Re: [MLS] Idea for Issue #33
Nick Sullivan <nick@cloudflare.com> Thu, 24 January 2019 17:13 UTC
Return-Path: <nick@cloudflare.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02378131255 for <mls@ietfa.amsl.com>; Thu, 24 Jan 2019 09:13:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yvfI2nIEI7Tl for <mls@ietfa.amsl.com>; Thu, 24 Jan 2019 09:13:26 -0800 (PST)
Received: from mail-ot1-x32e.google.com (mail-ot1-x32e.google.com [IPv6:2607:f8b0:4864:20::32e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C057E131250 for <mls@ietf.org>; Thu, 24 Jan 2019 09:13:22 -0800 (PST)
Received: by mail-ot1-x32e.google.com with SMTP id s5so5891673oth.7 for <mls@ietf.org>; Thu, 24 Jan 2019 09:13:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VmUxehPstHRS1Intd2gbf2BymTtfSDQwFuaV5BfL26U=; b=Hui8KDO+NETjjtn5nAnAMfBW7M66eVFySYamXwvGpx50/22Uq1/Dkl4FWv90ot6y1c 1FlztvZiH11Vs6jZim8sffDKVIaiDDBSc4lowzboQixayJNFu0wkuBFxXGDIxM+azMvk DznHyGaIXX9nWitiEsabp+9CShFDPiV0c6qI0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VmUxehPstHRS1Intd2gbf2BymTtfSDQwFuaV5BfL26U=; b=s5zVlh1ohma3/O3fjwFmfrdeVcVz2zxSq/wG+V9ZmTGxPxoSzaBvhTak5nazhgXdlP uHPq+KtEsFciq/wFhE1CZYl8VjaxEOik87y3sKmvo/3AU75itBho40aWsH4xeI84Ho8R uaUVt2WOhvUkf5FYjILiNLBiN0vuPHFmxEBD9ubxZ5SgMsylgYENYO+luXViFxjipUFN CZvMii898VL6lx+ax0sVD/sJaAgNhj6YeqUNcENVhcFcvLjV+EM/ly4OhKqqnV6bKfqj H8gEg7+Ycx0ToTECO9fsKvpPCSQu3tG3yrXEZ9zaqO7jwBhAD4zcDLrHayfm4idB//J7 feIA==
X-Gm-Message-State: AJcUukeiVAxlKdc/QgnjuDFc/WJ31CZijHn7T4HabLfrJejKPvcOvlrb QnI7BLZP0iBt3gPNQT9wHfQM1Tc8VhZGMJmA7mgtFR/yCCI=
X-Google-Smtp-Source: ALg8bN6+9ror/HWSIozbpa5xwb5zdXHLZMcoRdzBGNoiIuCEKGo+P0xKIO74zfVb+923TXi58oD33P0EDfI2Ft7ZKrk=
X-Received: by 2002:a9d:3f7:: with SMTP id f110mr5254172otf.171.1548350001763; Thu, 24 Jan 2019 09:13:21 -0800 (PST)
MIME-Version: 1.0
References: <CAFDDyk8Onmkmn=BeK27X5cXVsN1ardw745vX2QqxYhwYnAC-RA@mail.gmail.com> <CAMvzKsgHxpU6wjH29DsjSBSGaMc-Cy2_QAx0QYq+_-0cN6D1oQ@mail.gmail.com>
In-Reply-To: <CAMvzKsgHxpU6wjH29DsjSBSGaMc-Cy2_QAx0QYq+_-0cN6D1oQ@mail.gmail.com>
From: Nick Sullivan <nick@cloudflare.com>
Date: Thu, 24 Jan 2019 09:13:11 -0800
Message-ID: <CAFDDyk_R4YbqKbzobss=7MWPy8nQyzbD5f=K5O669+=Dp_CWZQ@mail.gmail.com>
To: Yevgeniy Dodis <dodis@cs.nyu.edu>
Cc: "mls@ietf.org" <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d7fa030580375311"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/DCEKbsnoRKmFTmCuMT-rHIfDapA>
Subject: Re: [MLS] Idea for Issue #33
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jan 2019 17:13:30 -0000
On Wed, Jan 23, 2019 at 7:02 PM Yevgeniy Dodis <dodis@cs.nyu.edu> wrote: > Hi Nick. > > As I told Jon and you in Mountain View, this is a really nice idea. > > A couple of concerns regarding the specific proof of DLEQ by the > receiver. Effectively, a malicious sender > can send a ciphertext of the form <Q, garbage> for any value Q of its > choice (not necessarily the one where he > knows r such that Q = rP, and the receiver will "complain" by opening > the value aQ. In crypto terms, this corresponds > to CDH (computational diffie-hellman) oracle: given (P, P' = aP) fixed > and any value Q, return aQ. > > There is an old paper of Maurer and Wolf which shows CDH and discrete > log (DL) are polynomially equivalent in certain groups: > ftp://ftp.inf.ethz.ch/pub/crypto/publications/MauWol99b.pdf > I think standard groups we use do not fall there, but I did not check > the paper in more detail. > > Of more immediate concern, this opens the following simple chosen > ciphertext attack. Malicious sender wants > to decrypt some old valid ciphertext (C=rP, D). He wants to obtain D / > xC, so suffices to compute xC. > He generates random r', and submits ciphertext (C' = r' C, garbage). > Receiver will complain by opening > x C' = r' (xC), from which can raise to 1/r' to recover xC, and hence > D/xC. > > Is this chosen ciphertext attack possible? What might save us is that > the only people who encrypt to node with public > key aP, are the nodes in the subtree rooted by the sibling of a, since > only then a is on the co-path. And these nodes anyway should be > allowed to decrypt all