Re: [MLS] KDF instead of hashing up the tree
Richard Barnes <rlb@ipv.sx> Wed, 23 January 2019 15:48 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A708130E25 for <mls@ietfa.amsl.com>; Wed, 23 Jan 2019 07:48:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.041
X-Spam-Level:
X-Spam-Status: No, score=-2.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q0xS5HVOg_GP for <mls@ietfa.amsl.com>; Wed, 23 Jan 2019 07:48:02 -0800 (PST)
Received: from mail-oi1-x231.google.com (mail-oi1-x231.google.com [IPv6:2607:f8b0:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D241130E78 for <mls@ietf.org>; Wed, 23 Jan 2019 07:48:02 -0800 (PST)
Received: by mail-oi1-x231.google.com with SMTP id v6so2169667oif.2 for <mls@ietf.org>; Wed, 23 Jan 2019 07:48:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=JaA7JPIgoczveuW6bo97H7V5EIsq3b01iUT8ESaD7OE=; b=pz/xQsNQukVTojZGh7u396Wl4BQN3nqVfLRvYpepyifxAXDmXw1aXfiTDZtORIapi0 z/HW6yuIuscjBbvELDozkTlNWc8NIk2c1dKHrvetW50HzvcbfXU9Dp55d5qMJUZfX4nx +J22kVvC+SrW8qMWX4pv5yGJJHw6ERdBgr15zQb6t7tzYpKg0OhM5lYC5FdjtxFweFtf rkLg4sBe+EX/Rrv/Wo+R4xCfYnMLsLJAji0V7AJYMgXMI5ZswLfzx13vePaQvW9APj8E cHj0++1sWPv+tCwzasbUwLUY/DlxHDVS0BnFwkyAHokEroLUKtlyeSXG0OR0TItcd3yZ WKDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JaA7JPIgoczveuW6bo97H7V5EIsq3b01iUT8ESaD7OE=; b=lst0GzH/cmZmpXrgQZWGCt24QA8ficeGvzdFYDYBf0S5d8DKgJYSRicOrIp+/B6B9N vxOjZayoozj5UZYLYdRN86c7xKEZ9Pw19Y+l7Kl9CVWiKfrHUd3RBt+1mcQxAx9xgvVI Gizpz7b2I3BKElUwxEcUchs+owws3TS//ONVkLHySgTBkS6ttutu6rPTyEIDNVdqWPuS IaUCAsyQqJhbVILm7pJUkQKL6sDwN/XX0WVw/Sj0TH5H7mRSLteGmqRjnPQKGmhya06A Wj4e9/1Kg9obLhU39mDm0Pgn2arYNI+G6Ha90aYSvPKfX5nVeiwX1gphGacJaTxEwT4G 8b7w==
X-Gm-Message-State: AJcUukfa4tix8VbhdWuYWu8E3/CtMH1Vt5gV8H2muqAGecRHIg8PZ9NI CSbZzFv4QKGM+7QBfcj44Av0ajMB1bvmbQqUY7A8Tg==
X-Google-Smtp-Source: ALg8bN6fQDB+vHkyoRSYrU6dC9MzJeWderx2RQCU/xH7C5Lv+oAQiNpIJHn7o7lDy8FEQgeCwrKtkJdWHrwCTzwz7uQ=
X-Received: by 2002:aca:d64d:: with SMTP id n74mr588191oig.199.1548258481423; Wed, 23 Jan 2019 07:48:01 -0800 (PST)
MIME-Version: 1.0
References: <dc702cea-d780-216b-ab8e-1eba99a2bace@datashrine.de> <CAL02cgTdx7_=t9jfZj2iFULFK4x-RSL+J5LrqRN=3co1nSKS7A@mail.gmail.com> <DB120F33-B500-42F2-8117-8883B396B278@gmail.com> <7507c820-d574-a570-6aba-c469366cc9c5@datashrine.de>
In-Reply-To: <7507c820-d574-a570-6aba-c469366cc9c5@datashrine.de>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 23 Jan 2019 10:47:49 -0500
Message-ID: <CAL02cgSsoi5JiEpLf4PCP0MufS2qAJQugW7WOVFVkH0ffLURfA@mail.gmail.com>
To: Konrad Kohbrok <konrad.kohbrok@datashrine.de>
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ce5ae2058022043b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/Hf-rQITz4MklQyQgtcryoBKgL9I>
Subject: Re: [MLS] KDF instead of hashing up the tree
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jan 2019 15:48:05 -0000
Ah, ok, I get it. I misunderstood "new secret" as "fresh entropy". In that case, this falls into the "sure, if it makes the analysis better" bucket. We've been treating hashes/HKDF invocations as basically free. At some point we might need to worry about that, but I suspect that today is not that day. Want to make a PR? --Richard On Wed, Jan 23, 2019 at 10:19 AM Konrad Kohbrok < konrad.kohbrok@datashrine.de> wrote: > Exactly, thanks Karthik! > > Say we have the same tree as in the example in 5.4: > > G > / \ > / \ > E _ > / \ / \ > A B C D > > Then A generates a fresh secret X_1secret and derives the following new > secrets: > X_1kemkey=HKDF(X_1secret,"kemkey") > X_2secret=HKDF(X_1secret,"parent") > > X_2kemkey=HKDF(X_2secret,"kemkey") > X_3secret=HKDF(X_2secret,"parent") > > X_3kemkey=HKDF(X_3secret,"kemkey") > > A then sends E(pk(B), X_2secret) to B, E(pk(C),X_3secret) to C and > E(pk(D),X_3secret) to D. > > Hopefully that makes the