IETF Logo Mail Archive

Re: [MLS] Key Schedule: Replace DPRF with multi-input PRF (NPRF)

Chris Brzuska <chris.brzuska@aalto.fi> Sat, 25 July 2020 20:09 UTC

Return-Path: <chris.brzuska@aalto.fi>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBEDD3A0A8E for <mls@ietfa.amsl.com>; Sat, 25 Jul 2020 13:09:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.119
X-Spam-Level:
X-Spam-Status: No, score=-2.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aalto.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kUz8ztzLNd7c for <mls@ietfa.amsl.com>; Sat, 25 Jul 2020 13:09:29 -0700 (PDT)
Received: from smtp-out-02.aalto.fi (smtp-out-02.aalto.fi [130.233.228.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CDCC3A0A87 for <mls@ietf.org>; Sat, 25 Jul 2020 13:09:27 -0700 (PDT)
Received: from smtp-out-02.aalto.fi (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 279DC27145C_F1C9173B; Sat, 25 Jul 2020 20:09:23 +0000 (GMT)
Received: from exng2.org.aalto.fi (exng2.org.aalto.fi [130.233.223.21]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (Client CN "exng2.org.aalto.fi", Issuer "org.aalto.fi RootCA" (not verified)) by smtp-out-02.aalto.fi (Sophos Email Appliance) with ESMTPS id A10912713F0_F1C9172F; Sat, 25 Jul 2020 20:09:22 +0000 (GMT)
Received: from exng6.org.aalto.fi (130.233.223.25) by exng2.org.aalto.fi (130.233.223.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3; Sat, 25 Jul 2020 23:09:22 +0300
Received: from [192.168.1.116] (130.233.0.5) by exng6.org.aalto.fi (130.233.223.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3; Sat, 25 Jul 2020 23:09:21 +0300
From: Chris Brzuska <chris.brzuska@aalto.fi>
To: Richard Barnes <rlb@ipv.sx>
CC: Messaging Layer Security WG <mls@ietf.org>
References: <682de0fe-41c2-9b96-067b-6cb4b08e1e7c@aalto.fi> <7028_1594089739_5F03E109_7028_154_1_B0D017EB-1A15-4C96-84C8-1E202A5A51EF@nps.edu> <4ceb1790-ef66-0113-0f59-023ab1e713e7@aalto.fi> <CAL02cgTLkZrUBAD3LLKtgwfg+eNZKWMn0qEJ7=H98pRM=gzYxQ@mail.gmail.com> <5754afd7-f05f-2844-5656-4f4572b49fab@aalto.fi> <CAL02cgTQonKgoh4trxpQxY9ONVvM_b6U+hFif+9Tahf7or9rmg@mail.gmail.com> <0c22bb51-6ef2-a55c-0c3a-14e0b590d7c7@aalto.fi>
Message-ID: <064ad211-9f5f-7254-aa48-d7aea0ca2c7f@aalto.fi>
Date: Sat, 25 Jul 2020 23:09:19 +0300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <0c22bb51-6ef2-a55c-0c3a-14e0b590d7c7@aalto.fi>
Content-Type: multipart/alternative; boundary="------------8591F5DB9CD872A453A1BEE0"
Content-Language: en-GB
X-Originating-IP: [130.233.0.5]
X-ClientProxiedBy: exng5.org.aalto.fi (130.233.223.24) To exng6.org.aalto.fi (130.233.223.25)
X-SASI-RCODE: 200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aalto.fi; h=subject:from:to:cc:references:message-id:date:mime-version:in-reply-to:content-type; s=its18; bh=iSHiFKnZY1ri+7tD3m5GdXg94trVYpfYuNreow/QRt8=; b=ytbvvEjqMXgVeZgatWH/y+bA1KVQCmFoF+/4a/rnksML9QgHJf/heesP+ZPjf6NtG/mG5dQm2nwzt0WBcxUC86kOMAxqWXePCtXnQC+dcYRIu4pWyV3PwBiVMEIwGtUuxGpzkKwv4oAhNCLWDeM0IVUSuiFIkZWqcSWnZnHJc48Y9qP0mw69IdKeG9PiCMI69SCPFDLvw1enoVC0+BHD4fl2iRYoEnR0YfZei/dRlpFZMFxLaXt2hHiLm+yjJ0BNd4CmuumlznZlxcf9XZZDnAI+4Liy23TdfImesNSxwWgT+t1gyBcCM/7c38TBOI7xSJD2ZB+V76u4gN3/9DQd4Q==
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/KhORHn-0nzCpIRSVKkgwevFiobU>
Subject: Re: [MLS] Key Schedule: Replace DPRF with multi-input PRF (NPRF)
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Jul 2020 20:09:33 -0000

Hi Richard,

I have a quick question: An additional change in your key schedule is 
that the welcome_secret is now derived *before* including the PSK. What 
is the motivation behind this?

