Re: [MLS] TreeKEM: An alternative to ART

"Katriel Cohn-Gordon" <> Thu, 03 May 2018 20:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BB9EB12EACB for <>; Thu, 3 May 2018 13:35:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.678
X-Spam-Status: No, score=-1.678 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MISSING_HEADERS=1.021, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key) header.b=LU190V5J; dkim=pass (2048-bit key) header.b=N9E5R6/o
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DkL1taV4KeI6 for <>; Thu, 3 May 2018 13:35:47 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 73423126CC7 for <>; Thu, 3 May 2018 13:35:47 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal []) by mailout.nyi.internal (Postfix) with ESMTP id B6B8620DB0 for <>; Thu, 3 May 2018 16:35:46 -0400 (EDT)
Received: from web3 ([]) by compute6.internal (MEProxy); Thu, 03 May 2018 16:35:46 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=cc:content-transfer-encoding:content-type:date:from :in-reply-to:message-id:mime-version:references:subject :x-me-sender:x-me-sender:x-sasl-enc; s=mesmtp; bh=+CI9Oo3Ga0I5jM h4OuzLkitTwc7wpW8wefZ+YfpxKJk=; b=LU190V5JsYLrdlEs+rY1b5cwzB63Hs vuqVwXx9Hlw+5FCugzDf89bT9fFnJ6E8OE1a+1NharwsOM9CVbvegie+YagFOltZ a3DieloKuaARmcYv1W6ALtPjJYCHaluyhFwzAHp/UU8CnNgtuODQ8ydRd0YakGwT sw/Zkcu6deTcI=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=+CI9Oo3Ga 0I5jMh4OuzLkitTwc7wpW8wefZ+YfpxKJk=; b=N9E5R6/osooLtnR4Ili7bBmrm ND/1BzvxFDFABSx3SdXl4Rf50aiuvT3hpmRoE6NIaA9J8SC9i+7rcaHqWhabMcM1 t5V7yPkFHqUFiDq1XR5X0AKwDbrTa5owvPaZd2MXVDdL5fTD3LR0iHVV3DIJ3VXh zPFyRL4loMC+oZe9cHz+K7eJMC8vhK855xMWSP3vjxj7I9bem5ftvtXJ72fox5V4 LWj/rlaHl44hMf6lSXT37GZA5u3wF05JQs4WCNIRwSXE4DpGEzfRGWF2kJULlFfH YYu3Onp9MHbJq8WjT6AgBh3CGjsokf9QTYF3ULSg5l9WH/7nOENc85d0/Hayw==
X-ME-Sender: <xms:onLrWlUnS3lnzWpHaJwO8a9NpGvwYqLae9hKrHQhaV6sEaLEmBVRxw>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 648339E371; Thu, 3 May 2018 16:35:46 -0400 (EDT)
Message-Id: <>
From: "Katriel Cohn-Gordon" <>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="_----------=_15253797468250040"
X-Mailer: Webmail Interface - ajax-62b61488
References: <> <> <>
Date: Thu, 03 May 2018 21:35:46 +0100
In-Reply-To: <>
Archived-At: <>
Subject: Re: [MLS] TreeKEM: An alternative to ART
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Messaging Layer Security <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 03 May 2018 20:35:51 -0000

Thanks for this, it seems like a solid proposal and has a lot of good
points! A couple of things I particularly like:
 * using an abstract KEM instead of DH arithmetic is a nice, clean
 * it could well be more amenable to formal analysis, particularly for
   symbolic tools which can struggle with complicated DH trickery

One thing I would like to understand better is how the PCS guarantees
interact with merged updates.  I think (please correct me if I am
wrong!) that a key insight is that the tree is  not really part of the
update process at all. Instead, the PCS guarantees seem to come from the
fact that  each agent's update  hashes a fresh secret value N into the
master secret chain, and the tree is kind of like a broadcast encryption
scheme for distributing N.
If that's correct, it might be a good separation to make in the
design/analysis, and perhaps even a good idea to separate out the fresh
value that gets hashed into the master secret chain from the keys used
in the tree.  (I am a little worried about attacks whereby an adversary
manages to receive and decrypt say h^2(k), and then derive h^5(k) and
hash it into the master secret to break PCS. Having agents generate one
set of keys for the tree and another key for the master chain might help
a compositional proof.)

One other minor nit: I think TreeKEM, like ART, might need a function
mapping bitstrings to KEM keypairs. This could be the same i as in ART
if the encryption is something like ECIES.

