IETF Logo Mail Archive

Re: [MLS] Removing ART; maybe adding partial-tree

Richard Barnes <rlb@ipv.sx> Fri, 05 October 2018 21:05 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16A201286D9 for <mls@ietfa.amsl.com>; Fri, 5 Oct 2018 14:05:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p8m4LledZ2kd for <mls@ietfa.amsl.com>; Fri, 5 Oct 2018 14:05:12 -0700 (PDT)
Received: from mail-oi1-x243.google.com (mail-oi1-x243.google.com [IPv6:2607:f8b0:4864:20::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D04E1277D2 for <mls@ietf.org>; Fri, 5 Oct 2018 14:05:12 -0700 (PDT)
Received: by mail-oi1-x243.google.com with SMTP id y81-v6so11501586oia.6 for <mls@ietf.org>; Fri, 05 Oct 2018 14:05:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KwkUew0XRp9nY2hKeEd/9DNbdaqjn44lIasFHTzP4z4=; b=AIdFdVtv1NMNmHGOGQIsXCD0Wxd7K7M7EVScAr2jmKRjr9M4EkS2R2gYM986qLDQb/ 05sHIRNY2A2pyjUzBsr2wxgT4Fds2iWJ77n4cMBFVwm4QsxxwAIMU7HY1nSAg1scuJgm TLGnVdMxFhB+WV01RH//IcOG7NLcDzVp8z3vdClB1iDqF/hMj/kQKN3BaHhSmnFhsRi/ KTznmC1AvfCz+xCR1QhJBk3Y4WrvEoDnBoI5y6B4rj5L6adNMjZdMomtCnY3E1UGTTlN Li6jdUaW20pIpSIksM9XjpQYZdGIlWBEzpllTWDSNyrGhtQspGMeZFrt2AktXhqlwCD7 ZqRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KwkUew0XRp9nY2hKeEd/9DNbdaqjn44lIasFHTzP4z4=; b=hHtZXxXXgeTL/+b+BlGKflcARQsZ3pzFXluIJ6kDwbECxamMMTP77kmaXKDpYQhmo2 NTISpobMJBm33evGQiUrMW70asuhVdCoESHFXAnSFneDFkTdIzppVsuttI3JuqBorIz2 60PuECKbsPz88m7C3I2cZe2xkkSitHozyx2BHp/uMfJglLci7dWGRZWjD2RhW9dGYd9X HdNA/p9631pV6ke6oAglfkEJPZlXt4UY/+y02w5UbrcZrbmjHyDZZPpYS696jNArgCQT DFK48uP0uBlQ1YbKsyuL3F4hEQuZASuLk8su7afxlcIhD53tr4MBb4O1FgjdxmQaYTQ/ C2Wg==
X-Gm-Message-State: ABuFfoi2x80+jfEfv1vGT6267j5ToP7gbIAyuWkuV2Ww1ocPIojgYjTk yHjnHlCpfZwIMyKbNj7cCBMOHTx5/t51/cBdmDsDfw==
X-Google-Smtp-Source: ACcGV61aMt7Hn1s1MSQe+mnI2opXRA8yuQMXGUoY5yN7wWnYX26ZoYsmtNi26r6cYIM4m822JiudbYyyyStXyfN4d+U=
X-Received: by 2002:aca:3c56:: with SMTP id j83-v6mr348571oia.155.1538773511546; Fri, 05 Oct 2018 14:05:11 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgSBCnjNMBHa7iJWqOYF_DNh8gUbGS4jsz57rO5=uAM1EA@mail.gmail.com> <CAKHUCzxJ-5UmvA-3_sqNvWApN=zbLMbHTrwwv+-R3m6nS1RXJw@mail.gmail.com> <CAL02cgSJbB5-8z3-PA8Tk3mC8j=uehHVf=p5bmayub=MFLK0bw@mail.gmail.com> <CABdrxL6q-xpdEsQdrsxg-YEPz4ZpSaGxosaDHVCvHm8cwSTMYg@mail.gmail.com> <CAL02cgTTKttbV18DFkhik2jno15qbPu0A-YcjB3aFdwq8Lu9-w@mail.gmail.com>
In-Reply-To: <CAL02cgTTKttbV18DFkhik2jno15qbPu0A-YcjB3aFdwq8Lu9-w@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 05 Oct 2018 17:04:59 -0400
Message-ID: <CAL02cgTTi63KXm7jY1qhd75cRH=fT4jfU_2E3TvdOuZVbAXAsg@mail.gmail.com>
To: Cas Cremers <cas.cremers@gmail.com>
Cc: Dave Cridland <dave@cridland.net>, mls@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008bbcaa057781a074"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/8I4bfJAq41gEzX05Uw_ogDOqoss>
Subject: Re: [MLS] Removing ART; maybe adding partial-tree
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Oct 2018 21:05:16 -0000

