Re: [MLS] question about group contexts and deriving epoch secrets

Hubert Chathi <hubertc@matrix.org> Tue, 09 February 2021 23:46 UTC

Date: Tue, 09 Feb 2021 18:44:30 -0500
From: "Hubert Chathi" <hubertc@matrix.org>
To: mls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/ObvupGtbEpD_Pzp5bdB1jRqf5N0>

On Tue, 9 Feb 2021, at 04:56, Raphael Robert wrote:
> I think “new GroupContext” and “provisional GroupContext” are synonyms.

I'm not so sure about this.  The "provisional GroupContext" is created after applying the proposals (line 2532), but before the UpdatePath is applied to the tree (line 2559).  Whereas, from what I understand, new members are only given the tree after the UpdatePath is applied, which would give a different tree_hash and hence GroupContext.  I don't know if I'm just misunderstanding something.

> Creating the Commit:
>  - Use the confirmed transcript hash (old intermediate transcript hash combined with new commit content from current MLSPlaintext)
>  - Create new provisional GroupContext with new provisional epoch (old epoch + 1), new tree hash (after proposals were applied to old tree) and confirmed transcript hash from above
> 
> Applying a Commit as an existing member:
>  - Same as creating a Commit
> 
> Joining a group from a Welcome message:
> - Create GroupContext with epoch from GroupInfo, tree hash from GroupInfo and confirmed transcript hash from GroupInfo
> 
> Does that answer the question?
> 
> If you think the spec is wrong/confusing feel free to file a PR.

Yes, once I manage to understand what's going on, I plan on filing a PR.

> 
> Raphael
> 
> > On 9. Feb 2021, at 00:45, Hubert Chathi <hubertc@matrix.org> wrote:
> > 
> > When deriving the epoch secret, you do "ExpandWithLabel(., "epoch", GroupContext_[n], KDF.Nh)", so you need a GroupContext.  As far as I can tell, there appears to be a contradiction about which GroupContext to use: in the "Key Schedule" section (Line 1404), it says to use "The GroupContext object for current epoch", but in the "Commit" section under the part talking about a group member who applies a Commit message (Line 2660), it says to use the provisional GroupContext.  (The part talking about the group member who creates the Commit message doesn't say which GroupContext to use.)  If we are supposed to use the "new" GroupContext (after applying both the proposals and the update), but if we are supposed to use the provisional GroupContext, then I don't think that a new member has access to the tree_hash or confirmed_transcript_hash to create the GroupContext needed to derive the epoch secret.  So it seems like the "new" GroupContext should be correct, but Line 2660 is pretty explicit about using the provisional GroupContext.
> > 
> > _______________________________________________
> > MLS mailing list
> > MLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/mls
>
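
The dependency this thread turns on, as an added example that is not part of the original messages or of the MLS draft: the epoch secret is bound to every field of the GroupContext, so a member who uses the tree hash taken after the proposals and a joiner who uses a tree hash taken after the UpdatePath would derive different epoch secrets. The byte encoding, the "mls10 " label prefix, the SHA-256 based KDF, the helper names and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

NH = 32  # KDF.Nh for a SHA-256 based KDF (assumed ciphersuite)

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) over HMAC-SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def vec(data: bytes) -> bytes:
    """Length-prefixed byte string (simplified encoding, an assumption)."""
    return struct.pack(">I", len(data)) + data

def group_context(group_id: bytes, epoch: int, tree_hash: bytes,
                  confirmed_transcript_hash: bytes) -> bytes:
    """Serialize the GroupContext fields named in the thread."""
    return (vec(group_id) + struct.pack(">Q", epoch)
            + vec(tree_hash) + vec(confirmed_transcript_hash))

def expand_with_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    # Label prefix and field layout are assumptions, not the draft's wire format.
    info = struct.pack(">H", length) + vec(b"mls10 " + label.encode()) + vec(context)
    return hkdf_expand(secret, info, length)

# Constructed sample values; real ones come from the key schedule and the tree.
PRIOR_SECRET = hashlib.sha256(b"constructed prior secret").digest()
TRANSCRIPT = hashlib.sha256(b"constructed confirmed transcript hash").digest()
TREE_AFTER_PROPOSALS = hashlib.sha256(b"tree after proposals").digest()
TREE_AFTER_UPDATE_PATH = hashlib.sha256(b"tree after UpdatePath").digest()

def epoch_secret(tree_hash: bytes, epoch: int = 5) -> bytes:
    """ExpandWithLabel(., "epoch", GroupContext_[n], KDF.Nh) for one GroupContext."""
    ctx = group_context(b"constructed-group", epoch, tree_hash, TRANSCRIPT)
    return expand_with_label(PRIOR_SECRET, "epoch", ctx, NH)

def compare() -> tuple:
    """(members with the same context agree, differing tree hashes agree)."""
    member = epoch_secret(TREE_AFTER_PROPOSALS)
    same_view = epoch_secret(TREE_AFTER_PROPOSALS)
    joiner = epoch_secret(TREE_AFTER_UPDATE_PATH)
    return member == same_view, member == joiner

if __name__ == "__main__":
    print(compare())
```
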