IETF Logo Mail Archive

Re: [MLS] KDF instead of hashing up the tree

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Wed, 23 January 2019 14:59 UTC

Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1089B130E6D for <mls@ietfa.amsl.com>; Wed, 23 Jan 2019 06:59:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DelkEXSwtcWF for <mls@ietfa.amsl.com>; Wed, 23 Jan 2019 06:59:51 -0800 (PST)
Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F825124C04 for <mls@ietf.org>; Wed, 23 Jan 2019 06:59:51 -0800 (PST)
Received: by mail-wm1-x336.google.com with SMTP id g67so2245185wmd.2 for <mls@ietf.org>; Wed, 23 Jan 2019 06:59:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=nK2SnMw0B5MeCy4W3xb1lWnO9jWZEJVyd4fIpOfGGl4=; b=fsc/TH8bZM7ss9wj637/ojC8Zvx4ZGYBLqfZmT2vg8YzkLxhYP2iHoRjTBLj0UPcCA 1CP9ANjuDoBRm0dNjSRD6QAyNNMyVSn4DlZY130Ha5EDOjGy0To9iwKLEr4E4V0elLFx Tl8+v9QHC2IxdqIkoBe/aXv8JKkmNteOyZW05mdVDP6MknNR+tisxZKTKqp9tHSjr7IP sTql9QMA4JbDnwLGfhq9eNL/S8j0mP+vIPdLOYwkkx0QzBPk6WTTOZRu+G46Y2G435XP 5EH2+frP8Cw38YTtovbfXrY0sw8DBKo0A3SSt/ZAwJIMlKyG7N3MnPOfRb52dlAZbpmZ UrlQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=nK2SnMw0B5MeCy4W3xb1lWnO9jWZEJVyd4fIpOfGGl4=; b=Q8QkkoDJFUIZkf5O+vMr+HMigzrVgQh3hgjuDJeG8ipBDCa6kkffrpiYuAyWx8dWh0 NBL6ccJzN5QVnUajsflH4h65l0rvC6NuVjBJJUqmIv1c/lh1hi6jHjf9m4u5a4jARqem OOvH5Mlrmg5op4yFbw+1rsNfvnJQx51+5oDIPMw7YJFUdKlYVkCNbCpCrL6/VRvl5sm0 qFUHW3tMJFFpeLrO71z47Z2VLlrLxWvMsE3VA4i7qE6NoOSNRIfGTRsRwkRor2pf3wsV nfN7cNdaM7o8NA3BjKFKDQCcKLG3SETuMS1dXRESZgzWSSGnruIS91HoIvEBWYCybvEW DFiA==
X-Gm-Message-State: AJcUukcd72BxGoYznvqyyH/q7fXIJ4gZNbb+l2TwrK6zLvU9qDUHOUy1 d9EP+6NQbpbyeBsUa7GtQ1b9NoDx
X-Google-Smtp-Source: ALg8bN7LyTv/KzzDPVO0yUPmLso+ByCgy6dF0MWObV72OvkAH8wBv+yQ0oMYVm6yNvsOVWCUWKVMCA==
X-Received: by 2002:a7b:cb86:: with SMTP id m6mr3037631wmi.61.1548255589678; Wed, 23 Jan 2019 06:59:49 -0800 (PST)
Received: from [192.168.0.67] (89-156-93-25.rev.numericable.fr. [89.156.93.25]) by smtp.gmail.com with ESMTPSA id i186sm71673717wmd.19.2019.01.23.06.59.48 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 23 Jan 2019 06:59:49 -0800 (PST)
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Message-Id: <DB120F33-B500-42F2-8117-8883B396B278@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2D664F46-B4DC-4942-A3DF-99F67B536EFA"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Wed, 23 Jan 2019 15:59:47 +0100
In-Reply-To: <CAL02cgTdx7_=t9jfZj2iFULFK4x-RSL+J5LrqRN=3co1nSKS7A@mail.gmail.com>
Cc: Konrad Kohbrok <konrad.kohbrok@datashrine.de>, Messaging Layer Security WG <mls@ietf.org>
To: Richard Barnes <rlb@ipv.sx>
References: <dc702cea-d780-216b-ab8e-1eba99a2bace@datashrine.de> <CAL02cgTdx7_=t9jfZj2iFULFK4x-RSL+J5LrqRN=3co1nSKS7A@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/WMw71_9qCG8STOVkGZExuF2IAJ8>
Subject: Re: [MLS] KDF instead of hashing up the tree
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jan 2019 14:59:54 -0000

If I understand correctly, Chris and Konrad are not suggesting changing the secrets.
Instead, they are suggesting that H(.) be implemented as something like:

H(x) = HKDF(x,label=”parent”)

where x is the tree secret for the current node.

Similarly, when generating the KEM private key for a node, we use

KGEN(x) = HKDF(x,label=“kem key”) 

This would be a good way of making sure that each key in the protocol is independent, but at no additional cost.
Am I understanding this correctly, Konrad?

> On 23 Jan 2019, at 15:29, Richard Barnes <rlb@ipv.sx> wrote:
> 
> Note this is a little bit expensive in terms of message size; it changes the size of an update from log(N) to log(N)^2.  It does not change the number of DH operations
> 
> This is because you have to send the fresh secret for each intermediate node in the tree to all its descendants.  Comparing the secrets you generate in each case, from leaf to root, along a path of depth 3 with S0 at the leaf:
> 
> Current: S0, S1 = H(S0), S2 = H^2(S0), S3 = H^3(S0)
> Proposed: S0, S1 = KDF(T0, S0), S2 = KDF(T1, S1), S3 = KDF(T2, S2)
> 
> Where T* are the fresh secrets called for here.  This doesn't change to whom you encrypt things, but changes what you encrypt to each copath node:
> 
> Current -> Proposed
> S1 -> S1, T1, T2
> S2 -> S2, T2
> S3 -> S3
> 
> (This is of course because you need to enable each recipient to compute up the tree.)  So there's your log->log^2.
> 
> This discussion is not to say that I'm opposed to this idea.  It just looks like it has some non-negligible cost, so we should make sure we know what we're getting for that cost.
> 
> --Ricahrd
> 
> 
> 
> On Wed, Jan 23, 2019 at 8:58 AM Konrad Kohbrok <konrad.kohbrok@datashrine..de <mailto:konrad.kohbrok@datashrine.de>> wrote:
> Hey everyone,
> 
> I just discussed the current draft with my advisor Chris Brzuska and he came up
> with a suggestion that I thought I'd just quickly relay here. As I have only
> started following the discussion recently, I apologize if this was already
> brought up in the past.
> 
> In terms of key separation, wouldn't it make for a cleaner design, if we used a
> KDF instead of a hash function? Instead of  generating a new leaf-node secret
> and then hashing it to compute the new secret for the parent node, it would be
> better to generate a new secret and then from that secret independently (i.e.
> with different labels) compute the new leaf secret and the new secret for the
> parent node. This key independence would also make the proof easier. In terms of
> overhead, this would mean two KDF operations instead of one hashing operation.
> 
> Cheers,
> Konrad
> 
> _______________________________________________
> MLS mailing list
> MLS@ietf.org <mailto:MLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/mls <https://www.ietf.org/mailman/listinfo/mls>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls

v2.23.0 | Report a Bug | By Email