Forgot to mention, I updated the PR to do this:

https://github.com/mlswg/mls-protocol/pull/67/commits/79f617200260682da5458d70f5972ef269babc7b

Also, with this change, you could really do Init as a pile of Adds stapled
together, with an Update tacked on the end if you want.

In a related vein, note that if you have a group and all you ever do are
Adds and Removes, then you basically have S/MIME / PGP with a degree of
forward secrecy; everything's linear and based on static keys.  Which
re-emphasizes the point that TreeKEM with partial trees supports a smooth
transition from that case to the full-tree, log(N) case.

On Fri, Oct 5, 2018 at 4:53 PM Richard Barnes <rlb@ipv.sx> wrote:

> One additional possibly-nice thing here: Adds can O(1) for existing
> members.
>
> Someone pointed out at the interim (I think Cas or Karthik) that in the
> Add case, there's no need for the existing members of the group to fold in
> new entropy into the group secrets, they just need to hash everything
> forward.  This means that the sender of an add doesn't need to encrypt any
> fresh entropy to the group, and the existing group members don't need to
> decrypt it.  The member sending the Add just needs to send the init_secret
> for the group to the new member and tell everyone to ratchet forward.
>
> Now, this doesn't mean that Adds are free.  It's just that instead of
> paying in units of computation to send/process the message, you pay in
> terms of future updates being more expensive, due to the ancestors of the
> new member being blanked.  If you have a tree of size N and do M adds, then
> the next Update/Remove will involve (log(N) + log(N) + M)
> encryptions/ciphertexts in the worst case.  (The extra log(N) comes from
> existing nodes being blanked out.)
>
> That said, if the new node updates quickly, then you're back to a whole
> tree and only log(N) operations.
>
> --Richard
>
> On Tue, Oct 2, 2018 at 5:52 AM Cas Cremers <cas.cremers@gmail.com> wrote:
>
>> Hi Dave and all,
>>
>> I would like to add one thing to Richard's explanation of the
>> rationale for dropping ART in favor of TreeKEM for now:
>>
>> An important implicit assumption is that TreeKEM doesn't seem to offer
>> less security guarantees than ART.
>>
>> However, given that the specification of protocols, threat models, and
>> properties isn't completely fleshed out, we don't really yet know if
>> this is true in any formal sense.  Analysis is continuing in parallel,
>> and we might need to backtrack in the worst case.
>>
>> This choice is not (and must not be) about efficiency alone.
>>
>> Best,
>>
>> Cas
>>
>> --
>> https://people.cispa.io/cas.cremers/index.html
>>
>> On Mon, Oct 1, 2018 at 11:15 PM Richard Barnes <rlb@ipv.sx> wrote:
>> >
>> >
>> >
>> > On Mon, Oct 1, 2018 at 10:34 PM Dave Cridland <dave@cridland.net>
>> wrote:
>> >>
>> >>
>> >>
>> >> On Mon, 1 Oct 2018 at 19:06, Richard Barnes <rlb@ipv.sx> wrote:
>> >>>
>> >>> Hey all,
>> >>>
>> >>> At the interim last week, there was agreement to remove the
>> discussion of ART from the protocol draft and focus on TreeKEM.  I have
>> implemented that change in the following pull request:
>> >>>
>> >>> https://github.com/mlswg/mls-protocol/pull/66
>> >>>
>> >>
>> >> I'm not objecting to the change - I lack sufficient cryptographic
>> knowledge to express an opinion - but it'd be very useful to read a
>> synopsis of the reasoning behind it, and a summary of the discussion. I
>> imagine future participants would find it useful too, and of course, all
>> decisions need to go by the list anyway.
>> >
>> >
>> > To recap the discussions at the interim, I think the reasons are
>> basically as follows, in descending order of importance:
>> >
>> > 1. ART requires each recipient of a message to do O(log N) DH
>> operations, where as TreeKEM only requires O(1).  This is a significant
>> difference for large groups / small devices.
