IETF Logo Mail Archive

Re: [MLS] New Parent Hash

Joel Alwen <jalwen@wickr.com> Fri, 01 January 2021 22:10 UTC

Return-Path: <jalwen@wickr.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0338A3A0D3F for <mls@ietfa.amsl.com>; Fri, 1 Jan 2021 14:10:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wickr-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xz2ZMpa55qt0 for <mls@ietfa.amsl.com>; Fri, 1 Jan 2021 14:10:07 -0800 (PST)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEEB83A0D3D for <mls@ietf.org>; Fri, 1 Jan 2021 14:10:06 -0800 (PST)
Received: by mail-ed1-x52b.google.com with SMTP id b73so21058547edf.13 for <mls@ietf.org>; Fri, 01 Jan 2021 14:10:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wickr-com.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=TxdDzJJRfY0hek/f6dDc4buAAKITrcfG0w7bb/89C2o=; b=R9XI1u4fBqE0TgGjs6fJEew/07QOepyFLX6+5R9PFAiSt2h+cjC74d0mwsCrCZd0B4 tYe5JkWFxi1h7GLyvelmIapIayDCsP+d5Za4pdC3vF3AGKtSv12lfl2WdAE/m7EQ9XvA DlhX2MocrxJr1+MwgCAteHsguE+FsUEJ2pcm1uZKqVgUrYAvgYgpRdIIN4X7csf2Fut1 RJdl95PWXepU0HXFIcV7JVVg2SpNOAqiaULkwIAQhqSsGlrRe45dfV/XsgbU5V/6soya cOtV15NO4Pup461d2UEQGYFqUtXdSkdEES5z3uG7y8wZUtOg0EIDl/e16n/ADbKWI5Ql MkUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=TxdDzJJRfY0hek/f6dDc4buAAKITrcfG0w7bb/89C2o=; b=Giao4zXwgyWo0hlhaL1oI04Z30faC8lg3annhLPYdUVDh6guHV0wVYuVHa2B4Hlib1 1ad+10TOwnNVwNE8RO6d3lzXvEFeRHBW/mVfujCf7LYw2YCukGrpt605WVqJX4QsRGVl fyeavRxFlskLmFt8By7vp2Rvbw1hDmF3GkN+mvPSW2HqWfe9hIFGRJKqLwXhb3MGaegL DWEEK8aQklsGkvpHF9e1ux6gi/NITyH+buwTbdyT7iCWmRgEdEeS+8Sa3e6do1PX7oFF Cq37dgEpfVXrUcx+AKa1994oNB3XJihuE/+PcZcJ2DWM8RB1b+/zFbuDKMxh6MS0oIMx 9tcA==
X-Gm-Message-State: AOAM530qg/5GbQw/wZ+KHRcE0rWPz7CTQbdFMEWWZQ3Hafk5nsjpKgrQ VS+MipjlNz1I3SLy4Jr5Se5R0wiJKx8BVA==
X-Google-Smtp-Source: ABdhPJxTosU2Eupfu57kTg58BxmVW90eNxV8yYZzxmBMgvKu1UD1K9DfgeO0HwfczQZgDvfJa5ZrgA==
X-Received: by 2002:a05:6402:c83:: with SMTP id cm3mr60749334edb.189.1609539004542; Fri, 01 Jan 2021 14:10:04 -0800 (PST)
Received: from [192.168.1.137] (84-114-27-5.cable.dynamic.surfer.at. [84.114.27.5]) by smtp.gmail.com with ESMTPSA id h16sm21106142eji.110.2021.01.01.14.10.03 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 01 Jan 2021 14:10:03 -0800 (PST)
To: Raphael Robert <raphael@wire.com>, Mularczyk Marta <marta.mularczyk@inf.ethz.ch>
Cc: "mls@ietf.org" <mls@ietf.org>
References: <68acccb2-9e5f-f52d-b32c-3b6e3195bc2d@wickr.com> <7A25FA3A-25E9-47AD-9D8F-112F24748062@wire.com> <c069219e-2738-4cd3-b796-9f695b95c729@www.fastmail.com> <32c5c409abbc4cf79ecf74c9e2a2befa@inf.ethz.ch> <8C2A0364-90BA-4789-9163-E31D8C5B5CB1@wire.com>
From: Joel Alwen <jalwen@wickr.com>
Message-ID: <1b6230e4-e634-18aa-cfe2-8c35f1b645c2@wickr.com>
Date: Fri, 01 Jan 2021 23:10:02 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <8C2A0364-90BA-4789-9163-E31D8C5B5CB1@wire.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/G8CmrdNjt4hnU1WT31yWFLfTm5w>
Subject: Re: [MLS] New Parent Hash
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jan 2021 22:10:10 -0000

