[MLS] ART Ideas in TreeKEM
"M.A.L. Weidner" <malw2@cam.ac.uk> Mon, 25 February 2019 21:37 UTC
Return-Path: <malw2@cam.ac.uk>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1DB0131132 for <mls@ietfa.amsl.com>; Mon, 25 Feb 2019 13:37:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=universityofcambridgecloud.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mHDhlRDyQ_hY for <mls@ietfa.amsl.com>; Mon, 25 Feb 2019 13:37:26 -0800 (PST)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on072a.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe1e::72a]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1F661310E6 for <mls@ietf.org>; Mon, 25 Feb 2019 13:37:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=UniversityOfCambridgeCloud.onmicrosoft.com; s=selector1-cam-ac-uk; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=42r8v1n6i5QdqllszHwh/Sy32zESwOtf4Ao/MiPhjsA=; b=fKMMl8SjZOYUJXtxchPKZCyuffDt64dzmikZv7uPi67QPEwr76VggzgBNqiDcR1W1Y2KBmXmTuN5JjRuw7p4hIaDurnT5Io3B98JqzWYngTyXfoVQe/MIssqc6tSKO9aob+a15hKA2qurfanwBPlO4QEE5nCdGv69/iEHO9l4RE=
Received: from VI1PR0801MB1296.eurprd08.prod.outlook.com (10.167.197.146) by VI1PR0801MB1375.eurprd08.prod.outlook.com (10.167.198.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1643.14; Mon, 25 Feb 2019 21:37:21 +0000
Received: from VI1PR0801MB1296.eurprd08.prod.outlook.com ([fe80::99a3:16d:d203:82ea]) by VI1PR0801MB1296.eurprd08.prod.outlook.com ([fe80::99a3:16d:d203:82ea%3]) with mapi id 15.20.1643.019; Mon, 25 Feb 2019 21:37:21 +0000
From: "M.A.L. Weidner" <malw2@cam.ac.uk>
To: "mls@ietf.org" <mls@ietf.org>
Thread-Topic: ART Ideas in TreeKEM
Thread-Index: AQHUzVJJoSxk3lmKTky1XqgDJ73oyA==
Date: Mon, 25 Feb 2019 21:37:21 +0000
Message-ID: <CADSARUs6Qt5srOTYGe6otaVfUZQK56+HZgVJpzhssh8ad1Ux+w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: AM5P189CA0033.EURP189.PROD.OUTLOOK.COM (2603:10a6:206:15::46) To VI1PR0801MB1296.eurprd08.prod.outlook.com (2603:10a6:800:3a::18)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=malw2@cam.ac.uk;
x-ms-exchange-messagesentrepresentingtype: 1
x-gm-message-state: AHQUAubUjof3Aw6q+a1NA16F7BW/NwfIAq4GcJpRBouV/0vz4G0mrvxi WByKHVqadiOY7sE5WybOIxiTiFDYHtIpd2fB4Ws=
x-google-smtp-source: AHgI3Iaz7wCfRa1BExwByTh4/qQI2EJFvWVVpnTcsiXwbep3Wd2Hu9RHEwQxrt6QwiUF/coXchXyJyb8Ele/sNLaCJc=
x-received: by 2002:adf:f7c9:: with SMTP id a9mr14839710wrq.39.1551130639477; Mon, 25 Feb 2019 13:37:19 -0800 (PST)
x-gmail-original-message-id: <CADSARUs6Qt5srOTYGe6otaVfUZQK56+HZgVJpzhssh8ad1Ux+w@mail.gmail.com>
x-originating-ip: [209.85.221.45]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 08becc09-011a-4238-f584-08d69b696c13
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:VI1PR0801MB1375;
x-ms-traffictypediagnostic: VI1PR0801MB1375:
