Re: [MLS] Key Schedule: Replace DPRF with multi-input PRF (NPRF)
Chris Brzuska <chris.brzuska@aalto.fi> Sat, 25 July 2020 20:09 UTC
Return-Path: <chris.brzuska@aalto.fi>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBEDD3A0A8E for <mls@ietfa.amsl.com>; Sat, 25 Jul 2020 13:09:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.119
X-Spam-Level:
X-Spam-Status: No, score=-2.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aalto.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kUz8ztzLNd7c for <mls@ietfa.amsl.com>; Sat, 25 Jul 2020 13:09:29 -0700 (PDT)
Received: from smtp-out-02.aalto.fi (smtp-out-02.aalto.fi [130.233.228.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CDCC3A0A87 for <mls@ietf.org>; Sat, 25 Jul 2020 13:09:27 -0700 (PDT)
Received: from smtp-out-02.aalto.fi (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 279DC27145C_F1C9173B; Sat, 25 Jul 2020 20:09:23 +0000 (GMT)
Received: from exng2.org.aalto.fi (exng2.org.aalto.fi [130.233.223.21]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (Client CN "exng2.org.aalto.fi", Issuer "org.aalto.fi RootCA" (not verified)) by smtp-out-02.aalto.fi (Sophos Email Appliance) with ESMTPS id A10912713F0_F1C9172F; Sat, 25 Jul 2020 20:09:22 +0000 (GMT)
Received: from exng6.org.aalto.fi (130.233.223.25) by exng2.org.aalto.fi (130.233.223.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3; Sat, 25 Jul 2020 23:09:22 +0300
Received: from [192.168.1.116] (130.233.0.5) by exng6.org.aalto.fi (130.233.223.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3; Sat, 25 Jul 2020 23:09:21 +0300
From: Chris Brzuska <chris.brzuska@aalto.fi>
To: Richard Barnes <rlb@ipv.sx>
CC: Messaging Layer Security WG <mls@ietf.org>
References: <682de0fe-41c2-9b96-067b-6cb4b08e1e7c@aalto.fi> <7028_1594089739_5F03E109_7028_154_1_B0D017EB-1A15-4C96-84C8-1E202A5A51EF@nps.edu> <4ceb1790-ef66-0113-0f59-023ab1e713e7@aalto.fi> <CAL02cgTLkZrUBAD3LLKtgwfg+eNZKWMn0qEJ7=H98pRM=gzYxQ@mail.gmail.com> <5754afd7-f05f-2844-5656-4f4572b49fab@aalto.fi> <CAL02cgTQonKgoh4trxpQxY9ONVvM_b6U+hFif+9Tahf7or9rmg@mail.gmail.com> <0c22bb51-6ef2-a55c-0c3a-14e0b590d7c7@aalto.fi>
Message-ID: <064ad211-9f5f-7254-aa48-d7aea0ca2c7f@aalto.fi>
Date: Sat, 25 Jul 2020 23:09:19 +0300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <0c22bb51-6ef2-a55c-0c3a-14e0b590d7c7@aalto.fi>
Content-Type: multipart/alternative; boundary="------------8591F5DB9CD872A453A1BEE0"
Content-Language: en-GB
X-Originating-IP: [130.233.0.5]
X-ClientProxiedBy: exng5.org.aalto.fi (130.233.223.24) To exng6.org.aalto.fi (130.233.223.25)
X-SASI-RCODE: 200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aalto.fi; h=subject:from:to:cc:references:message-id:date:mime-version:in-reply-to:content-type; s=its18; bh=iSHiFKnZY1ri+7tD3m5GdXg94trVYpfYuNreow/QRt8=; b=ytbvvEjqMXgVeZgatWH/y+bA1KVQCmFoF+/4a/rnksML9QgHJf/heesP+ZPjf6NtG/mG5dQm2nwzt0WBcxUC86kOMAxqWXePCtXnQC+dcYRIu4pWyV3PwBiVMEIwGtUuxGpzkKwv4oAhNCLWDeM0IVUSuiFIkZWqcSWnZnHJc48Y9qP0mw69IdKeG9PiCMI69SCPFDLvw1enoVC0+BHD4fl2iRYoEnR0YfZei/dRlpFZMFxLaXt2hHiLm+yjJ0BNd4CmuumlznZlxcf9XZZDnAI+4Liy23TdfImesNSxwWgT+t1gyBcCM/7c38TBOI7xSJD2ZB+V76u4gN3/9DQd4Q==
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/KhORHn-0nzCpIRSVKkgwevFiobU>
Subject: Re: [MLS] Key Schedule: Replace DPRF with multi-input PRF (NPRF)
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Jul 2020 20:09:33 -0000