Servus Raphael,

> Happy New Year

Same to you! Here's hoping the new one will be a tad happier than the last. ;-)

As for why "resolutions": The impetus to look for a new approach after our
initial proposal came from a comment in your email on the Fri, 23 October 2020
18:23 UTC in the thread "Weak vs. Strong Tree Authentication". There you wrote:

> Going for fully hashing the tree nodes as described locks down the whole
> tree structure, making any reshuffling impossible. Maybe there is a more 
> lightweight approach that would yield the same result without “provid[ing] 
> irrefutable evidence that the signing key's owner was in a group with (at 
> least some) of the other members in the group”, but I can’t think of
> anything right now.

That was an intriguing challenge and got us thinking. The result is the current
Parent Hash definition using resolutions. We realized that to buy wiggle room in
not locking down as much of the tree (especially, not locking down other members
identities into the hash) we could pay a "price" that actually doesn't harm the
security we've been aiming for. Namely, we can allow the adversary some more
tree manipulation but still only benign ones that dont actually allow her to
break the security property we've been aiming for.

In retrospect, a second reason to use resolutions is efficiency (though to fair,
that was really a coincidence rather than an explicit goal of the redesign).
Initially, we had been thinking of simply having parent hash include tree hash
as in the Benjamin-Karthik (BK) proposal of days yore. But we realized that
since then MLS had introduced Unmerged Leaves which meant that the tree hash of
some nodes can change between when they are assigned their HPKE key and later
when a new member wants to verify the parent hash of the node. In other words
the BK approach was broken by unmerged leaves. So, to make the "include the
whole subtree in parent hash" approach work, it seems new members would, for
each node being verified, traverse the nodes full sub-tree so as to weed out
those nodes that were added after the to-be-verified node got its HPKE key. (I
believe this is the O(n) time that Hubert is referring too?) In contrast, the
new version of parent hash (using resolutions) has the potential to be much
faster; it requires hashing less data but also visiting less of the tree. E.g.
when verifying near the root the difference can be as much as visiting order n
nodes vs. visiting 1 node in the new construction.

The more blanks & unmerged leaves in the tree the more the new construction
collapses to the old one. But only in the most extreme case do they actually
reach parity and the new approach is never slower than the old.

Needless to say, we didn't implement this stuff though, let alone benchmark the
2 approaches so any hard data elucidating what the actual difference is would be
very welcome. Still, the new approach can only be as fast or faster (but never
slower) than the new one. Nor do I think it's any more complicated to define or
implement. And from a security perspective they both let MLS meet our security
definition. So regardless of how small the speed up is (and ignoring the locking
in the tree discussion above) it's still not clear to me why we'd want to switch
back.

A meaningful attack that only works on the new but not old construction would be
one very quick way of changing my mind though! :-) But, I believe such an attack
would require either new adversarial capabilities and/or break a new security
property we didn't consider. (For the adversaries & security we considered,
there is no security loss with the new approach compared to the old one.)

