Re: [MLS] UPKE for X25519/X448

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Tue, 22 October 2019 16:29 UTC

Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB07E120096 for <mls@ietfa.amsl.com>; Tue, 22 Oct 2019 09:29:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GRvwrF5yO4Vw for <mls@ietfa.amsl.com>; Tue, 22 Oct 2019 09:29:54 -0700 (PDT)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B00312004A for <mls@ietf.org>; Tue, 22 Oct 2019 09:29:54 -0700 (PDT)
Received: by mail-wr1-x429.google.com with SMTP id t16so13658472wrr.1 for <mls@ietf.org>; Tue, 22 Oct 2019 09:29:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=hYXSH5nhhTUOCZWDit0pNky3bAAPq/NwJ4+Al+UaIC8=; b=Hxk8z91lesp7XSsmz3aLJzH9go6/vGpqbkgFEPkV3ds733qKJ6HFw7yQ0TTlgO2g+c 310K15fzetLwHx/jZqgmhfydUS6tNKwqo7Xq5KZxdg6rPr6B8oqo9OOCo+n5hnZXigsO 5fd/GyDzj3RTt3FmF4NDA1jM3PXiUrnvHywyYecwRnSlfZhiLzhIrcJy4RKxH6ypTFFk Jx9fgLlDk2MFUt5utFfoy44FN110Plfz/Qo5NOJNjvOp50gx+/glnesSXL1hIlNFrPGY qD0TAZm7DWUyF089+3qhvV+ggShlK3mQpkiuv+6m/N0+YDEYQFqBhvfcLRnyi0TZVMx/ DXVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=hYXSH5nhhTUOCZWDit0pNky3bAAPq/NwJ4+Al+UaIC8=; b=jPJKu2Eo5uxFPPjrcpjuCXr+BWoHjIMQhRJAI0QE1omUdeB6UT16tlIENn9+C1K9ik rbU0qZhTqON7Vzi+kzJyg/yZi1QvOFuXZFhYPPFVrdkXiGEeqU5WoK6Eo54RTcQ6FBkL xo2mm3x2xADuk7em8A9pm+5VTyCi26S4g5OgISmQhZsT/lbASh8b+iD0gY3so09TQ56s JuCVEMWyRfJfNf/uEAOevKU5Jw/HlRtKRARqS8QAre8erej/ZH2P8NwT4vhT/h/cZtds QRqDx/PPwxjm/sKr75fwDxy9cnkdPDcY+wLr/YKs8fN3xQFCnB3i2tnKqU7s3lEWruQK X61Q==
X-Gm-Message-State: APjAAAV8xiaOJJaKrfJD1QivYyudAMQBubXF8YyFHzKlTAF28JZTPfcQ zRZkIijDCEb8DwsPyejw40M=
X-Google-Smtp-Source: APXvYqxpWxpah8NoJlRjVaUbTrTowdCWfWjFUNFa+JGmcX9/sDDSqScQx3v17+yRDJFjG/DVAF3XtA==
X-Received: by 2002:adf:828c:: with SMTP id 12mr4264864wrc.40.1571761792530; Tue, 22 Oct 2019 09:29:52 -0700 (PDT)
Received: from wifi-pro-83-029.paris.inria.fr (wifi-pro-83-029.paris.inria.fr. [128.93.83.29]) by smtp.gmail.com with ESMTPSA id z13sm21879761wrm.64.2019.10.22.09.29.51 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 22 Oct 2019 09:29:51 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
In-Reply-To: <44b5f5f7-79e1-c9e3-cde0-d75074168469@wickr.com>
Date: Tue, 22 Oct 2019 18:29:50 +0200
Cc: Messaging Layer Security WG <mls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <5DAAF42C-C4CE-4631-A6E3-A5A5C1D0143A@gmail.com>
References: <71e63449-abba-854d-2962-eac3a64a80d0@wickr.com> <398CD178-3DB6-4D70-B230-3362BE63A3BE@gmail.com> <44b5f5f7-79e1-c9e3-cde0-d75074168469@wickr.com>
To: Joel Alwen <jalwen@wickr.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/FJ3gdPFV1K50-1rGEvIWDPaHlR0>
Subject: Re: [MLS] UPKE for X25519/X448
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Oct 2019 16:29:57 -0000

Yes, the sender would have to find a “d’” such that HKDF(sksize, d', "", "derive UPKE delta”) falls in a small set of values.
This is a small risk, but it can be further reduced if we used epk in the derivation.
E.g. why not define:

d := HKDF(sksize, d’, epk, “derive UPKE delta”)

This way, the attacker has to choose d’ based on the node’s old public key, which makes it harder for it to do malicious things.

-Karthik


> On 22 Oct 2019, at 17:05, Joel Alwen <jalwen@wickr.com> wrote:
> 
> Good question!
> 
> I'll see if I can think of anything intelligent to say about it. :-)
> 
> But one thing that comes to mind is that the sender gets to choose "only" d', not d. Instead d := HKDF(d') so to get d=0
> you'd have to first invert HKDF.
> 
> - Joel
> 
> On 22/10/2019 17:02, Karthikeyan Bhargavan wrote:
>> Sorry if this is already in the paper, but a question.
>> 
>>> - UPKE-Decrypt(sk, (c1, c2)):
>>> epk, context := HPKE.SetupBaseR(c1, sk, "")
>>> d' || m := context.Open("", c2)
>>> d := HKDF(sksize, d', "", "derive UPKE delta")
>>> sk' := Mult(sk, d)
>>> return (m, sk’)
>> 
>> I believe it is important for the recipient to do some validation before returning from UPKE-Decrypt.
>> 
>> For example, what if the (malicious) sender set d to “0” (whatever that means in the DH group).
>> This would mean that the resulting key sk’ becomes “0” too, hence a non-member has been able to force the recipient group’s private key to a particular value, which is not ideal.
>> What conditions should we add to avoid this kind of key-forcing attack from happening?
>> 
>> -Karthik
>> 
>> 
>> 
>>> 
>>> 
>>> References
>>> ----------
>>> [1] http:\\ia.cr\2019\1189.
>>> 
>>> _______________________________________________
>>> MLS mailing list
>>> MLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/mls
>> 
> 
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls