Re: [MLS] Removing ART; maybe adding partial-tree
Cas Cremers <cas.cremers@gmail.com> Tue, 02 October 2018 09:52 UTC
Return-Path: <cas.cremers@gmail.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A64412777C for <mls@ietfa.amsl.com>; Tue, 2 Oct 2018 02:52:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ry38SspC_T18 for <mls@ietfa.amsl.com>; Tue, 2 Oct 2018 02:52:33 -0700 (PDT)
Received: from mail-ua1-x941.google.com (mail-ua1-x941.google.com [IPv6:2607:f8b0:4864:20::941]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30BB81271FF for <mls@ietf.org>; Tue, 2 Oct 2018 02:52:33 -0700 (PDT)
Received: by mail-ua1-x941.google.com with SMTP id y16-v6so472283uaa.7 for <mls@ietf.org>; Tue, 02 Oct 2018 02:52:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=5/7XTACmGimw5cr8q6hMa/uvdu5ult/aKqcTQsOKcaU=; b=ERivTv7UUO3Buq5Tf+5X1MTUY4m1x55QyxbXwdHnrOw4d/tdnDUXnKJsKoJqpf26hp GeajK1y/rysR6n/pS9abTNYmFYS06x8WynxO5JMbjN/AUaJhu26iwTOGoDwMShW5RuCr r0g8dN9dPkrsLfSSfwCaJAStqB/peoa09AfFw1Sj8hQjwY4nfk+6/tDgnCtTyXwOUn4S SlsanZ8c3SEaGuPjgl3nNdjAIPyrT3beDRQWBbyzkiIrn9fHsEDHMVHIcR/8np8+fPHH SR1i/dwBVQmS4mKkW7Jc3z2Va7qKyIm4cSrrAoIeoEXevOmz4klSxa+Ew0g8tK/clI4b WDVA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=5/7XTACmGimw5cr8q6hMa/uvdu5ult/aKqcTQsOKcaU=; b=dPL4ZltNKoTdfa5oER4Uh3QCxhoREw01Nfwym3Dz0B3yhcFBLhsyoam6V5Hz+mMMui VfWlR7ZFaGnDION3kDzoas8NSyPB2oQ9dDUMF2miSIP7gcJomIC//HVOOmxiE+CiYl/M 9gSGIQXc4Iz7drnzU1Re8kdvScO4lTCQUsFtERZFbKK1aCgD4FFD4K56AA/FFbRVe+yG gs4m3ti5wY+4u3dYBdREakvmzIWYoSZnDuNlCYmUqz5/ZB7Ryq+kUNSyvcnQ6FDOQwuL 1RB0H1NwX3lTy561Nm6vzdn1U/j4Nit/5YcL9zEb0zhGtDjunr34mhvCLrXiXWUAqCXa oWmg==
X-Gm-Message-State: ABuFfogWR739OxX4H3dX/SW/IMzl6fj74pJbYaENoef+bRcPq+c5HL5D 0lXpkOpsxYjSLr7BbGh0YtyZEntCj1hg9e/nM5E=
X-Google-Smtp-Source: ACcGV63jP28umsDRtc1/zTf9rpgHiD50/Te3YZYdCsAQGkGJEnIkD4eSv5fBJnj5Z7oX3v5LuX/HOZVTD19ovSTdTRw=
X-Received: by 2002:a9f:3044:: with SMTP id i4-v6mr6518298uab.100.1538473952116; Tue, 02 Oct 2018 02:52:32 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgSBCnjNMBHa7iJWqOYF_DNh8gUbGS4jsz57rO5=uAM1EA@mail.gmail.com> <CAKHUCzxJ-5UmvA-3_sqNvWApN=zbLMbHTrwwv+-R3m6nS1RXJw@mail.gmail.com> <CAL02cgSJbB5-8z3-PA8Tk3mC8j=uehHVf=p5bmayub=MFLK0bw@mail.gmail.com>
In-Reply-To: <CAL02cgSJbB5-8z3-PA8Tk3mC8j=uehHVf=p5bmayub=MFLK0bw@mail.gmail.com>
From: Cas Cremers <cas.cremers@gmail.com>
Date: Tue, 02 Oct 2018 11:52:15 +0200
Message-ID: <CABdrxL6q-xpdEsQdrsxg-YEPz4ZpSaGxosaDHVCvHm8cwSTMYg@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: dave@cridland.net, ML Messaging Layer Security <mls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/aVqehm97YEDQuxla3VgG8vpeqdc>
Subject: Re: [MLS] Removing ART; maybe adding partial-tree
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Oct 2018 09:52:37 -0000
Hi Dave and all, I would like to add one thing to Richard's explanation of the rationale for dropping ART in favor of TreeKEM for now: An important implicit assumption is that TreeKEM doesn't seem to offer less security guarantees than ART. However, given that the specification of protocols, threat models, and properties isn't completely fleshed out, we don't really yet know if this is true in any formal sense. Analysis is continuing in parallel, and we might need to backtrack in the worst case. This choice is not (and must not be) about efficiency alone. Best, Cas -- https://people.cispa.io/cas.cremers/index.html On Mon, Oct 1, 2018 at 11:15 PM Richard Barnes <rlb@ipv.sx> wrote: > > > > On Mon, Oct 1, 2018 at 10:34 PM Dave Cridland <dave@cridland.net> wrote: >> >> >> >> On Mon, 1 Oct 2018 at 19:06, Richard Barnes <rlb@ipv.sx> wrote: >>> >>> Hey all, >>> >>> At the interim last week, there was agreement to remove the discussion of ART from the protocol draft and focus on TreeKEM. I have implemented that change in the following pull request: >>> >>> https://github.com/mlswg/mls-protocol/pull/66 >>> >> >> I'm not objecting to the change - I lack sufficient cryptographic knowledge to express an opinion - but it'd be very useful to read a synopsis of the reasoning behind it, and a summary of the discussion. I imagine future participants would find it useful too, and of course, all decisions need to go by the list anyway. > > > To recap the discussions