Re: [MLS] Tree of application secrets

Brendan McMillion <brendan@cloudflare.com> Mon, 10 August 2020 22:30 UTC

Return-Path: <brendan@cloudflare.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1C973A0DBF for <mls@ietfa.amsl.com>; Mon, 10 Aug 2020 15:30:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NDKpi9qkcHTD for <mls@ietfa.amsl.com>; Mon, 10 Aug 2020 15:30:00 -0700 (PDT)
Received: from mail-qv1-xf2f.google.com (mail-qv1-xf2f.google.com [IPv6:2607:f8b0:4864:20::f2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A2AB3A0DBC for <mls@ietf.org>; Mon, 10 Aug 2020 15:30:00 -0700 (PDT)
Received: by mail-qv1-xf2f.google.com with SMTP id o2so5071911qvk.6 for <mls@ietf.org>; Mon, 10 Aug 2020 15:30:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=USxQDVsXXgtzLGskT9Kf6NXNp/DTBb/YNVWNcONkLNk=; b=gch3bz6COPQz9KRMlNNfNGSmDxF6GH4AHGa/bX4/nZ1KYAPY1DDXaMiikfaoHkkS4v VmS5rX7mT+kxJVmBT5nkeTs3wjxwwFP0ggUJNiKspcvyLQOIn8zFPF/uUAhcs3AiZJqz m+eCVlSHJCsBmeGXTC9Vl3ZIsV4b8G885A7AE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=USxQDVsXXgtzLGskT9Kf6NXNp/DTBb/YNVWNcONkLNk=; b=MoJG/V8m2tjKBIxdpTXRy8zR1vOvx5KI2xyUXwVVNB6ugy5wkjq8xu8IeAS2wMExXz TDZctWk2rJoTggPiN6lwssyGSMveGepQTwIv08Aqc+JEuJMHHHaF1wzuczGPHUF1KGm2 dpM5IOhJpdVS6B5ospmeLkU4DR2H+UL1F5JX7PUR1zrpxBleaWUgP0tXNZ98WT8t3geR 1GRbtfLi2jEUEB9sP42Sg7LeGCMvpzoFFuHjUyj5M/F1OAQuq4OtvDEQeajju2LktFeE kmoizOpjbLj6tGHRSIC2pUk0FbJAv3GZby7GddnbgdU8YHV8jE73+CpR8ebYGVAMDbTS ZAWQ==
X-Gm-Message-State: AOAM530Yc9PSlN1OexXG828xLb4xwvLCVFOKwRESbKXgH1Xt6FvbXdFT MR1s7F3x5ojaRPtYzZIss49e8U+N++fcqrUczGCDp8qYmHs=
X-Google-Smtp-Source: ABdhPJyzqkP5yZJ2MLNdE+iuy3VL3DBq8th8gcdenLwln3g7ZMQAwyv2lUy7O+6Y4T3HWQHgSd/XFM+vPFBGLUJJIXc=
X-Received: by 2002:a05:6214:11f3:: with SMTP id e19mr30472339qvu.220.1597098599019; Mon, 10 Aug 2020 15:29:59 -0700 (PDT)
MIME-Version: 1.0
References: <ecf-5f31ad80-5-6e3e3300@109329388>
In-Reply-To: <ecf-5f31ad80-5-6e3e3300@109329388>
From: Brendan McMillion <brendan@cloudflare.com>
Date: Mon, 10 Aug 2020 15:29:48 -0700
Message-ID: <CABP-pSSULNagNQdFhPwkSMsQfzfzq7d1HbD+2_KTSDOgSzc6BA@mail.gmail.com>
To: Hubert Chathi <hubertc@matrix.org>
Cc: Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000aaa27c05ac8d7e8f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/aR6WcUL35e_hUR0i-XInEMiH8nE>
Subject: Re: [MLS] Tree of application secrets
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2020 22:30:02 -0000

Hey Hubert

The following section describes the application secrets tree's deletion
schedule
<https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html#name-deletion-schedule>.
Values are deleted from the tree as they're consumed to provide forward
secrecy. In the flat approach you described, it wouldn't be O(1) to
generate a leaf, it would be O(n) because when you consume the root node
you'd have to generate every leaf.

On Mon, Aug 10, 2020 at 1:27 PM Hubert Chathi <hubertc@matrix.org> wrote:

> The tree of application secrets (#astree) is used to derive an application
> secret for each sender.  However, only the leaf nodes are ever used; I
> don't see the internal nodes being used anywhere, and I don't see that
> deriving through a tree provides any extra security.  Would it be simpler
> to just derived the application secret for a sender using their leaf number
> (e.g. astree_node_[N]_secret = DeriveAppSecret(application_secret, "label",
> N, 0, Hash.length) using the same DeriveAppSecret as defined in that
> section)?  This would mean that if you need to derive the application
> secret for one of two senders, you'd only need to do O(1) work, rather than
> O(log(n)) work.
>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>