Re: [MLS] question about group contexts and deriving epoch secrets

Raphael Robert <raphael@wire.com> Tue, 09 February 2021 09:56 UTC

From: Raphael Robert <raphael@wire.com>
In-Reply-To: <107abb03-e620-43ed-ac75-034ab6ed1ff4@www.fastmail.com>
Date: Tue, 09 Feb 2021 10:56:07 +0100
Cc: mls@ietf.org
Message-Id: <8E3FEF5E-F5B5-4B58-A5BD-2464383C245A@wire.com>
References: <107abb03-e620-43ed-ac75-034ab6ed1ff4@www.fastmail.com>
To: Hubert Chathi <hubertc@matrix.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/HAuRU_YQFwopbjxj8TAMWbxuXvc>
Subject: Re: [MLS] question about group contexts and deriving epoch secrets

I think “new GroupContext” and “provisional GroupContext” are synonyms.

Creating the Commit:
- Use the confirmed transcript hash (old intermediate transcript hash combined with new commit content from current MLSPlaintext)
- Create new provisional GroupContext with new provisional epoch (old epoch + 1), new tree hash (after proposals were applied to old tree) and confirmed transcript hash from above

Applying a Commit as an existing member:
- Same as creating a Commit

Joining a group from a Welcome message:
- Create GroupContext with epoch from GroupInfo, tree hash from GroupInfo and confirmed transcript hash from GroupInfo

Does that answer the question?

If you think the spec is wrong/confusing feel free to file a PR.

Raphael

> On 9. Feb 2021, at 00:45, Hubert Chathi <hubertc@matrix.org> wrote:
> 
> When deriving the epoch secret, you do "ExpandWithLabel(., "epoch", GroupContext_[n], KDF.Nh)", so you need a GroupContext.  As far as I can tell, there appears to be a contradiction about which GroupContext to use: in the "Key Schedule" section (Line 1404), it says to use "The GroupContext object for current epoch", but in the "Commit" section under the part talking about a group member who applies a Commit message (Line 2660), it says to use the provisional GroupContext.  (The part talking about the group member who creates the Commit message doesn't say which GroupContext to use.)  If we are supposed to use the "new" GroupContext (after applying both the proposals and the update), but if we are supposed to use the provisional GroupContext, then I don't think that a new member has access to the tree_hash or confirmed_transcript_hash to create the GroupContext needed to derive the epoch secret.  So it seems like the "new" GroupContext should be correct, but Line 2660 is pretty explicit about using the provisional GroupContext.
> 
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
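Worked example of the three derivations Raphael lists above (committer, applying member, Welcome joiner), added to this archived thread; it is not code from the thread, from the MLS draft, or from any MLS implementation. It assumes HKDF-SHA256 as the ciphersuite KDF (KDF.Nh = 32), the draft-era "mls10 " KDF label prefix and GroupContext layout (group_id, epoch, tree_hash, confirmed_transcript_hash, extensions), and uses constructed placeholder bytes for the tree hashes, secrets and the serialized commit content. The third value it returns shows what happens if a member derives with the current epoch's GroupContext instead of the provisional one: it no longer agrees with the joiner, who only has the GroupInfo fields to work from.

```python
# Added example (not from the thread or any MLS library). Assumptions: HKDF-SHA256
# as KDF (KDF.Nh = 32), the draft-era "mls10 " label prefix and GroupContext layout;
# tree hashes, secrets and the serialized commit content are constructed placeholders.
import hashlib
import hmac
import struct

NH = 32  # KDF.Nh for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """KDF.Extract per RFC 5869; an empty salt becomes Nh zero bytes."""
    return hmac.new(salt or b"\x00" * NH, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """KDF.Expand per RFC 5869."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out, counter = out + block, counter + 1
    return out[:length]


def opaque(data: bytes, len_bytes: int) -> bytes:
    """TLS presentation-language vector: big-endian length prefix, then the bytes."""
    return len(data).to_bytes(len_bytes, "big") + data


def expand_with_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    # KDFLabel = { uint16 length; opaque label<7..255>; opaque context<0..2^32-1>; }
    kdf_label = struct.pack(">H", length) + opaque(b"mls10 " + label.encode(), 1) + opaque(context, 4)
    return hkdf_expand(secret, kdf_label, length)


def derive_secret(secret: bytes, label: str) -> bytes:
    return expand_with_label(secret, label, b"", NH)


def encode_group_context(ctx: dict) -> bytes:
    """GroupContext { group_id<0..255>; uint64 epoch; tree_hash<0..255>;
    confirmed_transcript_hash<0..255>; extensions<0..2^32-1>; }"""
    return (opaque(ctx["group_id"], 1) + struct.pack(">Q", ctx["epoch"])
            + opaque(ctx["tree_hash"], 1) + opaque(ctx["confirmed_transcript_hash"], 1)
            + opaque(ctx["extensions"], 4))


def provisional_group_context(old_ctx: dict, new_tree_hash: bytes,
                              interim_prev: bytes, commit_content: bytes) -> dict:
    """Committer and applying members alike: epoch + 1, the tree hash after the proposals
    are applied, confirmed_transcript_hash = Hash(interim_[n-1] || commit content)."""
    return {"group_id": old_ctx["group_id"], "epoch": old_ctx["epoch"] + 1,
            "tree_hash": new_tree_hash,
            "confirmed_transcript_hash": hashlib.sha256(interim_prev + commit_content).digest(),
            "extensions": old_ctx["extensions"]}


def joiner_secret(init_secret_prev: bytes, commit_secret: bytes) -> bytes:
    """DeriveSecret(KDF.Extract(init_secret_[n-1], commit_secret), "joiner"): the value a
    Welcome delivers to new members, so it cannot depend on the new GroupContext."""
    return derive_secret(hkdf_extract(init_secret_prev, commit_secret), "joiner")


def epoch_secret(joiner: bytes, psk_secret: bytes, group_context: dict) -> bytes:
    """ExpandWithLabel(KDF.Extract(joiner_secret, psk_secret), "epoch", GroupContext_[n], KDF.Nh):
    the step whose GroupContext the thread is asking about."""
    return expand_with_label(hkdf_extract(joiner, psk_secret), "epoch",
                             encode_group_context(group_context), NH)


def group_context_from_group_info(group_info: dict) -> dict:
    """A new member has no previous state; it takes the fields straight from GroupInfo."""
    return {k: group_info[k] for k in
            ("group_id", "epoch", "tree_hash", "confirmed_transcript_hash", "extensions")}


# Constructed sample state standing in for real MLS objects.
OLD_CTX = {"group_id": b"example-group", "epoch": 6,
           "tree_hash": hashlib.sha256(b"tree@6").digest(),
           "confirmed_transcript_hash": hashlib.sha256(b"cth@6").digest(), "extensions": b""}
INTERIM_PREV = hashlib.sha256(b"interim@6").digest()
COMMIT_CONTENT = b"<serialized MLSPlaintextCommitContent for epoch 7>"
NEW_TREE_HASH = hashlib.sha256(b"tree@7 after proposals").digest()
INIT_SECRET_PREV = hashlib.sha256(b"init_secret@6").digest()
COMMIT_SECRET = hashlib.sha256(b"commit_secret@7").digest()
NO_PSK = b"\x00" * NH  # "psk_secret (or 0)"


def derive_three_ways() -> tuple:
    """(existing member's epoch_secret, Welcome joiner's epoch_secret, and what a member
    would get by wrongly using the *current* epoch's GroupContext)."""
    new_ctx = provisional_group_context(OLD_CTX, NEW_TREE_HASH, INTERIM_PREV, COMMIT_CONTENT)
    js = joiner_secret(INIT_SECRET_PREV, COMMIT_SECRET)
    member = epoch_secret(js, NO_PSK, new_ctx)
    # GroupInfo in the Welcome carries the new epoch's fields (tag and signature elided here).
    group_info = {**new_ctx, "confirmation_tag": b"", "signature": b""}
    joiner = epoch_secret(js, NO_PSK, group_context_from_group_info(group_info))
    stale = epoch_secret(js, NO_PSK, OLD_CTX)
    return member, joiner, stale


if __name__ == "__main__":
    member, joiner, stale = derive_three_ways()
    print("joiner matches members:", member == joiner, "| stale context matches:", member == stale)
```

The point the example makes concrete: joiner_secret is computed before the new GroupContext exists and travels in the Welcome, so the only GroupContext every party can agree on at the "epoch" step is the provisional one built from (epoch + 1, new tree hash, new confirmed transcript hash), which is exactly what GroupInfo hands a joiner.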