Re: [MLS] reusing HPKE keys from welcome messages

Richard Barnes <> Fri, 17 April 2020 14:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6FB8A3A0AD8 for <>; Fri, 17 Apr 2020 07:40:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5xtUmBWFh6OT for <>; Fri, 17 Apr 2020 07:40:45 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::734]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 984773A0AD5 for <>; Fri, 17 Apr 2020 07:40:45 -0700 (PDT)
Received: by with SMTP id 20so2554684qkl.10 for <>; Fri, 17 Apr 2020 07:40:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vsR8PgL41Yg2kT/kLzfBuWx2nzKHgcFsYEF8BBNbnvw=; b=sWJjl7zWmM/s8sZsJJE2SwU587UP17O9Chgav7T2/tPOltS+dImf4fKNCVeYkMXRWe V09J7xpp0W3YqSZQPDyxWea2QF3x9eSKKwhPx7EOoszVmKB6+mqX/ocvTf9ewfiIcdLl ZUkMHa7baWrW7hs+V+bKRYflrZpnycSoWq+V0vuUFXxDYU4ElwpAkRF3mdC8kYLDUp64 EXKvLoA00TAJRhNEbeZSwd6D7m5zcq8QqydB94AW3r+fQ/XLEHfrwlSJ9D9HfqIiEb4c HKcQ5lINEE5ou1Ka4cQHd/yOFCgNLDb51quGXvBCXB/vFJaLU18x8zwjVksv0AgbEjkW ENKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vsR8PgL41Yg2kT/kLzfBuWx2nzKHgcFsYEF8BBNbnvw=; b=bCG7SWqta3JdxxHF3n7c0RG1pCBOY+TzesGQoJuZUu6rli/dRxBWBObNOBnUnuxojZ f5RHI8lEkCyCLOaYXPeCcEBi+NAvSLeHhtQreTDtZxl5V7Kja7EC+ChGCIHcXvlQTt++ aOf3vAhiQ7z29rIJ/Ni2Fg0YU/wXEz8p/rNokEoXt/CHhBiJxpQ8ou+FakR+c17pSIR3 nkBCjRzrF2Y4GW54ZzLjG9SKwXfYsEAnqRftsv9fV3n94ZnBA0kwGkTlnEN6T7AnxXpl GVWEcmnm9q7QsvM6Wk7S8q5uvlmIpPkrnoOqRykXFhb471S8A4DWKubo4IOVa+AhZcmr 8SzQ==
X-Gm-Message-State: AGi0PuYhnoK0gI7UoAnGtHIx3mkzdQzlaCe3UTwOMI2/1+VrdCk/rv33 l6M3kLfa0M+DZE3BuAn1pG57MVJxuWwiBZ9wcj3nw14i
X-Google-Smtp-Source: APiQypKhfjjPoqborYiKxVv4mt0uPV6sH6IA+kxrzaDnw7ZyFGCxZhVEzD3dm9dWC3wsACQcqTbOlVQLraDIYnAGqX4=
X-Received: by 2002:a37:9f4a:: with SMTP id i71mr3529804qke.132.1587134444104; Fri, 17 Apr 2020 07:40:44 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Richard Barnes <>
Date: Fri, 17 Apr 2020 10:40:26 -0400
Message-ID: <>
To: Joel Alwen <>
Cc: Messaging Layer Security WG <>
Content-Type: multipart/alternative; boundary="000000000000c07d3405a37d88cd"
Archived-At: <>
Subject: Re: [MLS] reusing HPKE keys from welcome messages
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 17 Apr 2020 14:40:48 -0000

This seems like a reasonable trade-off in terms of performance.  There are
some mechanical issues to address because we use the same KeyPackage struct
for initialization and for leaves in the tree.  In particular, if we have
both "WelcomeKey" and "LeafKey" in the package, we probably don't want the
leaves to keep making new WelcomeKeys forever.

I think that's adequately addressed, though, by just putting the WelcomeKey
in an extension, and requiring that extension to be present in KeyPackages
used for initialization.

Alternatively, it seems like this issue could be papered over operationally
if a member updates on joining.  That would push the expense to join time
instead of KP generation time.  I don't think this is a great trade-off,
though, just wanted to document it.


On Fri, Apr 17, 2020 at 3:48 AM Joel Alwen <> wrote:

> Hey Everyone,
> Sandro Coretti and I have a few suggestions. To keep threads on the list
> topic
> specific I'm putting the suggestions in separate emails so please excuse
> the
> spam. Here goes.
> Issue: HPKE Key Reuse
> Suppose Alice (commits to a proposal that) invites Bob to a group. For
> this she
> uses a Key Bundle for Bob with an HPKE pub key in it. That pub key has 2
> functions (and correct me if I'm wrong here). On the one it becomes the
> HPKE key
> in Bob's leaf in the new ratchet tree. On the other hand, the Welcome
> message to
> Bob is also encrypted to that HPKE key.
> Problem: Bob must keep around the corresponding HPKE secret until he
> updates or
> leaves the group. Thing is, that same HPKE sec key lets you reprocess that
> welcome message. Ergo, until he does an update we have no FS for all MLS
> epochs
> after his join. (See PS. at end of email for more.)
> Proposed Solution: Separate HPKE keys for welcome message and initial leaf
> key.
> E.g. Key Bundles registered on the Key Server have two HPKE keys. One for
> the
> welcome message only and the other used as new leaf's HPKE key. As soon as
> Bob
> processes the welcome message he deletes the HPKE key he used for it.
> Thoughts?
> - Joël & Sandro
> PS. For those familiar, this is basically a special case of the FS issues
> with
> TreeKEM we address with RTreeKEM in eprint/2019/1189. But normally attacks
> on
> the FS of some TreeKEM epoch msg still requires u to somehow know the
> previous
> epochs init_secret. Thats why, normally, FS attacks on TreeKEM "only"
> translate
> to PCFS attacks on MLS. But for the welcome message variant that's
> different.
> The whole point of the welcome message is to bootstrap from that one HPKE
> secret
> key all the way to full-state MLS (including current key schedule). So the
> attacker no longer needs an extra init_secret if they leak that one HPKE
> secret
> key. Thus, this goes from the usual PCFS attack for MLS to being a plain
> FS one.
> _______________________________________________
> MLS mailing list