Re: [MLS] [Metadata encryption]

Benjamin Beurdouche <> Thu, 31 October 2019 15:32 UTC

From: Benjamin Beurdouche <>
Date: Thu, 31 Oct 2019 16:32:28 +0100
Cc: ML Messaging Layer Security <>
To: Pascal Junod <>
Subject: Re: [MLS] [Metadata encryption]
List-Id: Messaging Layer Security <>

> On Oct 31, 2019, at 3:42 PM, Pascal Junod <> wrote:
> Hi Benjamin! Thank you for your answer. Actually, it does not really answer my initial question, so let me be more specific:
>  - Starting from the sender_data_key (computed in a deterministic way from the group secret) and a randomly generated (for obvious nonce-reuse-related reasons) sender_data_nonce, we would like to encrypt sender metadata using the AEAD scheme (which is AES128-GCM in both currently supported ciphersuites).
>  - An AES-GCM API takes a key, a nonce, data to be encrypted, and additional data to be authenticated but not encrypted.
>  - The data to be encrypted are the ones contained in the MLSSenderData structure (senderID + generation).
>  - The additional data to be authenticated are the ones contained in the MLSCiphertextSenderDataAAD structure (group_id, epoch, content_type and sender_data_nonce).
> Why does the MLSCiphertextSenderDataAAD structure contain the sender_data_nonce? That nonce will in any case "influence" the AES-GCM authentication tag, so there is no need to repeat it as additional data to be authenticated, is there? What did I miss?

Ah, ok, sorry, I am a bit exhausted…
Since we have to send the fresh nonce for the recipient to decrypt the encrypted sender_data,
we place it in the header. If you look at the message format on the wire, we have the practice of
authenticating the entire prefix of what's encrypted (because we can).

Hopefully the visualization will help here (don't mind the new field; it is something we introduced in PR208).

The nice thing about doing that is that you don't have to "construct" the AADs; they are already right there for you.

Does that help? (Hopefully I understood this time xD...)
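The point of the reply, as an added example in Go that is not code from the thread or from any MLS implementation: the serialized MLSCiphertext prefix (group_id, epoch, content_type, sender_data_nonce) is passed to AES-128-GCM unchanged as the AAD, so neither side assembles a separate MLSCiphertextSenderDataAAD. Field widths (uint32 sender and generation, uint64 epoch, one-byte content_type, one-byte length prefixes on group_id and the nonce), the ContentType value, the key, the group id and the nonce are assumptions or constructed test values modelled on the 2019 draft layout the thread discusses, not normative encoding.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed TLS-syntax layout of the MLSCiphertext prefix (draft-07 era):
//   opaque group_id<0..255>; uint64 epoch; ContentType content_type;
//   opaque sender_data_nonce<0..255>;
// followed by encrypted_sender_data. The prefix is exactly the AAD.

// ContentTypeApplication is an assumed enum value, for illustration only.
const ContentTypeApplication byte = 1

// MLSSenderData is what the sender-data AEAD encrypts (sender + generation).
type MLSSenderData struct {
	Sender     uint32
	Generation uint32
}

// CiphertextHeader is the wire prefix that precedes encrypted_sender_data.
type CiphertextHeader struct {
	GroupID         []byte
	Epoch           uint64
	ContentType     byte
	SenderDataNonce []byte
}

// Marshal serializes MLSSenderData as two big-endian uint32s.
func (s MLSSenderData) Marshal() []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint32(b[0:4], s.Sender)
	binary.BigEndian.PutUint32(b[4:8], s.Generation)
	return b
}

// Marshal serializes the header; the result is byte-for-byte the AAD,
// nonce included, because the nonce is part of the prefix on the wire.
func (h CiphertextHeader) Marshal() ([]byte, error) {
	if len(h.GroupID) > 255 || len(h.SenderDataNonce) > 255 {
		return nil, errors.New("opaque<0..255> vector too long")
	}
	var buf bytes.Buffer
	buf.WriteByte(byte(len(h.GroupID)))
	buf.Write(h.GroupID)
	var epoch [8]byte
	binary.BigEndian.PutUint64(epoch[:], h.Epoch)
	buf.Write(epoch[:])
	buf.WriteByte(h.ContentType)
	buf.WriteByte(byte(len(h.SenderDataNonce)))
	buf.Write(h.SenderDataNonce)
	return buf.Bytes(), nil
}

// aeadAndAAD is shared by both directions: AES-128-GCM keyed with
// sender_data_key, nonce length checked, and the serialized prefix as AAD.
func aeadAndAAD(senderDataKey []byte, hdr CiphertextHeader) (cipher.AEAD, []byte, error) {
	if len(senderDataKey) != 16 {
		return nil, nil, errors.New("sender_data_key must be 16 bytes for AES-128-GCM")
	}
	block, err := aes.NewCipher(senderDataKey)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	if len(hdr.SenderDataNonce) != aead.NonceSize() {
		return nil, nil, fmt.Errorf("sender_data_nonce must be %d bytes", aead.NonceSize())
	}
	aad, err := hdr.Marshal()
	return aead, aad, err
}

// SealSenderData encrypts MLSSenderData under the header's nonce with the
// header itself as AAD; no separate AAD structure is constructed.
func SealSenderData(senderDataKey []byte, hdr CiphertextHeader, sd MLSSenderData) ([]byte, error) {
	aead, aad, err := aeadAndAAD(senderDataKey, hdr)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, hdr.SenderDataNonce, sd.Marshal(), aad), nil
}

// OpenSenderData is the receiver side: the same prefix it just parsed yields
// both the nonce and the AAD, and the tag is checked before sender/generation
// are trusted. Any change to the prefix (epoch, group_id, nonce) fails here.
func OpenSenderData(senderDataKey []byte, hdr CiphertextHeader, encSenderData []byte) (MLSSenderData, error) {
	aead, aad, err := aeadAndAAD(senderDataKey, hdr)
	if err != nil {
		return MLSSenderData{}, err
	}
	pt, err := aead.Open(nil, hdr.SenderDataNonce, encSenderData, aad)
	if err != nil {
		return MLSSenderData{}, fmt.Errorf("sender data authentication failed: %w", err)
	}
	if len(pt) != 8 {
		return MLSSenderData{}, errors.New("malformed MLSSenderData")
	}
	return MLSSenderData{Sender: binary.BigEndian.Uint32(pt[:4]), Generation: binary.BigEndian.Uint32(pt[4:])}, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed; a real key comes from the epoch secrets
	nonce := make([]byte, 12)          // fresh random nonce, as the thread describes
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	hdr := CiphertextHeader{GroupID: []byte("demo-group"), Epoch: 7, ContentType: ContentTypeApplication, SenderDataNonce: nonce}
	enc, err := SealSenderData(key, hdr, MLSSenderData{Sender: 3, Generation: 42})
	if err != nil {
		panic(err)
	}
	sd, err := OpenSenderData(key, hdr, enc)
	fmt.Printf("opened: %+v err=%v\n", sd, err)
	tampered := hdr
	tampered.Epoch = 8
	_, err = OpenSenderData(key, tampered, enc)
	fmt.Println("tampered epoch:", err)
}
```

Including sender_data_nonce in the AAD does not add to what GCM already binds through the nonce; its value is that the AAD is defined as the bytes already on the wire, so the receiver authenticates the prefix it parsed rather than rebuilding a structure from it. Note that this reflects the 2019 layout under discussion; later drafts and RFC 9420 changed sender-data protection (the nonce is derived from a sample of the ciphertext instead of being sent), so do not treat these field widths as current.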