[MLS] question about group contexts and deriving epoch secrets

Hubert Chathi <hubertc@matrix.org> Mon, 08 February 2021 23:46 UTC

Return-Path: <hubertc@matrix.org>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 048F43A16E1 for <mls@ietfa.amsl.com>; Mon, 8 Feb 2021 15:46:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Level:
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=matrix.org header.b=RX2FJhAR; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=i0MXCKHX
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e4rt0bqt09VM for <mls@ietfa.amsl.com>; Mon, 8 Feb 2021 15:46:02 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC04E3A16E0 for <mls@ietf.org>; Mon, 8 Feb 2021 15:46:02 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 0E3125C00CA for <mls@ietf.org>; Mon, 8 Feb 2021 18:46:01 -0500 (EST)
Received: from imap22 ([10.202.2.72]) by compute1.internal (MEProxy); Mon, 08 Feb 2021 18:46:01 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=matrix.org; h= mime-version:message-id:date:from:to:subject:content-type :content-transfer-encoding; s=fm1; bh=GsO47i2SPkTDislMY9vQzamI9D sX7Ms7liXEdu19ZWQ=; b=RX2FJhARPG73fV5z4Qg7H5jWf22glO2981VAVzfQRU 3IzqrfP36GkEKU9ixwDb0dkPFkX6i7vIGUYIxMYmMTt9WBY5beeDn1uHISIayfe1 0JHTxrmxCUhZfP+z0CDatL5KMABggBfNQbsC3OANJzTe95zgFiiEQaXnsEk8+lWc FUGK5ytVGACKbsejG3M2kCOAa8VvXBZEFtnBt+td3j1CDJRzyVlHVhavJwhaYM4e tQrZLm2J9N7s0uH+LpxOl1c+1g54HZtMua73EGlogTQ7V/ic5muRP4E6CRxHNeid j0bAE3kmqbRJUqVUIbRKomKcTpscn5kA2NTO9pYpRr1Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:message-id:mime-version:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=GsO47i 2SPkTDislMY9vQzamI9DsX7Ms7liXEdu19ZWQ=; b=i0MXCKHXxjuSqtwpDSv0x/ CQhxO5+Q7dfx5mBf8+twqcvj7FXjXNriCR47Jpkoa2FKa0Ep9F2R1DDeaJ1B+cRo zbnK4ga9bD4h2rQBDFwReidKBhtVm+aRHgsufhmS4H+mdz3B6Eb+mJckVYgDHBA9 GApwfhSwxUINX6fZNDIcOmahC/m8R4PcWJVO6RI/E81RVIcTj1ZgmTx9iO4vcEp+ eKUyjCyjeBFa/KOmXbtpmqXYc1BQbKrLFwcKUZHNR4tdgD+Rh/F7k/xto7jt2TWq mGIsIdo2hQwON601//YEXUg2gOvr+CF5gbDDTJpOhj9Fo0xW4nlUOqQG/Kg4O54w ==
X-ME-Sender: <xms:OM0hYOChOiCEu3Nvkdapf2S5Ag1JHzK2ENZj-MelFFMZtbILmESyAQ> <xme:OM0hYIhI3CjyAAOWTEGLkoiIw9SD7V1CbMCzdBccHCgUGRGLWqxgkgMRGaZBndhgt Mt8XC0rCsL2FNJYaPY>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrheeggddugecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkfffhvffutgfgsehtqhertd erredtnecuhfhrohhmpedfjfhusggvrhhtucevhhgrthhhihdfuceohhhusggvrhhttges mhgrthhrihigrdhorhhgqeenucggtffrrghtthgvrhhnpefhffeiteevjefffeeuveethf egheetjedvfeeugeeiueduledtfefgheevkeeikeenucevlhhushhtvghrufhiiigvpedt necurfgrrhgrmhepmhgrihhlfhhrohhmpehhuhgsvghrthgtsehmrghtrhhigidrohhrgh
X-ME-Proxy: <xmx:OM0hYBlqtRNuSp9Reo3zwu69phVYTKa6rJpsIjmOy9HSUV_9ewZSsA> <xmx:OM0hYMwOgCMksrKSCMFXOeAOZvhhwE_iCdp6AqILh9-GLaVB3pcC5g> <xmx:OM0hYDRZJfMY5gj5UdT2H_AWAVJX-4qW8CE7qrPsvEFw2Z3geZ1YIg> <xmx:Oc0hYOfYhnczPfjlDyYH1qJMwC9DXEzJMR97UM0ZoDA8GaZnNAYRag>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 7B84D62C0062; Mon, 8 Feb 2021 18:46:00 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-93-gef6c4048e6-fm-20210128.002-gef6c4048
Mime-Version: 1.0
Message-Id: <107abb03-e620-43ed-ac75-034ab6ed1ff4@www.fastmail.com>
Date: Mon, 08 Feb 2021 18:45:31 -0500
From: "Hubert Chathi" <hubertc@matrix.org>
To: mls@ietf.org
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/NMNIUkOs6SY4oqRNh8GbeEKY1w4>
Subject: [MLS] question about group contexts and deriving epoch secrets
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2021 23:46:04 -0000

When deriving the epoch secret, you do "ExpandWithLabel(., "epoch", GroupContext_[n], KDF.Nh)", so you need a GroupContext.  As far as I can tell, there appears to be a contradiction about which GroupContext to use: in the "Key Schedule" section (Line 1404), it says to use "The GroupContext object for current epoch", but in the "Commit" section under the part talking about a group member who applies a Commit message (Line 2660), it says to use the provisional GroupContext.  (The part talking about the group member who creates the Commit message doesn't say which GroupContext to use.)  If we are supposed to use the "new" GroupContext (after applying both the proposals and the update), but if we are supposed to use the provisional GroupContext, then I don't think that a new member has access to the tree_hash or confirmed_transcript_hash to create the GroupContext needed to derive the epoch secret.  So it seems like the "new" GroupContext should be correct, but Line 2660 is pretty explicit about using the provisional GroupContext.