[MLS] small subgroup validation

"Katriel Cohn-Gordon" <me@katriel.co.uk> Tue, 27 February 2018 09:53 UTC

To: mls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/bxPnbwjX21dw5S8ECF-wQsX8CN8>

Hi all,

We should probably consider small subgroup attacks more carefully in the threat analysis and the draft documents.

Specifically, computational proofs often implicitly assume point validation, which is particularly important in the case that a malicious group member sends an invalid copath element. I think the draft should state that point validation is required on all received group elements (unless using a group that doesn't require it); if I understand correctly this will cost roughly an additional exponentiation for each check, so O(log(n)) for a new and untrusted copath.

[This was pointed out by Dennis Jackson.]

best,
Katriel
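
The check proposed in the message above, as an added example that is not part of the original message or of any MLS draft: it validates each received copath element with one exponentiation and shows what a small-order element would leak if accepted. Assumptions: a constructed toy finite-field group (p = 67, q = 11, cofactor 6) stands in for the real group, the tree is a balanced binary tree, and all function names are hypothetical.

```python
"""Subgroup membership check for received copath elements (toy parameters)."""

# Constructed toy group, far too small for real use: p - 1 = 2 * 3 * 11,
# so Z_p^* has a prime-order subgroup of order q = 11 with cofactor 6.
P, Q = 67, 11
G = 64  # generator of the order-q subgroup (2**6 mod 67)


def is_valid_element(y: int) -> bool:
    """Accept y only if it is in range, not the identity, and of order q.

    The range test is cheap; y^q == 1 (mod p) is the additional
    exponentiation per check that the message refers to.
    """
    if not isinstance(y, int) or not 2 <= y <= P - 2:
        return False
    return pow(y, Q, P) == 1


def copath_length(n_leaves: int) -> int:
    """Copath elements for one leaf of a balanced binary tree: ceil(log2 n)."""
    return (n_leaves - 1).bit_length()


def invalid_positions(copath: list[int]) -> list[int]:
    """Indices of elements failing validation (at most one exponentiation each)."""
    return [i for i, y in enumerate(copath) if not is_valid_element(y)]


def secrets_reachable(y: int) -> int:
    """Distinct values y^x can take over all private exponents x in [1, q-1]."""
    return len({pow(y, x, P) for x in range(1, Q)})


if __name__ == "__main__":
    honest = [64, 9, 40]     # G, G^2, G^3: copath of a leaf in an 8-leaf tree
    tampered = [64, 37, 40]  # 37 has order 3, so it lies outside the subgroup
    print("copath length for 8 leaves:", copath_length(8))
    print("invalid in honest copath:  ", invalid_positions(honest))
    print("invalid in tampered copath:", invalid_positions(tampered))
    # Without the check, a shared value derived from 37 takes only 3 values,
    # revealing the receiver's private exponent modulo 3.
    print("values reachable from 37:", secrets_reachable(37))
    print("values reachable from G: ", secrets_reachable(G))
```
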