Re: [MLS] ART Ideas in TreeKEM
Richard Barnes <rlb@ipv.sx> Mon, 25 February 2019 22:07 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6979A1310DA for <mls@ietfa.amsl.com>; Mon, 25 Feb 2019 14:07:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8KIaNbMQEwO8 for <mls@ietfa.amsl.com>; Mon, 25 Feb 2019 14:07:54 -0800 (PST)
Received: from mail-oi1-x22d.google.com (mail-oi1-x22d.google.com [IPv6:2607:f8b0:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D178F12D827 for <mls@ietf.org>; Mon, 25 Feb 2019 14:07:53 -0800 (PST)
Received: by mail-oi1-x22d.google.com with SMTP id g16so8676166oib.1 for <mls@ietf.org>; Mon, 25 Feb 2019 14:07:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=E7f3g113XJVaxRGPJ/hU62d8E26kFEOXLt8yASR08lg=; b=miLC4TBNMp6wp+RPt5msfQgVpUpvkZjPKw6MpSbFlG/Q5YmaU69odjN2StaQ4Q9RPg YuvH3Ok6mEE3WP06L9kciKr4S0XVA+1qI/SM4Yypa2YE7WvgySyAakJopRj+zM8uMTNC W+Rkn/+jZulQE4hFZMQqUdUZDfggJjVIeBOc6GIK/5+pjPOn7uCgvCiuz62rcjsu56n+ GRq6/sDOG0P2eCi6jfOfT62TLI1z4JG56xAey+LSYNkwVXX5TKEHS47vkJ02KxhmeS1b pzxuc5LQBOru8kb3Vui+wpsnOmBoN2aTyTWH3REnyg0pp0I2xqf6IOSPvrZQIn93wizo fCmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=E7f3g113XJVaxRGPJ/hU62d8E26kFEOXLt8yASR08lg=; b=WSmZSvNO4Hzruq9OhhZmBYHs8aAWoaYUS6/Me6jlhkT0VOqJBiSqUJ8jscCafL8qFa 4USiLNDyrySfC7qDMu2kS2y7jSImzNQrC4LhfZ8PGtI8+SJnrzvM1uZfxk8x4wbff5MH 6IBKaD/rSYDapcY+Aap6OMdnKXdOuDZsWYpkxWlOnGSODaaryszwpqHTH8dqyilC8x+W 8k3AJNf8jGh0PjcZdjwdzyb0/b8BvOXzaCQUuY6shnkO5oWw6B0mwRb315NZzCbvDir9 xS3OhfNvcWJkhBAdwyMZ/0nCv1NkMJk6ugqiBL2FXxu0MnXnuboKdIbHYMTIFBA+4R/0 4k7g==
X-Gm-Message-State: AHQUAubNlA1YhA8NqbstSWRVY5Gu7EDGymdQkEoIeHpFIByHZl1MSjLO Dsi4bK1z+BrUBQPcsxX5idobHm6/+gYhxCNt/KStXg==
X-Google-Smtp-Source: AHgI3IaFif+ZV3utn8kqnbSDKF1PnBiGt0sMghPBbvuEAN0TjQnw4TFLpO9w5ZumIehd3Cs9Dd3wlF9/F09S6/HY8lg=
X-Received: by 2002:aca:52cc:: with SMTP id g195mr346315oib.99.1551132472840; Mon, 25 Feb 2019 14:07:52 -0800 (PST)
MIME-Version: 1.0
References: <CADSARUs6Qt5srOTYGe6otaVfUZQK56+HZgVJpzhssh8ad1Ux+w@mail.gmail.com>
In-Reply-To: <CADSARUs6Qt5srOTYGe6otaVfUZQK56+HZgVJpzhssh8ad1Ux+w@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 25 Feb 2019 17:07:35 -0500
Message-ID: <CAL02cgS3VfEx7YCOw6Zc-ejMKE35Lzkt20+6e8UOGAq2LgpbGQ@mail.gmail.com>
To: "M.A.L. Weidner" <malw2@cam.ac.uk>
Cc: "mls@ietf.org" <mls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000b27220582bf2cc0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/_SGUPAfVSX6nfEcgeVe_v8hIq9Q>
Subject: Re: [MLS] ART Ideas in TreeKEM
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 22:07:57 -0000
Hi Matthew, Thanks for the thoughts. Would it be accurate to summarize your proposal as a "hybrid mode", where when you update: - If both of a node's children are populated, then you do an "ART step", generating the parent from the children - Otherwise, you do a "TreeKEM step", encrypting the next secret to the resolution of the other child (Remove is probably similar; for Add there's no change needed.) Assuming that's right, this honestly doesn't sound like a tremendously compelling proposition to me. Your evaluation on the overhead seems mostly correct, but there have already been some complaints on the list about hashing overhead, so I'm not sure trading DH+smaller_messages for hashing is going