Re: [MLS] Efficiency and "Ampelmann trees"
Raphael Robert <raphael@wire.com> Tue, 25 December 2018 21:47 UTC
Return-Path: <raphael@wire.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A7DF130E1B for <mls@ietfa.amsl.com>; Tue, 25 Dec 2018 13:47:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wire-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j_WSV63YKCEk for <mls@ietfa.amsl.com>; Tue, 25 Dec 2018 13:47:17 -0800 (PST)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B197123FFD for <mls@ietf.org>; Tue, 25 Dec 2018 13:47:17 -0800 (PST)
Received: by mail-ed1-x52e.google.com with SMTP id b14so12127622edt.6 for <mls@ietf.org>; Tue, 25 Dec 2018 13:47:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wire-com.20150623.gappssmtp.com; s=20150623; h=from:mime-version:subject:date:references:to:in-reply-to:message-id; bh=a2utZgslc5pqCi0j9F7IQCVO313wgO+6sfTeAu/D6Ak=; b=X7wxjp8mwd5XvRM17R0+NStHzILPhK6Uik2K/lUjwUsbU5ip6CjmTIDl61XPJsqdlD vIXA1ZNnVtQwYoJseufCI2np3IFJHa4G//wqFW38ByDT6KHgvkl/yi/7djO0iPgUJKBN vDW56WsuDs6KKb2HvWz+GSYKQpMQZTDvuEVtbyg9x+d1rqKcnQ/UPUI/Gplx9cwEq2h8 /9BIsVKg3EoqQEtjQ1KkRg7a6N10u6MxMwPwDRbGSms3ipmVksnO6OulVdScFInXdbUe i2uSXIpDFPAJRDY1fLNV/nLQbLR9r7MhDSD3YLjHtFMnYpi5ENs70bJJTP1fIme0u01d Yflw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:date:references:to :in-reply-to:message-id; bh=a2utZgslc5pqCi0j9F7IQCVO313wgO+6sfTeAu/D6Ak=; b=aWmj8/M9sefLnMLL9Rxed51R0Xy+p/PL1abGxX3SkVQgu6l8s2iQwasYinEE1pB/U4 8F040rrpCi1kyE5SiVbcMAKqMHy3pBs+by5KiTYr9Xx+IEFbXgE0AHaKKSvURe8HOOZi yr9ZB7BUMAV6kdRRndSha3ngbKXlljO9rRfwSFEZdZCoarO2b3LVikaw/4zhJDO1wqt1 gwQt1wApuCpBjSREoWxCIQ4Ty+8n/eZiALaraUxpbIbbzxDTzcZBiGNWwaTia0R0UwOF wUO+oJNNCfKB/hQDC0JbeaLm0mFYZY1jGcrrJ+DD/9sxN3ovNPY3TdIbCnNOuxUrlwe8 Iq5g==
X-Gm-Message-State: AA+aEWZO4aCIxqYlfwhR/LUGQ7PwAhkcKw/aonum0+qPDiMYIapU1GNH 1l7ysbsoMGvmPHu3ZLsv0v+YlCdez1lWZISW
X-Google-Smtp-Source: AFSGD/VyqTM8QqaQOa6ELC/xnFq4EHJdYQ4KVJnyO6Hzx6uuXoPhnTa+DH5rABu3j4guDQtkcZe5tQ==
X-Received: by 2002:a17:906:f24a:: with SMTP id gy10-v6mr11792990ejb.64.1545774435202; Tue, 25 Dec 2018 13:47:15 -0800 (PST)
Received: from dynamic.wline.6rd.res.cust.swisscom.ch ([2a02:1205:34c1:3788:fc75:e919:1b16:501b]) by smtp.gmail.com with ESMTPSA id c38sm10235558edb.15.2018.12.25.13.47.13 for <mls@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 25 Dec 2018 13:47:14 -0800 (PST)
From: Raphael Robert <raphael@wire.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3F79570D-A5C4-407C-B2FB-69B9C0884987"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Tue, 25 Dec 2018 22:47:12 +0100
References: <CAL02cgS5zgH0y=6n+Yoks17yGO+pma-J3nouKL+znvKEOSSVCA@mail.gmail.com>
To: mls@ietf.org
In-Reply-To: <CAL02cgS5zgH0y=6n+Yoks17yGO+pma-J3nouKL+znvKEOSSVCA@mail.gmail.com>
Message-Id: <9C4BE735-74B6-4B97-A718-DBBAC2901E46@wire.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/PUGd_HnRgmeLRWDu2ZVV5DuQ0E4>
Subject: Re: [MLS] Efficiency and "Ampelmann trees"
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Dec 2018 21:47:21 -0000
Hey Richard, I think this could work the way you intended it. My understanding of this is that we use the (second?) preimage resistance of the hashing algorithm to make it impossible for the server to forge arbitrary values anywhere in the (co)path it provides to clients. I think your assumption is right that the data requested from a server is indeed either a direct path or a copath. What both have in common is that they start at the leaf level and include one node from each level — all the way to the root. This means the server just has to provide the sibling of each node as proof. The hash values could be computed by the server, as long as the commitment is part of HS messages (this could be either implicit in the group state, or sent as an explicit value). For the sake of simplicity, couldn’t we simplify the node hash to H(L || R || V) instead of H(H(L || R) || V) ? For leaf nodes, the values for R and L would probably