- Joël

On 01/01/2021 17:30, Raphael Robert wrote:
> Thanks for the lengthy explanation!
> 
> I’m glad we are on the same page regarding the definition of the resolution. 
> I think I understand where the misunderstanding is coming from.
> 
> Initially you proposed a “strong hash” solution on the ML (on Oct 23 2020) 
> that was the following:
> 
> "strong parent_hash" : Define parent_hash to include tree_hash (and
> tree_hash to *not* include parent_hash). The tree_hash of a node covers all
> values in the subtree rooted at that node  (except the parent_hashes and
> signatures). So basically something like this: - leaf.tree_hash :=
> H(leaf.data) - node.tree_hash := H(node.data, node.lchild.tree_hash,
> node.rchild.tree_hash) - root.parent_hash := 0 - node.parent_hash :=
> H(node.parent.tree_hash, node.parent.parent_hash).
> 
> This definition did include the whole subtree and therefore I was assuming 
> that this would also end up in the spec change. As far as I now understand, 
> you went for a more lightweight approach where you say that just using the 
> resolution is enough, because pinning all nodes in the subtree is not 
> necessary and would only prevent “benign” attacks. I guess I missed the part 
> where you switched from one concept to the other.
> 
> What I discovered during implementation is that when you only use the 
> resolution approach and the tree has no blanks, you are not always able to 
> detect if the attacker has swapped two leaves. This might indeed just be a 
> benign attack in the sense that the tree invariant is not violated.
> 
> At this point I don’t have strong arguments for or against using the 
> resolution approach, I would have to think about it some more. Just as a 
> reminder for context, the original concept by Benjamin and Karthik was 
> “parent hash covers the tree hash”. That’s pretty much what you initially 
> proposed, except that it also covered the KeyPackage at the leaf level, not 
> just the HPKE public key.
> 
> My question right now would be: What is the benefit of the lightweight 
> resolution-based approach? If it’s just efficiency, we should look at whether
> there’s really that much to gain.
> 
> On efficiency: The parent hashes are verified in two instances: a) when a
> new member joins the group and validates the public tree it received and b)
> when a member receives a full Commit from another member.
> 
> Re a): The spec now says "Moreover, when joining a group, new members MUST 
> authenticate each non-blank parent node P. A parent node P is authenticated”.
> This means the effort is linear to start with. Depending on how you define
> the operation, it is even worse than linear. Say the tree has n leaves and
> therefore 2n-1 nodes. For every node, we need to iterate over at least a part
> of the subtree and collect public keys that we then concatenate. We end up
> only hashing once per node, but with a variable size payload. I think the
> cost of navigating the subtree and collecting the keys is O(log n) for the
> “resolution approach and O(n) for the “descendants" approach and the cost of
> hashing is linearly proportional to the size of the payload. If we assume
> that hashing is the most expensive operation, the total cost would be O(n *
> log n) for “resolution” and O(n ^ 2) for “descendants".
> 
> Re b): It is very similar to a), except that we only have to iterate over
> log n nodes of the direct path, not the whole tree. That means that the
> total effort is O(log n * log n) for “resolution” and O(n * log n) for 
> “descendants”.
> 
> There’s clearly a difference in terms of efficiency between the two 
> approaches. That being said, we should keep in mind that for small payloads, 
> hashing is a lot faster than other cryptographic operations like e.g. 
> producing and verifying signatures. Since a new joiner needs to also verify
> n signatures when joining a group, it could well be that the effort of 
> verifying the parent hashes is negligible compared to the cost of verifying 
> all signatures.
> 
> In summary: I still don’t have strong arguments against the “resolution” 
> approach, but I also have a feeling that the efficiency differences are not 
