Re: [MLS] Proposal: Proposals (was: Laziness)

Richard Barnes <> Fri, 23 August 2019 22:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id F1A0512000F for <>; Fri, 23 Aug 2019 15:48:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Y1dlvjRrw-v8 for <>; Fri, 23 Aug 2019 15:48:21 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::32d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 173D512001E for <>; Fri, 23 Aug 2019 15:48:21 -0700 (PDT)
Received: by with SMTP id j7so10197120ota.9 for <>; Fri, 23 Aug 2019 15:48:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AmvqX2KvRh1tgJx3ihScCg0+mZT0DHm68i9o5lPV/5k=; b=BZpLaua6wr4f40G1Wzm/YnA+RdrldArRiJGg93agkQHG3dSAYoEwJ1YhxcYYzU+iQZ tmU/6KKWCH2nUm4AKOMJK8jMeCExo0sOUFCo9Omt4YjDgQ7HgZTw8H+YDsftYRvnQ4bI 1dZmTXQ0sjo1ZZe8pX1IZEeSrNBwlyz6AjndeNbXLDw349jqEEqnerSMpGvPTyTvw6f5 Ph8eQQbyC8MglGt4aXWWIWIipfL6CPvPR6ggDwD95XtSgFl4FnxcEqzs/S3GZslzjJP/ +36i4Lje9ByHzltHIcA3jjrfbYopNd3KqedJYa/9xH1z4HbvkAT6/FzMVsN0RdUJJ+ME Heqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AmvqX2KvRh1tgJx3ihScCg0+mZT0DHm68i9o5lPV/5k=; b=jRl3gwJo8y4tMDEkx797vsAjMqv43zJ+Kw1eoCCh3pzSLdDKxA/z3//cVg2qngvV4a 6eQtKz2dS1fsjMLtBkYAVnmmyluMo/n6LXRh0vXrPpD62JK0Uy0Wd7IijA1ifl2AR4lA Xm1kGdg7Gst8veiUApZ5xTa4/zw5+2eXnJO8UFgmv77j9T5ZwFJHyV0FCE6PN2u0lC8r 5MbtYcsh+GVR3WWK9Ml3N9UF3xIMIbMaw8TW3zzGm0m1XuhfWOO5ki0e6FcnxvUY00ks vbqjNqFoRn4YbW4qtZVcrRpVtlmeD7tl5ZfnxUo9YEi4PiM3oOh0I27i8qf01sarqACW GuFQ==
X-Gm-Message-State: APjAAAUK29SpjH8XgArsw4xfxFowetmSdqZz95KngajEqrQYy6S9HUBa ypL1GWTIIHOC+VGblxVtJ1RiJfZVqQArbS+po/NJ/A==
X-Google-Smtp-Source: APXvYqymOuryqF2VdEqdo22Wl8bDmTbaqmZ3zONgSKwsiIlLNhLjXmJNzk9bulD2CGjo05njy6ZhJfo/lDLVMtqFchY=
X-Received: by 2002:a9d:7c87:: with SMTP id q7mr6269059otn.241.1566600500270; Fri, 23 Aug 2019 15:48:20 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
From: Richard Barnes <>
Date: Fri, 23 Aug 2019 18:48:01 -0400
Message-ID: <>
To: Karthik Bhargavan <>
Cc: Stephen Farrell <>, Messaging Layer Security WG <>, Raphael Robert <>
Content-Type: multipart/alternative; boundary="00000000000052edf90590d09a67"
Archived-At: <>
Subject: Re: [MLS] Proposal: Proposals (was: Laziness)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 23 Aug 2019 22:48:24 -0000

Just to confirm I understand, the key exchange protocol in this conception
would be something like, at each epoch:

1. KEM a secret to some set of people whom you believe to be the current
members of the group
2. Send that KEM'ed value out to the group together with a description of
the current membership
3. KDF the KEM'ed secret together with the prior epoch secret to get the
new epoch secret
4. Use the new epoch secret to generate a confirmation over the current
state of the group

Where the KEM in (1) would be something like TreeKEM or just "encrypt to a
list of public keys".  Then the proposals would just be a way for people to
sync up on who the current members of the group are (by leaf key).

