Re: [MLS] Why give the root a pk/sk?

Raphael Robert <raphael@wire.com> Mon, 11 May 2020 21:21 UTC

From: Raphael Robert <raphael@wire.com>
Message-Id: <B92CE6CF-409A-49A9-95E5-FC680E17BF67@wire.com>
Date: Mon, 11 May 2020 23:21:16 +0200
In-Reply-To: <CAL02cgSA--nvdbM=2ho85YdQYxNntXaXiL0z9Y9W1AbXtjqUFw@mail.gmail.com>
Cc: Joel Alwen <jalwen@wickr.com>, Messaging Layer Security WG <mls@ietf.org>
To: Richard Barnes <rlb@ipv.sx>
References: <b52a9fa8-c09b-331b-0eb9-39a211190e96@wickr.com> <CAL02cgSA--nvdbM=2ho85YdQYxNntXaXiL0z9Y9W1AbXtjqUFw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/6ttAvJZ_u0YFej-Jhjz89I-I0OA>
Subject: Re: [MLS] Why give the root a pk/sk?

I agree with that. Send-from-outside should be derived from the key schedule.

Raphael

> On 11 May 2020, at 22:22, Richard Barnes <rlb@ipv.sx> wrote:
> 
> I don't think it's necessary.  IIRC, the Go library doesn't do this, and it seems to implement the remainder of the spec just fine.
> 
> The only case where it might be useful is if we implemented a send-to-group-from-outside functionality, in support of Add initiated by the new joiner.  But even in that case, it would probably be better to derive a key pair off of the key schedule.
> 
> --RLB
> 
> On Mon, May 11, 2020 at 4:26 AM Joel Alwen <jalwen@wickr.com> wrote:
> Quick question for the list. Why assign a pk/sk to the root of the ratchet tree?
> (E.g. on Page 18 in the toy example root node G gets node_priv[1] and node_pub[1].)
> 
> The commit_secret is then derived using HKDF-Expand-Label again on the
> path_secret for the root.
> 
> Isn't it true that the only thing we ever encrypt to a node's pk is its parent's
> path_secret? If so I'm not seeing the point of the pk/sk at the root and the
> extra call to HKDF-Expand to get commit_secret. Am I missing something?
> 
> - Joël
> 
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
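The derivation this thread discusses, as an added sketch that is not part of the original messages and not taken from any MLS implementation: it walks the path_secret chain from a leaf to the root and records whose public key each path_secret would be encrypted to, showing that the root's key is never a target and that commit_secret is one further expansion of the root's path_secret. Assumptions: a full tree with a power-of-two leaf count in array layout, the label "path", a simplified HKDF-Expand-Label, and each copath node standing in for its resolution.

```python
import hashlib
import hmac

def expand_label(secret: bytes, label: str, length: int = 32) -> bytes:
    """Simplified stand-in for HKDF-Expand-Label (assumption): HKDF-Expand
    (RFC 5869, SHA-256) with info = b"mls10 " + label, not the draft's struct."""
    info, out, block, counter = b"mls10 " + label.encode(), b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def level(x: int) -> int:
    """Height of node x in the array layout: leaves are even, level 0."""
    k = 0
    while (x >> k) & 1:
        k += 1
    return k

def parent(x: int) -> int:
    k = level(x)
    return (x | (1 << k)) ^ (((x >> (k + 1)) & 1) << (k + 1))

def sibling(x: int) -> int:
    return x ^ (1 << (level(x) + 1))

def update_path(leaf_index: int, n_leaves: int, leaf_secret: bytes):
    """Walk from a leaf to the root of a full tree (n_leaves a power of two).
    Returns ([(node, encrypt_to, path_secret), ...], commit_secret)."""
    root, node, secret, steps = n_leaves - 1, 2 * leaf_index, leaf_secret, []
    while node != root:
        encrypt_to = sibling(node)             # copath node whose pk receives the secret
        node = parent(node)
        secret = expand_label(secret, "path")  # path_secret for `node` (label assumed)
        steps.append((node, encrypt_to, secret))
    # One more expansion on the root's path_secret, as described in the thread.
    return steps, expand_label(secret, "path")

def all_encryption_targets(n_leaves: int) -> set:
    """Every node whose public key is used, over updates from every leaf."""
    secret = bytes(32)  # constructed sample leaf secret
    return {t for i in range(n_leaves)
            for _, t, _ in update_path(i, n_leaves, secret)[0]}

if __name__ == "__main__":
    steps, commit_secret = update_path(0, 4, bytes(32))
    for node, target, _ in steps:
        print(f"path_secret of node {node} -> encrypted to pk of node {target}")
    print("root used as target:", 3 in all_encryption_targets(4))
```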