Return-Path: <cas.cremers@gmail.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 8A64412777C
 for <mls@ietfa.amsl.com>; Tue,  2 Oct 2018 02:52:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, 
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001]
 autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
 header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id ry38SspC_T18 for <mls@ietfa.amsl.com>;
 Tue,  2 Oct 2018 02:52:33 -0700 (PDT)
Received: from mail-ua1-x941.google.com (mail-ua1-x941.google.com
 [IPv6:2607:f8b0:4864:20::941])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id 30BB81271FF
 for <mls@ietf.org>; Tue,  2 Oct 2018 02:52:33 -0700 (PDT)
Received: by mail-ua1-x941.google.com with SMTP id y16-v6so472283uaa.7
 for <mls@ietf.org>; Tue, 02 Oct 2018 02:52:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; 
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc:content-transfer-encoding;
 bh=5/7XTACmGimw5cr8q6hMa/uvdu5ult/aKqcTQsOKcaU=;
 b=ERivTv7UUO3Buq5Tf+5X1MTUY4m1x55QyxbXwdHnrOw4d/tdnDUXnKJsKoJqpf26hp
 GeajK1y/rysR6n/pS9abTNYmFYS06x8WynxO5JMbjN/AUaJhu26iwTOGoDwMShW5RuCr
 r0g8dN9dPkrsLfSSfwCaJAStqB/peoa09AfFw1Sj8hQjwY4nfk+6/tDgnCtTyXwOUn4S
 SlsanZ8c3SEaGuPjgl3nNdjAIPyrT3beDRQWBbyzkiIrn9fHsEDHMVHIcR/8np8+fPHH
 SR1i/dwBVQmS4mKkW7Jc3z2Va7qKyIm4cSrrAoIeoEXevOmz4klSxa+Ew0g8tK/clI4b
 WDVA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc:content-transfer-encoding;
 bh=5/7XTACmGimw5cr8q6hMa/uvdu5ult/aKqcTQsOKcaU=;
 b=dPL4ZltNKoTdfa5oER4Uh3QCxhoREw01Nfwym3Dz0B3yhcFBLhsyoam6V5Hz+mMMui
 VfWlR7ZFaGnDION3kDzoas8NSyPB2oQ9dDUMF2miSIP7gcJomIC//HVOOmxiE+CiYl/M
 9gSGIQXc4Iz7drnzU1Re8kdvScO4lTCQUsFtERZFbKK1aCgD4FFD4K56AA/FFbRVe+yG
 gs4m3ti5wY+4u3dYBdREakvmzIWYoSZnDuNlCYmUqz5/ZB7Ryq+kUNSyvcnQ6FDOQwuL
 1RB0H1NwX3lTy561Nm6vzdn1U/j4Nit/5YcL9zEb0zhGtDjunr34mhvCLrXiXWUAqCXa
 oWmg==
X-Gm-Message-State: ABuFfogWR739OxX4H3dX/SW/IMzl6fj74pJbYaENoef+bRcPq+c5HL5D
 0lXpkOpsxYjSLr7BbGh0YtyZEntCj1hg9e/nM5E=
X-Google-Smtp-Source: ACcGV63jP28umsDRtc1/zTf9rpgHiD50/Te3YZYdCsAQGkGJEnIkD4eSv5fBJnj5Z7oX3v5LuX/HOZVTD19ovSTdTRw=
X-Received: by 2002:a9f:3044:: with SMTP id
 i4-v6mr6518298uab.100.1538473952116; 
 Tue, 02 Oct 2018 02:52:32 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgSBCnjNMBHa7iJWqOYF_DNh8gUbGS4jsz57rO5=uAM1EA@mail.gmail.com>
 <CAKHUCzxJ-5UmvA-3_sqNvWApN=zbLMbHTrwwv+-R3m6nS1RXJw@mail.gmail.com>
 <CAL02cgSJbB5-8z3-PA8Tk3mC8j=uehHVf=p5bmayub=MFLK0bw@mail.gmail.com>
In-Reply-To: <CAL02cgSJbB5-8z3-PA8Tk3mC8j=uehHVf=p5bmayub=MFLK0bw@mail.gmail.com>
From: Cas Cremers <cas.cremers@gmail.com>
Date: Tue, 2 Oct 2018 11:52:15 +0200
Message-ID: <CABdrxL6q-xpdEsQdrsxg-YEPz4ZpSaGxosaDHVCvHm8cwSTMYg@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: dave@cridland.net, ML Messaging Layer Security <mls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/aVqehm97YEDQuxla3VgG8vpeqdc>
Subject: Re: [MLS] Removing ART; maybe adding partial-tree
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>,
 <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>,
 <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Oct 2018 09:52:37 -0000

Hi Dave and all,

I would like to add one thing to Richard's explanation of the
rationale for dropping ART in favor of TreeKEM for now:

An important implicit assumption is that TreeKEM doesn't seem to offer
less security guarantees than ART.

