[MLS] Double-use of the same key

Chris Brzuska <chris.brzuska@aalto.fi> Thu, 20 August 2020 18:40 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/EQLdrkuVBeB5ExDcFx4EMbJcpOg>

Hey all,

I realized that path_secret is now used to key two different 
cryptographic primitives, which violates key separation. Namely, the 
path_secret is used to key the two functions ExpandWithLabel and 

  * Violates the good crypto practice of key separation via HKDF.Expand
    which we use in other parts of MLS.
  * Moves MLS outside the scope of provable security, because crypto
    assumptions assume that a key is only used in one cryptographic
    primitive and not in two.


    path_secret[n] = ExpandWithLabel(path_secret[n-1], "path", "", KEM.Nsk)
    node_priv[n], node_pub[n] = KEM.DeriveKeyPair(path_secret[n])
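To make the double use concrete, here is an added illustration (my own code, not from this thread or from the MLS specification) that implements the two derivations quoted above in Python, records which primitive each secret value keys, and compares the flow as written against a key-separated variant. Assumptions: the KDFLabel encoding inside ExpandWithLabel is modelled on the draft of the time but should be treated as approximate; KEM.DeriveKeyPair is replaced by a stand-in that follows the HPKE DHKEM private-key derivation and skips the X25519 public-key computation; the "node" label used in the separated variant is hypothetical and is not something the draft or this email proposes; the root secret is a constructed value.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
KEM_NSK = 32  # Nsk of DHKEM(X25519, HKDF-SHA256), the KEM of the default MLS ciphersuite


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869); an empty salt is equivalent to HashLen zero bytes."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(prk, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def expand_with_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """MLS ExpandWithLabel: HKDF-Expand keyed by `secret` over a KDFLabel struct.
    Encoding modelled on the draft (uint16 length, "mls10 "-prefixed label with a
    one-byte length, uint32-length-prefixed context); the exact layout is an assumption."""
    full_label = b"mls10 " + label.encode()
    kdf_label = (struct.pack(">H", length) + bytes([len(full_label)]) + full_label
                 + struct.pack(">I", len(context)) + context)
    return hkdf_expand(secret, kdf_label, length)


HPKE_SUITE_ID = b"KEM" + struct.pack(">H", 0x0020)  # DHKEM(X25519, HKDF-SHA256)


def kem_derive_private_key(ikm: bytes) -> bytes:
    """Stand-in for KEM.DeriveKeyPair following the HPKE DHKEM construction (RFC 9180):
    dkp_prk = LabeledExtract("", "dkp_prk", ikm); sk = LabeledExpand(dkp_prk, "sk", "", Nsk).
    The X25519 public-key computation is omitted; only the private scalar is returned."""
    dkp_prk = hkdf_extract(b"", b"HPKE-v1" + HPKE_SUITE_ID + b"dkp_prk" + ikm)
    info = struct.pack(">H", KEM_NSK) + b"HPKE-v1" + HPKE_SUITE_ID + b"sk"
    return hkdf_expand(dkp_prk, info, KEM_NSK)


class KeyUsageLedger:
    """Records which primitive each secret value keys, to spot key-separation violations."""

    def __init__(self):
        self.uses = {}

    def record(self, secret: bytes, primitive: str) -> None:
        self.uses.setdefault(secret, set()).add(primitive)

    def violations(self) -> dict:
        """Secrets (hex) that key more than one distinct primitive."""
        return {s.hex(): sorted(p) for s, p in self.uses.items() if len(p) > 1}


def derive_node_double_use(path_secret: bytes, ledger: KeyUsageLedger):
    """The derivation as quoted above: path_secret[n] keys ExpandWithLabel (to produce
    path_secret[n+1]) and is also the input of KEM.DeriveKeyPair."""
    ledger.record(path_secret, "HKDF-Expand")
    next_path_secret = expand_with_label(path_secret, "path", b"", KEM_NSK)
    ledger.record(path_secret, "KEM.DeriveKeyPair")
    node_priv = kem_derive_private_key(path_secret)
    return next_path_secret, node_priv


def derive_node_separated(path_secret: bytes, ledger: KeyUsageLedger):
    """Key-separated variant (illustration only; the "node" label is hypothetical):
    path_secret[n] keys only ExpandWithLabel, and a dedicated node_secret derived under
    a distinct label is what KEM.DeriveKeyPair consumes."""
    ledger.record(path_secret, "HKDF-Expand")
    next_path_secret = expand_with_label(path_secret, "path", b"", KEM_NSK)
    node_secret = expand_with_label(path_secret, "node", b"", KEM_NSK)
    ledger.record(node_secret, "KEM.DeriveKeyPair")
    node_priv = kem_derive_private_key(node_secret)
    return next_path_secret, node_priv


def audit(derive) -> dict:
    """Run a three-step derivation chain from a constructed root secret and report violations."""
    ledger = KeyUsageLedger()
    secret = hashlib.sha256(b"constructed example root secret").digest()  # constructed input
    for _ in range(3):
        secret, _node_priv = derive(secret, ledger)
    return ledger.violations()


if __name__ == "__main__":
    print("double use :", audit(derive_node_double_use))  # every path secret keys both primitives
    print("separated  :", audit(derive_node_separated))   # no secret keys more than one primitive
```

The ledger is the practical check: in the flow as written, every path_secret along the chain shows up keying both HKDF-Expand and the KEM derivation, whereas in the separated variant each secret value feeds exactly one primitive (using the same PRF under two distinct labels is a single primitive and is fine). Note that both variants produce the same next path_secret; only the KEM input changes.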