ciphertexts encrypted using aP to the subtree > rooted at a. But I feel we might concoct a scenario where this attack > could be relevant. Not sure now, just pointing out this concern. The hope was that by requiring the sender to create a Schnorr NIZK that they know r for rP that you couldn’t construct a Q for which revealing aQ does not reveal anything about a previous Q (=r’P without knowing r’). Is it really possible to do this without solving the DLP for Q with respect to P? I guess if the participant sending the bad update was the one to send r’ previously then they could construct this proof (for r’+1, for example) and force the target to reveal a previous group state. This is one of the downsides of TreeKEM’s non-contributiveness, I guess. > > > In general, one malicious insiders are allowed, my feeling is that we > need some kind of CCA protection, and basic ElGamal will not be > secure. > > Still, I love the idea, and hope we can make it work... > Yevgeniy > > > > > > On Wed, Jan 23, 2019 at 8:34 PM Nick Sullivan > <nick=40cloudflare.com@dmarc.ietf.org> wrote: > > > > Hello all, > > > > Relaying some ideas that I posted in the Github issue that allow a > participant that was maliciously removed from the group by a bad update > message to publicly prove that it was given an inconsistent update. This is > an idea based on lightweight zero-knowledge proofs. > > > > https://github.com/mlswg/mls-protocol/issues/21 > > > > Recall the following from ECIES: > > Say that you are encrypting a ciphertext X to a user with private key a, > public key A (= aP) and elliptic curve base point P. The ECIES ciphertext > is the pair (rP, c) where r is a randomly-chosen scalar and c is the > encryption of X with a key derived from k=KDF(rA)=KDF(raP). > > > > The key to this mechanism is revealing enough to prove to a third party > that an update received by the user is decrypted to an inconsistent X than > an update received by another participant, but without revealing the > private key a (which would compromise the confidentiality of previous > messages). > > > > Proposed modifications of the protocol: > > 1) Add a mechanism that allows a party with access to a supposed secret > value of a node to validate the consistency of the chain of hashed derived > from that secret. This could be implemented by creating a public value that > consists of a KDF of the secret value with a known public value for every > node that is being updated. To check a secret value, the validating party > needs to compute the KDF for every node up the tree to the root and compare > with the published values. > > > > The KDF acts as sort of a public integrity hash of to the node's secret > value. > > > > 2) Add a Schnorr NIZK of knowledge (RFC 8235) of the random value r with > every ECIES ciphertext. This proves that the r used in the ECIES encryption > is known to the updater and rP is not trivially derived from some other > previously sent r'P. > > > > For one participant to prove that they were given an update message that > did not include the correct node secret, that participant can reveal the > following: > > arP, DLEQ(arP:rP :: P:aP) > > > > Where a is the node's private key, and DLEQ is a discrete log > equivalence proof that shows that arP is rP multiplied by the private key a > of the user. > > > > > > So in summary, we would add: > > - Proof of knowledge of the randomness used in ECIES > > - Public KDF of each node's secret value > > and then a member could prove to an auditor that it was given the wrong > secret by revealing: > > - an intermediate calculation of the ECIES decryption, a DLEQ proof that > the right key was used > > > > > > I'm eager for this proposal to have some holes shot in it. > > > > > > Nick > > > > > > _______________________________________________ > > MLS mailing list > > MLS@ietf.org > > https://www.ietf.org/mailman/listinfo/mls >
- [MLS] Idea for Issue #33 Nick Sullivan
- Re: [MLS] Idea for Issue #33 Richard Barnes
- Re: [MLS] Idea for Issue #33 Nick Sullivan
- Re: [MLS] Idea for Issue #33 Nick Sullivan
- Re: [MLS] Idea for Issue #33 Yevgeniy Dodis