However, given that the specification of protocols, threat models, and
properties isn't completely fleshed out, we don't really yet know if
this is true in any formal sense.  Analysis is continuing in parallel,
and we might need to backtrack in the worst case.

This choice is not (and must not be) about efficiency alone.

Best,

Cas

--=20
https://people.cispa.io/cas.cremers/index.html

On Mon, Oct 1, 2018 at 11:15 PM Richard Barnes <rlb@ipv.sx> wrote:
>
>
>
> On Mon, Oct 1, 2018 at 10:34 PM Dave Cridland <dave@cridland.net> wrote:
>>
>>
>>
>> On Mon, 1 Oct 2018 at 19:06, Richard Barnes <rlb@ipv.sx> wrote:
>>>
>>> Hey all,
>>>
>>> At the interim last week, there was agreement to remove the discussion =
of ART from the protocol draft and focus on TreeKEM.  I have implemented th=
at change in the following pull request:
>>>
>>> https://github.com/mlswg/mls-protocol/pull/66
>>>
>>
>> I'm not objecting to the change - I lack sufficient cryptographic knowle=
dge to express an opinion - but it'd be very useful to read a synopsis of t=
he reasoning behind it, and a summary of the discussion. I imagine future p=
articipants would find it useful too, and of course, all decisions need to =
go by the list anyway.
>
>
> To recap the discussions at the interim, I think the reasons are basicall=
y as follows, in descending order of importance:
>
> 1. ART requires each recipient of a message to do O(log N) DH operations,=
 where as TreeKEM only requires O(1).  This is a significant difference for=
 large groups / small devices.
> 2. TreeKEM offers the possibility of doing Add/Remove without double join
> 3. TreeKEM offers the possibility of being able to merge Update messages
>
> While I don't think anyone has proved that (2) and (3) aren't possible wi=
th ART, the fact that it's contributive makes them more difficult.
>
>
>>
>> I reviewed the PR for clarity/typos.
>>
>>>
>>> If a couple of folks could give a quick review, it would be appreciated=
.  I also put together a PR describing how to do the "partial tree" approac=
h described at the interim and in my earlier message today.
>>>
>>> https://github.com/mlswg/mls-protocol/pull/67
>>
>>
>> Also reviewed for clarity/typos. I admit I'm mildly confused as to why a=
dding a node needs to blank the direct path, but at the same time I'm not s=
ure it makes any difference. (That is, here: https://github.com/mlswg/mls-p=
rotocol/pull/67/commits/7a7cd37aec0ceff773600564b5c9619c3d06a115#diff-a87cc=
9081154f564150420544170f1c9R1113 ). That's probably just my lack of underst=
anding somewhere.
>
>
> The reason is symmetric for Add and Remove.
>
> Recall that the invariant property the tree is supposed to have is that a=
 node's secret value and private key are only known to the holders of leave=
s below that node in the tree.  For both Add and Remove, you need to change=
 the intermediate nodes above the target leaf, either to make it so that th=
e removed member doesn't know them or so that the added member does.  The q=
uestion is what relationship those intermediate nodes have to the sender of=
 the Add/Remove -- does the sender know the secret / private key or not?
>
> On the one hand, if the sender does know the private key, then you have a=
 "double join" situation, where the sender knows something he's not suppose=
d to.  The phrase "double join" arises from the Add case, since the relevan=
t intermediate node secrets are known both to the new member and to the sen=
der of the Add.  Effectively, they both occupy the new member's leaf, which=
 complicates things quite a bit.  For example, if you now want to evict the=
 sender of the Add, you have to also evict the newly added leaf, etc.  In t=
he Remove case, the main impact of the double-join is that you don't have a=
 true Remove operation, you only have a Take-over operation.  That makes it=
 difficult to imagine how you would ever compact the tree.
>
> On the other hand, if the sender doesn't know the private key, then the n=
ode has to be blank..  In the Add case, there's no way (AFAIK) to set the i=
ntermediate node values to something that is known to (a) the existing memb=
ers under those nodes and (b) the new member, without it also being known t=
o the sender of the add.  So the values that get decrypted to intermediate =
nodes during the Add are only for the purpose of computing the new root sec=
ret; the intermediate nodes can't have a non-blank value without violating =
the tree invariant.
>
> It may be possible to avoid blanks in the Remove case, but we would have =
to modify TreeKEM.  You could still do the "hash to the root" trick to gene=
rate the fresh shared entropy for the epoch, but you couldn't just overwrit=
e the values of the intermediate nodes (as is done now).  You would have to=
 fold in some entropy only known to the existing members.  This is probably=
 worth some thought.
>
> Anyway, hope that helps,
> --Richard
>
>
>>
>>
>>>
>>>
>>> Feedback welcome!
>>>
>>> Thanks,
>>> --Richard
>>> _______________________________________________
>>> MLS mailing list
>>> MLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/mls
>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls