Re: [MLS] Removing redundant ciphertexts in commits

Joel Alwen <jalwen@wickr.com> Fri, 25 September 2020 14:25 UTC

Return-Path: <jalwen@wickr.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2B6A3A0AA6 for <mls@ietfa.amsl.com>; Fri, 25 Sep 2020 07:25:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wickr-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qetj67xX4P12 for <mls@ietfa.amsl.com>; Fri, 25 Sep 2020 07:25:56 -0700 (PDT)
Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com [IPv6:2a00:1450:4864:20::62b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4936A3A0A8E for <mls@ietf.org>; Fri, 25 Sep 2020 07:25:56 -0700 (PDT)
Received: by mail-ej1-x62b.google.com with SMTP id lo4so3876878ejb.8 for <mls@ietf.org>; Fri, 25 Sep 2020 07:25:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wickr-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:autocrypt:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=u1/cnI+2hUnmwi1Nanp4qVsheUdSKhoxYIxgwmT/jGk=; b=jEbCpCO+mMp1fRYvprlLoxS+E2OvAnH+J2bUQhjxet4JIF+3AFOxhEnO48N5X4UPZC fwaIGrzAML4c6GzXA3OSkmdZvNdNgQel6241PHiEbE98vHN7sbi+L02v5ZWsGilfxcJr qsLT0vT93SG58rc3UCdD1bIe1rseYbH78h4MA1DVUOpQbXhP3hEpEstrXmO5SP1xRFqu F+0A0U25zpa/vB8BpL+rAtamsSQE8YBXaRhIocEh0IUl4duAD32qMg7/RyXO1HxwtRLt KGmGdOgSubCxAUxKaOn/qsNPi/yEDSwANjntv+UmUl9goJKmbYezocJ1t3K+zJjrmAjE hNrw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:autocrypt:message-id :date:user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=u1/cnI+2hUnmwi1Nanp4qVsheUdSKhoxYIxgwmT/jGk=; b=Y0C8Zh/A+pxMpn7GftpYOJdS/9qE1AVcS02tCdOPl2dUMypwkY0iA2qcxWowMn207e 6tmSJSqdMTCSXUsdDsfge9zGr5/Z5+8pYl6qlTROyX/xk/+Q1agxfV7wpnL98Nyqe3nm Psy5LqeIKi4WfS0W9BtqD0A3RtHcaHvURWIK7/RmfzfLpEF9tsmYZlLQpLNEKMeBFlz5 fzZwZS0ciJ9aJBQI5mIIjBgONIFVvxJrZ1HKWZIBImBFlhzaV5r8ElNfxT9sJoeeknQz 9gIbxS1AA06guWbPQjU/FXliKCd/LDcizJY6bhH39erTPfl2AqnEjlaTNH/UZqeHhe7h kdqA==
X-Gm-Message-State: AOAM532m8ajNAB4UwCLjOlNGiA97JKAuf479kB6m8/ECcbwrO8o5lkx+ xJfJPLqWb2FHiYLHaGkswB+PXdwnQXYXoOUO
X-Google-Smtp-Source: ABdhPJxISOUhaG0tfVis1mQebH1CQjrRGgiTmhQ8gcbqekg2lWT17iuu7RZXQTmUqaRF709YhO1UDQ==
X-Received: by 2002:a17:906:1157:: with SMTP id i23mr3140298eja.440.1601043954182; Fri, 25 Sep 2020 07:25:54 -0700 (PDT)
Received: from [192.168.1.137] (84-114-27-5.cable.dynamic.surfer.at. [84.114.27.5]) by smtp.gmail.com with ESMTPSA id s7sm1953432ejd.103.2020.09.25.07.25.53 for <mls@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 25 Sep 2020 07:25:53 -0700 (PDT)
To: mls@ietf.org
References: <eb52dca7acba43d288ecf60a233b7e29@inf.ethz.ch>
From: Joel Alwen <jalwen@wickr.com>
Autocrypt: addr=jalwen@wickr.com; keydata= mQENBFyIZvABCAC65JupY1w7gzhhNo41ftIk09n7Lid9p31jDR8Jefv9R5sWL+HZFGDeABAY 1J1JvV6vOaMsfdy9iUFfGS1GhMJ3+mh799SIsB3JSfPq/eq6Jut57D2yPtILmc7ZbuJyBHg0 xuYfKCQQAYikW+v2LJQU1Y+BUDbVldpzxSc8Z3PPSfunWdzhY6qAAhyCv+Y8EzJlQivMwD5B f6737krf8SoBsjsqCHQrRo/r+BSj5Wtd5/K3FkmWLOUAFoYK23+cpoFntGJKZfss27gDPhyS gX9ibXcBGQqBEF4qDPEzEHK8iQmXTxLul5Y7lQ6ADf69xH15WM4GmRBeCvR3Uanxcr2/ABEB AAG0HUpvZWwgQWx3ZW4gPGphbHdlbkB3aWNrci5jb20+iQFUBBMBCAA+FiEEYFNg9IH2SV6e 03O3FR5tDZv8eygFAlyIZvICGwMFCQHhM4AFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ FR5tDZv8eyjSywgApQNIRcL4IKTJ0I4XwcQRhICu1Bht3c2fUnG2YziJXjGf6DZ49uKKtuIu fk8mNS+vKRLoLZ7+u+Pv/Yjmk8jtrr6Saz1vnfsle3GgmXG5JaKOM5cOfeo5JnlNUP3QonR7 LMZwY1qVKg2mzNmwi0jG1zIGgQ5fiAwqe+YTNFli5bc/H1O9LcSmbrLV9OyucARq11DIiAvU fDknZ17OahQls+9mgfAXH5vZjzo296tYvzkOJQ2A6GPxdMHIXGbJM/vjuMe2QJl6C0zaqOtm JvFcx/HpNhmugYI9OsNAd7846HASDp8BKyfY5FYP7bn0/JBuCpg18Aykru6xyFjG3gv0Lw==
Message-ID: <fede2390-6f5d-ab4e-eaca-176bff7bafdc@wickr.com>
Date: Fri, 25 Sep 2020 16:25:52 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <eb52dca7acba43d288ecf60a233b7e29@inf.ethz.ch>
Content-Type: text/plain; charset=windows-1252
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/WzZDfogqwFwAfWDxs11UpB1cB2k>
Subject: Re: [MLS] Removing redundant ciphertexts in commits
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Sep 2020 14:25:58 -0000

