[MLS] Formal proof for PR 713 / "Improve parent hash guarantees"
Théophile Wallez <theophile.wallez@inria.fr> Wed, 08 June 2022 08:14 UTC
Return-Path: <theophile.wallez@inria.fr>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95161C138FCA for <mls@ietfa.amsl.com>; Wed, 8 Jun 2022 01:14:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.128
X-Spam-Level:
X-Spam-Status: No, score=-2.128 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=inria.fr
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F-O0sEtXpuAT for <mls@ietfa.amsl.com>; Wed, 8 Jun 2022 01:14:31 -0700 (PDT)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44358C138FC9 for <mls@ietf.org>; Wed, 8 Jun 2022 01:14:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inria.fr; s=dc; h=message-id:date:mime-version:from:subject:to: content-transfer-encoding; bh=Tk5oaEgjdEQfeaNXislVx1Md41w9QCHiuZPnqrrahHM=; b=UFCw8GyjrLQLzrMkRShNEU9ms0Z/8o7+7CRKipfZaaLn5j08n6Yl+EHD kj7ko5Uxi6KKXzuzHcF15VLqKkturKZyJSLBbNK25C9nmnV2tfApD/XW0 H3CIXbfLGXnrJZpPFhSuVu0RGt2UZxpK+/QlhcJicNnFAo1BXWv7lqr+M 8=;
Authentication-Results: mail3-relais-sop.national.inria.fr; dkim=none (message not signed) header.i=none; spf=SoftFail smtp.mailfrom=theophile.wallez@inria.fr; dmarc=fail (p=none dis=none) d=inria.fr
X-IronPort-AV: E=Sophos;i="5.91,285,1647298800"; d="scan'208";a="16179887"
Received: from abordeaux-652-1-7-163.w90-16.abo.wanadoo.fr (HELO [192.168.0.122]) ([90.16.54.163]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 08 Jun 2022 10:14:30 +0200
Message-ID: <7e5a8152-ef25-7ab4-b265-8e2e27756038@inria.fr>
Date: Wed, 08 Jun 2022 10:14:29 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.8.1
Content-Language: en-US-large
From: Théophile Wallez <theophile.wallez@inria.fr>
To: Messaging Layer Security WG <mls@ietf.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/aZUF3-DKsUYpnPLnGIvdYA_SitM>
Subject: [MLS] Formal proof for PR 713 / "Improve parent hash guarantees"
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jun 2022 08:14:36 -0000
Hello All, During the last interim, when discussing PR 713, people raised concerns that this PR might introduce bugs in MLS, because the parent-hash is a complex thing and contained many bugs in the past. During the last days, I formalized a small part of MLS in F*, and proved that the invariants checked in the "Verifying Parent Hashes" section are actually invariants of the protocol. Of course I can't just say "believe my I have a formal proof". I also can't just send my model as-is and expect everyone to decipher the F* code without explanations. Richard therefore proposed to meet during one hour before the next interim, for the people interested, during which I will explain my model, hoping that afterwards: - you will agree that my code faithfully models the parts of MLS dealing with parent-hashes, - you will agree that the theorem I proved actually state that the new invariants are preserved. The only prerequisite will be to be a bit familiar with functional programming (no need to know super fancy stuff, just algebraic datatypes / pattern matching / recursion should be enough). Richard will take care of setting up a Webex link. Cheers, Théophile.
- [MLS] Formal proof for PR 713 / "Improve parent h… Théophile Wallez
- Re: [MLS] Formal proof for PR 713 / "Improve pare… Richard Barnes
- Re: [MLS] Formal proof for PR 713 / "Improve pare… Raphael Robert
- Re: [MLS] Formal proof for PR 713 / "Improve pare… Carsten Bormann
- Re: [MLS] Formal proof for PR 713 / "Improve pare… dbnisbe@uwe.nsa.gov
- Re: [MLS] Formal proof for PR 713 / "Improve pare… Raphael Robert