>> > 2. TreeKEM offers the possibility of doing Add/Remove without double
>> join
>> > 3. TreeKEM offers the possibility of being able to merge Update messages
>> >
>> > While I don't think anyone has proved that (2) and (3) aren't possible
>> with ART, the fact that it's contributive makes them more difficult.
>> >
>> >
>> >>
>> >> I reviewed the PR for clarity/typos.
>> >>
>> >>>
>> >>> If a couple of folks could give a quick review, it would be
>> appreciated.  I also put together a PR describing how to do the "partial
>> tree" approach described at the interim and in my earlier message today.
>> >>>
>> >>> https://github.com/mlswg/mls-protocol/pull/67
>> >>
>> >>
>> >> Also reviewed for clarity/typos. I admit I'm mildly confused as to why
>> adding a node needs to blank the direct path, but at the same time I'm not
>> sure it makes any difference. (That is, here:
>> https://github.com/mlswg/mls-protocol/pull/67/commits/7a7cd37aec0ceff773600564b5c9619c3d06a115#diff-a87cc9081154f564150420544170f1c9R1113
>> ). That's probably just my lack of understanding somewhere.
>> >
>> >
>> > The reason is symmetric for Add and Remove.
>> >
>> > Recall that the invariant property the tree is supposed to have is that
>> a node's secret value and private key are only known to the holders of
>> leaves below that node in the tree.  For both Add and Remove, you need to
>> change the intermediate nodes above the target leaf, either to make it so
>> that the removed member doesn't know them or so that the added member
>> does.  The question is what relationship those intermediate nodes have to
>> the sender of the Add/Remove -- does the sender know the secret / private
>> key or not?
>> >
>> > On the one hand, if the sender does know the private key, then you have
>> a "double join" situation, where the sender knows something he's not
>> supposed to.  The phrase "double join" arises from the Add case, since the
>> relevant intermediate node secrets are known both to the new member and to
>> the sender of the Add.  Effectively, they both occupy the new member's
>> leaf, which complicates things quite a bit.  For example, if you now want
>> to evict the sender of the Add, you have to also evict the newly added
>> leaf, etc.  In the Remove case, the main impact of the double-join is that
>> you don't have a true Remove operation, you only have a Take-over
>> operation.  That makes it difficult to imagine how you would ever compact
>> the tree.
>> >
>> > On the other hand, if the sender doesn't know the private key, then the
>> node has to be blank..  In the Add case, there's no way (AFAIK) to set the
>> intermediate node values to something that is known to (a) the existing
>> members under those nodes and (b) the new member, without it also being
>> known to the sender of the add.  So the values that get decrypted to
>> intermediate nodes during the Add are only for the purpose of computing the
>> new root secret; the intermediate nodes can't have a non-blank value
>> without violating the tree invariant.
>> >
>> > It may be possible to avoid blanks in the Remove case, but we would
>> have to modify TreeKEM.  You could still do the "hash to the root" trick to
>> generate the fresh shared entropy for the epoch, but you couldn't just
>> overwrite the values of the intermediate nodes (as is done now).  You would
>> have to fold in some entropy only known to the existing members.  This is
>> probably worth some thought.
>> >
>> > Anyway, hope that helps,
>> > --Richard
>> >
>> >
>> >>
>> >>
>> >>>
>> >>>
>> >>> Feedback welcome!
>> >>>
>> >>> Thanks,
>> >>> --Richard
>> >>> _______________________________________________
>> >>> MLS mailing list
>> >>> MLS@ietf.org
>> >>> https://www.ietf.org/mailman/listinfo/mls
>> >
>> > _______________________________________________
>> > MLS mailing list
>> > MLS@ietf.org
>> > https://www.ietf.org/mailman/listinfo/mls
>>
>

v2.23.0 | Report a Bug | By Email