idea a little clearer. Sorry for the terrible > notation. > > Konrad > > On 23/01/2019 16:59, Karthikeyan Bhargavan wrote: > > If I understand correctly, Chris and Konrad are not suggesting changing > the secrets. > > Instead, they are suggesting that H(.) be implemented as something like: > > > > H(x) = HKDF(x,label=”parent”) > > > > where x is the tree secret for the current node. > > > > Similarly, when generating the KEM private key for a node, we use > > > > KGEN(x) = HKDF(x,label=“kem key”) > > > > This would be a good way of making sure that each key in the protocol is > > independent, but at no additional cost. > > Am I understanding this correctly, Konrad? > > > >> On 23 Jan 2019, at 15:29, Richard Barnes <rlb@ipv.sx <mailto:rlb@ipv.sx>> > wrote: > >> > >> Note this is a little bit expensive in terms of message size; it > changes the > >> size of an update from log(N) to log(N)^2. It does not change the > number of > >> DH operations > >> > >> This is because you have to send the fresh secret for each intermediate > node > >> in the tree to all its descendants. Comparing the secrets you generate > in > >> each case, from leaf to root, along a path of depth 3 with S0 at the > leaf: > >> > >> Current: S0, S1 = H(S0), S2 = H^2(S0), S3 = H^3(S0) > >> Proposed: S0, S1 = KDF(T0, S0), S2 = KDF(T1, S1), S3 = KDF(T2, S2) > >> > >> Where T* are the fresh secrets called for here. This doesn't change to > whom > >> you encrypt things, but changes what you encrypt to each copath node: > >> > >> Current -> Proposed > >> S1 -> S1, T1, T2 > >> S2 -> S2, T2 > >> S3 -> S3 > >> > >> (This is of course because you need to enable each recipient to compute > up the > >> tree.) So there's your log->log^2. > >> > >> This discussion is not to say that I'm opposed to this idea. It just > looks > >> like it has some non-negligible cost, so we should make sure we know > what > >> we're getting for that cost. > >> > >> --Ricahrd > >> > >> > >> > >> On Wed, Jan 23, 2019 at 8:58 AM Konrad Kohbrok > <konrad.kohbrok@datashrine..de > >> <mailto:konrad.kohbrok@datashrine.de>> wrote: > >> > >> Hey everyone, > >> > >> I just discussed the current draft with my advisor Chris Brzuska > and he > >> came up > >> with a suggestion that I thought I'd just quickly relay here. As I > have only > >> started following the discussion recently, I apologize if this was > already > >> brought up in the past. > >> > >> In terms of key separation, wouldn't it make for a cleaner design, > if we > >> used a > >> KDF instead of a hash function? Instead of generating a new > leaf-node secret > >> and then hashing it to compute the new secret for the parent node, > it would be > >> better to generate a new secret and then from that secret > independently (i.e. > >> with different labels) compute the new leaf secret and the new > secret for the > >> parent node. This key independence would also make the proof > easier. In > >> terms of > >> overhead, this would mean two KDF operations instead of one hashing > operation. > >> > >> Cheers, > >> Konrad > >> > >> _______________________________________________ > >> MLS mailing list > >> MLS@ietf.org <mailto:MLS@ietf.org> > >> https://www.ietf.org/mailman/listinfo/mls > >> > >> _______________________________________________ > >> MLS mailing list > >> MLS@ietf.org <mailto:MLS@ietf.org> > >> https://www.ietf.org/mailman/listinfo/mls > > >
- [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Richard Barnes
- Re: [MLS] KDF instead of hashing up the tree Karthikeyan Bhargavan
- Re: [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Richard Barnes
- Re: [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Benjamin Beurdouche
- Re: [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Benjamin Beurdouche