to suit. I'm also worried that this hybridization will introduce a bunch of new complexity into the protocol and make it harder to implement and analyze. Open to arguments if other folks are enthusiastic, though. --Richard On Mon, Feb 25, 2019 at 4:37 PM M.A.L. Weidner <malw2@cam.ac.uk> wrote: > Greatings MLS Working Group! > > I have been studying the proposals for TreeKEM, and earlier, ART, and > noticed a way to use ART's DH tree ideas in TreeKEM, without sacrificing > the ability to merge updates or use blank nodes. My apologies if this has > been discussed before or if there are any mistakes. > > My main motivation here is to reduce the size of update messages, since > the key encrypted keys in addition to new public keys means that they are > ~2x as large in TreeKEM as in ART. > > Basically, we use TreeKEM, but with ART's key derivation "as" H(X). That > is, when a node C1 gets the new secret X, instead of H(X), its parent gets > the new secret > > H2(DH(X, priv(C2))) = H2(pub(C2) ^ X) = H2(pub(X) ^ priv(C2)) > > where C2 is the neighbor of C1, for some hash function H2. Since TreeKEM > is agnostic about H, we can "define" > > H(X) := H2(DH(X, priv(C2))) > > in this way without issue, noting that the only users who will have to > compute H2(DH(X, priv(C2))) are descendants of C1 (who know X) or C2 (who > know priv(C2)). > > We can merge updates as with "pure" TreeKEM, choosing one update to > dominate at nodes where they conflict. This will cause the tree to cease > being a DH tree, which is fine. Note that descendants of C2 will have to > keep around priv(C2) for a short time after it is overwritten in case of > simultaneous updates (so that they can compute the parent secret), but that > is true for TreeKEM anyway, since any simultaneous update will send data > encrypted under pub(C2). > > Blank nodes can be handled by reverting to pure TreeKEM: if a node with > new secret X has a blank neighbor, set the parent's secret to H(X) and send > that separately to every public key in the resolution. > > Now instead of including > > pub(X), Enc(pub(C2), H(X)) > > in the RatchetNode struct for node C2, we need merely include pub(X), > saving bandwidth. > > Pros: > - reduces the update message size by about 50% in the typical case (I > think). > - we can build a ternary tree using 3-party Joux DH (as with ART), > giving a further log_3(2) ~ 0.63 scaling on update message size. (I think > it's possible to do this with pure TreeKEM as well, by replacing the > ephemeral DH exchange with a Joux DH when doing asymmetric encryption.) > > Cons: > - forced to use a DH style cryptosystem (bad for post-quantum?) (as with > ART). > - need log(N) DH operations to compute the new key, instead of log(N) > hashes (as with ART). So this is a bad deal if CPU cycles are more > expensive than bandwidth. > - can also reduce bandwidth by 2 just by ratcheting half as often. > > I hope you may find this interesting. > > Best, > Matthew Weidner > MPhil student, University of Cambridge > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls >
- Re: [MLS] ART Ideas in TreeKEM Richard Barnes
- [MLS] ART Ideas in TreeKEM M.A.L. Weidner
- Re: [MLS] ART Ideas in TreeKEM Raphael Robert
- Re: [MLS] ART Ideas in TreeKEM M.A.L. Weidner