Re: [MLS] Removing ART; maybe adding partial-tree
Richard Barnes <rlb@ipv.sx> Fri, 05 October 2018 20:53 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AD571277D2 for <mls@ietfa.amsl.com>; Fri, 5 Oct 2018 13:53:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E0zxBSPu_yxc for <mls@ietfa.amsl.com>; Fri, 5 Oct 2018 13:53:49 -0700 (PDT)
Received: from mail-ot1-x344.google.com (mail-ot1-x344.google.com [IPv6:2607:f8b0:4864:20::344]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5266C1286E3 for <mls@ietf.org>; Fri, 5 Oct 2018 13:53:49 -0700 (PDT)
Received: by mail-ot1-x344.google.com with SMTP id l1so684563otj.5 for <mls@ietf.org>; Fri, 05 Oct 2018 13:53:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sy6bOGIAQoVc06+OV74cBg1paqV/8Cl/L1oFl4c1NPo=; b=I7VuW8lw/kvb9r5uWdGp2gumlgfoUii9l1FpTPouv0dYVTQunJnLg98ZzxvTLBG8i5 U6jmkii+Xi84cUbyvbKpccR3bKhjsOead1C/TWQAs0szVW948SKL04W7d9Iov/VCWBRW TIh53V3O6ZKttw2RM+W+bh1xJ/JDGSAiu7pMQRq9eVEE6jBVv+CptuoMzy68MLvA7N5w 6z4VN9iZlwbsXMG2zYlG20aCQ1fW/JSHvP2cD63W1BU+nGuJehnC+X1j74q9SXx/yyM8 IT4QRHgpXxEmHV42ZsquZ90SuqWbBtnoAfq4sNHzi6qPl4WaeGfjGgy8YmaoRMJG5xV7 SEpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sy6bOGIAQoVc06+OV74cBg1paqV/8Cl/L1oFl4c1NPo=; b=I/cfnnwsEtYm2r7yxmqjGMgoB0yUc/uSzSHA6u4SJqaTSXmWiqp40c0RxYraGjprcj 73NoQiRmsIYfrmJISPyD+fagveiHmA1couNLmFF+F/1kNQ+J76KJzasTJxPEnhL45815 6R/Cx6W3DqEr1hCltjUaIh/kUb3oSvhQpsTfH7D0wGCzVVck4XS5C/QIBLNsvQrzwOf/ FqxCkTciC6MGCSwwWBey4TRx0qQNJweJH2SP4apjx1Tqyrp7+HnQGUiLckgDlb5dDall I6jgxG0q7acyYykUPfpbMSRPcClXXgRfwxWgu9LUZzbouWZwbGINCCuJZBV6ktaaBO30 DKUg==
X-Gm-Message-State: ABuFfoi9ZXcd0YgPUfL637Aeg8+oINRwElzl7uEbItCL/yY+B2jsKa45 z8ZaNh5FOieR7N+1iYVk8cycu07fiQGzgDYWXvth/Q==
X-Google-Smtp-Source: ACcGV61KWITdQ9vom0CkjxMeyFMxVyH5wG2bxkkIAZDgJcimzvnSuxllZowPE0e2IqBWKCBgKeD9mCprB1M4f0OechQ=
X-Received: by 2002:a9d:42f1:: with SMTP id c46-v6mr6969492otj.331.1538772828464; Fri, 05 Oct 2018 13:53:48 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgSBCnjNMBHa7iJWqOYF_DNh8gUbGS4jsz57rO5=uAM1EA@mail.gmail.com> <CAKHUCzxJ-5UmvA-3_sqNvWApN=zbLMbHTrwwv+-R3m6nS1RXJw@mail.gmail.com> <CAL02cgSJbB5-8z3-PA8Tk3mC8j=uehHVf=p5bmayub=MFLK0bw@mail.gmail.com> <CABdrxL6q-xpdEsQdrsxg-YEPz4ZpSaGxosaDHVCvHm8cwSTMYg@mail.gmail.com>
In-Reply-To: <CABdrxL6q-xpdEsQdrsxg-YEPz4ZpSaGxosaDHVCvHm8cwSTMYg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 05 Oct 2018 16:53:36 -0400
Message-ID: <CAL02cgTTKttbV18DFkhik2jno15qbPu0A-YcjB3aFdwq8Lu9-w@mail.gmail.com>
To: Cas Cremers <cas.cremers@gmail.com>
Cc: Dave Cridland <dave@cridland.net>, mls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d4ba0605778177d0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/P8aJx0HHxItsYJ1Cl4N04UK72so>
Subject: Re: [MLS] Removing ART; maybe adding partial-tree
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Oct 2018 20:53:53 -0000
One additional possibly-nice thing here: Adds can O(1) for existing members. Someone pointed out at the interim (I think Cas or Karthik) that in the Add case, there's no need for the existing members of the group to fold in new entropy into the group secrets, they just need to hash everything forward. This means that the sender of an add doesn't need to encrypt any fresh entropy to the group, and the existing group members don't need to decrypt it. The member sending the Add just needs to send the init_secret for the group to the new member and tell everyone to ratchet forward. Now, this doesn't mean that Adds are free. It's just that instead of paying in units of computation to send/process the message, you pay in terms of future updates being more expensive, due to the ancestors of the new member being blanked. If you have a tree of size N and do M adds, then the next Update/Remove will involve (log(N) + log(N) + M) encryptions/ciphertexts in the worst case. (The extra log(N) comes from existing nodes being blanked out.) That said, if the new node updates quickly, then you're back to a whole tree and only log(N) operations. --Richard On Tue, Oct 2, 2018 at 5:52 AM Cas Cremers <cas.cremers@gmail.com> wrote: > Hi Dave and all, > > I would like to add one thing to Richard's explanation of the > rationale for dropping ART in favor of TreeKEM for now: > > An important implicit assumption is that TreeKEM doesn't seem to offer > less security guarantees than ART. > > However, given that the specification of protocols, threat models, and > properties isn't completely fleshed out, we don't really yet know if > this is true in any formal sense. Analysis is continuing in parallel, > and we might need to backtrack in the worst case. > > This choice is not (and must not be) about efficiency alone. > > Best, > > Cas > > -- > https://people.cispa.io/cas.cremers/index.html > > On Mon, Oct 1, 2018 at 11:15 PM Richard Barnes <rlb@ipv.sx> wrote: > > > > > > > > On Mon, Oct 1, 2018 at 10:34 PM Dave Cridland <dave@cridland.net> wrote: > >> > >> > >> > >> On Mon, 1 Oct 2018 at 19:06, Richard Barnes <rlb@ipv.sx> wrote: > >>> > >>> Hey all, > >>> > >>> At the interim last week, there was agreement to remove