarchical Key Derivation for Ephemeral Signatures in MLS
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Oct 2018 19:46:56 -0000
Hello everyone, I've been working on adapting Hierarchical Key Derivation (HKD) in order to obtain some kind of ephemeral signatures that may be useful in MLS. I've arrived at a point where I'm optimistic that this is a direction worth pursuing and might indeed be a solution to this problem. HKD was at some point a candidate for how signature keys are managed per epoch in the Tor Hidden Service design [0]. HKD logic has also been implemented in Bitcoin wallets for a while now [1]. HKD constructions can be also derived from existing popular fast signature algorithms such as Ed25519 with minimal changes [2], making them an easy fit for MLS. Very simply, the functionality that HKD signature schemes bring to MLS is the following: - Alice sends a public signing key to Bob during epoch n. - At the onset of epoch n+1, Bob is able to immediately calculate Alice's public signing key for epoch n+1 based purely on his knowledge of Alice's public signing key for epoch 0. Alice doesn't need to send new signing key information to Bob. - At this point, Bob can delete Alice's public signing key for epoch n. - More importantly, Alice herself can delete Alice's private signing key for epoch n, keeping only her private signing key for epoch n+1. The way that this could work in MLS would be heavily based on HDKeys-Ed25519 [2]. I'll resist paraphrasing the paper, and instead will point out the relevant sections (which are short, well-written and worth reading:) - Section 2 describes the original concept as used for Bitcoin wallet derivation. - Section 4 describes the modifications to Ed25519 to enable HKD constructions. - Section 5 describes how private and public child keys are generated (Fig. 1 is also helpful.) My questions: - How are we deriving epoch identifiers? Are they simply counters, or each epoch identified by a nonce that's communicated confidentially? If you read [2], you'll see why this can be important. - Performance impact seems to be negligible for Montgomery-based signing primitives, but I'm interested in more insight on this. - Is anyone else interested in having a standard HDKeys-Ed25519 implementation? I've been working on one in JavaScript and plan to eventually also write one in Go. Perhaps Richard would like to help with a C++ version? - I'm also interested in hearing your thoughts on this generally. During the interim meeting (as well as before it), it was frequently discussed how ephemeral signatures may be useful for MLS. This also appears to be slated as a discussion topic for IETF 103, so it would be great if we could continue the discussion there as well. References: [0] https://gitweb.torproject.org/torspec.git/tree/proposals/224-rend-spec-ng.txt#n1979 [1] https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki [2] https://cardanolaunch.com/assets/Ed25519_BIP.pdf Nadim Kobeissi Symbolic Software • https://symbolic.software Sent from office
- [MLS] Adapting Hierarchical Key Derivation for Ep… Nadim Kobeissi
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Ted Hardie
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Nadim Kobeissi
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Brendan McMillion
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Nadim Kobeissi
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Brendan McMillion
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Raphael Robert
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Nick Sullivan
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Brendan McMillion
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Brendan McMillion
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Jonathan Hoyland