Hi Richard, I have a quick question: An additional change in your key schedule is that the welcome_secret is now derived *before* including the PSK. What is the motivation behind this? Thanks! Chris On 24/07/2020 22:18, Chris Brzuska wrote: > I see, thanks for clarifying. Obviously, with these requirements, pull > request #336 does not work as is. I think that the conceptual issue of > how to best combine two, three keys and more keys, remains, now with > an additional requirement to combine two keys separately first. > > Will think about it, thanks for clarifying the requirements! > > Chris > > On 24/07/2020 21:47, Richard Barnes wrote: >> Your confusion is understandable -- the document is wrong right now! >> You are correct that the current design prohibits new joiners from >> participating in the PSK proof, but that's a bug, not a feature. The >> epoch secret should verify that *all members of the current epoch* >> know the PSK, not just the ones inherited from the last epoch. >> >> That's why #362 rearranges the key schedule as follows: >> >> init_secret_[n-1] (or 0) >> | >> V >> commit_secret -> HKDF-Extract = joiner_secret >> | >> +--> Derive-Secret(., "welcome") >> | = welcome_secret >> | >> V >> PSK (or 0) -> HKDF-Extract = member_secret >> | >> V >> GroupContext_[n] -> HKDF-Extract = epoch_secret >> >> (I also promoted the GroupContext to the main key schedule.) That's >> the context for my earlier comments. With that picture, the only >> thing you're coalescing with nPRF would be the latter two >> HKDF-Extract calls. >> >> Hope that helps, >> --Richard >> >> >> >> On Fri, Jul 24, 2020 at 2:32 PM Chris Brzuska <chris.brzuska@aalto.fi >> <mailto:chris.brzuska@aalto.fi>> wrote: >> >> Hey Richard, >> >> thank you for looking into this. I think, I need more explanation >> to understand the following point: >> >> >>> You can't add the commit secret and PSKs in the same >> operation, because you want new joiners to put in the PSK, but >> you don't want them to have to know the commit secret. >> >> The current draft sais the following about the PSK: >> "Groups which already have an out-of-band mechanism to generate >> *shared* group secrets can inject those in the MLS key schedule >> to seed the MLS group secrets computations by this external >> entropy. At any epoch, including the initial state, an >> application can decide to synchronize the injection of a PSK into >> the MLS key schedule. This mechanism can be used to improve >> security in the cases where having a full run of updates across >> members is too expensive or in the case where the external group >> key establishment mechanism provides stronger security against >> classical or quantum adversaries." >> >> As I understand this paragraph, the PSK is known by all group >> members and not related to new joiners. Maybe, the requirements >> and/or design changed in the meanwhile, and I am not aware of it. >> I interpreted the paragraph this way, since the current >> construction (posted below for convenience) also requires to know >> the commit_secret to derive the epoch_secret (from which the >> welcome_secret is derived). Where did I go wrong? >> >> Thanks! >> >> Chris >> >> init_secret_[n-1] (or 0) >> | >> V >> PSK (or 0) -> HKDF-Extract = early_secret >> | >> Derive-Secret(., "derived", "") >> | >> V >> commit_secret -> HKDF-Extract = epoch_secret >> >> >> On 24/07/2020 20:53, Richard Barnes wrote: >>> Hey Chris, >>> >>> I was looking again at the key schedule as I was drafting #362 >>> [1]. A couple of things occurred to me: >>> >>> 1. You can't add the commit secret and PSKs in the same >>> operation, because you want new joiners to put in the PSK, but >>> you don't want them to have to know the commit secret. >>> >>> 2. The nPRF construction you propose has the same number of HMAC >>> invocations as the chained-HKDF-Extract stuff that's in the >>> current draft / 362. >>> >>> Given those observations, I wonder how much an nPRF is really >>> buying us. It's not saving us any HMAC calls, and relative to >>> #362, it would only coalesce two DPRF calls into one nPRF call. >>> >>> Maybe there's some benefit if there are multiple PSKs? But even >>> then, it seems like you could add a layer, computing a synthetic >>> PSK from the multiple ones, and keeping the main key schedule >>> simple. >>> >>> At this point, given the above and the novelty of the nPRF >>> construction, I'm inclined to just stick with HKDF and merge >>> #362 instead of #336. >>> >>> --Richard >>> >>> >>> [1] https://github.com/mlswg/mls-protocol/pull/362 >>> >>> On Tue, Jul 7, 2020 at 5:30 AM Chris Brzuska >>> <chris.brzuska@aalto.fi <mailto:chris.brzuska@aalto.fi>> wrote: >>> >>> Thank you for the pointer to Carter-Wegman MACs. >>> >>> >>> This style of combing hash outputs does affect collision >>> resistance [4], and some discussion on relation to that >>> would be nice to see. >>> >>> That's an excellent point. In addition to pseudorandomness, >>> we prove the collision-resistance of our construction. I.e., >>> assuming that no unique value is used twice and assuming >>> that HMAC is collision-resistance, then the final Expand >>> operation guarantees unique outputs. I.e., by including the >>> unique value into the final Expand operation after the xor, >>> the construction recovers from any collisions incurred by >>> the xor. >>> >>> Chris >>> >>> On 07/07/2020 05:41, Hale, Britta (CIV) wrote: >>>> >>>> This is an interesting proposal. It is closely related at a >>>> high level to Carter-Wegman MACs (i.e. for random seed r, >>>> MAC((k1, k2), m) = PRF(k1, r) XOR MAC(k2, m)). Quite a few >>>> MACs fall into this category in practice. Considering the >>>> use of a MAC-based KDF and the proofs of [3] on DPRFs, >>>> there is an overlap between NPRFs and extrapolation of the >>>> above (based on iteration of the PRF guarantees). >>>> >>>> This is worth noting from an assurance standpoint: there >>>> was discussion at the virtual interims with respect to the >>>> current formulation of MLS key derivation, which has a “TLS >>>> precedence”, yet this proposal is not without precedence >>>> itself. Ergo, such a change should not necessarily be >>>> concerning based on differing from current practice. >>>> >>>> This style of combing hash outputs does affect collision >>>> resistance [4], and some discussion on relation to that >>>> would be nice to see. >>>> >>>> Britta >>>> >>>> [1] Carter, Wegman. Universal classes of hash functions. >>>> >>>> [2] Carter, Wegman. New hash functions and their use in >>>> authentication and set equality. >>>> >>>> [3] Bellare and Lysyanskaya. Symmetric and Dual PRFs from >>>> Standard Assumptions: A Generic Validation of an HMAC >>>> Assumption. >>>> >>>> [4] Bernstein. What output size resists collisions in a xor >>>> of independent expansions? >>>> >>>> *From: *MLS <mls-bounces@ietf.org> >>>> <mailto:mls-bounces@ietf.org> on behalf of Chris Brzuska >>>> <chris.brzuska@aalto.fi> <mailto:chris.brzuska@aalto.fi> >>>> *Date: *Tuesday, June 9, 2020 at 10:32 AM >>>> *To: *"mls@ietf.org" <mailto:mls@ietf.org> <mls@ietf.org> >>>> <mailto:mls@ietf.org> >>>> *Subject: *[MLS] Key Schedule: Replace DPRF with >>>> multi-input PRF (NPRF) >>>> >>>> Hi all, >>>> >>>> I would like to open a discussion on a suggestion for a >>>> change in the key schedule. In the current draft, we use >>>> the Extract function twice as a dual pseudorandom function >>>> (DPRF) when combining 3 keys (*) and interleave them with >>>> an Expand call. >>>> >>>> The suggestion [1] is to replace these 3 calls by a >>>> multi-input PRF (NPRF) which is especially designed to >>>> return a pseudorandom key when at least one of the input >>>> keys is pseudorandom. The new suggestion relies on standard >>>> PRF security rather than DPRF-security of Extract. >>>> >>>> You can find the accompanying paper with pictures, >>>> discussion and security reduction for the design principle >>>> here [2]. I include a summary of the main points in the end >>>> of this eMail. >>>> >>>> Please comment/share your opinion. Thanks! >>>> >>>> Chris >>>> >>>> (*) commit_secret, PSK and init_secret >>>> >>>> [1] Pull