IETF Logo Mail Archive

Re: [MLS] ART Ideas in TreeKEM

"M.A.L. Weidner" <malw2@cam.ac.uk> Wed, 27 February 2019 14:13 UTC

Return-Path: <malw2@cam.ac.uk>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1059130DE7 for <mls@ietfa.amsl.com>; Wed, 27 Feb 2019 06:13:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=universityofcambridgecloud.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d1AmfppjMn6k for <mls@ietfa.amsl.com>; Wed, 27 Feb 2019 06:13:30 -0800 (PST)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50138.outbound.protection.outlook.com [40.107.5.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0876A12F1AC for <mls@ietf.org>; Wed, 27 Feb 2019 06:13:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=UniversityOfCambridgeCloud.onmicrosoft.com; s=selector1-cam-ac-uk; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=T8Rp+rZ8ybk7tXTcTCmpXMLjR+wzMVbyWhW0DtdUbX0=; b=d2nzUO8u4ns/Yblb5rql3NWWfDLFKlfTxoD1yLcWqwSeWnBQyxn9I5Os6uUGRir6yIy+OSFno+fdIl2Bfi59AfkGxlYxZjq0YU3jbs0DKm9y/hzVgk3l+0wvnrEqfBQagSAmChtkUO93jexSl//u4Keiqxl9ej+npkRAa1c83pc=
Received: from AM5PR0801MB1281.eurprd08.prod.outlook.com (10.167.216.144) by AM5PR0801MB1971.eurprd08.prod.outlook.com (10.168.158.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1643.18; Wed, 27 Feb 2019 14:13:26 +0000
Received: from AM5PR0801MB1281.eurprd08.prod.outlook.com ([fe80::a425:8068:2b75:8f47]) by AM5PR0801MB1281.eurprd08.prod.outlook.com ([fe80::a425:8068:2b75:8f47%3]) with mapi id 15.20.1643.019; Wed, 27 Feb 2019 14:13:26 +0000
From: "M.A.L. Weidner" <malw2@cam.ac.uk>
To: Raphael Robert <raphael@wire.com>
CC: "mls@ietf.org" <mls@ietf.org>, Richard Barnes <rlb@ipv.sx>
Thread-Topic: [MLS] ART Ideas in TreeKEM
Thread-Index: AQHUzVJJoSxk3lmKTky1XqgDJ73oyA==
Date: Wed, 27 Feb 2019 14:13:26 +0000
Message-ID: <CADSARUuAiWt0b8A7XcAPMA08GE3RmW0M9zzqr_Scdrh4Rp4AXQ@mail.gmail.com>
References: <CADSARUs6Qt5srOTYGe6otaVfUZQK56+HZgVJpzhssh8ad1Ux+w@mail.gmail.com> <CAL02cgS3VfEx7YCOw6Zc-ejMKE35Lzkt20+6e8UOGAq2LgpbGQ@mail.gmail.com> <BFE54756-A69C-4493-BE0A-CF3DFA1D6599@wire.com>
In-Reply-To: <BFE54756-A69C-4493-BE0A-CF3DFA1D6599@wire.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: AM6P193CA0033.EURP193.PROD.OUTLOOK.COM (2603:10a6:209:3e::46) To AM5PR0801MB1281.eurprd08.prod.outlook.com (2603:10a6:203:1e::16)
x-ms-exchange-messagesentrepresentingtype: 1
x-gm-message-state: APjAAAWNqCruyR2QAb3rwsYoGq7L515vygC1YpeCGXLlQpkxnnlu2Iz9 ZHt7shCJjZyH+q2pN/Afq2PRVmGeIy+HZLdf5Ac=
x-google-smtp-source: APXvYqxnJJfjumo6B88BTmnnK3RMkSkd8BNlZf3pBWShi9V1RIBBi5OwGlhFFl9pNTz1NoDznu3Oke7FodMd1BnUE/w=
x-received: by 2002:a5d:574b:: with SMTP id q11mr2489627wrw.41.1551276804881; Wed, 27 Feb 2019 06:13:24 -0800 (PST)
x-gmail-original-message-id: <CADSARUuAiWt0b8A7XcAPMA08GE3RmW0M9zzqr_Scdrh4Rp4AXQ@mail.gmail.com>
x-originating-ip: [209.85.221.49]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e80f1afa-5fdb-4335-ff09-08d69cbdbd5d
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:AM5PR0801MB1971;
x-ms-traffictypediagnostic: AM5PR0801MB1971:
x-ms-exchange-purlcount: 1
