Re: [MLS] Re-randomized TreeKEM

Brendan McMillion <> Fri, 18 October 2019 17:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5DF0E12011F for <>; Fri, 18 Oct 2019 10:49:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NatiYwaZrrx5 for <>; Fri, 18 Oct 2019 10:49:00 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 756981200F8 for <>; Fri, 18 Oct 2019 10:49:00 -0700 (PDT)
Received: by with SMTP id 205so4330437pfw.2 for <>; Fri, 18 Oct 2019 10:49:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=SENqneeVArgojE7c0mezLqd0SVJk59mkwLmWygZXbFA=; b=SuPj/SWbHdQTZc/8BxIGmEJ4tov96zOlJCINQZNB+AN90rZBkSzL6SpKL25oroSc5B 0bQXsK6aqNkdFPXzhooiQGj6madn1xFBjg2kWet/LQ/qMLBgyqy9YzL3JvbHlHiAehgw j6L8GKfASKIssNThnTCAefccwVBjm1fCjUNRA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=SENqneeVArgojE7c0mezLqd0SVJk59mkwLmWygZXbFA=; b=XoEumGqfM3Tes/YWnxmp+UmNvHit+eaySnsCiZtzsUvjDwHU06amufDemsZO1z/Y3f 55ljyPSa52H3AJC4qWh56DOnaGDYXRhqApy4Wh32ht+6DgIw5nG83DX00+d5qPQxhsyc qO/28W9sjzNfrOtZ8jPEFi037Q9FgyIRzrJ5Aqnkoz6dMRTkVg3aLqSQgCexgNTZihMP kPK8wry6v2rpV0NgsmQ+rNjq0S6Ww1/Plyg2n+og03si51VIJEek1WKhbuL6TB5VSRv2 W7jolhAvrYIWjfIaVbIay59a0ZpHOFTSMVOnO5zwZAOgyeS0J193Ll42ZdOb77yctuZh xqCg==
X-Gm-Message-State: APjAAAUGIw+xBGlGUGJNfWzK+lpEQKxnT4lCxDyZSSv94Jeax08G7WGW ZZ3Gerevox0v9qHZCL+f1CD/Vw==
X-Google-Smtp-Source: APXvYqzxdOscjz4fLkEQ9EuJucyyVz3VSPuKYfamrB4K3XrbU81uJg9yG9DD2fFVT+gVFEV+8WzDUQ==
X-Received: by 2002:a63:4b0f:: with SMTP id y15mr11783834pga.161.1571420939614; Fri, 18 Oct 2019 10:48:59 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id x139sm8926609pgx.92.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 18 Oct 2019 10:48:57 -0700 (PDT)
From: Brendan McMillion <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E0250104-3F91-4CB3-B7B7-049CDF0DAF11"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 18 Oct 2019 10:48:55 -0700
In-Reply-To: <>
Cc: Messaging Layer Security WG <>
To: Joel Alwen <>
References: <> <> <> <> <>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <>
Subject: Re: [MLS] Re-randomized TreeKEM
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 18 Oct 2019 17:49:05 -0000

Hey Joel

This is a pretty subtle topic so I want to state the assumption that my conclusion is based on upfront: RTreeKEM achieves FS and PCS after a single Update (and all users come online and process the update), while normal TreeKEM requires everyone in the group to Update before achieving the same security guarantee.

This actually makes TreeKEM more attractive to me because it encourages implementors to keep the Update frequency high, and it provides an explicit signal to the group that everyone has processed every update. With TreeKEM, the policy would be “everybody Updates at least once per day”. But with RTreeKEM, the equivalent policy is “at least one person Updates every day” which isn’t as strong, because you don’t know whether or not everybody came online that day and processed the one Update.

And if you have a high Update frequency, I don’t think the security properties of TreeKEM and RTreeKEM are materially different. But RTreeKEM has costs like being harder to implement, and restricting what algorithms we can use.

It’s on this basis that I’m opposed to including RTreeKEM in the spec.

