IETF Logo Mail Archive

Re: [MLS] Proposals for handling concurrent messages

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Fri, 22 March 2019 05:00 UTC

Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8F191311DD for <mls@ietfa.amsl.com>; Thu, 21 Mar 2019 22:00:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ts4yx_Zuob2p for <mls@ietfa.amsl.com>; Thu, 21 Mar 2019 22:00:40 -0700 (PDT)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FC81130E90 for <mls@ietf.org>; Thu, 21 Mar 2019 22:00:40 -0700 (PDT)
Received: by mail-wr1-x429.google.com with SMTP id d17so847712wre.10 for <mls@ietf.org>; Thu, 21 Mar 2019 22:00:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=kderfGb5DJJ4AXdBAd57l/MfOOxhsmdwyvdtD+d6rjg=; b=Cfyz4R2um7kY4aYCaNrR6U3WAMDHwuK4Gz9glTYXPHJDUFopim4CqvVyDPrxY9m6v0 g3w7Gj3rfW7sWOdiqSRxB/vkdgXbO4VfqXdBIQtYIT7WUH1Z2CFx5rCK8E0mylIlNppU 46ZowmRyCgWVRpu52iZ++s/YMOh3M8gTMhYfDjTf5nvh2KQJPqoAPoJTaFSCneMUf00y hxGuqUX1L5RStIpCs1Mw26o8nPqSiGuFj7vFZfM+FX+iEiT7t0G3jM1jrsj6jbXUlZFN yD+2zEJuM7eNWIBPb49ahroHJh6gHqjuN98ZiOsff8OduGWcharFi/3gwdi8kLKzLstV B9JA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=kderfGb5DJJ4AXdBAd57l/MfOOxhsmdwyvdtD+d6rjg=; b=g0yfbeKC6VW8cokaRo0LX9Z6YoTYwX6hQc1Ju40vcNjj9q5cfANPF9+pPX85xyiyNt Orfv0p/9CiLlyjnWyxDIY+0OEWJs7ukrP6gF3CH7fjQr6aoahqL6JizDiwlsi2ffGXR1 dzOVxqVigYjZ57Ou42KT+K0goCih8lQO5spOYSzD8etjTQ9eNsNIXQ5Z/CIWvWXnJr0k SSMlRx9Jk+h4BfkPMJGRhBg3ydv0TRq/pL0Kd8Xxo7A51Plt2pTB/XWjXW7TkpPRvviq qzeHwvJCl2219qmuHZWmP7SWbeFQuRel6KFMiTA63AEAUCOTrtxFIDvS8P0b7AMf8sYW bZLA==
X-Gm-Message-State: APjAAAV5wYig7EEz6aRYpKQ1PlqwvRczIqNa43UZKwWPb7EUIBd13nvU TN/IIqmnQhbtPh0xoeJgERo=
X-Google-Smtp-Source: APXvYqy8RA0sxCi8K/pp7IAXCbqhs+2hnbdJgBvlN9U8WqHAJbTrkVmLaBwkPYMC4oukXpR0PQs+cA==
X-Received: by 2002:adf:8367:: with SMTP id 94mr5204471wrd.46.1553230838518; Thu, 21 Mar 2019 22:00:38 -0700 (PDT)
Received: from [192.168.0.61] (89-156-93-25.rev.numericable.fr. [89.156.93.25]) by smtp.gmail.com with ESMTPSA id a9sm8515064wrt.29.2019.03.21.22.00.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 Mar 2019 22:00:37 -0700 (PDT)
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Message-Id: <A67EBF41-A045-44CB-94EB-2F37257B533E@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_74EBC976-0EB4-4980-B10D-6D8F9FD13EE0"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Fri, 22 Mar 2019 06:00:36 +0100
In-Reply-To: <CAL02cgQ-2gR9VK=_LthYO7fSGnDoaYei6dhuFjjdZQ7-aMSBaA@mail.gmail.com>
Cc: "M.A.L. Weidner" <malw2@cam.ac.uk>, "mls@ietf.org" <mls@ietf.org>
To: Richard Barnes <rlb@ipv.sx>
References: <CADSARUtSRJGW=z=9Spi=D87mOG34NCTswEcQMeeftv9x6gathQ@mail.gmail.com> <CAL02cgQ-2gR9VK=_LthYO7fSGnDoaYei6dhuFjjdZQ7-aMSBaA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/HbFcflhaxfobZugCGI-jDLPDvGM>
Subject: Re: [MLS] Proposals for handling concurrent messages
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2019 05:00:44 -0000

Hello Matthew,

Thanks for the note. Concurrent updates was indeed one of the driving motivations for TreeKEM, so it is great to see this fleshed out.
It is also important to explicitly talk about causal ordering, I feel we have been missing discussions on this, not just for the TreeKEM part,
but also for data message transcript consistency.

