Re: [MLS] New Parent Hash

Mularczyk Marta <marta.mularczyk@inf.ethz.ch> Thu, 31 December 2020 15:02 UTC

Return-Path: <marta.mularczyk@inf.ethz.ch>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DA903A0CE2 for <mls@ietfa.amsl.com>; Thu, 31 Dec 2020 07:02:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aucFIP1UKE_2 for <mls@ietfa.amsl.com>; Thu, 31 Dec 2020 07:02:51 -0800 (PST)
Received: from mailg210.ethz.ch (mailg210.ethz.ch [IPv6:2001:67c:10ec:5606::21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E042E3A0CE1 for <mls@ietf.org>; Thu, 31 Dec 2020 07:02:49 -0800 (PST)
Received: from mailm216.d.ethz.ch (2001:67c:10ec:5603::30) by mailg210.ethz.ch (2001:67c:10ec:5606::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Thu, 31 Dec 2020 16:02:30 +0100
Received: from mailm213.d.ethz.ch (2001:67c:10ec:5603::27) by mailm216.d.ethz.ch (2001:67c:10ec:5603::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Thu, 31 Dec 2020 16:02:45 +0100
Received: from mailm213.d.ethz.ch ([fe80::48e5:b9c:79eb:9d16]) by mailm213.d.ethz.ch ([fe80::48e5:b9c:79eb:9d16%4]) with mapi id 15.01.2106.006; Thu, 31 Dec 2020 16:02:45 +0100
From: "Mularczyk Marta" <marta.mularczyk@inf.ethz.ch>
To: Raphael Robert <raphael=40wire.com@dmarc.ietf.org>
CC: Joel Alwen <jalwen@wickr.com>, "daniel.jost@cs.nyu.edu" <daniel.jost@cs.nyu.edu>, Messaging Layer Security WG <mls@ietf.org>
Thread-Topic: [MLS] New Parent Hash
Thread-Index: AQHWuTjfZw1SmrLREUKS4j4Eh1hSAKoRUjgAgABCrXI=
Date: Thu, 31 Dec 2020 15:02:45 +0000
Message-ID: <cc448694ee224c4786a05281b38c8cbd@inf.ethz.ch>
References: <68acccb2-9e5f-f52d-b32c-3b6e3195bc2d@wickr.com>, <7A25FA3A-25E9-47AD-9D8F-112F24748062@wire.com>
In-Reply-To: <7A25FA3A-25E9-47AD-9D8F-112F24748062@wire.com>
Accept-Language: en-US, de-CH
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [83.4.222.248]
x-tm-snts-smtp: C60E91BC9CFCC6224A16B98FECA3BE6C403D60E3369B354E1DDEC68DB1669D8B2000:8
Content-Type: multipart/alternative; boundary="_000_cc448694ee224c4786a05281b38c8cbdinfethzch_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/Icg6nQxAELwZ1nXMg_JNC6eI7bI>
Subject: Re: [MLS] New Parent Hash
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Dec 2020 15:02:54 -0000

Hi Raphael,


There indeed seems to be a misunderstanding about how "resolution" is defined. In the version of the draft I see, in 5.2 the resolution is defined as "an ordered list of non-blank nodes that collectively cover all non-blank descendants of the node" and not just the first one. Also, 5.2 says that the resolution of node 5 is the list [CD,C] and not [CD]. Can you point to the version of the draft you're referring to?


Best,

Marta

________________________________
From: MLS <mls-bounces@ietf.org> on behalf of Raphael Robert <raphael=40wire.com@dmarc.ietf.org>
Sent: Thursday, December 31, 2020 12:47:28 PM
To: Messaging Layer Security WG
Cc: Joel Alwen
Subject: Re: [MLS] New Parent Hash

Hi Joël, Daniel and Marta,

I just implemented the stronger parent hash scheme you proposed in the way it is described in the spec now.
The good news is that it is implementable, the bad news is that is does not solve the problem you initially describe. Specifically, swapping out two leaf nodes still goes undetected.

I think it is due to a terminology conflict, but it would be great if you could validate that assumption.
In 7.4 you introduce the notion of “original child resolution” as " the array of HPKEPublicKey values of the nodes in the resolution of S”. The term “resolution” is defined in 5.2. It is essentially a way of dealing with blank nodes by substituting them with the first non-blank descendants you find when descending the subtree of a node.
Here is my assumption: You probably thought the resolution would cover all non-blank descendants of a node, not just the first non-blank descendant. In that case we would need another function that does that (let’s call it “descendants”).

If we look at the example of 5.2:

 - The resolution of node 3 is the list [A, CD, C]
 - The descendants of node 3 is the list [A, CD, C, D]

 - The resolution of node 5 is the list [CD]
 - The descendants of node 5 is the list [CD, C, D] (we just need to additionally filter out C, because it is an unmerged leaf of node 5)

Here is a code snippet of what the “descendants” function would look like (sorry that it’s Rust, not Python):

fn descendants(x: NodeIndex, size: LeafIndex) -> Vec<NodeIndex> {
    if level(x) == 0 {
        vec![x]
    } else {
        let left_child = left(x);
        let right_child = right(x, size);
        [
            descendants(left_child, size),
            vec![x],
            descendants(right_child, size),
        ]
        .concat()
    }
}

There’s a more efficient implementation of course, this is just to illustrate.

In other words, the new “original child resolution” of S would be the subtree under S, but with filtered-out blank nodes and unmerged leaves of S.

If my assumption is correct, I’ll follow up quickly with a PR since this is currently a blocker for interop based on draft-11.

Thanks

Raphael



> On 12. Nov 2020, at 22:14, Joel Alwen <jalwen@wickr.com> wrote:
>
> Hey people,
>
> Just a quick heads up that Daniel, Marta and I put in a PR with a new version of
> strong parent hash to prevent the attacks from the earlier thread. We tried to
> make it as minimal as we could to help with deniability while still preventing
> the attacks permitted by weak parent hashes.
>
> In a nutshell, when computing parent_hash at node v with parent p and sibling w
> we include
> - p's HPKE pubkey
> - p's parent_hash value and
> - HPKE pub keys in the resolution of w except for those belonging to leaves
> unmerged at p.
>
> As a sanity check, notice that as long as p's keys remain the same one can
> always recompute the same parent_hash value at v as was initially computed by
> the member that set p's keys. (In other words, new members can verify that the
> stored parent_hash values match whats in the tree.) In particular, that's coz as
> long as p's keys are unchanged so is the resolution of w. The only exception are
> leaves being added as unmerged at w. But those leaves are also added as unmerged
> at p so they are left out of the hash.
>
> As for deniability, at least parent_hash only binds HPKE keys and nothing else
> (like, say, credentials or signatures). Its the best we were able to come up
> with for now...
>
> - joël
>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls

_______________________________________________
MLS mailing list
MLS@ietf.org
https://www.ietf.org/mailman/listinfo/mls