x-microsoft-exchange-diagnostics: 1;AM5PR0801MB1971;23:ptapa1Jpzg/2fAYbbvaN+lGR5d3UNXh9sydGK/WhH+ySjBgFToxBBJp4t94yEbzlSMgsHuhHo/u5mNPRY+vm7CrQfC7zjsXPvl41mMsZsOPwBzEfmY0rPAXJT2ZOGg5dUP0jJWwFJ+xH0ZYxrUhx9EfxrcwlBOgVeg7h/18d96lCmp37sl4MzdUGkkHDtOLZSKoAfPXyGtLyyxr2oQUPVlHAub/OYu+WGynsbooZEibCBnCXZ6oKId1P2HIupw+nq1+79rH2AtNflqvg3Ujiu2nv8JE12cBFDQKP4seQ02+zpUPv8lpevE4CEVSv1ilZLdYyXOrjEP6LgnaEe3xA6qRgqcWwfsKlJ3vP67TH7LZnmODKJNvEraNMvWTWRNtNmUV/oyDnGZYCWwevdrIMx8FzCejeHFyDCiQQh5uspV8WdVbh7tl6mYvj765x3In1w0dehspZAb7577U6RQFIYoQx7hG99Srv3xf6YdhK+hBK1B4GH5IH1yO1znLYOE0vU1AwQDEabUWkbaMnCmoIQY1eVR4utQLo9hFtZ41LPPuO7Hk7pUuJ9rbVpTeHHKs85FyacYb+o/1HBsZPlHMlyM1LdNKXfB640ikyHODQckkiGRZvmZylDWzxLrX3mdCMlr4KDsEXjlJyzpiQT1rZxbdG9R0Ls/a1GmBhn6CSBqshYm4fbj9/d7+lDUGWDH7Uv3ApFXOR8fr34rEY82Xnp4pmESteYLOHCM+iXq+MvvyOqrwjc8OTAYIIYaUL7h+rCCN5dPkxwFXFZCOMRdOSLaGkmOtoZu8+IRPFyUS/BE8rUPrXBkKlLqqV44BAzZ0DpSvV+CaWcLEjfH+3tWfyC9UpQVyr8g5TREMGz4fSd75lAHYm7nTc9ZlE023ARK9oGbmDchAjC2KT8b1OyYyFq6PxLmzENGlyJTSd3F0GfxBczTrA68uU0TNdu/m1UG/ek/JDwtQQ371dQd/5zsjOmZMqPmUwanDvx4lOqJ6MYuE3wCIxMfavIzJPCmo2TBVvZ613RhxhQFfanmYMtdkvOex2105Am0nxNPH8YXeQPRcFxn3Q6XyWLveVJFSVlZEtpLJKcxSrMpS8saQgg2mBeygCzO2eoQcYRO39tcz+kahp/GMgbZa3d84PcBNFFcEFjlI+mxvfZsr5GLn5Cl1WTMrwKNYSO+WVk4sK/WMs4nX6fNHskLXZI0vxT4FA526iSRLRNMvVi8wS/DTA9WNtc0/0uO74FoSkmpb/PPnpHrgF2bocJ89gQyH0WvlPvWxau+YlSEJE6vmdgeOq5ZN4JyeS68qvtEpCpBTwkggq1+2enPlqpUudvB+1Ios4Zrpvt1KzSg6OxFB9kEiXSLx2HE0403bRmL4mO8iWoi6iNF1bk+bpQgjgw3unGJZZ/QPN0RgDA+oJ3OqRUcU2y9tc8u37ibl8O2B90yTsi1ll1W2ZekDSTm5mD7+UwoaQ8E97ywYUwFEQXbjWbQswt7CyWo4Y06o/mis7UBMwUwHX13pJ56rF+ZR5wUPRMIWamm+8QLCrjIDDv+4CsQx//jLUETWU5oIAuBQyWOexgoXFKS4=
x-microsoft-antispam-prvs: <AM5PR0801MB197100C394C0E7E611CF7B43AC740@AM5PR0801MB1971.eurprd08.prod.outlook.com>
x-forefront-prvs: 0961DF5286
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(136003)(366004)(39860400002)(396003)(376002)(346002)(189003)(199004)(52314003)(51914003)(6246003)(97736004)(6486002)(6506007)(386003)(6436002)(966005)(478600001)(236005)(14454004)(6512007)(54896002)(6306002)(53936002)(9686003)(99286004)(102836004)(61266001)(6346003)(52116002)(76176011)(2906002)(95326003)(71200400001)(71190400001)(256004)(14444005)(7736002)(8936002)(305945005)(53546011)(5660300002)(8676002)(55446002)(86362001)(81156014)(81166006)(498394004)(61726006)(4326008)(6862004)(25786009)(486006)(5070765005)(54906003)(26005)(68736007)(6116002)(105586002)(74482002)(186003)(786003)(316002)(229853002)(476003)(106356001)(66066001)(3846002)(446003)(11346002)(561944003)(606006); DIR:OUT; SFP:1102; SCL:1; SRVR:AM5PR0801MB1971; H:AM5PR0801MB1281.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cam.ac.uk does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=malw2@cam.ac.uk;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: yUP+WqgeBdY6rwx3JlgS7eQWqoNl+UGmXTdx2r8GFM/A6KW9O414G1MbesjyjT2IT39+HF3X5n73Lok4p2FSwfHNjlQ80hwo9Slh8ElXDwoHwpHutz0hlm3GX3BRW4bzIIxctgoPWd1lgLGrX4Y1bezXmXQumMktvqX1sDUHqWqg652BE1knCojMdTObJlcx5Aw9IecdiSOdJfVRaSa3jUvGsGvlh4EQW1mEx3ofh6/HbD8wohwIWrjpOjuEv8QGcoFDMZmOuPZuL0uI5dIJrjE3mP6H1hN+X9jOiKZ/ibbau6UIA5+LpIkW/Bx7ZaFMgt3IKodi7MPzYy91Vw79ORx4jbARP6+9URsERYLBmgjlww/DTLAXGByprH1laRlcPIzCTp/C+zpzpI9rcvV3ieXfzJbfLyDpsT04sI+oW6M=
Content-Type: multipart/alternative; boundary="_000_CADSARUuAiWt0b8A7XcAPMA08GE3RmW0M9zzqrScdrh4Rp4AXQmailg_"
MIME-Version: 1.0
X-OriginatorOrg: cam.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: e80f1afa-5fdb-4335-ff09-08d69cbdbd5d
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Feb 2019 14:13:25.9299 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-id: 49a50445-bdfa-4b79-ade3-547b4f3986e9
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5PR0801MB1971
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/ItmP4Xp7PrsFiQ-fa5tSUcQoMPA>
Subject: Re: [MLS] ART Ideas in TreeKEM
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 14:13:34 -0000

