Re: [MLS] TreeKEM: An alternative to ART
Richard Barnes <rlb@ipv.sx> Thu, 10 May 2018 19:05 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BF81126E64 for <mls@ietfa.amsl.com>; Thu, 10 May 2018 12:05:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b92whPENUVoO for <mls@ietfa.amsl.com>; Thu, 10 May 2018 12:05:33 -0700 (PDT)
Received: from mail-ot0-x22a.google.com (mail-ot0-x22a.google.com [IPv6:2607:f8b0:4003:c0f::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D6EA126FB3 for <mls@ietf.org>; Thu, 10 May 2018 12:05:33 -0700 (PDT)
Received: by mail-ot0-x22a.google.com with SMTP id 15-v6so3502387otn.12 for <mls@ietf.org>; Thu, 10 May 2018 12:05:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=C5UD/sJGqnzu+KF25evy21YPdHlXxlD2lLnvBiM4n0Q=; b=OCi90aklBREj3pC/2Crue2RjuqSPsWeYaJdSbD5PoWwiyo9qjwPH27eVsRU1bvLMe6 NsEsrcZbqLgasrOKgCXvQx/YOuSjtzN3nyvYpnyoXKt2OuOkezcRZC8tDhd/8RFrcAvB cYnmBVuBoNaZI6rNzyYIDiRENMZU0iW87ojB7hGVUDkUhwUc2rTd3kWfucgLF+3HwahM Ke+0+mqP8V3nEFL5X1aXDXqUnbP1pVUyGWvVqzUw+XCzgzZwWTJuplf/7KOaX4GqW0Jx nxSxSQICeD09iU6jiMzY8kPZ0MognOs8Jnr6rswSlY05eqI/kPg8BgeqSnfSrckit/04 331A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=C5UD/sJGqnzu+KF25evy21YPdHlXxlD2lLnvBiM4n0Q=; b=KeI3ZL861mGtgh+cgsHAUBnCJ42ZBQWC65O+J7UgQ6nI5HBIScE45lNv6lYvtvWAby cFMy7aJpGSVgvbx9B/8cz+BhjRjID/1+5Y5m4dAhSwJYNz3jUyTRDUmv4BPNbDFNBPvr hjVqYjogyqSyM10r3nQ6OPNNAfQAjxM0VWLoRf9YMYCAUFbaeKP5jO0JEik1VA+Ickvw pREd1/M8DYCNHY8LiEwjSVyxkl8ytc3ZVuB4+DSH2vps1AyEmgwUG4va9uc2thBOzzKn V132CbPedX8NBaw90/pd1g4fux3ZwQNNRUxKDLcaiLdffBTxGe9MXOuQRFbjYztQfC/4 PiDw==
X-Gm-Message-State: ALKqPwdQeYiRpEN//0YykvBeV5ZxpXF8qernWTscBsGN/pw3rAdh+RLS EyvVy8CX3WSu2vup2z1eotf6+3Ftkre4uzopKeSn1g==
X-Google-Smtp-Source: AB8JxZolXEC09APNvQaGoEQQPIxC/LFjB9i1qg60tzz5Dx3Shjb1FJNh2UEp1cgQ/bePyaE5j+x3F4K/+NJVrqzH24o=
X-Received: by 2002:a9d:310b:: with SMTP id e11-v6mr1897020otc.84.1525979132356; Thu, 10 May 2018 12:05:32 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBOGJTYTGqYLhqafM=yE9hCZP06KbjKfBqMVTr=yoUYUrw@mail.gmail.com> <CABcZeBOTTe=8mw3q7FXNLWD7pe=XTuKj3P3C1=-GXHZSFQybzw@mail.gmail.com> <CAL02cgRn6wHMDoCL+UCaHtD8GV30=+aSrvCY+Jf64tKtqkfV2Q@mail.gmail.com> <70623E37-4A6D-4B73-A97B-DF754D9DBBCE@vigilsec.com>
In-Reply-To: <70623E37-4A6D-4B73-A97B-DF754D9DBBCE@vigilsec.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 10 May 2018 19:05:21 +0000
Message-ID: <CAL02cgQwv4owGnoUHwY2s9fdiQNnusD3KGYP-yDru1XjLeYKPQ@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Sean Turner <sean@sn3rd.com>, Nick Sullivan <nick@cloudflare.com>, mls@ietf.org
Content-Type: multipart/alternative; boundary="0000000000001e87d0056bdeb411"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/Di-1sjcVRpfRVQ0RV-AT3vlcVl0>
Subject: Re: [MLS] TreeKEM: An alternative to ART
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 May 2018 19:05:36 -0000
Fortunately, we're not a WG yet, so we're not bound by the rules for virtual interims :) Here's a Doodle to see if there's a time that looks good to folks: https://doodle.com/poll/u84kpg2i4vfvnmsz On Thu, May 10, 2018 at 2:01 PM Russ Housley <housley@vigilsec.com> wrote: > I think that a virtual interim to go through a tutorial of TreeKEM would > be very useful. > > Russ > > > On May 3, 2018, at 10:36 AM, Richard Barnes <rlb@ipv.sx> wrote: > > Just for context: Note that TreeKEM, like ART, is an "inner loop" / > "subroutine" for MLS. It handles the establishment of a key that's > confidential to the group members. There's still a need for more mechanism > to provide authentication. > > Speaking of protocol, in protocol terms, TreeKEM, while we haven't > elaborated a precise protocol, if you look at the very basic sketch that's > in the repo EKR linked, the protocol looks very similar to what we have for > ART now. Basically, where ART sends public keys, TreeKEM needs to send > (public key, PKE ciphertext) pairs. So there's a bit of additional > communications overhead, but not a dramatic reworking of the messages. > > Having spent some time with this approach, I appreciate that it can be > kind of hard to digest; it has a few more moving parts than ART. I would > be happy to set up a call sometime if people wanted to talk this through. > > --Richard > > On Thu, May 3, 2018 at 10:33 AM Eric Rescorla <ekr@rtfm.com> wrote: > >> Oops. I forgot to attach the paper. >> >> >> On Thu, May 3, 2018 at 7:26 AM, Eric Rescorla <ekr@rtfm.com> wrote: >> >>> Hi folks, >>> >>> Several of us (Karthik, Richard, and I) have been working on an >>> alternative to ART which we call TreeKEM. TreeKEM parallels ART in >>> many ways, but is more cryptographically efficient and is much better >>> at handling concurrent changes. The most common behaviors (updating >>> ones own key) can be executed completely concurrently, merging all the >>> requested changes. >>> >>> We've attached a draft technical paper describing the details, and >>> some slides, but here's a brief overview of TreeKEM. >>> >>> Code: https://github.com/bifurcation/treekem, >>> https://github.com/bifurcation/treekem >>> Explainer slides: >>> https://docs.google.com/presentation/d/1myiQ22ddxHAcF8uCJBXk9cdJMvAQfAw9nmKiqE5seJc/edit?usp=sharing >>> >>> As with ART, TreeKEM addresses the scaling problem by arranging nodes >>> in a binary tree. In the steady state, each node i has a key pair but >>> instead of having two siblings do DH to determine their shared key, we >>> derive the shared key by hashing the key of the last node to update. >>> As before, each node knows all the keys to its parents. >>> >>> Imagine we have the four node tree a, b, c, d which was constructed >>> in that order. The private keys at each vertex are shown below. >>> >>> H^2(d) >>> / \ >>> H(b) H(d) >>> / \ / \ >>> a b c d >>> >>> >>> UPDATES >>> Now say that b wants to update its key to b', giving us the tree: >>> >>> H^2(b') >>> / \ >>> H(b') H(d) >>> / \ / \ >>> a b' c d >>> >>> This requires providing >>> >>> - a with H(b') -- note that a can compute H^2(b') for itself. >>> - c and d with H^2(b') >>> >>> Recall that you can encrypt to any subset of the tree by just >>> encrypting to the appropriate set of parent nodes. So, we can >>> do this by sending: >>> >>> - E(pubkey(a), H(b')) >>> - E(pubkey(H^2(d)), H^2(b')) >>> >>> Where pubkey(k) gives the public key derived from private key k. >>> >>> As with ART, you then mix the new tree root (H^2(b')) into the current >>> operational keys and use the result to derive the actual working keys. >>> >>> >>> CONCURRENT UPDATES >>> The big win in TreeKEM is that you can handle an arbitrary number >>> of concurrent updates, just by applying them in order. Again, >>> consider our starting tree, but assume that b and c both try to >>> update at once. a thus receives two updates >>> >>> - E(pubkey(a), H(b')) [b's update] >>> - E(pubkey(H(b)), H^2(c')) [c's update] >>> >>> If we apply these in order b, c we get the tree: >>> >>> H^2(c') >>> / \ >>> H(b') H(c') >>> / \ / \ >>> a b' c d >>> >>> a can easily compute this. >>> >>> In order to make this work, we need two things: >>> >>> 1. a needs to keep a copy of its current tree around until it has >>> received all updates based on that tree >>> 2. there needs to be an unambiguous ordering of updates >>> >>> The way to handle (1) is probably to have some defined "window" >>> of time during which an update can be received. The node needs >>> to hold onto its old key until that window has passed. (2) can >>> be handled by having the messaging system provide a consistent >>> order and then agreeing to apply updates consecutively. If we >>> want to concurrently apply other changes, we may need to sort >>> based on change type within the window. >>> >>> >>> ADDS >>> In order to add itself to the group (USERADD), a node merely puts >>> itself at the right position in the tree and, generates a random key, >>> and then sends the appropriate keying material to everyone in its path >>> to the root. >>> >>> In order to add another node to the group (GROUPADD), the adding >>> node