Thanks!

Chris

On 24/07/2020 22:18, Chris Brzuska wrote:

> I see, thanks for clarifying. Obviously, with these requirements, pull 
> request #336 does not work as is. I think that the conceptual issue of 
> how to best combine two, three keys and more keys, remains, now with 
> an additional requirement to combine two keys separately first.
>
> Will think about it, thanks for clarifying the requirements!
>
> Chris
>
> On 24/07/2020 21:47, Richard Barnes wrote:
>> Your confusion is understandable -- the document is wrong right now!  
>> You are correct that the current design prohibits new joiners from 
>> participating in the PSK proof, but that's a bug, not a feature.  The 
>> epoch secret should verify that *all members of the current epoch* 
>> know the PSK, not just the ones inherited from the last epoch.
>>
>> That's why #362 rearranges the key schedule as follows:
>>
>> init_secret_[n-1] (or 0)
>>                         |
>>                         V
>>    commit_secret -> HKDF-Extract = joiner_secret
>>                         |
>>                         +--> Derive-Secret(., "welcome")
>>                         |    = welcome_secret
>>                         |
>>                         V
>>       PSK (or 0) -> HKDF-Extract = member_secret
>>                         |
>>                         V
>> GroupContext_[n] -> HKDF-Extract = epoch_secret
>>
>> (I also promoted the GroupContext to the main key schedule.)  That's 
>> the context for my earlier comments. With that picture, the only 
>> thing you're coalescing with nPRF would be the latter two 
>> HKDF-Extract calls.
>>
>> Hope that helps,
>> --Richard
>>
>>
>>
>> On Fri, Jul 24, 2020 at 2:32 PM Chris Brzuska <chris.brzuska@aalto.fi 
>> <mailto:chris.brzuska@aalto.fi>> wrote:
>>
>>     Hey Richard,
>>
>>     thank you for looking into this. I think, I need more explanation
>>     to understand the following point:
>>
>>     >>>  You can't add the commit secret and PSKs in the same
>>     operation, because you want new joiners to put in the PSK, but
>>     you don't want them to have to know the commit secret.
>>
>>     The current draft sais the following about the PSK:
>>     "Groups which already have an out-of-band mechanism to generate
>>     *shared* group secrets can inject those in the MLS key schedule
>>     to seed the MLS group secrets computations by this external
>>     entropy. At any epoch, including the initial state, an
>>     application can decide to synchronize the injection of a PSK into
>>     the MLS key schedule. This mechanism can be used to improve
>>     security in the cases where having a full run of updates across
>>     members is too expensive or in the case where the external group
>>     key establishment mechanism provides stronger security against
>>     classical or quantum adversaries."
>>
>>     As I understand this paragraph, the PSK is known by all group
>>     members and not related to new joiners. Maybe, the requirements
>>     and/or design changed in the meanwhile, and I am not aware of it.
>>     I interpreted the paragraph this way, since the current
>>     construction (posted below for convenience) also requires to know
>>     the commit_secret to derive the epoch_secret (from which the
>>     welcome_secret is derived). Where did I go wrong?
>>
>>     Thanks!
>>
>>     Chris
>>
>>                     init_secret_[n-1] (or 0)
>>                           |
>>                           V
>>          PSK (or 0) -> HKDF-Extract = early_secret
>>                           |
>>                     Derive-Secret(., "derived", "")
>>                           |
>>                           V
>>     commit_secret -> HKDF-Extract = epoch_secret
>>
>>
>>     On 24/07/2020 20:53, Richard Barnes wrote:
>>>     Hey Chris,
>>>
>>>     I was looking again at the key schedule as I was drafting #362
>>>     [1].  A couple of things occurred to me:
>>>
>>>     1. You can't add the commit secret and PSKs in the same
>>>     operation, because you want new joiners to put in the PSK, but
>>>     you don't want them to have to know the commit secret.
>>>
