Re: [MLS] KDF instead of hashing up the tree
Konrad Kohbrok <konrad.kohbrok@datashrine.de> Wed, 23 January 2019 15:19 UTC
Return-Path: <konrad.kohbrok@datashrine.de>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A046129AA0 for <mls@ietfa.amsl.com>; Wed, 23 Jan 2019 07:19:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N_46xbVSe-LF for <mls@ietfa.amsl.com>; Wed, 23 Jan 2019 07:19:20 -0800 (PST)
Received: from mx2.mailbox.org (mx2a.mailbox.org [IPv6:2001:67c:2050:104:0:2:25:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75D9C126BED for <mls@ietf.org>; Wed, 23 Jan 2019 07:19:20 -0800 (PST)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [IPv6:2001:67c:2050:105:465:1:1:0]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mx2.mailbox.org (Postfix) with ESMTPS id 04905A180F; Wed, 23 Jan 2019 16:19:18 +0100 (CET)
X-Virus-Scanned: amavisd-new at heinlein-support.de
Received: from smtp1.mailbox.org ([80.241.60.240]) by hefe.heinlein-support.de (hefe.heinlein-support.de [91.198.250.172]) (amavisd-new, port 10030) with ESMTP id 7oPRwGI1gWNQ; Wed, 23 Jan 2019 16:19:11 +0100 (CET)
To: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, Richard Barnes <rlb@ipv.sx>
Cc: Messaging Layer Security WG <mls@ietf.org>
References: <dc702cea-d780-216b-ab8e-1eba99a2bace@datashrine.de> <CAL02cgTdx7_=t9jfZj2iFULFK4x-RSL+J5LrqRN=3co1nSKS7A@mail.gmail.com> <DB120F33-B500-42F2-8117-8883B396B278@gmail.com>
From: Konrad Kohbrok <konrad.kohbrok@datashrine.de>
Message-ID: <7507c820-d574-a570-6aba-c469366cc9c5@datashrine.de>
Date: Wed, 23 Jan 2019 17:19:10 +0200
MIME-Version: 1.0
In-Reply-To: <DB120F33-B500-42F2-8117-8883B396B278@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/T8duuQzF5DcS3s292MP4Hqkq0us>
Subject: Re: [MLS] KDF instead of hashing up the tree
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jan 2019 15:19:23 -0000
Exactly, thanks Karthik!
Say we have the same tree as in the example in 5.4:
G
/ \
/ \
E _
/ \ / \
A B C D
Then A generates a fresh secret X_1secret and derives the following new secrets:
X_1kemkey=HKDF(X_1secret,"kemkey")
X_2secret=HKDF(X_1secret,"parent")
X_2kemkey=HKDF(X_2secret,"kemkey")
X_3secret=HKDF(X_2secret,"parent")
X_3kemkey=HKDF(X_3secret,"kemkey")
A then sends E(pk(B), X_2secret) to B, E(pk(C),X_3secret) to C and
E(pk(D),X_3secret) to D.
Hopefully that makes the idea a little clearer. Sorry for the terrible notation.
Konrad
On 23/01/2019 16:59, Karthikeyan Bhargavan wrote:
> If I understand correctly, Chris and Konrad are not suggesting changing the secrets.
> Instead, they are suggesting that H(.) be implemented as something like:
>
> H(x) = HKDF(x,label=”parent”)
>
> where x is the tree secret for the current node.
>
> Similarly, when generating the KEM private key for a node, we use
>
> KGEN(x) = HKDF(x,label=“kem key”)
>
> This would be a good way of making sure that each key in the protocol is
> independent, but at no additional cost.
> Am I understanding this correctly, Konrad?
>
>> On 23 Jan 2019, at 15:29, Richard Barnes <rlb@ipv.sx <mailto:rlb@ipv.sx>> wrote:
>>
>> Note this is a little bit expensive in terms of message size; it changes the
>> size of an update from log(N) to log(N)^2. It does not change the number of
>> DH operations
>>
>> This is because you have to send the fresh secret for each intermediate node
>> in the tree to all its descendants. Comparing the secrets you generate in
>> each case, from leaf to root, along a path of depth 3 with S0 at the leaf:
>>
>> Current: S0, S1 = H(S0), S2 = H^2(S0), S3 = H^3(S0)
>> Proposed: S0, S1 = KDF(T0, S0), S2 = KDF(T1, S1), S3 = KDF(T2, S2)
>>
>> Where T* are the fresh secrets called for here. This doesn't change to whom
>> you encrypt things, but changes what you encrypt to each copath node:
>>
>> Current -> Proposed
>> S1 -> S1, T1, T2
>> S2 -> S2, T2
>> S3 -> S3
>>
>> (This is of course because you need to enable each recipient to compute up the
>> tree.) So there's your log->log^2.
>>
>> This discussion is not to say that I'm opposed to this idea. It just looks
>> like it has some non-negligible cost, so we should make sure we know what
>> we're getting for that cost.
>>
>> --Ricahrd
>>
>>
>>
>> On Wed, Jan 23, 2019 at 8:58 AM Konrad Kohbrok <konrad.kohbrok@datashrine..de
>> <mailto:konrad.kohbrok@datashrine.de>> wrote:
>>
>> Hey everyone,
>>
>> I just discussed the current draft with my advisor Chris Brzuska and he
>> came up
>> with a suggestion that I thought I'd just quickly relay here. As I have only
>> started following the discussion recently, I apologize if this was already
>> brought up in the past.
>>
>> In terms of key separation, wouldn't it make for a cleaner design, if we
>> used a
>> KDF instead of a hash function? Instead of generating a new leaf-node secret
>> and then hashing it to compute the new secret for the parent node, it would be
>> better to generate a new secret and then from that secret independently (i.e.
>> with different labels) compute the new leaf secret and the new secret for the
>> parent node. This key independence would also make the proof easier. In
>> terms of
>> overhead, this would mean two KDF operations instead of one hashing operation.
>>
>> Cheers,
>> Konrad
>>
>> _______________________________________________
>> MLS mailing list
>> MLS@ietf.org <mailto:MLS@ietf.org>
>> https://www.ietf.org/mailman/listinfo/mls
>>
>> _______________________________________________
>> MLS mailing list
>> MLS@ietf.org <mailto:MLS@ietf.org>
>> https://www.ietf.org/mailman/listinfo/mls
>
- [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Richard Barnes
- Re: [MLS] KDF instead of hashing up the tree Karthikeyan Bhargavan
- Re: [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Richard Barnes
- Re: [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Benjamin Beurdouche
- Re: [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Benjamin Beurdouche