One case we have been concerned about, and the main reason I didn’t recommend merging concurrency into MLS, is the following.
What guarantees do we get when leaves A and B update concurrently?
In the merged state after both these updates have been received and incorporated by all nodes,  do we have PCS against the compromise of the old keys of A and B?

In vanilla TreeKEM, the answer is no: we get PCS against one of the two old keys being compromised but not both.
However, all is not lost, if any node in the smallest subtree that includes A and B were to send a “causally dependent” update that has seen both the updates to A and B, 
the state of the tree “heals” and we have PCS against all old keys. 

Now, what is the situation with causal TreeKEM? As far as I see, it also does not protect concurrent updates against the compromise of both old keys?
And the guarantees of definition 4.1 appear only to hold for causally ordered updates, not for concurrent ones?
Is that the case? If so, I’d like to see a crisper distinction between the extra guarantees that Causal TreeKEM provides over vanilla TreeKEM.

Best,
Karthik

> On 20 Mar 2019, at 16:23, Richard Barnes <rlb@ipv.sx> wrote:
> 
> Hi Matthew,
> 
> Thanks for thinking about this.  The idea has come up a few times, but it's good to have such a thorough presentation to refer to.
> 
> I think this idea works fine if the DH / KEM group in question has a homomorphism of the character you describe.  There's a practical problem in that that is not universally true.  In particular, X25519 and X448 do not have such a homomorphism: Because of the "clamping" behavior prescribed in the RFC, it is the case that pk(a + b) != pk(a) + pk(b).  There was some discussion on the CFRG list (after I tried to implement such a scheme):
> 
> https://mailarchive.ietf.org/arch/msg/cfrg/JVg30dldjr4pcwZ1perpA1k-OGQ <https://mailarchive.ietf.org/arch/msg/cfrg/JVg30dldjr4pcwZ1perpA1k-OGQ>
> 
> That said, if this approach were important to people, it could probably be realized for curves that allow a homomorphism.  That would rule out X25519/X448, but I'm told that the Ristretto adaptation of those curves would work.  See Tony Arcieri's message on the above thread and:
> 
> https://ristretto.group/ <https://ristretto.group/>
> https://tools.ietf.org/html/draft-hdevalence-cfrg-ristretto-00 <https://tools.ietf.org/html/draft-hdevalence-cfrg-ristretto-00>
> 
> And in any case, I think good old traditional Weierstrass ECDH has this property (e.g., using the NIST curves).
> 
> I would be interested to hear folks' thoughts on whether the benefits of reduced synchronization would be worth the costs of limiting DH group selection (either old ECDH or new stuff without a lot of implementation).
> 
> Cheers,
> --Richard
> 
> On Tue, Mar 19, 2019 at 6:33 PM M.A.L. Weidner <malw2@cam.ac.uk <mailto:malw2@cam.ac.uk>> wrote:
> Dear MLS Working Group,
> 
> I've attached a document that details some proposals for how to better handle concurrent messages; see mainly Section 2.
> 
> The basic idea is to use some operator * which "combines" key pairs.  E.g., for Diffie-Hellman keys, (x, g^x) * (y, g^y) = (x + y (mod |g|), g^x g^y).
> 
> With this operator, we can combine concurrent updates.  E.g., if a updates with x and b updates with y, then the tree changes by: (embedded image)
> <causal_fig2.png>
> With some extra effort, I believe we can even support concurrent Adds (Section 3.3).
> 
> My apologies if there are mistakes or if this has been discussed before.
> 
> Best,
> Matthew Weidner
> MPhil Student
> Computer Laboratory, Cambridge
> _______________________________________________
> MLS mailing list
> MLS@ietf.org <mailto:MLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/mls <https://www.ietf.org/mailman/listinfo/mls>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls

v2.31.3 | Report a Bug | By Email | System Status