>>>     2. The nPRF construction you propose has the same number of HMAC
>>>     invocations as the chained-HKDF-Extract stuff that's in the
>>>     current draft / 362.
>>>
>>>     Given those observations, I wonder how much an nPRF is really
>>>     buying us.  It's not saving us any HMAC calls, and relative to
>>>     #362, it would only coalesce two DPRF calls into one nPRF call.
>>>
>>>     Maybe there's some benefit if there are multiple PSKs?  But even
>>>     then, it seems like you could add a layer, computing a synthetic
>>>     PSK from the multiple ones, and keeping the main key schedule
>>>     simple.
>>>
>>>     At this point, given the above and the novelty of the nPRF
>>>     construction, I'm inclined to just stick with HKDF and merge
>>>     #362 instead of #336.
>>>
>>>     --Richard
>>>
>>>
>>>     [1] https://github.com/mlswg/mls-protocol/pull/362
>>>
>>>     On Tue, Jul 7, 2020 at 5:30 AM Chris Brzuska
>>>     <chris.brzuska@aalto.fi <mailto:chris.brzuska@aalto.fi>> wrote:
>>>
>>>         Thank you for the pointer to Carter-Wegman MACs.
>>>
>>>         >>> This style of combing hash outputs does affect collision
>>>         resistance [4], and some discussion on relation to that
>>>         would be nice to see.
>>>
>>>         That's an excellent point. In addition to pseudorandomness,
>>>         we prove the collision-resistance of our construction. I.e.,
>>>         assuming that no unique value is used twice and assuming
>>>         that HMAC is collision-resistance, then the final Expand
>>>         operation guarantees unique outputs. I.e., by including the
>>>         unique value into the final Expand operation after the xor,
>>>         the construction recovers from any collisions incurred by
>>>         the xor.
>>>
>>>         Chris
>>>
>>>         On 07/07/2020 05:41, Hale, Britta (CIV) wrote:
>>>>
>>>>         This is an interesting proposal. It is closely related at a
>>>>         high level to Carter-Wegman MACs (i.e. for random seed r,
>>>>         MAC((k1, k2), m) =  PRF(k1, r) XOR MAC(k2, m)). Quite a few
>>>>         MACs fall into this category in practice. Considering the
>>>>         use of a MAC-based KDF and the proofs of [3] on DPRFs,
>>>>         there is an overlap between NPRFs and extrapolation of the
>>>>         above (based on iteration of the PRF guarantees).
>>>>
>>>>         This is worth noting from an assurance standpoint: there
>>>>         was discussion at the virtual interims with respect to the
>>>>         current formulation of MLS key derivation, which has a “TLS
>>>>         precedence”, yet this proposal is not without precedence
>>>>         itself. Ergo, such a change should not necessarily be
>>>>         concerning based on differing from current practice.
>>>>
>>>>         This style of combing hash outputs does affect collision
>>>>         resistance [4], and some discussion on relation to that
>>>>         would be nice to see.
>>>>
>>>>         Britta
>>>>
>>>>         [1] Carter, Wegman. Universal classes of hash functions.
>>>>
>>>>         [2] Carter, Wegman. New hash functions and their use in
>>>>         authentication and set equality.
>>>>
>>>>         [3] Bellare and Lysyanskaya. Symmetric and Dual PRFs from
>>>>         Standard Assumptions: A Generic Validation of an HMAC
>>>>         Assumption.
>>>>
>>>>         [4] Bernstein. What output size resists collisions in a xor
>>>>         of independent expansions?
>>>>
>>>>         *From: *MLS <mls-bounces@ietf.org>
>>>>         <mailto:mls-bounces@ietf.org> on behalf of Chris Brzuska
>>>>         <chris.brzuska@aalto.fi> <mailto:chris.brzuska@aalto.fi>
>>>>         *Date: *Tuesday, June 9, 2020 at 10:32 AM
>>>>         *To: *"mls@ietf.org" <mailto:mls@ietf.org> <mls@ietf.org>
>>>>         <mailto:mls@ietf.org>
>>>>         *Subject: *[MLS] Key Schedule: Replace DPRF with
>>>>         multi-input PRF (NPRF)
>>>>
>>>>         Hi all,
>>>>
>>>>         I would like to open a discussion on a suggestion for a
>>>>         change in the key schedule. In the current draft, we use
>>>>         the Extract function twice as a dual pseudorandom function