Hi Richard and Raphael,

> Would it be accurate to summarize your proposal as a "hybrid mode", where when you update:
> - If both of a node's children are populated, then you do an "ART step", generating the parent from the children
> - Otherwise, you do a "TreeKEM step", encrypting the next secret to the resolution of the other child
That's a good way to describe it.  One extra detail is that if two updates both affect a node, you choose one update to win and set the new secret to be what it would have been given that update alone, instead of doing DH on both new children.

>The hunch is that TreeKEM is roughly an order of magnitude faster for average operations in MLS.
Yes, that seems like a good argument against it.  In principle we have a tradeoff between bandwidth and CPU cost, but in practice the bandwidth cost is small (perhaps 1 KB/update?) while this CPU cost is large, unless we are in an unusually network-constrained environment.

Best,
Matthew

On Tue, Feb 26, 2019 at 9:01 AM Raphael Robert <raphael@wire.com<mailto:raphael@wire.com>> wrote:
Hi Matthew,

One of the convincing reasons we saw when looking into ART vs. TreeKEM was that the recipient of handshake messages can process them with O(1) DH operations with TreeKEM as opposed to O(log n) with ART. This sounds like a small difference at first, but we believe that it makes a big difference in real life scenarios. Clients will mostly process handshake messages (particularly in large dynamic groups), but only rarely send them. The hunch is that TreeKEM is roughly an order of magnitude faster for average operations in MLS.
If we go back to O(log n) DH operations to derive the root secret we would lose the speed advantage.

