Re: [MLS] UPKE and Epoch Forward Secrecy

Yevgeniy Dodis <> Thu, 31 October 2019 20:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B44DB12024E for <>; Thu, 31 Oct 2019 13:43:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KPjNuXcremte for <>; Thu, 31 Oct 2019 13:43:35 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 84B3512004D for <>; Thu, 31 Oct 2019 13:43:35 -0700 (PDT)
Received: by with SMTP id z10so6668908ilo.8 for <>; Thu, 31 Oct 2019 13:43:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NUOirXvKtDEripYWYhRGr8i6QRFn8uVGpvzung9pDI8=; b=Fy3XkCdgQN6AXsoCQ4FMjAYOTp4ZfJOOEqyVWpMLrAN1L2vkOtQfm2YHUG2hiH/u2I XZQh/oWsq/qNckFZY0cVunT9SAsSrLYTrZJQlxSqIo1uwX1QoXuZ5vZE706UpI2mZlTt f5PiJXJ/Tk/1chXD8xPpPkivhO1W684y4jPmW5nWP0BBULTyV0Yn5+qEsfjjdsJYqjkw DPEFY0DaR/J5BAy+Yy3ojyO9lJuCJOwy9TRLkx/sa58aDg/UDS3/TJgoDA0gn3jJv7sI A8IiBIECfeFzaThHs72us5MiIFc0pAIuYGVs/uymePVP1vNnBlKNRbGBL89W/2tecyWd CouQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NUOirXvKtDEripYWYhRGr8i6QRFn8uVGpvzung9pDI8=; b=MqkXzoSn55q0H32MRbEQvDYwCCyBVS+GBAPOHZ3YYc2kpFvio9JX0KZ1BYNuIp2Y7+ wCmAzVDqKQv8zvrbSbH9mf1nPhjLsx5XaQ4Z2r/biNlXvkCZe6E8+1kz2hE2NVTrUMKR 1aSmGZsqCprbAdQeyUuSRU9nBtAZfj+Py5PeOzugaP+lo2vZrSnBVJCBFo9j/VZ+hF0x 060u0FwC3QKill8wyEk0KZU1rc+7IPWbk18W3XLw6Ex0/u7+MbgFGsoGnDQFDa/BQIHq zEghIuYOKTDjFXz2jS+N5GgVK6aK6H08lmb6Xqyml/ku8TzYPnjAAFVK8xcEHNwQ8QJa 4BwA==
X-Gm-Message-State: APjAAAVRxyCK7NjN3G3JLL+CiwUNnPVfQn+fkOcfcOkdNJ1+gokoFT0k 9ZqWQ1m9p058G9ICgzmpXfau2ozBNFP76JHkaso=
X-Google-Smtp-Source: APXvYqxv7JSy5+xZMu6WL/uuE5JPLnFaG41cbOOIBfZHRGL2jtmzQwaP8/XXgaAOchKgWm0lUkqVI2GVxkSNMTRUsQA=
X-Received: by 2002:a92:cb84:: with SMTP id z4mr8975066ilo.78.1572554614537; Thu, 31 Oct 2019 13:43:34 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Yevgeniy Dodis <>
Date: Thu, 31 Oct 2019 16:43:22 -0400
Message-ID: <>
To: Joel Alwen <>
Cc: Karthikeyan Bhargavan <>, ML Messaging Layer Security <>
Content-Type: multipart/alternative; boundary="000000000000308c1e05963ae765"
Archived-At: <>
Subject: Re: [MLS] UPKE and Epoch Forward Secrecy
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 31 Oct 2019 20:43:39 -0000

Just to add to an excellent summary by Joel, you guys are right that "full
MLS" is a combination of continuous group key agreement (CGKA) - which is
what we call TreeKEM - and purely symmetric component which we called
forward secure authenticated encryption. Indeed, CGKA defines only update
secret, which is then used to generate new epoch secret by hashing it with
the old epoch secret (more or less).