Request:https://github.com/mlswg/mls-protocol/pull/337 >>>> >>>> [2] Paper: http://chrisbrzuska.de/2020-NPRF.html >>>> >>>> *--------------------------------------------------------------------------------------------------------------------* >>>> >>>> *Summary of main points:* >>>> >>>> The current key schedule >>>> - uses Extract as a dual pseudorandom function and assumes >>>> that HMAC is a dual pseudorandom function >>>> - applies Extract after Expand, i.e., after applying a >>>> function which generates a pseudorandom value >>>> - iterates Extract-then-Expand sequentially to combine more >>>> than 2 keys >>>> >>>> The pull request suggests to >>>> - replace the ad-hoc assumption that Extract is a dual >>>> pseudorandom function >>>> - remove Extract steps when applied after Expand >>>> - use a provably secure NPRF construction which allows to >>>> combine more than 2 keys and is based on a standard PRF >>>> assumption and statistical properties of xor. >>>> >>>> Efficiency: >>>> - The suggested construction has higher parallel >>>> efficiency. It increases the overall number of HMAC >>>> evaluations by 1. >>>> >>>> Assumptions: >>>> - HMAC is a standard PRF. >>>> - Relies on a unique value, the group_context was suggested. >>>> >>>> Construction: >>>> (1) Use unique value to expand each key and xor the result >>>> (2) expand resulting key, including unique value into the >>>> context again >>>> >>>> Security argument: >>>> - Pseudorandomness: unique value ensures that each outcome >>>> of Expand in (1) is used only once in a xor combination, >>>> thus allowing on one-time pad argument of xor. >>>> - Uniqueness of resulting keys: (2) ensures that if HMAC is >>>> collision-resistent, then the result is collision-resistent. >>>> >>>> Variants: >>>> - It is possible to use an NPRF variant called NameNPRF [2] >>>> which has 3 HMAC evaluations more and relies less on the >>>> unique value. I.e., NameNPRF is secure in the same >>>> scenarios as DPRF: Keys only repeat if the input keys >>>> repeat *and* the group context repeats. >>>> >>>> Questions/Comments that came up: >>>> - Barnes, MacMillion suggested group_context as unique value >>>> - MacMillion wondered about removal of Extract: One can add >>>> an extract operation for the psk. For other input keys, it >>>> does not seem needed, since they were returned from Expand. >>>> - Wood: Can we replace HMAC by arbitrary PRF? Yes. For >>>> uniqueness of output keys, the PRF needs to be >>>> collision-resistant, too. >>>> >>>> >>>> _______________________________________________ >>>> MLS mailing list >>>> MLS@ietf.org <mailto:MLS@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/mls >>> _______________________________________________ >>> MLS mailing list >>> MLS@ietf.org <mailto:MLS@ietf.org> >>> https://www.ietf.org/mailman/listinfo/mls >>>
- [MLS] Key Schedule: Replace DPRF with multi-input… Chris Brzuska
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Hale, Britta (CIV)
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Chris Brzuska
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Richard Barnes
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Chris Brzuska
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Richard Barnes
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Chris Brzuska
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Chris Brzuska
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Richard Barnes
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Chris Brzuska
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Richard Barnes
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Chris Brzuska
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Konrad Kohbrok
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Chris Brzuska
- Re: [MLS] Key Schedule: Replace DPRF with multi-i… Richard Barnes