> On Oct 17, 2019, at 8:18 AM, Joel Alwen <> wrote:
> I think the challenge with the hash-forward approach is how to do that
> homomorphically. I.e. what we need are two algorithms; one to refresh
> the PK without knowing the SK (but possibly knowing a secret
> rerandomizer delta if needed) and one to update SK (again possibly using
> delta). So to use a hash-forward approach their must be:
> 1) a way to evolve PK forward to PK' and
> 2) a *one-way* method to evolve SK forward to SK' compatible PK'.
> One-wayness is what gives us Forward Secrecy and "compatibility" between
> the two key evolution methods is what allows for asynchronous (i.e. 1
> packet) updates.
> Currently we use a secret re-randomizer delta to ensure the SK update
> method is one-way. That is, without the delta you cant "undo" the
> update. But that would break if we (at least naively) used some public
> delta, say hash(ciphertext). So I think this is the challenge that we'd
> have to overcome. Basically, make sure we SK evolution is one-way but
> also compatible the public evolution of PK.
> Now one way sweet way to get all this (and more) would be to use a HIBE.
> Initial, PK for a ratchet tree node (i.e. its "identity" since this is a
> HIBE now) is simply the empty vector PK := () while the secret key is
> the master public key for a fresh HIBE instance SK := MSK. We also
> include, as a second component of the nodes PK, the master public key
> PK_0 = MPK. To "hash forward" / "re-randomize" when sending a ciphertext
> C to that node we can do:
> PK' := (PK, hash(C)).
> SK' := DeriveHIBEKey(PK, SK).
> So simply append hash(C) to the identity for that node and derive the
> corresponding HIBE key.
> Ignoring the problems with using HIBE for a second, this is a very cool
> solution. We don't need to send out the updated PK since everyone in the
> group (and even the adversary) can compute it for themselves. We also
> dont need a re-randomize delta as part of the plaintext because we're
> using delta := hash(ciphertext) so the plaintext is shorter again.
> Moreover, HIBE security means that learning SK' doesn't tell you
> anything interesting about SK. In particular, we have forward security.
> (In fact, FS will hold even if hash(C) were chosen *completely*
> adversarially, say, as part of a malicious update in an insider attack!)
> Of course, the problem with this solution is that we're using HIBE.
> Worse, with unbounded depth because each new ciphertext sent to a node
> results in going one depth further into the hierarchy. AFAIK all HIBE
> constructions have pretty horrible (read exponential) efficiency as a
> function of their depth. (And I won't mention the state of
> standardization and open implementations for HIBE.)
> Now there could be a totally different approach that entirly avoids
> HIBE. But even with this approach there's at least some glimer of hope
> to improve on it because, if we don't wory about insider attacks we can
> assume C is honestly generated which means hash(C) really has a ton of
> entropy. So we dont seem to need the full expresivity HIBE identities
> allow us. Rather we only need HIBE for "random" identities. Still, that
> seems like a pretty slim hope for major efficiency improvement. It also
> doesn't do anything to address the lack of implementations and standards.
> - Joël
> On 17/10/2019 16:37, Karthik Bhargavan wrote:
>> Thanks Yevgeniy,
>> This helps a lot.
>> To further my understanding, another question:
>>>  Intuitively, the sender will not only encrypt the message, but also a
>>> random Delta value. It will change public key using homomorthism by
>>> multiplying with g^Delta (in specific DH based scheme), while the
>>> recipient will decrypt Delta (using old secret key), and add it to the
>>> old secret key to get there new one. So now corrupting (old sk plus
>>> Delta) will not help decrypting the ciphertext just decepted, emailing
>>> forward secrecy. 
>> I see that in the DH-based scheme, this Delta needs to be private,
>> otherwise the adversary can compute sk once it knows sk+Delta.
>> But, in general, is it possible to conceive of a UPKE scheme where the
>> recipient effectively “hashes forward” its symmetric key,
>> where this one way hash-forward function does not have to rely on an
>> externally chosen secret value?
>> Best,
>> Karthik
>>> This is the high level, hope it makes sense.
>>> Thanks for your question,
>>> Yevgeniy
>>> On Thu, Oct 17, 2019, 1:43 AM Karthik Bhargavan
>>> <
>>> < <>>> wrote:
>>>    Hi Joel,
>>>    This looks very interesting. It is new to me since I was not at
>>>    the interim.
>>>    After reading the paper and the slides, I am still a bit fuzzy
>>>    about what the recipient of an update needs to do.
>>>    For example, for the running example in your slide deck, it would
>>>    help if I could see:
>>>    - what secret keys does each leaf need to keep
>>>    - how do these secrets change when an update from some other node
>>>    is received.
>>>    Just working this out for one update is enough.
>>>    I know that this is made precise in the eprint, but it would be
>>>    faster if you could help us understand it :)
>>>    Best,
>>>    Karthik
>>>> On 16 Oct 2019, at 23:51, Joel Alwen < <>
>>>    < <>>> wrote:
>>>> <FS-TreeKEM.pdf>
>>>    _______________________________________________
>>>    MLS mailing list
>>> <> < <>>
>>> <>
>> _______________________________________________
>> MLS mailing list
>> <>
>> <>
> _______________________________________________
> MLS mailing list
> <>
> <>