Raphael

On 25 Feb 2019, at 23:07, Richard Barnes <rlb@ipv.sx<mailto:rlb@ipv.sx>> wrote:

Hi Matthew,

Thanks for the thoughts.  Would it be accurate to summarize your proposal as a "hybrid mode", where when you update:

- If both of a node's children are populated, then you do an "ART step", generating the parent from the children
- Otherwise, you do a "TreeKEM step", encrypting the next secret to the resolution of the other child

(Remove is probably similar; for Add there's no change needed.)

Assuming that's right, this honestly doesn't sound like a tremendously compelling proposition to me.  Your evaluation on the overhead seems mostly correct, but there have already been some complaints on the list about hashing overhead, so I'm not sure trading DH+smaller_messages for hashing is going to suit.  I'm also worried that this hybridization will introduce a bunch of new complexity into the protocol and make it harder to implement and analyze.  Open to arguments if other folks are enthusiastic, though.

--Richard







On Mon, Feb 25, 2019 at 4:37 PM M.A.L. Weidner <malw2@cam.ac.uk<mailto:malw2@cam.ac.uk>> wrote:
Greatings MLS Working Group!

I have been studying the proposals for TreeKEM, and earlier, ART, and noticed a way to use ART's DH tree ideas in TreeKEM, without sacrificing the ability to merge updates or use blank nodes.  My apologies if this has been discussed before or if there are any mistakes.

My main motivation here is to reduce the size of update messages, since the key encrypted keys in addition to new public keys means that they are ~2x as large in TreeKEM as in ART.

Basically, we use TreeKEM, but with ART's key derivation "as" H(X).  That is, when a node C1 gets the new secret X, instead of H(X), its parent gets the new secret

H2(DH(X, priv(C2))) = H2(pub(C2) ^ X) = H2(pub(X) ^ priv(C2))

where C2 is the neighbor of C1, for some hash function H2.  Since TreeKEM is agnostic about H, we can "define"

H(X) := H2(DH(X, priv(C2)))

in this way without issue, noting that the only users who will have to compute H2(DH(X, priv(C2))) are descendants of C1 (who know X) or C2 (who know priv(C2)).

We can merge updates as with "pure" TreeKEM, choosing one update to dominate at nodes where they conflict.  This will cause the tree to cease being a DH tree, which is fine.  Note that descendants of C2 will have to keep around priv(C2) for a short time after it is overwritten in case of simultaneous updates (so that they can compute the parent secret), but that is true for TreeKEM anyway, since any simultaneous update will send data encrypted under pub(C2).

Blank nodes can be handled by reverting to pure TreeKEM: if a node with new secret X has a blank neighbor, set the parent's secret to H(X) and send that separately to every public key in the resolution.

Now instead of including

pub(X), Enc(pub(C2), H(X))

in the RatchetNode struct for node C2, we need merely include pub(X), saving bandwidth.

Pros:
  - reduces the update message size by about 50% in the typical case (I think).
  - we can build a ternary tree using 3-party Joux DH (as with ART), giving a further log_3(2) ~ 0.63 scaling on update message size.  (I think it's possible to do this with pure TreeKEM as well, by replacing the ephemeral DH exchange with a Joux DH when doing asymmetric encryption.)

Cons:
  - forced to use a DH style cryptosystem (bad for post-quantum?) (as with ART).
  - need log(N) DH operations to compute the new key, instead of log(N) hashes (as with ART).  So this is a bad deal if CPU cycles are more expensive than bandwidth.
  - can also reduce bandwidth by 2 just by ratcheting half as often.

I hope you may find this interesting.

Best,
Matthew Weidner
MPhil student, University of Cambridge
_______________________________________________
MLS mailing list
MLS@ietf.org<mailto:MLS@ietf.org>
https://www.ietf.org/mailman/listinfo/mls
_______________________________________________
MLS mailing list
MLS@ietf.org<mailto:MLS@ietf.org>
https://www.ietf.org/mailman/listinfo/mls

v2.23.0 | Report a Bug | By Email