As such, it is indeed slightly harder to attack the full MLS than to attack
TreeKEM. In particular, while TreeKEM is not even forward secure in
isolation, full MLS at least achieves FS in isolation, and breaking full
MLS requires at least two compromises. Unfortunately, the good news stops
here. Every attack on TreeKEM easily extends to only marginally more
complex attack on full MLS.
- corrupt some user A
- either update A or remove A  (so we should recover in the ideal world)
- do more or less the same attack on full MLS as you did on TreeKEM

In particular, when TreeKEM would have update secret i insecure by future
corruption at epoch j >i, in full MLS we will
have epoch secret i insecure by corruption at some time k<i, recovery
before i (by update or delete), and future corruption at j>i.
So, yes, marginally more complicated, but nothing changes conceptually:
periods between k and j which should be secure
in the ideal world, are not secure.

We will definitely add a section to our paper to emphasize that,
unfortunately, all our attacks on TreeKEM easily extends to the "full MLS".

Thank you for bringing this important point.

On Thu, Oct 31, 2019, 9:54 AM Joel Alwen <> wrote:

> Crap. Sent that last email to soon. Here are some correction.
> The concern is not just Bob leaking keys that *directly* allow processing
> Alice's (and subsequent) updates as described in my previous email. As
> pointed out in the thread introducing RTreeKEM, there are only log(n) such
> keys for any given update (assuming no blanks). Unfortunately, we must also
> ensure that Bob leaks no keys that allow recovering other keys (from past
> network traffic) that in turn then allow proccessing Alice's (or other)
> updates. And so on and so forth. So there are really about n/2 keys to
> worry about for any given update not just the log(n) that allow processing
> the update.
> IMO this accentuates the gap bewteen the PCFS guarantees of MLS and RMLS
> as the former refreshes those critical keys slower than RMLS. The more
> critical keys the worse for MLS in some sense.
> As an aside: Its also worth noting that its probably pretty clear to the
> adversary who still has which keys in their state just by watching the
> encrypted network traffic making it easier to select the right target for
> compromising a target epoch.
> - Joël
> On Thu, 31 Oct 2019, 14:12 Joel Alwen, <> wrote:
>> Hey,
>> Yeah, we should have been more explicite about how this all plays out for
>> MLS. Good that you asked. :-)
>> "PCFS" is exactly the term we were using to talk about how change from
>> TreeKEM -> RTreeKEM affects MLS. In a nutshell, FS for epochs after a
>> compromise is healed (with an update) takes no less but (potentially quite
>> a bit) longer to kick in for "MLS" (MLS+TreeKEM) than for "RMLS"
>> (MLS+RTreeKEM).
>> Here's an example scenario that highlights the difference for MLS.
>> Suppose Alice's state leaked in the past and now she does an update
>> defining epoch_secret[i]. Intuitively, until the next corruption (say of
>> Bob when he's in epoch j>i) we'd like that all epoch_secrets in [i,j)
>> remain secure. (This property is what we've informally been calling PCFS.
>> I.e. Forward Security for epochs after a compromise.) We consider what
>> security we get for (R)MLS.
>> MLS: Assume (for a moment) all handshake messages are delivered in the
>> same order to all group messages. Because TreeKEM lets Bob keep HPKE keys
>> around even after using them Bob could still have the keys to process
>> Alice's update. Whether this is true or not depends on who's update between
>> [i,j) and their, Alice and Bob's possitions in the ratchet tree. To
>> guarantee Bob doesn't have said keys we'd need to know e.g. Bob updated
>> between [i,j) or someone strictly closer to Bob than Alice has updated.
>> (Closer = shorter path ratchet tree from Bob's leaf to Charlie's leaf than
>> from Alice's leaf to Charlie's.)
>> RMLS: Now consider RMLS when the same assumption holds. All epoch_secrets
>> in [i,j) remain secure even after Bob's compromise because Bob already
>> deleted any keys he had that can proccess Alice's update. In more detail:
>> the adversary knows init_secret[n-1] (from having corrupted Alice). So to