does exactly the same thing as with a USERADD, but also sends >>> a copy of the new key to the node being added.. Note that this creates >>> a double-join, which we will cover later. >>> >>> >>> REMOVAL >>> In order to remove another node from the tree, the removing node >>> sends the same message that the evicted node would have sent if >>> it had sent an update, but with a new key not known to the evicted >>> node (note that this naturally omits the evicted node, because you >>> encrypt to the co-path). This also creates a double-join, where the >>> removing node knows the dummy key. >>> >>> >>> >>> STATE >>> In order to receive messages, a node need only keep its secret keys, >>> which range between 1 key (if it was the last to update) and log(N) >>> keys (in the worst case). >>> >>> In the best case, in order to update, a node needs to also know >>> the public keys for everyone on its co-path. However. >>> >>> In order to be able to do deletes, a node also needs to be able >>> to get the public key for any node in the tree (leaf or internal). >>> It's easy to see this by realizing that to delete a node you need >>> to encrypt a new key to its sibling, and so to delete any node, >>> you need to be able to access every node's public key. However, >>> a node need not store this information, but can retrieve it >>> on demand when it needs to delete another node. >>> >>> >>> EFFICIENCY >>> The paper contains more details. but generally TreeKEM is somewhat >>> more efficient in terms of asymmetric crypto operations than ART. >>> >>> >>> DOUBLE JOINS >>> Like ART, TreeKEM has double-join problems whenever one group member >>> provides a service (or a disservice, in the case of remove) for another >>> group member. In the case of GROUPADD, the double join will resolve >>> itself >>> as soon as the added node updates its key. However in the case of >>> REMOVE, this cannot happen, and so double join needs to be >>> dealt with in some other way. >>> >>> One option is to have selective updates: each node keeps track of >>> extra tree state and uses it to control its updates. For instance, >>> if we never send updates to deleted nodes, than as soon as a deleted >>> node's sibling sends an update, the double-join will be resolved. >>> In a more sophisticated -- but also more expensive to implement -- >>> version, we track which nodes control the keys of other nodes and >>> REMOVE all affected nodes when we do a delete. >>> >>> -Ekr >>> >>> >> _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls > > > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls >
- [MLS] TreeKEM: An alternative to ART Eric Rescorla
- Re: [MLS] TreeKEM: An alternative to ART Eric Rescorla
- Re: [MLS] TreeKEM: An alternative to ART Richard Barnes
- Re: [MLS] TreeKEM: An alternative to ART =JeffH
- Re: [MLS] TreeKEM: An alternative to ART Eric Rescorla
- Re: [MLS] TreeKEM: An alternative to ART Katriel Cohn-Gordon
- Re: [MLS] TreeKEM: An alternative to ART Richard Barnes
- Re: [MLS] TreeKEM: An alternative to ART Eric Rescorla
- Re: [MLS] TreeKEM: An alternative to ART Daniel Van Geest
- Re: [MLS] TreeKEM: An alternative to ART Karthikeyan Bhargavan
- Re: [MLS] TreeKEM: An alternative to ART Cas Cremers
- Re: [MLS] TreeKEM: An alternative to ART Karthikeyan Bhargavan
- Re: [MLS] TreeKEM: An alternative to ART Alexey Ermishkin
- Re: [MLS] TreeKEM: An alternative to ART Richard Barnes
- Re: [MLS] TreeKEM: An alternative to ART Russ Housley
- Re: [MLS] TreeKEM: An alternative to ART Richard Barnes
- Re: [MLS] TreeKEM: An alternative to ART Stephen Farrell
- Re: [MLS] TreeKEM: An alternative to ART Benjamin Kaduk
- Re: [MLS] TreeKEM: An alternative to ART Benjamin Beurdouche
- Re: [MLS] TreeKEM: An alternative to ART Eric Rescorla
- Re: [MLS] TreeKEM: An alternative to ART Richard Barnes
- Re: [MLS] TreeKEM: An alternative to ART Peter Saint-Andre
- Re: [MLS] TreeKEM: An alternative to ART Richard Barnes
- Re: [MLS] TreeKEM: An alternative to ART Peter Saint-Andre