>>>>         (DPRF) when combining 3 keys (*) and interleave them with
>>>>         an Expand call.
>>>>
>>>>         The suggestion [1] is to replace these 3 calls by a
>>>>         multi-input PRF (NPRF) which is especially designed to
>>>>         return a pseudorandom key when at least one of the input
>>>>         keys is pseudorandom. The new suggestion relies on standard
>>>>         PRF security rather than DPRF-security of Extract.
>>>>
>>>>         You can find the accompanying paper with pictures,
>>>>         discussion and security reduction for the design principle
>>>>         here [2]. I include a summary of the main points in the end
>>>>         of this eMail.
>>>>
>>>>         Please comment/share your opinion. Thanks!
>>>>
>>>>         Chris
>>>>
>>>>         (*) commit_secret, PSK and init_secret
>>>>
>>>>         [1] Pull Request:https://github.com/mlswg/mls-protocol/pull/337
>>>>
>>>>         [2] Paper: http://chrisbrzuska.de/2020-NPRF.html
>>>>
>>>>         *--------------------------------------------------------------------------------------------------------------------*
>>>>
>>>>         *Summary of main points:*
>>>>
>>>>         The current key schedule
>>>>         - uses Extract as a dual pseudorandom function and assumes
>>>>         that HMAC is a dual pseudorandom function
>>>>         - applies Extract after Expand, i.e., after applying a
>>>>         function which generates a pseudorandom value
>>>>         - iterates Extract-then-Expand sequentially to combine more
>>>>         than 2 keys
>>>>
>>>>         The pull request suggests to
>>>>         - replace the ad-hoc assumption that Extract is a dual
>>>>         pseudorandom function
>>>>         - remove Extract steps when applied after Expand
>>>>         - use a provably secure NPRF construction which allows to
>>>>         combine more than 2 keys and is based on a standard PRF
>>>>         assumption and statistical properties of xor.
>>>>
>>>>         Efficiency:
>>>>         - The suggested construction has higher parallel
>>>>         efficiency. It increases the overall number of HMAC
>>>>         evaluations by 1.
>>>>
>>>>         Assumptions:
>>>>         - HMAC is a standard PRF.
>>>>         - Relies on a unique value, the group_context was suggested.
>>>>
>>>>         Construction:
>>>>         (1) Use unique value to expand each key and xor the result
>>>>         (2) expand resulting key, including unique value into the
>>>>         context again
>>>>
>>>>         Security argument:
>>>>         - Pseudorandomness: unique value ensures that each outcome
>>>>         of Expand in (1) is used only once in a xor combination,
>>>>         thus allowing on one-time pad argument of xor.
>>>>         - Uniqueness of resulting keys: (2) ensures that if HMAC is
>>>>         collision-resistent, then the result is collision-resistent.
>>>>
>>>>         Variants:
>>>>         - It is possible to use an NPRF variant called NameNPRF [2]
>>>>         which has 3 HMAC evaluations more and relies less on the
>>>>         unique value. I.e., NameNPRF is secure in the same
>>>>         scenarios as DPRF: Keys only repeat if the input keys
>>>>         repeat *and* the group context repeats.
>>>>
>>>>         Questions/Comments that came up:
>>>>         - Barnes, MacMillion suggested group_context as unique value
>>>>         - MacMillion wondered about removal of Extract: One can add
>>>>         an extract operation for the psk. For other input keys, it
>>>>         does not seem needed, since they were returned from Expand.
>>>>         - Wood: Can we replace HMAC by arbitrary PRF? Yes. For
>>>>         uniqueness of output keys, the PRF needs to be
>>>>         collision-resistant, too.
>>>>
>>>>
>>>>         _______________________________________________
>>>>         MLS mailing list
>>>>         MLS@ietf.org  <mailto:MLS@ietf.org>
>>>>         https://www.ietf.org/mailman/listinfo/mls
>>>         _______________________________________________
>>>         MLS mailing list
>>>         MLS@ietf.org <mailto:MLS@ietf.org>
>>>         https://www.ietf.org/mailman/listinfo/mls
>>>

v2.23.0 | Report a Bug | By Email