So does anyone else see any reason for those ciphertexts? If not we can draft a
PR to get rid of them...

- Joël

On 21/09/2020 09:37, Jost Daniel wrote:
> Hi all,
> 
>  
> 
> When working on our analysis of the standard with Joël Alwen and Marta
> Mularczyk, we noted some inefficiencies around commit messages.
> 
>  
> 
> According to our understanding of the draft, UpdatePath contains encryptions for
> newly added group members. More concretely, the draft states "If populating the
> path field: Create a UpdatePath using the new tree (which includes any new
> members)" and in Section 7.7 "The number of ciphertexts in the
> encrypted_path_secret vector MUST be equal to the length of the resolution of
> the corresponding copath node." However, at this point, the resolution will
> already contain the freshly added leaves via the unmerged_leaves list.
> 
>  
> 
> First, this wastes bandwidth and computation as the commit message is not
> intended to be received by parties being welcomed. Second, this poses an, albeit
> small, additional attack scenario where an attacker gets hold of the freshly
> added party’s decryption key but not the welcome message (that may have been
> communicated over a secure out-of-band channel).
> 
>  
> 
> One potential solution would be to explicitly exclude freshly added parties from
> the resolution in that step, at the cost of some additional book-keeping. Of
> course we are open to suggestions if anybody has a better idea. If not, we are
> obviously happy to draft a PR.
> 
>  
> 
> Best,
> 
> Daniel
> 
> 
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>