x-microsoft-exchange-diagnostics: 1;VI1PR0801MB1375;23:N0litETn0eqnexDCLcuycDlCDCJjj7i0FUMkP7LjJB+CSqgNMJ2KsaOpsPR7M/bRPwhnMIh54DdAt5A4ZwONT97HGfgqaswWVtnwYJm9scUbrOfjoVmpZ9+4wgdtBETeM71DmowENrq0dO/K2DqFk9dkzo6OYDXFfOWcV5jK9Kif1zOMUvUtvBW/Qo18j89EvfDrau22FJhUnbscPCWPHqEEZJri1Xv55+5IV4Qg39+brSJdTJvDbahHdH5U86PjDJv32sFMfbBPxKrAf/9uEO4IsKRqitzX9CsaBkYE74EOSswoz76avyFTfyelXRxi9VuAQKpfc76LMxFxAYnlWEC24rZbLd7qb6qWwgsF6QwrPfg+r72vdkzwYLCUzvfdsGoo1CafJxVZpeDV7vxvWae5EHS8jUYYw8ILIAyAXPqdj3dFZH0WapPfmi6av0m+gp82Xlz0IIlSa2JRr8qaNCx3nXxgp98lyj/EkVfv/M3B2LmBPeLKG6HmEL+o9gCsZT2PrG0XdG4MtP8xp5JyQi/ydhCqBdJCSZXWVaooorNT24oDApKggmJYokwWXat4bLCq5xxWUWj/MLalZylqPasBxIKKZ5iC5F9NwwxK7ATA6md2MuMNdmw554la0ew14rt8c4zs9jzx+w+k73hHBRn/OvkA7N5snffEE2clIS7aJVNq23+W7L5lfvTkTr24MBsVWNGP2beVB+wuhc3DV55NE4DIvGv7+Ea4ZInOvUiZihG1e8IS7W/LYORx268tCY9r6LQgKBEOdKnPbsIrBiIXvTtrthIRdTLFMaMtNB4QDphISd/kbHqzHXxtxr1QWIQcw8yrcaLTYqIdT5/YWux9yHf32kLARS9nAPlRjLYeDqOOJ62wj5otNIrCuXlstatwKwJquTTifPfI1vSn4y/9z5J/lq+hMVLmTRQ8jMg92+IeamZgj4hGpgqH66+ow8oY26hfMfwNknr6/yeq+3iGOwocT4hIBOgGSy2UuX4TFPMSTZbTHCT8DmkBT/wnVLDm7ree6nZovyBQGioJAQREHZm/QSNqWMuwRj/9pfGUiTBoApNo08kxNm10aV8uNm/lFKR1p5E21V5M98jXMwEGZxTPD/0JdYnobR+A4JR3k6avCq0QZSTYDDuMmFg0QkE1weXjGfx0HaUH9eo+vnFv3fk32+09MdqIQ0qqDVu6alu4iJot/I9UzEvepsY56MQrc4NL3AZD0Yj5pbRlLMif3UpFUNSSZWV2KQhtesGq+jxSTRgPRj23qpMleb9f+DOC30Xepg010Y8rTuITOyrf8yFzzDODUc2Y9Rp7yRbGrSHmdoLZf2+Qxvr786YzMscD80BQoM66J8knrxqDxWi8ezysMAh9ihIjDaYuGX8=
x-microsoft-antispam-prvs: <VI1PR0801MB13751D92407D1793655C2EFAAC7A0@VI1PR0801MB1375.eurprd08.prod.outlook.com>
x-forefront-prvs: 095972DF2F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(366004)(376002)(136003)(396003)(346002)(52314003)(189003)(199004)(71190400001)(25786009)(8676002)(71200400001)(86362001)(66066001)(106356001)(486006)(105586002)(2351001)(97736004)(476003)(61266001)(1730700003)(61726006)(81156014)(81166006)(305945005)(7736002)(256004)(14444005)(2906002)(74482002)(2501003)(53936002)(186003)(8936002)(26005)(95326003)(478600001)(102836004)(14454004)(498394004)(316002)(786003)(6506007)(52116002)(9686003)(6512007)(68736007)(5660300002)(3846002)(6116002)(6436002)(99286004)(5640700003)(54896002)(6486002)(386003)(6916009)(3480700005)(55446002); DIR:OUT; SFP:1102; SCL:1; SRVR:VI1PR0801MB1375; H:VI1PR0801MB1296.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cam.ac.uk does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: Ojv+ir1SlwjVzcXPGcJ02XIpCex8cZmezMetvZOUpS4s5eoNKI2pV+4emlcqUSoCsG9sLwJe9PG0H793UKq4tLJIIqDigEkGYbLZl0nVTqh5PNR2OHXMp0aYxI8vLBCo8MhIaJXLrgkprVuY/JWlnsws/wg/xEs5GfGIzrUm3H2Am6fq0POcLlKSrDZpDdOhsTI43sT65quA6gg4duy1JKXid0FYsXDN9Ev1TPPEPlRJ/DjlFU4vFIVQL+synbOiT0K5qJNz/4clOc3dZ3xkhJdue4a62GS68SnkjKYEQzN5lw2m9n/c3JD/hYAmZTLPEnWkcQqB/rCLMRWw0pufSRaA4zUm+lPq5cTPQCovcOqYnG/PdtsLxDHbcZ9yCOpaCRanx3zTjZR0BNYZOp1wagqmnbtyQMXwZ+G8sqNlIUg=
Content-Type: multipart/alternative; boundary="_000_CADSARUs6Qt5srOTYGe6otaVfUZQK56HZgVJpzhssh8ad1Uxwmailgm_"
MIME-Version: 1.0
X-OriginatorOrg: cam.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: 08becc09-011a-4238-f584-08d69b696c13
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Feb 2019 21:37:20.6612 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-id: 49a50445-bdfa-4b79-ade3-547b4f3986e9