the discussion > of ART from the protocol draft and focus on TreeKEM. I have implemented > that change in the following pull request: > >>> > >>> https://github.com/mlswg/mls-protocol/pull/66 > >>> > >> > >> I'm not objecting to the change - I lack sufficient cryptographic > knowledge to express an opinion - but it'd be very useful to read a > synopsis of the reasoning behind it, and a summary of the discussion. I > imagine future participants would find it useful too, and of course, all > decisions need to go by the list anyway. > > > > > > To recap the discussions at the interim, I think the reasons are > basically as follows, in descending order of importance: > > > > 1. ART requires each recipient of a message to do O(log N) DH > operations, where as TreeKEM only requires O(1). This is a significant > difference for large groups / small devices. > > 2. TreeKEM offers the possibility of doing Add/Remove without double join > > 3. TreeKEM offers the possibility of being able to merge Update messages > > > > While I don't think anyone has proved that (2) and (3) aren't possible > with ART, the fact that it's contributive makes them more difficult. > > > > > >> > >> I reviewed the PR for clarity/typos. > >> > >>> > >>> If a couple of folks could give a quick review, it would be > appreciated. I also put together a PR describing how to do the "partial > tree" approach described at the interim and in my earlier message today. > >>> > >>> https://github.com/mlswg/mls-protocol/pull/67 > >> > >> > >> Also reviewed for clarity/typos. I admit I'm mildly confused as to why > adding a node needs to blank the direct path, but at the same time I'm not > sure it makes any difference. (That is, here: > https://github.com/mlswg/mls-protocol/pull/67/commits/7a7cd37aec0ceff773600564b5c9619c3d06a115#diff-a87cc9081154f564150420544170f1c9R1113 > ). That's probably just my lack of understanding somewhere. > > > > > > The reason is symmetric for Add and Remove. > > > > Recall that the invariant property the tree is supposed to have is that > a node's secret value and private key are only known to the holders of > leaves below that node in the tree. For both Add and Remove, you need to > change the intermediate nodes above the target leaf, either to make it so > that the removed member doesn't know them or so that the added member > does. The question is what relationship those intermediate nodes have to > the sender of the Add/Remove -- does the sender know the secret / private > key or not? > > > > On the one hand, if the sender does know the private key, then you have > a "double join" situation, where the sender knows something he's not > supposed to. The phrase "double join" arises from the Add case, since the > relevant intermediate node secrets are known both to the new member and to > the sender of the Add. Effectively, they both occupy the new member's > leaf, which complicates things quite a bit. For example, if you now want > to evict the sender of the Add, you have to also evict the newly added > leaf, etc. In the Remove case, the main impact of the double-join is that > you don't have a true Remove operation, you only have a Take-over > operation. That makes it difficult to imagine how you would ever compact > the tree. > > > > On the other hand, if the sender doesn't know the private key, then the > node has to be blank.. In the Add case, there's no way (AFAIK) to set the > intermediate node values to something that is known to (a) the existing > members under those nodes and (b) the new member, without it also being > known to the sender of the add. So the values that get decrypted to > intermediate nodes during the Add are only for the purpose of computing the > new root secret; the intermediate nodes can't have a non-blank value > without violating the tree invariant. > > > > It may be possible to avoid blanks in the Remove case, but we would have > to modify TreeKEM. You could still do the "hash to the root" trick to > generate the fresh shared entropy for the epoch, but you couldn't just > overwrite the values of the intermediate nodes (as is done now). You would > have to fold in some entropy only known to the existing members. This is > probably worth some thought. > > > > Anyway, hope that helps, > > --Richard > > > > > >> > >> > >>> > >>> > >>> Feedback welcome! > >>> > >>> Thanks, > >>> --Richard > >>> _______________________________________________ > >>> MLS mailing list > >>> MLS@ietf.org > >>> https://www.ietf.org/mailman/listinfo/mls > > > > _______________________________________________ > > MLS mailing list > > MLS@ietf.org > > https://www.ietf.org/mailman/listinfo/mls >
- [MLS] Removing ART; maybe adding partial-tree Richard Barnes
- Re: [MLS] Removing ART; maybe adding partial-tree Dave Cridland
- Re: [MLS] Removing ART; maybe adding partial-tree Richard Barnes
- Re: [MLS] Removing ART; maybe adding partial-tree Cas Cremers
- Re: [MLS] Removing ART; maybe adding partial-tree Richard Barnes
- Re: [MLS] Removing ART; maybe adding partial-tree Richard Barnes