On Thu, 3 May 2018, at 3:36 PM, Richard Barnes wrote:
> Just for context: Note that TreeKEM, like ART, is an "inner loop" /
> "subroutine" for MLS.  It handles the establishment of a key that's
> confidential to the group members.  There's still a need for more
> mechanism to provide authentication.> 
> Speaking of protocol, in protocol terms, TreeKEM, while we haven't
> elaborated a precise protocol, if you look at the very basic sketch
> that's in the repo EKR linked, the protocol looks very similar to what
> we have for ART now.  Basically, where ART sends public keys, TreeKEM
> needs to send (public key, PKE ciphertext) pairs.  So there's a bit of
> additional communications overhead, but not a dramatic reworking of
> the messages.> 
> Having spent some time with this approach, I appreciate that it can be
> kind of hard to digest; it has a few more moving parts than ART.  I
> would be happy to set up a call sometime if people wanted to talk this
> through.> 
> --Richard
> On Thu, May 3, 2018 at 10:33 AM Eric Rescorla <> wrote:
>> Oops. I forgot to attach the paper.
>> On Thu, May 3, 2018 at 7:26 AM, Eric Rescorla <> wrote:
>>> Hi folks,
>>> Several of us (Karthik, Richard, and I) have been working on an
>>> alternative to ART which we call TreeKEM. TreeKEM parallels ART in
>>> many ways, but is more cryptographically efficient and is much
>>> better>>> at handling concurrent changes. The most common behaviors (updating>>> ones own key) can be executed completely concurrently, merging
>>> all the>>> requested changes.
>>> We've attached a draft technical paper describing the details, and
>>> some slides, but here's a brief overview of TreeKEM.
>>> Code:,
>>>>>> Explainer slides:
>>> As with ART, TreeKEM addresses the scaling problem by
>>> arranging nodes>>> in a binary tree. In the steady state, each node i has a key
>>> pair but>>> instead of having two siblings do DH to determine their shared
>>> key, we>>> derive the shared key by hashing the key of the last node to update.>>> As before, each node knows all the keys to its parents.
>>> Imagine we have the four node tree a, b, c, d which was constructed>>> in that order. The private keys at each vertex are shown below.
>>>        H^2(d)
>>>       /     \
>>>     H(b)    H(d)
>>>     / \     / \
>>>    a   b   c   d
>>> Now say that b wants to update its key to b', giving us the tree:
>>>        H^2(b')
>>>       /     \
>>>     H(b')   H(d)
>>>     / \     / \
>>>    a   b'  c   d
>>> This requires providing 
>>>   - a with H(b') -- note that a can compute H^2(b') for itself.
>>>   - c and d with H^2(b')
>>> Recall that you can encrypt to any subset of the tree by just
>>> encrypting to the appropriate set of parent nodes. So, we can
>>> do this by sending:
>>>   - E(pubkey(a), H(b'))
>>>   - E(pubkey(H^2(d)), H^2(b'))
>>> Where pubkey(k) gives the public key derived from private key k.
>>> As with ART, you then mix the new tree root (H^2(b')) into the
>>> current>>> operational keys and use the result to derive the actual
>>> working keys.>>> 
>>> The big win in TreeKEM is that you can handle an arbitrary number
>>> of concurrent updates, just by applying them in order. Again,
>>> consider our starting tree, but assume that b and c both try to
>>> update at once. a thus receives two updates
>>>   - E(pubkey(a), H(b'))       [b's update]
>>>   - E(pubkey(H(b)), H^2(c'))  [c's update]
>>> If we apply these in order b, c we get the tree:
>>>        H^2(c')
>>>       /     \
>>>     H(b')   H(c')
>>>     / \     / \
>>>    a   b'  c   d
>>> a can easily compute this.
>>> In order to make this work, we need two things:
>>> 1. a needs to keep a copy of its current tree around until it has
>>>    received all updates based on that tree
>>> 2. there needs to be an unambiguous ordering of updates
>>> The way to handle (1) is probably to have some defined "window"
>>> of time during which an update can be received. The node needs
>>> to hold onto its old key until that window has passed. (2) can
>>> be handled by having the messaging system provide a consistent
>>> order and then agreeing to apply updates consecutively. If we
>>> want to concurrently apply other changes, we may need to sort
>>> based on change type within the window.
>>> ADDS
>>> In order to add itself to the group (USERADD), a node merely puts
>>> itself at the right position in the tree and, generates a
>>> random key,>>> and then sends the appropriate keying material to everyone in
>>> its path>>> to the root.
>>> In order to add another node to the group (GROUPADD), the adding
>>> node does exactly the same thing as with a USERADD, but also sends
>>> a copy of the new key to the node being added.. Note that this
>>> creates>>> a double-join, which we will cover later.
>>> In order to remove another node from the tree, the removing node
>>> sends the same message that the evicted node would have sent if
>>> it had sent an update, but with a new key not known to the evicted
>>> node (note that this naturally omits the evicted node, because you
>>> encrypt to the co-path). This also creates a double-join, where the>>> removing node knows the dummy key.
>>> In order to receive messages, a node need only keep its secret keys,>>> which range between 1 key (if it was the last to update) and log(N)>>> keys (in the worst case).
>>> In the best case, in order to update, a node needs to also know
>>> the public keys for everyone on its co-path. However.
>>> In order to be able to do deletes, a node also needs to be able
>>> to get the public key for any node in the tree (leaf or internal).
>>> It's easy to see this by realizing that to delete a node you need
>>> to encrypt a new key to its sibling, and so to delete any node,
>>> you need to be able to access every node's public key. However,
>>> a node need not store this information, but can retrieve it
>>> on demand when it needs to delete another node.
>>> The paper contains more details. but generally TreeKEM is somewhat
>>> more efficient in terms of asymmetric crypto operations than ART.
>>> Like ART, TreeKEM has double-join problems whenever one group member>>> provides a service (or a disservice, in the case of remove) for
>>> another>>> group member. In the case of GROUPADD, the double join will resolve
>>> itself>>> as soon as the added node updates its key. However in the case of
>>> REMOVE, this cannot happen, and so double join needs to be
>>> dealt with in some other way.
>>> One option is to have selective updates: each node keeps track of
>>> extra tree state and uses it to control its updates. For instance,
>>> if we never send updates to deleted nodes, than as soon as a deleted>>> node's sibling sends an update, the double-join will be resolved.
>>> In a more sophisticated -- but also more expensive to implement --
>>> version, we track which nodes control the keys of other nodes and
>>> REMOVE all affected nodes when we do a delete.
>>> -Ekr
> _________________________________________________
> MLS mailing list