> dramatic either.
> 
> Happy New Year and thanks!
> 
> Raphael
> 
>> On 1. Jan 2021, at 15:48, Mularczyk Marta <marta.mularczyk@inf.ethz.ch 
>> <mailto:marta.mularczyk@inf.ethz.ch>> wrote:
>> 
>> Hi Raphael,
>> 
>> Thanks for explaining! Using "descendants" is definitely better for 
>> security, but also, as Hubert mentioned, less efficient.
>> 
>> Also we did understand “resolution” the same way as you when we proposed 
>> the strong parent hash (sorry for the confusion).
>> 
>> But we obviously really want to understand if/why using resolution is 
>> insecure. Ultimately, the security property we care about is that privacy 
>> and authenticity of application messages holds. The Parent Hash mechanism 
>> helps us ensure this holds also for epochs in adversarially generated 
>> groups, as long as the adversary does not control any leaves in this epoch 
>> (i.e. does not know the signing key of the leaf). So to really see if your 
>> examples break security, it would be good to see if they let us violate 
>> this security goal.
>> 
>> To see why we believe the new parent hash notion (i.e. with resolutions) 
>> achieves this, let us first clarify what technical property about (even 
>> adversarially produced) ratchet trees we want from verifying parent hashes.
>> It’s not that the adversary can’t produce manipulated trees at all. It’s
>> that the only manipulations she is able to do will not let her produce a
>> tree that violates the tree invariant. That’s because (in our model) when 
>> the tree invariant holds then we can show that the epoch is secure.
>> 
>> So some manipulations *are* possible. They are just “benign”. For example,
>>  suppose adversary A controls a leaf L with HPKE key pk in tree T (i.e. she
>>  knows the signing key of L’s owner). Then A can construct a new tree T’ 
>> identical to T but where leaf L has pk’ != pk (say, by performing a commit 
>> at leaf L to obtain T’). But for this, in T’ leaf L must still be 
>> controlled by A. We call this manipulation “benign” because even though A 
>> might now break privacy of application messages in epoch with tree T’ it 
>> doesnt violate our security goal because privacy is conditioned on A *not* 
>> controlling any leaves.
>> 
>> Conversely, one thing A can *not* do is the following. Say T’ has a node V
>>  with HPKE public key pk0 such that A knows corresponding sk0. Then for T’ 
>> to pass verification, it must contain a leaf controlled by A. This holds 
>> since for T’ to pass verification there must be a leaf in V’s subtree with 
>> a signature covering a hash that includes pk0. I.e. some leaf must
>> “attest” to having inserted pk0 into T’. (Recall that in our model the
>> adversary can’t just leak sk0 alone. They must leak a full state of some
>> client which also means leaking the client's signing key.)
>> 
>> So our question to you is the following. (Does this make sense? And) we’re 
>> not exactly sure what you have in mind when you say “swapping out two leaf 
>> nodes”. But we think it would only be a problem if it is not benign. Is 
>> this true for your attack? Could you expand a bit on what tree
>> manipulation you have in mind?
>> 
>> Best, Joël& Marta
>> 
>> --------------------------------------------------------------------------------
>>
>>
>> 
*From:* MLS <mls-bounces@ietf.org <mailto:mls-bounces@ietf.org>> on behalf of
>> Hubert Chathi <hubertc@matrix.org <mailto:hubertc@matrix.org>> *Sent:* 
>> Thursday, December 31, 2020 5:36:53 PM *To:* mls@ietf.org 
>> <mailto:mls@ietf.org> *Subject:* Re: [MLS] New Parent Hash
>> 
>> I think that if you use "descendants" as you define it, then calculating 
>> the parent_hash will become O(n) all the time, rather than O(log n) in the
>>  best-case, since the size of the descendants list will be O(n).  I'm not 
>> sure if there's a good way to maintain O(log n) and still provide the 
>> desired security.
>> 
>> On Thu, 31 Dec 2020, at 06:47, Raphael Robert wrote:
>>> Hi Joël, Daniel and Marta,
>>> 
>>> I just implemented the stronger parent hash scheme you proposed in the 
>>> way it is described in the spec now. The good news is that it is 
>>> implementable, the bad news is that is does not solve the problem you 