The major thing I would be worried about in such a split is how it would
deal with authority over changes, which affect the authentication
properties of the protocol.  The current Proposals proposal maintains the
property that everyone agrees on the proposals and can verify that they
were proper, e.g., only the holder of a leaf can update that leaf.  If we
sever the connection between the proposals and the top-level transcript
entirely, then I'm not sure how you would continue to assure that, say, the
sender of a Commit didn't just swap out Joe's leaf key for the NSA.

I agree that there is degree of separation here (since, e.g., it's easy to
imagine swapping in a "list of keys" KEM for TreeKEM).  But it seems like a
fairly high degree of coupling is necessary to maintain authentication.


On Fri, Aug 23, 2019 at 1:22 PM Karthik Bhargavan <> wrote:

> Hello All,
> It seems to me that one way to think about “laziness” would be to cleanly
> separate the MLS key exchange into two different protocols.
> The first is a “classic” authenticated synchronization protocol where
> members of a group can create and modify a shared data structure (in this
> case, the group membership tree).
> The second is a novel key establishment protocol where some member of the
> group generates a fresh group secret that will be delivered only to the
> current members computed from the (current) group state.
> Currently the first and second protocols are tightly interleaved: every
> time the group data structure is modified by some member (or admin), that
> member must also generate and distribute the fresh group secret.
> The laziness proposal can be thought of as detaching the two protocols:
> the key establishment protocol can follow group modifications with some
> delay.
> So rather than trying to add “laziness” to the existing protocol, should
> we try to do this detachment in a principled way by defining two
> independent sub-protocols?
> It would have the advantage that we may be able to consider other designs
> for synchronization and key establishment, which may well be orthogonal
> concerns.
> In our model of MLS, we can already factor out the protocol in this way,
> but it makes the security invariants a bit harder to express in a
> user-friendly way.
> Still, I would prefer to compose proofs for simpler sub-protocols rather
> than try to prove security for a single complex protocol with lots of
> options.
> Best,
> -Karthik
> On 23 Aug 2019, at 10:48, Richard Barnes <> wrote:
> On Fri, Aug 23, 2019 at 10:21 AM Stephen Farrell <
>> wrote:
>> Hiya,
>> On 23/08/2019 15:10, Richard Barnes wrote:
>> >
>> > I'm not clear on what you mean by "meaningfully handled by members".
>> >
>> I'm assuming that MLS protocol data will likely be
>> handled by a library. ISTM more likely that such a
>> library might default to, or be carelessly used to,
>> honor anything the server proposes if this is an MLS
>> protocol feature rather than an application layer
>> feature. That'd be an example of not meaningfully
>> handling this:-) We have seen similar kinds of
>> failure with applications and TLS libraries in the
>> past where certs aren't checked etc.
> Oh I see.  That would actually be a pretty difficult policy to implement,
> at least without turning off authentication altogether, at least in the
> envisioned protocol.  By which I mean:
> - Right now, clients are expected to maintain a list of members' signing
> keys
> - So signers are just indicated by their index in that list
> - The obvious way to add non-member signers is to reserve a block of
> indices (say 0xFFFFFFxx) that can correspond to application-specific
> entities
> - Then clients need to get configured with which server keys go with which
> reserved indices
> Assuming we go in that direction, the natural, "I don't care about
> server-initiated stuff" library design would be to just not implement any
> special handling for those reserved indices, in which case you'll reject
> anything from the server.  I would expect a library that does anything else
> to have an API for the configuration required in the last point.
> The obvious screw-up case would be, "Treat a signature from the reserved
> block as trusted".  But that's actually a little hard to implement; because
> the public keys aren't provided, you would have to also not do any
> signature verification at all, which means you're now totally open to the
> world.  Hopefully that would raise some red flags for developers.
> So it's not impossible to screw up, but not trivial either.  At least if
> you want to maintain authentication for group members.  If you turn that
> off too, I don't think we can save you.
> --Richard
>> I do accept the argument that it can happen at the
>> application layer if not defined in the MLS protocol,
>> but doing this kind of thing at the application layer
>> seems safer to me.
>> It's also not clear to me that all MLS applications
>> would need this feature. (That may be true, I just
>> don't know.) If they don't, then again, it seems to
>> be more conservative to leave it to applications.
>> I agree that there are sharp edges however this kind
>> of thing is done though.
>> Cheers,
>> S.
> _______________________________________________
> MLS mailing list