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0801MB1375
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/GfPMqcZFjhc9CxBzqCQHzhF3Cyc>
Subject: [MLS] ART Ideas in TreeKEM
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 21:37:34 -0000
Greatings MLS Working Group! I have been studying the proposals for TreeKEM, and earlier, ART, and noticed a way to use ART's DH tree ideas in TreeKEM, without sacrificing the ability to merge updates or use blank nodes. My apologies if this has been discussed before or if there are any mistakes. My main motivation here is to reduce the size of update messages, since the key encrypted keys in addition to new public keys means that they are ~2x as large in TreeKEM as in ART. Basically, we use TreeKEM, but with ART's key derivation "as" H(X). That is, when a node C1 gets the new secret X, instead of H(X), its parent gets the new secret H2(DH(X, priv(C2))) = H2(pub(C2) ^ X) = H2(pub(X) ^ priv(C2)) where C2 is the neighbor of C1, for some hash function H2. Since TreeKEM is agnostic about H, we can "define" H(X) := H2(DH(X, priv(C2))) in this way without issue, noting that the only users who will have to compute H2(DH(X, priv(C2))) are descendants of C1 (who know X) or C2 (who know priv(C2)). We can merge updates as with "pure" TreeKEM, choosing one update to dominate at nodes where they conflict. This will cause the tree to cease being a DH tree, which is fine. Note that descendants of C2 will have to keep around priv(C2) for a short time after it is overwritten in case of simultaneous updates (so that they can compute the parent secret), but that is true for TreeKEM anyway, since any simultaneous update will send data encrypted under pub(C2). Blank nodes can be handled by reverting to pure TreeKEM: if a node with new secret X has a blank neighbor, set the parent's secret to H(X) and send that separately to every public key in the resolution. Now instead of including pub(X), Enc(pub(C2), H(X)) in the RatchetNode struct for node C2, we need merely include pub(X), saving bandwidth. Pros: - reduces the update message size by about 50% in the typical case (I think). - we can build a ternary tree using 3-party Joux DH (as with ART), giving a further log_3(2) ~ 0.63 scaling on update message size. (I think it's possible to do this with pure TreeKEM as well, by replacing the ephemeral DH exchange with a Joux DH when doing asymmetric encryption.) Cons: - forced to use a DH style cryptosystem (bad for post-quantum?) (as with ART). - need log(N) DH operations to compute the new key, instead of log(N) hashes (as with ART). So this is a bad deal if CPU cycles are more expensive than bandwidth. - can also reduce bandwidth by 2 just by ratcheting half as often. I hope you may find this interesting. Best, Matthew Weidner MPhil student, University of Cambridge
- Re: [MLS] ART Ideas in TreeKEM Richard Barnes
- [MLS] ART Ideas in TreeKEM M.A.L. Weidner
- Re: [MLS] ART Ideas in TreeKEM Raphael Robert
- Re: [MLS] ART Ideas in TreeKEM M.A.L. Weidner