>>> initially describe. Specifically, swapping out two leaf nodes still goes 
>>> undetected.
>>> 
>>> I think it is due to a terminology conflict, but it would be great if
>>> you could validate that assumption. In 7.4 you introduce the notion of 
>>> “original child resolution” as " the array of HPKEPublicKey values of
>>> the nodes in the resolution of S”. The term “resolution” is defined in
>>> 5.2. It is essentially a way of dealing with blank nodes by substituting
>>> them with the first non-blank descendants you find when descending the
>>> subtree of a node. Here is my assumption: You probably thought the
>>> resolution would cover all non-blank descendants of a node, not just the
>>> first non-blank descendant. In that case we would need another function
>>> that does that (let’s call it “descendants”).
>>> 
>>> If we look at the example of 5.2:
>>> 
>>>  - The resolution of node 3 is the list [A, CD, C] - The descendants
>>> of node 3 is the list [A, CD, C, D]
>>> 
>>>  - The resolution of node 5 is the list [CD] - The descendants of node 
>>> 5 is the list [CD, C, D] (we just need to additionally filter out C, 
>>> because it is an unmerged leaf of node 5)
>>> 
>>> Here is a code snippet of what the “descendants” function would look
>>> like (sorry that it’s Rust, not Python):
>>> 
>>> fn descendants(x: NodeIndex, size: LeafIndex) -> Vec<NodeIndex> { if 
>>> level(x) == 0 { vec![x] } else { let left_child = left(x); let 
>>> right_child = right(x, size); [ descendants(left_child, size), vec![x], 
>>> descendants(right_child, size), ] .concat() } }
>>> 
>>> There’s a more efficient implementation of course, this is just to 
>>> illustrate.
>>> 
>>> In other words, the new “original child resolution” of S would be the 
>>> subtree under S, but with filtered-out blank nodes and unmerged leaves
>>> of S.
>>> 
>>> If my assumption is correct, I’ll follow up quickly with a PR since this 
>>> is currently a blocker for interop based on draft-11.
>>> 
>>> Thanks
>>> 
>>> Raphael
>>> 
>>> 
>>> 
>>>> On 12. Nov 2020, at 22:14, Joel Alwen <jalwen@wickr.com 
>>>> <mailto:jalwen@wickr.com>> wrote:
>>>> 
>>>> Hey people,
>>>> 
>>>> Just a quick heads up that Daniel, Marta and I put in a PR with a new 
>>>> version of strong parent hash to prevent the attacks from the earlier 
>>>> thread. We tried to make it as minimal as we could to help with 
>>>> deniability while still preventing the attacks permitted by weak
>>>> parent hashes.
>>>> 
>>>> In a nutshell, when computing parent_hash at node v with parent p and 
>>>> sibling w we include - p's HPKE pubkey - p's parent_hash value and - 
>>>> HPKE pub keys in the resolution of w except for those belonging to 
>>>> leaves unmerged at p.
>>>> 
>>>> As a sanity check, notice that as long as p's keys remain the same one 
>>>> can always recompute the same parent_hash value at v as was initially 
>>>> computed by the member that set p's keys. (In other words, new members 
>>>> can verify that the stored parent_hash values match whats in the
>>>> tree.) In particular, that's coz as long as p's keys are unchanged so
>>>> is the resolution of w. The only exception are leaves being added as
>>>> unmerged at w. But those leaves are also added as unmerged at p so they
>>>> are left out of the hash.
>>>> 
>>>> As for deniability, at least parent_hash only binds HPKE keys and 
>>>> nothing else (like, say, credentials or signatures). Its the best we 
>>>> were able to come up with for now...
>>>> 
>>>> - joël
>>>> 
>>>> _______________________________________________ MLS mailing list 
>>>> MLS@ietf.org <mailto:MLS@ietf.org> 
>>>> https://www.ietf.org/mailman/listinfo/mls
>> <https://www.ietf.org/mailman/listinfo/mls>
>>> 
>>> _______________________________________________ MLS mailing list 
>>> MLS@ietf.org <mailto:MLS@ietf.org> 
>>> https://www.ietf.org/mailman/listinfo/mls
>> <https://www.ietf.org/mailman/listinfo/mls>
>>> 
>> 
>> _______________________________________________ MLS mailing list 
>> MLS@ietf.org <mailto:MLS@ietf.org> 
>> https://www.ietf.org/mailman/listinfo/mls 
>> <https://www.ietf.org/mailman/listinfo/mls>
>

v2.23.0 | Report a Bug | By Email