Re: [MLS] Key Schedule: Replace DPRF with multi-input PRF (NPRF)
Chris Brzuska <chris.brzuska@aalto.fi> Sat, 25 July 2020 23:01 UTC
Return-Path: <chris.brzuska@aalto.fi>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 549A43A0B85 for <mls@ietfa.amsl.com>; Sat, 25 Jul 2020 16:01:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.119
X-Spam-Level:
X-Spam-Status: No, score=-2.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aalto.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id seZznPFNl5Gq for <mls@ietfa.amsl.com>; Sat, 25 Jul 2020 16:01:09 -0700 (PDT)
Received: from smtp-out-02.aalto.fi (smtp-out-02.aalto.fi [130.233.228.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92EF33A0B9E for <mls@ietf.org>; Sat, 25 Jul 2020 16:01:07 -0700 (PDT)
Received: from smtp-out-02.aalto.fi (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 5EDFB271579_F1CB9AFB; Sat, 25 Jul 2020 23:01:03 +0000 (GMT)
Received: from exng3.org.aalto.fi (exng3.org.aalto.fi [130.233.223.22]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (Client CN "exng3.org.aalto.fi", Issuer "org.aalto.fi RootCA" (not verified)) by smtp-out-02.aalto.fi (Sophos Email Appliance) with ESMTPS id D66E727156E_F1CB9AEF; Sat, 25 Jul 2020 23:01:02 +0000 (GMT)
Received: from exng6.org.aalto.fi (130.233.223.25) by exng3.org.aalto.fi (130.233.223.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3; Sun, 26 Jul 2020 02:01:02 +0300
Received: from [192.168.1.116] (130.233.0.5) by exng6.org.aalto.fi (130.233.223.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3; Sun, 26 Jul 2020 02:01:02 +0300
To: Richard Barnes <rlb@ipv.sx>
CC: Messaging Layer Security WG <mls@ietf.org>
References: <682de0fe-41c2-9b96-067b-6cb4b08e1e7c@aalto.fi> <7028_1594089739_5F03E109_7028_154_1_B0D017EB-1A15-4C96-84C8-1E202A5A51EF@nps.edu> <4ceb1790-ef66-0113-0f59-023ab1e713e7@aalto.fi> <CAL02cgTLkZrUBAD3LLKtgwfg+eNZKWMn0qEJ7=H98pRM=gzYxQ@mail.gmail.com> <5754afd7-f05f-2844-5656-4f4572b49fab@aalto.fi> <CAL02cgTQonKgoh4trxpQxY9ONVvM_b6U+hFif+9Tahf7or9rmg@mail.gmail.com> <0c22bb51-6ef2-a55c-0c3a-14e0b590d7c7@aalto.fi> <064ad211-9f5f-7254-aa48-d7aea0ca2c7f@aalto.fi> <CAL02cgQrHK4-Hv1MQCDt_GcDQ-Rz2mQMCzdprink5jTfetdSAw@mail.gmail.com> <7c3c0f7f-58d2-acfb-d5d6-e8e5e80299da@aalto.fi> <CAL02cgRVdoKoY8WkneWpA5=ELBsJMfNZF+96VcZ+YBkV6eKH=A@mail.gmail.com>
From: Chris Brzuska <chris.brzuska@aalto.fi>
Message-ID: <b921f021-9888-580f-b940-7ad1aca780a5@aalto.fi>
Date: Sun, 26 Jul 2020 02:01:01 +0300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <CAL02cgRVdoKoY8WkneWpA5=ELBsJMfNZF+96VcZ+YBkV6eKH=A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------063327395B6BD17B4FD9A920"
Content-Language: en-GB
X-Originating-IP: [130.233.0.5]
X-ClientProxiedBy: exng5.org.aalto.fi (130.233.223.24) To exng6.org.aalto.fi (130.233.223.25)
X-SASI-RCODE: 200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aalto.fi; h=subject:to:cc:references:from:message-id:date:mime-version:in-reply-to:content-type; s=its18; bh=7BlEh7yxzRVugc17QuWfsQEQzRCVKdVv3h0tRONczS4=; b=JcPvbum92aF8Z+OYGFthsKBwHF6RfsP9Iy55LAmSf9PJhgw4zura7NiUX8rnytbtH/kmcMHQaoOBUJFaqstMz/UulbwJFRYBpaJl15IEcetBwkZiBqMJ1WZSTDJpZm3rNMseTqNKmYkj6+45o1R2ZOZnaL5or/TY0xAW96kcvN3YTjSKBEfatFcaGfOZgW2thjwynSxvYWWfJG3cdyy2RgGVKkaQ/cVDH0ybeOOy4LUoBZPAGz8BYv4MdNiV4MpM+4vorlLm9mN+jLD3yQA1ehBlA0IBCAzuFmJj+TtkVhoWCmWfjk/j/gpO7zV0igH9UcsUnIs3dnURgq9Ulwdbmw==
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/B2twzfpLg3tvF5X9OSLF6NrR7i0>
Subject: Re: [MLS] Key Schedule: Replace DPRF with multi-input PRF (NPRF)
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Jul 2020 23:01:20 -0000
Right - so, I guess, I have another misunderstanding/confusion. I thought that the GroupSecrets, too, are only encrypted once under a single symmetric key, and then, this symmetric key is encrypted to all new members using HPKE. But I guess I misunderstood and this is not the case (why not?), because else, we could just use this same symmetric key to encrypt the GroupInfo, too. Chris On 26/07/2020 01:01, Richard Barnes wrote: > Correct, it’s for efficiency. It lets you encrypt one copy of the > GroupInfo and send it to many new joiners. If the group is large and > the Welcome carries the tree, this is a significant savings, > especially if you’re adding multiple new members in the epoch. > > > On Sat, Jul 25, 2020 at 17:36 Chris Brzuska <chris.brzuska@aalto.fi > <mailto:chris.brzuska@aalto.fi>> wrote: > > Thanks! > > Another clarification question: I am confused about why GroupInfo > and GroupSecrets are not encrypted using the same key? Since the > welcome_secret can be derived from the GroupSecrets, the use of > the welcome_secret does not seem to add security. Is this an > efficiency optimization? > > > Chris > > On 26/07/2020 00:14, Richard Barnes wrote: >> Think about the order of operations a new joiner goes through: >> >> 1. Decrypt the EncryptedGroupSecrets (including the >> joiner_secret) using the relevant HPKE private key >> 2. Compute the welcome_secret, welcome_key, and welcome_nonce >> 3. Decrypt the GroupInfo using the welcome_key and welcome_nonce >> >> My presumption is that the joiner will only know that it needs >> the PSK after step 3, when it can read the GroupInfo extensions. >> (See https://github.com/mlswg/mls-protocol/issues/367) That means >> that the welcome_secret can't depend on the PSK. >> >> On Sat, Jul 25, 2020 at 4:09 PM Chris Brzuska >> <chris.brzuska@aalto.fi <mailto:chris.brzuska@aalto.fi>> wrote: >> >> Hi Richard, >> >> I have a quick question: An additional change in your key >> schedule is that the welcome_secret is now derived *before* >> including the PSK. What is the motivation behind this? >> >> Thanks! >> >> Chris >> >> On 24/07/2020 22:18, Chris Brzuska wrote: >> >>> I see, thanks for clarifying. Obviously, with these >>> requirements, pull request #336 does not work as is. I think >>> that the conceptual issue of how to best combine two, three >>> keys and more keys, remains, now with an additional >>> requirement to combine two keys separately first. >>> >>> Will think about it, thanks for clarifying the requirements! >>> >>> Chris >>> >>> On 24/07/2020 21:47, Richard Barnes wrote: >>>> Your confusion is understandable -- the document is wrong >>>> right now! You are correct that the current design >>>> prohibits new joiners from participating in the PSK proof, >>>> but that's a bug, not a feature. The epoch secret should >>>> verify that *all members of the current epoch* know the >>>> PSK, not just the ones inherited from the last epoch. >>>> >>>> That's why #362 rearranges the key schedule as follows: >>>> >>>> init_secret_[n-1] (or 0) >>>> | >>>> V >>>> commit_secret -> HKDF-Extract = joiner_secret >>>> | >>>> +--> Derive-Secret(., "welcome") >>>> | = welcome_secret >>>> | >>>> V >>>> PSK (or 0) -> HKDF-Extract = member_secret >>>> | >>>> V >>>> GroupContext_[n] -> HKDF-Extract = epoch_secret >>>> >>>> (I also promoted the GroupContext to the main key >>>> schedule.) That's the context for my earlier comments. >>>> With that picture, the only thing you're coalescing with >>>> nPRF would be the latter two HKDF-Extract calls. >>>> >>>> Hope that helps, >>>> --Richard >>>> >>>> >>>> >>>> On Fri, Jul 24, 2020 at 2:32 PM Chris Brzuska >>>> <chris.brzuska@aalto.fi <mailto:chris.brzuska@aalto.fi>> wrote: >>>> >>>> Hey Richard, >>>> >>>> thank you for looking into this. I think, I need more >>>> explanation to understand the following point: >>>> >>>> >>> You can't add the commit secret and PSKs in the >>>> same operation, because you want new joiners to put in >>>> the PSK, but you don't want them to have to know the >>>> commit secret. >>>> >>>> The current draft sais the following about the PSK: >>>> "Groups which already have an out-of-band mechanism to >>>> generate *shared* group secrets can inject those in the >>>> MLS key schedule to seed the MLS group secrets >>>> computations by this external entropy. At any epoch, >>>> including the initial state, an application can decide >>>> to synchronize the injection of a PSK into the MLS key >>>> schedule. This mechanism can be used to improve >>>> security in the cases where having a full run of >>>> updates across members is too expensive or in the case >>>> where the external group key establishment mechanism >>>> provides stronger security against classical or quantum >>>> adversaries." >>>> >>>> As I understand this paragraph, the PSK is known by all >>>> group members and not related to new joiners. Maybe, >>>> the requirements and/or design changed in the >>>> meanwhile, and I am not aware of it. I interpreted the >>>> paragraph this way, since the current construction >>>> (posted below for convenience) also requires to know >>>> the commit_secret to derive the epoch_secret (from >>>> which the welcome_secret is derived). Where did I go wrong? >>>> >>>> Thanks! >>>> >>>> Chris >>>> >>>> init_secret_[n-1] (or 0) >>>> | >>>> V >>>> PSK (or 0) -> HKDF-Extract = early_secret >>>> | >>>> Derive-Secret(., "derived", "") >>>> | >>>> V >>>> commit_secret -> HKDF-Extract = epoch_secret >>>> >>>> >>>> On 24/07/2020 20:53, Richard Barnes wrote: >>>>> Hey Chris, >>>>> >>>>> I was looking again at the key schedule as I was >>>>> drafting #362 [1]. A couple of things occurred to me: >>>>> >>>>> 1. You can't add the commit secret and PSKs in the >>>>> same operation, because you want new joiners to put in >>>>> the PSK, but you don't want them to have to know the >>>>> commit secret. >>>>> >>>>> 2. The nPRF construction you propose has the same >>>>> number of HMAC invocations as the chained-HKDF-Extract >>>>> stuff that's in the current draft / 362. >>>>> >>>>> Given those observations, I wonder how much an nPRF is >>>>> really buying us. It's not saving us any HMAC calls, >>>>> and relative to #362, it would only coalesce two DPRF >>>>> calls into one nPRF call. >>>>> >>>>> Maybe there's some benefit if there are multiple >>>>> PSKs? But even then, it seems like you could add a >>>>> layer, computing a synthetic PSK from the multiple >>>>> ones, and keeping the main key schedule simple. >>>>> >>>>> At this point, given the above and the novelty of the >>>>> nPRF construction, I'm inclined to just stick with >>>>> HKDF and merge #362 instead of #336. >>>>> >>>>> --Richard >>>>> >>>>> >>>>> [1] https://github.com/mlswg/mls-protocol/pull/362 >>>>> >>>>> On Tue, Jul 7, 2020 at 5:30 AM Chris Brzuska >>>>> <chris.brzuska@aalto.fi >>>>> <mailto:chris.brzuska@aalto.fi>> wrote: >>>>> >>>>> Thank you for the pointer to Carter-Wegman MACs. >>>>> >>>>> >>> This style of combing hash outputs does affect >>>>> collision resistance [4], and some discussion on >>>>> relation to that would be nice to see. >>>>> >>>>> That's an excellent point. In addition to >>>>> pseudorandomness, we prove the >>>>> collision-resistance of our construction. I.e., >>>>> assuming that no unique value is used twice and >>>>> assuming that HMAC is