>> get epoch_secret[n] she still needs update_secret[n] defined by Alice's
>> update. By assumption Bob processed that update himself. So RTreeKEM (but
>> not TreeKEM) guarantees Bob no longer has the keys to re-process it. Thus,
>> corrupting him doesnt let the adversary recover epoch_secret[i] (nor any
>> ones after that since its always missing at least the required init_secret).
>> Now lets consider what happens if the global ordering assumption doesn't
>> hold.
>> RMLS: Suppose we know only that Bob processed Alice's update. Then just
>> as above (and regardless of anything else in the execution) corrupting Bob
>> reveals nothing about any epoch_secrets (or init_secrets) other than the
>> ones currently held by Bob. So the Adversary breaks no other "epoch
>> security" (besides the one Bob is in at the time of corruption).
>> MLS: Assuming Bob processed Alice's update doesn't help us like it did
>> for RMLS because TreeKEM doesnt require him to then delete the keys he
>> used. Instead, any keys Bob still has for processing handshake messages
>> starting just before Alice's update let the adversary recover the
>> corresponding update_secrets. So the adversary can ratchet the global key
>> schedule forward through all those epochs (startin with init_secret[n-1]
>> she had from corrupting Alice).
>> Suppose finally, that we have neither global ordering nor did Bob ever
>> process Alice's message.
>> RMLS: For RMLS, this is the only way that corrupting Bob can
>> (potentially) help the adversary break "epoch security" for any epoch
>> besides the one Bob is in during corruption. That is, it might be that Bob
>> still has keys to proccess Alice's update (and even some further sequences
>> of handshake messages as long as they depend directly on Alice's update.
>> This works until the Adversary hits the first handshake message in a
>> sequence for which Bob doesn't have keys to process.
>> MLS: First (and as in all cases) anything the adversary could compute for
>> RMLS they can compute for MLS too. So the above "forking attack" exhists
>> for MLS. But even here RMLS can behave better than MLS because RTreeKEM
>> generally causes Bob to refresh his key material more frequently than
>> TreeKEM.
>> Let me know if this helps clarify stuff a bit.
>> - Joel
>> On Thu, 31 Oct 2019, 08:27 Karthikeyan Bhargavan, <
>>> wrote:
>>> I must begin by saying that I have been enjoying reading Alwen et al’s
>>> work [1] and they make some excellent points.
>>> I particularly like the idea of using a primitive like UPKE (or SkuPke
>>> as [2] calls it) to improve the forward secrecy guarantees of TreeKEM.
>>> If this can be made to work with standards-compliant EC implementations,
>>> we should definitely consider adding this mechanism to MLS.
>>> For my own better understanding, however, I am trying to figure out the
>>> exact forward secrecy improvement this will bring to the protocol.
>>> It is clear from [1] that the *update secret* and each *subgroup secret*
>>> in TreeKEM provides weak Forward Secrecy (since each update
>>> only modifies one leaf key, leaving the attacker N-1 members to
>>> compromise.)
>>> However, the public key part of TreeKEM is only part of the Forward
>>> Secrecy story, we must also account for the “init_secret” which
>>> changes with every update. As far as I can see, the discussion in [1]
>>> appears to ignore the “init_secret -> update_secret ->
>>> epoch_secret+init_secret”
>>> ratchet which has always been part of MLS. So I don’t fully see how the
>>> attack of [1] works, and maybe someone can explain.
>>> One may argue that the goal of TreeKEM is to provide FS and PCS for the
>>> epoch_secret, not the update_secret.
>>> If every member of the group is honest, then A sends an update , then B
>>> accepts the update (ratcheting forward its init_secret),
>>> and then B is compromised, then how can the attacker learn the new epoch
>>> secret?
>>> Perhaps we are worried about post-compromise forward secrecy (PCFS), but
>>> I don’t see any attack on that either.
>>> It is likely I am missing something, so do chime in and explain.
>>> Best,
>>> Karthik
>>> [1]
>>> <>
>>> [2]
>>> _______________________________________________
>>> MLS mailing list
>> _______________________________________________
> MLS mailing list