at the interim, I think the reasons are basically as follows, in descending order of importance: > > 1. ART requires each recipient of a message to do O(log N) DH operations, where as TreeKEM only requires O(1). This is a significant difference for large groups / small devices. > 2. TreeKEM offers the possibility of doing Add/Remove without double join > 3. TreeKEM offers the possibility of being able to merge Update messages > > While I don't think anyone has proved that (2) and (3) aren't possible with ART, the fact that it's contributive makes them more difficult. > > >> >> I reviewed the PR for clarity/typos. >> >>> >>> If a couple of folks could give a quick review, it would be appreciated. I also put together a PR describing how to do the "partial tree" approach described at the interim and in my earlier message today. >>> >>> https://github.com/mlswg/mls-protocol/pull/67 >> >> >> Also reviewed for clarity/typos. I admit I'm mildly confused as to why adding a node needs to blank the direct path, but at the same time I'm not sure it makes any difference. (That is, here: https://github.com/mlswg/mls-protocol/pull/67/commits/7a7cd37aec0ceff773600564b5c9619c3d06a115#diff-a87cc9081154f564150420544170f1c9R1113 ). That's probably just my lack of understanding somewhere. > > > The reason is symmetric for Add and Remove. > > Recall that the invariant property the tree is supposed to have is that a node's secret value and private key are only known to the holders of leaves below that node in the tree. For both Add and Remove, you need to change the intermediate nodes above the target leaf, either to make it so that the removed member doesn't know them or so that the added member does. The question is what relationship those intermediate nodes have to the sender of the Add/Remove -- does the sender know the secret / private key or not? > > On the one hand, if the sender does know the private key, then you have a "double join" situation, where the sender knows something he's not supposed to. The phrase "double join" arises from the Add case, since the relevant intermediate node secrets are known both to the new member and to the sender of the Add. Effectively, they both occupy the new member's leaf, which complicates things quite a bit. For example, if you now want to evict the sender of the Add, you have to also evict the newly added leaf, etc. In the Remove case, the main impact of the double-join is that you don't have a true Remove operation, you only have a Take-over operation. That makes it difficult to imagine how you would ever compact the tree. > > On the other hand, if the sender doesn't know the private key, then the node has to be blank.. In the Add case, there's no way (AFAIK) to set the intermediate node values to something that is known to (a) the existing members under those nodes and (b) the new member, without it also being known to the sender of the add. So the values that get decrypted to intermediate nodes during the Add are only for the purpose of computing the new root secret; the intermediate nodes can't have a non-blank value without violating the tree invariant. > > It may be possible to avoid blanks in the Remove case, but we would have to modify TreeKEM. You could still do the "hash to the root" trick to generate the fresh shared entropy for the epoch, but you couldn't just overwrite the values of the intermediate nodes (as is done now). You would have to fold in some entropy only known to the existing members. This is probably worth some thought. > > Anyway, hope that helps, > --Richard > > >> >> >>> >>> >>> Feedback welcome! >>> >>> Thanks, >>> --Richard >>> _______________________________________________ >>> MLS mailing list >>> MLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/mls > > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls
- [MLS] Removing ART; maybe adding partial-tree Richard Barnes
- Re: [MLS] Removing ART; maybe adding partial-tree Dave Cridland
- Re: [MLS] Removing ART; maybe adding partial-tree Richard Barnes
- Re: [MLS] Removing ART; maybe adding partial-tree Cas Cremers
- Re: [MLS] Removing ART; maybe adding partial-tree Richard Barnes
- Re: [MLS] Removing ART; maybe adding partial-tree Richard Barnes