[MLS] Efficiency and "Ampelmann trees"
Richard Barnes <rlb@ipv.sx> Mon, 24 December 2018 15:53 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01ADA130F52 for <mls@ietfa.amsl.com>; Mon, 24 Dec 2018 07:53:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B51x832Ipq6C for <mls@ietfa.amsl.com>; Mon, 24 Dec 2018 07:53:47 -0800 (PST)
Received: from mail-oi1-x243.google.com (mail-oi1-x243.google.com [IPv6:2607:f8b0:4864:20::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDA47130F4A for <mls@ietf.org>; Mon, 24 Dec 2018 07:53:46 -0800 (PST)
Received: by mail-oi1-x243.google.com with SMTP id c206so10190763oib.0 for <mls@ietf.org>; Mon, 24 Dec 2018 07:53:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=49TTf8TDHv+E/qLgj1akhMKV5k7syQ5HoWeaekvdfic=; b=DultAWbr6HxjekwI2L3Gq9KZoey3MIQ0EKbBQv9QSFO2krycvf9TuRAhdv4DheZdEG VDoOpR7bDfZ//lRWuktEeTKWsUpcemWh6/hU72KFQu6bQYhNWwGk32Dfxro9eropvChn ykMlg1pIzPdP1jVl2ZrXFyMZaxAjGqXvsFq0jG2sxi310uZkrs1p4P3kHVCd3YnQ8cVv RWcjpzIkDrFJTv3oVCdIuEw67GrO/+MOTE2qSFX1xmInxSzgolYXV4aYq6ktCA3ynj+B J5QW7G9AQQPxhvZWEhmpZDlD+w+1ZdJcTAARPzb1iJeC0Ip2PRo2PQY2V25ZMxhNwMio F69w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=49TTf8TDHv+E/qLgj1akhMKV5k7syQ5HoWeaekvdfic=; b=iJhx5AxXdQOP8ZqAHjdKtgJ+pAaXf7DOXPC6nKC+7ngZ2860908NaQGneg2qKQW9dy HQpolzvVuB1GdzqKHJQ93KxWZ3IxTTlaQrMwdTijoimhaVY5IL3xIBx45k6TLW+5yq6p 56vtC4Gn7Ich7OrNZoE0oKS9v2UH8wuIP8jG2BXNsF57/54rMDf60Muja0VzahMMKT69 ASoQAz5KqsDt0r1XQ9f2R4ydS1ksOF9A+riJI3lGCo96Y2moThsLZgK1DY1rVIjEPQpl 3AjSYzB81BNf+fua4X5kWKxe4N1Mu2c1/r1pEN7wS0Gh1lDKgkTAQqpsPM2UHbfB64Wh 9wiw==
X-Gm-Message-State: AJcUuke4FECIpvtER/dJMYgTRgMDXKPBiJ8kaobiPHqn2vNnu86QxOgL vEDTqeAM0aTRgz43kxZoZuf8hhoF8perVzlSp4Z+X4zpp68FHA==
X-Google-Smtp-Source: AFSGD/Xe/Sfh9H+NHJLpzTlT39Ftdb12XhMaNwj28L2X0jT3veR/83eO3JjRckpY/gwRN7/M8HrMl3R6AsWrcTM/z3I=
X-Received: by 2002:aca:d64d:: with SMTP id n74mr8104942oig.199.1545666823711; Mon, 24 Dec 2018 07:53:43 -0800 (PST)
MIME-Version: 1.0
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 24 Dec 2018 10:53:25 -0500
Message-ID: <CAL02cgS5zgH0y=6n+Yoks17yGO+pma-J3nouKL+znvKEOSSVCA@mail.gmail.com>
To: mls@ietf.org
Content-Type: multipart/mixed; boundary="000000000000f82a63057dc699b6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/INcV28Jth25m_l__NMmQIYp13Po>
Subject: [MLS] Efficiency and "Ampelmann trees"
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Dec 2018 15:53:50 -0000
Hey all, At the last IETF meeting, we had some discussion about the efficiency of the protocol. On the one hand, having endpoints ship around the whole tree and keep it in memory seems like a bad bit of linearity; can't we just have the server track that stuff, and have the clients download slices of the tree as needed? On the other hand, you need to make sure the server doesn't lie, which requires some complicated hashing. This email has some thoughts about how complicated the hashing needs to be. Recall that in order to do the group operations, an endpoint needs the following parts of the tree: - Add: Frontier == Copath of position N+1 - Update: Copath of the endpoint's own leaf - Remove: Copath of the removed node's leaf So we need a scheme for computing a commitment to the tree (which can go in the GroupState/Welcome) such that it's easy to prove a copath. You could do this with a Merkle tree over the nodes of the ratchet tree, but it's kind of inelegant. The commitment would obviously be the root of the Merkle tree. It's less clear how best to prove a copath, but it is possible: The requester knows the indices in the tree of the copath nodes, so in the worst case, the server could provide log(N) individual proofs for those nodes (each of size log(N)). In thinking about this a bit, it seems you could improve on this by aligning the hash tree structure to the tree structure you're verifying. Merkle trees assume there are no values at the intermediate nodes of the tree; let's just hash them in: If an intermediate node has value V and child hashes L and R, then set the value of the node to: H(H(L || R) || V) (instead of H(L || R) in the Merkle tree case). If you do that, then I think you get copath proofs of size 2 * log(N) instead of log(N)^2. The attached figures (assuming they survive remailing) illustrate how this works. (I've been calling these "Ampelmann Trees", for their resemblance to the famous indicators in Berlin [1]) Now, even assuming this scheme works, it isn't a total solution to the problem. Given that we have blanks in the tree to avoid double-joins, we're going to need a way to handle blanks in the proof algorithms. Pretty sure it's still possible, but will require another layer of math. Likewise, it would be nice if an endpoint could keep its view of its own copath up to date based on Handshake messages alone, which isn't currently possible (it requires the whole tree). So there's plenty still to discuss! Suggestions welcome, either here or at the interim in a few weeks. Happy Holidays! --Richard [1] https://en.wikipedia.org/wiki/Ampelm%C3%A4nnchen
- [MLS] Efficiency and "Ampelmann trees" Richard Barnes
- Re: [MLS] Efficiency and "Ampelmann trees" Raphael Robert