collision-resistance, then >>>>> the final Expand operation guarantees unique >>>>> outputs. I.e., by including the unique value into >>>>> the final Expand operation after the xor, the >>>>> construction recovers from any collisions incurred >>>>> by the xor. >>>>> >>>>> Chris >>>>> >>>>> On 07/07/2020 05:41, Hale, Britta (CIV) wrote: >>>>>> >>>>>> This is an interesting proposal. It is closely >>>>>> related at a high level to Carter-Wegman MACs >>>>>> (i.e. for random seed r, MAC((k1, k2), m) = >>>>>> PRF(k1, r) XOR MAC(k2, m)). Quite a few MACs fall >>>>>> into this category in practice. Considering the >>>>>> use of a MAC-based KDF and the proofs of [3] on >>>>>> DPRFs, there is an overlap between NPRFs and >>>>>> extrapolation of the above (based on iteration of >>>>>> the PRF guarantees). >>>>>> >>>>>> This is worth noting from an assurance >>>>>> standpoint: there was discussion at the virtual >>>>>> interims with respect to the current formulation >>>>>> of MLS key derivation, which has a “TLS >>>>>> precedence”, yet this proposal is not without >>>>>> precedence itself. Ergo, such a change should not >>>>>> necessarily be concerning based on differing from >>>>>> current practice. >>>>>> >>>>>> This style of combing hash outputs does affect >>>>>> collision resistance [4], and some discussion on >>>>>> relation to that would be nice to see. >>>>>> >>>>>> Britta >>>>>> >>>>>> [1] Carter, Wegman. Universal classes of hash >>>>>> functions. >>>>>> >>>>>> [2] Carter, Wegman. New hash functions and their >>>>>> use in authentication and set equality. >>>>>> >>>>>> [3] Bellare and Lysyanskaya. Symmetric and Dual >>>>>> PRFs from Standard Assumptions: A Generic >>>>>> Validation of an HMAC Assumption. >>>>>> >>>>>> [4] Bernstein. What output size resists >>>>>> collisions in a xor of independent expansions? >>>>>> >>>>>> *From: *MLS <mls-bounces@ietf.org> >>>>>> <mailto:mls-bounces@ietf.org> on behalf of Chris >>>>>> Brzuska <chris.brzuska@aalto.fi> >>>>>> <mailto:chris.brzuska@aalto.fi> >>>>>> *Date: *Tuesday, June 9, 2020 at 10:32 AM >>>>>> *To: *"mls@ietf.org" <mailto:mls@ietf.org> >>>>>> <mls@ietf.org> <mailto:mls@ietf.org> >>>>>> *Subject: *[MLS] Key Schedule: Replace DPRF with >>>>>> multi-input PRF (NPRF) >>>>>> >>>>>> Hi all, >>>>>> >>>>>> I would like to open a discussion on a suggestion >>>>>> for a change in the key schedule. In the current >>>>>> draft, we use the Extract function twice as a >>>>>> dual pseudorandom function (DPRF) when combining >>>>>> 3 keys (*) and interleave them with an Expand call. >>>>>> >>>>>> The suggestion [1] is to replace these 3 calls by >>>>>> a multi-input PRF (NPRF) which is especially >>>>>> designed to return a pseudorandom key when at >>>>>> least one of the input keys is pseudorandom. The >>>>>> new suggestion relies on standard PRF security >>>>>> rather than DPRF-security of Extract. >>>>>> >>>>>> You can find the accompanying paper with >>>>>> pictures, discussion and security reduction for >>>>>> the design principle here [2]. I include a >>>>>> summary of the main points in the end of this eMail. >>>>>> >>>>>> Please comment/share your opinion. Thanks! >>>>>> >>>>>> Chris >>>>>> >>>>>> (*) commit_secret, PSK and init_secret >>>>>> >>>>>> [1] Pull >>>>>> Request:https://github.com/mlswg/mls-protocol/pull/337 >>>>>> >>>>>> [2] Paper: http://chrisbrzuska.de/2020-NPRF.html >>>>>> >>>>>> *--------------------------------------------------------------------------------------------------------------------* >>>>>> >>>>>> *Summary of main points:* >>>>>> >>>>>> The current key schedule >>>>>> - uses Extract as a dual pseudorandom function >>>>>> and assumes that HMAC is a dual pseudorandom function >>>>>> - applies Extract after Expand, i.e., after >>>>>> applying a function which generates a >>>>>> pseudorandom value >>>>>> - iterates Extract-then-Expand sequentially to >>>>>> combine more than 2 keys >>>>>> >>>>>> The pull request suggests to >>>>>> - replace the ad-hoc assumption that Extract is a >>>>>> dual pseudorandom function >>>>>> - remove Extract steps when applied after Expand >>>>>> - use a provably secure NPRF construction which >>>>>> allows to combine more than 2 keys and is based >>>>>> on a standard PRF assumption and statistical >>>>>> properties of xor. >>>>>> >>>>>> Efficiency: >>>>>> - The suggested construction has higher parallel >>>>>> efficiency. It increases the overall number of >>>>>> HMAC evaluations by 1. >>>>>> >>>>>> Assumptions: >>>>>> - HMAC is a standard PRF. >>>>>> - Relies on a unique value, the group_context was >>>>>> suggested. >>>>>> >>>>>> Construction: >>>>>> (1) Use unique value to expand each key and xor >>>>>> the result >>>>>> (2) expand resulting key, including unique value >>>>>> into the context again >>>>>> >>>>>> Security argument: >>>>>> - Pseudorandomness: unique value ensures that >>>>>> each outcome of Expand in (1) is used only once >>>>>> in a xor combination, thus allowing on one-time >>>>>> pad argument of xor. >>>>>> - Uniqueness of resulting keys: (2) ensures that >>>>>> if HMAC is collision-resistent, then the result >>>>>> is collision-resistent. >>>>>> >>>>>> Variants: >>>>>> - It is possible to use an NPRF variant called >>>>>> NameNPRF [2] which has 3 HMAC evaluations more >>>>>> and relies less on the unique value. I.e., >>>>>> NameNPRF is secure in the same scenarios as DPRF: >>>>>> Keys only repeat if the input keys repeat *and* >>>>>> the group context repeats. >>>>>> >>>>>> Questions/Comments that came up: >>>>>> - Barnes, MacMillion suggested group_context as >>>>>> unique value >>>>>> - MacMillion wondered about removal of Extract: >>>>>> One can add an extract operation for the psk. For >>>>>> other input keys, it does not seem needed, since >>>>>> they were returned from Expand. >>>>>> - Wood: Can we replace HMAC by arbitrary PRF? >>>>>> Yes. For uniqueness of output keys, the PRF needs >>>>>> to be collision-resistant, too. >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> MLS mailing list >>>>>> MLS@ietf.org <mailto:MLS@ietf.org> >>>>>> https://www.ietf.org/mailman/listinfo/mls >>>>> _______________________________________________ >>>>> MLS mailing list >>>>> MLS@ietf.org <mailto:MLS@ietf.org> >>>>> https://www.ietf.org/mailman/listinfo/mls >>>>>
- [MLS] Key Schedule: Replace DPRF with multi-input… Chris Brzuska
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Hale, Britta (CIV)
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Chris Brzuska
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Richard Barnes
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Chris Brzuska
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Richard Barnes
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Chris Brzuska
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Chris Brzuska
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Richard Barnes
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Chris Brzuska
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Richard Barnes
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Chris Brzuska
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Konrad Kohbrok
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Chris Brzuska
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Richard Barnes