just be null, effectively only the public key of the node would be hashed. For blank nodes, we can maybe think of a mechanism similar to node resolution to compute the values of R and L. If L is blanked, and LL and LR are its children, we could substitute L by (LL || LR). This would have to be recursive as long as at least one child node is blanked. Alternatively, L could be substituted by H(LL || LR), if that provides additional security. This might be more in line with the per-level hashing we would do if there were no blank nodes. In the extreme case of a tree that only contains leave nodes and no intermediate nodes (and we don’t do the per-level hashing mentioned above), the root hash value would be H(H(V_A) || H(V_B) || H(V_C) || …) where V_x are the values of the leaf nodes. Is that the other layer of math you had in mind? Happy Holidays! Raphael > On 24 Dec 2018, at 16:53, Richard Barnes <rlb@ipv.sx> wrote: > > Hey all, > > At the last IETF meeting, we had some discussion about the efficiency of the protocol. On the one hand, having endpoints ship around the whole tree and keep it in memory seems like a bad bit of linearity; can't we just have the server track that stuff, and have the clients download slices of the tree as needed? On the other hand, you need to make sure the server doesn't lie, which requires some complicated hashing. This email has some thoughts about how complicated the hashing needs to be. > > Recall that in order to do the group operations, an endpoint needs the following parts of the tree: > > - Add: Frontier == Copath of position N+1 > - Update: Copath of the endpoint's own leaf > - Remove: Copath of the removed node's leaf > > So we need a scheme for computing a commitment to the tree (which can go in the GroupState/Welcome) such that it's easy to prove a copath. > > You could do this with a Merkle tree over the nodes of the ratchet tree, but it's kind of inelegant. The commitment would obviously be the root of the Merkle tree. It's less clear how best to prove a copath, but it is possible: The requester knows the indices in the tree of the copath nodes, so in the worst case, the server could provide log(N) individual proofs for those nodes (each of size log(N)). > > In thinking about this a bit, it seems you could improve on this by aligning the hash tree structure to the tree structure you're verifying. Merkle trees assume there are no values at the intermediate nodes of the tree; let's just hash them in: If an intermediate node has value V and child hashes L and R, then set the value of the node to: > > H(H(L || R) || V) > > (instead of H(L || R) in the Merkle tree case). If you do that, then I think you get copath proofs of size 2 * log(N) instead of log(N)^2. The attached figures (assuming they survive remailing) illustrate how this works. (I've been calling these "Ampelmann Trees", for their resemblance to the famous indicators in Berlin [1]) > > Now, even assuming this scheme works, it isn't a total solution to the problem. Given that we have blanks in the tree to avoid double-joins, we're going to need a way to handle blanks in the proof algorithms. Pretty sure it's still possible, but will require another layer of math. Likewise, it would be nice if an endpoint could keep its view of its own copath up to date based on Handshake messages alone, which isn't currently possible (it requires the whole tree). > > So there's plenty still to discuss! Suggestions welcome, either here or at the interim in a few weeks. > > Happy Holidays! > > --Richard > > > [1] https://en.wikipedia.org/wiki/Ampelm%C3%A4nnchen <https://en.wikipedia.org/wiki/Ampelm%C3%A4nnchen> > > > > <Dirpath Proofs.pdf><Hashing Structure.pdf><Ampelmännchen!.pdf><Copath : Frontier Proofs.pdf>_______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls
- [MLS] Efficiency and "Ampelmann trees" Richard Barnes
- Re: [MLS] Efficiency and "Ampelmann trees" Raphael Robert