[MLS] Remove without double-join (in TreeKEM)
Richard Barnes <rlb@ipv.sx> Mon, 06 August 2018 13:01 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95AF0130934 for <mls@ietfa.amsl.com>; Mon, 6 Aug 2018 06:01:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1P2vdd9a9fDK for <mls@ietfa.amsl.com>; Mon, 6 Aug 2018 06:01:10 -0700 (PDT)
Received: from mail-oi0-x231.google.com (mail-oi0-x231.google.com [IPv6:2607:f8b0:4003:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07EDB130DDA for <mls@ietf.org>; Mon, 6 Aug 2018 06:01:10 -0700 (PDT)
Received: by mail-oi0-x231.google.com with SMTP id d189-v6so21953637oib.6 for <mls@ietf.org>; Mon, 06 Aug 2018 06:01:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=a+YZs/QTBO0fvrBXa/CgSKKm1iy800AIX/beBgL1j5w=; b=HkG/FXpnMh6GudSS+x5uVOWabtSYhI+pZiG/WaFLO4pUDmgNTkhC6uK4LvhKlzHGei DVRcncVuQzQoUS7I/0L661a3II4MWzkAEGCzdW35xawrIlzG1QAx0vfNf3N7EXxE/zq+ kQPfknVepRmIGLynmn4jSDiTUGbiOpX9lt+x5nxUcEec81fsxivmt5Jg9FMBYE3vgWxu kBcObd5gR1ioK8JQmRK6dOaoQ6nQhJDpwsNovwNcp1eEUbw9EODRn4k7i9EZhbWD6/Kn UFQhWPkwyLIMcwcJht3xl4LdNm06CQNe8OvT/Cza4v0bAvFJuQYA3YSUTcA51+uhaX1Z wnyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=a+YZs/QTBO0fvrBXa/CgSKKm1iy800AIX/beBgL1j5w=; b=XGHTcIer2fSlnxGPPIdvyUq/JbxmndLPSzCUz8QTkPDju9XP7DDf0XbZpL/XMEBPYP 7g0iNpZxSl9z3WtIobt2ST1WpBO7LRSglApwYiu47AHtHjAnJOCsgDP2PcIG8d0GedRL X0+uDcXCqGfAp0AB3izp3/f7Fxmr/U1FZiv2JhbB8bhXddUgMJmi7i7BhO306pq9tNZg 0BEtseMtoesUkBe+pJulK1txspfnqe+1jT4ZfHXnE6L9CSDycmd2DsHXye/jPoklgFs0 /o7zVRs2o6vtLUXrx8IiV8IQZbFqCT2uUIqEUpIKdzieZKV/1ey+o3d3IbC6DFo9lANS fCeg==
X-Gm-Message-State: AOUpUlGLz02WFBooJvvKh45wMC9q0SdJJPSujaRl1Vhb1Tq9f1hOGcwF D6avCTOq8ey6hb7PLgS9f7vveo6vkchQcX4cVe94/vdD
X-Google-Smtp-Source: AAOMgpdO9lMHDOft435RZPtU2t3oMtsFd5oVbMoRSAJxq5IMUaVqTIvA8uHKi5g1IrzL9wgsAIiTXtJ9kVfDqUTSqyw=
X-Received: by 2002:aca:d088:: with SMTP id j8-v6mr14770515oiy.276.1533560468879; Mon, 06 Aug 2018 06:01:08 -0700 (PDT)
MIME-Version: 1.0
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 06 Aug 2018 09:00:57 -0400
Message-ID: <CAL02cgSAC2b9ws3ftZe-+QWX_3iLmK36Gc6mu1tZs8Z4e+ej+A@mail.gmail.com>
To: mls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000fd9cd30572c3dec4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/Zzw2tqZC1FCbVZA9LKERsMIQXik>
Subject: [MLS] Remove without double-join (in TreeKEM)
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2018 13:01:13 -0000
Hey all, On Friday, I got to thinking about how to do the Remove operation with TreeKEM, and I think I've got a way to do it that avoids double-join problems while still being pretty elegant. - When a member is removed from the group, remaining members update their local caches of the tree so that any nodes in the direct path of the removed leaf are set to blank - This means that for future group operations, some of the nodes you would encrypt to might not be blank - Extend the "encrypt to subgroup" function so that if the node at the head of the subgroup is blank (i.e., the subgroup is not full), then you work down the tree and encrypt to all the subtree heads. In the short run, this fragments the tree. In the worst case, if you delete every other member, you end up with linear updates. This is mitigated by a few nice features, though: 1. The tree "heals" as members update: Because an Update contains a direct path that overwrites any blanked-out nodes, from the perspective of the rest of the tree, subtrees with heads along that path are now whole from the perspective of nodes outside those subtrees. A healed tree will still be "stringy". 2. New members can be added into the blank leaves just by sending an Update (just like UserAdd / GroupAdd, but without growing the size of the tree). Existing members can relocate to a blank slot in the same way. With a bit more cleverness, it might be possible to shrink a tree back down to its minimal size after adding a bunch of members and removing them all. I've implemented a first pass at this approach in my JS demo stack at < https://ipv.sx/treekem/>. You can delete nodes after adding them, and updates still work. Adds appear to be broken for the moment, but I think that's surmountable. --- Now, it's still possible to do Remove by the sender of the Remove doing an Update for the removed, using a leaf secret the removed node doesn't know. That leaves the tree intact, at the cost of having the sender double-joined in the removed slot as well as his original slot. (Effectively, it's a take-over operation.) So we have now two choices for trade-offs around Remove: 1. Leave some parts of the tree empty and track subtree heads; no double join 2. Keep the tree full and only have normal copath logic; but accept double join Personally, I find the logic of double-join bookkeeping more intimidating than the logic to keep track of the tree. But I would be interested in what other folks think of these trade-offs. It might also be interesting to think of whether ART could be extended to do remove-without-double-join in something like the above way. It wasn't immediately obvious to me, but I didn't try very hard. --Richard
- [MLS] Remove without double-join (in TreeKEM) Richard Barnes
- Re: [MLS] Remove without double-join (in TreeKEM) Raphael Robert
- Re: [MLS] Remove without double-join (in TreeKEM) Richard Barnes