Re: [MLS] Quicker Provisional GroupContext
Richard Barnes <rlb@ipv.sx> Wed, 27 April 2022 20:49 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6683FC14F728 for <mls@ietfa.amsl.com>; Wed, 27 Apr 2022 13:49:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6LmIQI6BYkcy for <mls@ietfa.amsl.com>; Wed, 27 Apr 2022 13:49:46 -0700 (PDT)
Received: from mail-qv1-xf2d.google.com (mail-qv1-xf2d.google.com [IPv6:2607:f8b0:4864:20::f2d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85D32C14F720 for <mls@ietf.org>; Wed, 27 Apr 2022 13:49:46 -0700 (PDT)
Received: by mail-qv1-xf2d.google.com with SMTP id ke5so1913786qvb.5 for <mls@ietf.org>; Wed, 27 Apr 2022 13:49:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xKPvii2kw3CN3JtUDnM9Axg8G2ef4hHE5EMF00oHLl0=; b=sNApXxkt56NlPEMfmGwXfaAGM75uEVhjd6zsAWRghts/rI6MTta6vySsYnYvFrpGOS SxMDqdgHE1U0kqg4MHWTjbGRX+y6jG/Hy6c+G+3QlIaZCq5DuNLYYSlbRGwhYqzXnLhH GWWZ2YKED4gxxFFRQxLZDet/5xp5d1TLx5RmtyRJ9jfDaOzmBeO4CXKWWWNr2hZxiYC8 IocWhdiiRajElHduGumMgnir6zkDUrqmXl1Sc0WP1DmFOhfhG23EzkU9W2qNM6ZWgUSE sFtoMN7ylKTxzW8oXRx3IOWErb4fclzJ7VshG6nn9pwvEC01foVleatIdS+Hg0pecAig aRUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xKPvii2kw3CN3JtUDnM9Axg8G2ef4hHE5EMF00oHLl0=; b=uximiTa9PgFiXHjF5wGO8bhWUBNxZXipZKWGZ85xrOV4qJfWY0P6YR8AnP9xJvt5PL nlVMT1LydDkRQiLToTU4eiXD54JwOMTcK00YbBrLsW6wGTnOccPHnAYAuzTqn4mwPPjj oSeNi+7C3eyTwjXunUh0ZM2t2uyNMxcDpjZEBD/Q5qajWHapLwi2sVepyKdj/DCsw6mv BdJZhmobrUmXsjw5FXl4ZGlsQDymYLvSv73IW1rnstlGVa98MXg+JU5+Wl1mO6oLo/VG 225gevVTuwZDWtCaV5RlWNPqNjGBsCj/YD/LvNq11KZqL6YgM4w1RC4ne2yApeCnrKcd +wgg==
X-Gm-Message-State: AOAM532oSaWCcNr+rvHFOqaSTmkihASL62uq2eDVxkpOLmOwqC4cqotX gd39Q8JSsea93lsf4ICJZT6sVtaNuOCFef8Zm+9Fvmj/5Zo=
X-Google-Smtp-Source: ABdhPJzk0jXWz8jzIuVpTwnQi4AOEbeb7iHVB2UuMszARtoNPuj1juWnuTJBttksqFF8hN46gKZkVxITLOmMy+MwWCk=
X-Received: by 2002:a05:6214:29e6:b0:44a:2d0f:bf63 with SMTP id jv6-20020a05621429e600b0044a2d0fbf63mr21717442qvb.93.1651092585139; Wed, 27 Apr 2022 13:49:45 -0700 (PDT)
MIME-Version: 1.0
References: <869a895159384e6497015f2f97d7043a@EX13D48EUB002.ant.amazon.com>
In-Reply-To: <869a895159384e6497015f2f97d7043a@EX13D48EUB002.ant.amazon.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 27 Apr 2022 16:49:34 -0400
Message-ID: <CAL02cgS8DMY0GnZ_MCP4CWj5SL0eb_FhXiscmcTwD2RiRqKz6g@mail.gmail.com>
To: "Alwen, Joel" <alwenjo=40amazon.com@dmarc.ietf.org>
Cc: "mls@ietf.org" <mls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000007627205dda8f38e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/cpaYJTchM1eLp0cfbREv89RAOKY>
Subject: Re: [MLS] Quicker Provisional GroupContext
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Apr 2022 20:49:47 -0000
Hey Joël, I actually don't find updating the tree hash all that intimidating, in that it's pretty easily streamlined with caching. The hashes from the old tree still apply, except where they've been invalidated by applying proposals. An Add/Remove/Update invalidates hashes along its direct path, so you basically end up needing to update N_proposals * log(N_leaves) nodes. Truncation can add more nodes to the mix here, but the main effect of that is to require updated hashes along the right edge of the tree, again log-size. You need to do log(N_leaves) more updates once you apply the UpdatePath. But still, everything is roughly log-scale. --Richard On Tue, Apr 26, 2022 at 9:55 PM Alwen, Joel <alwenjo= 40amazon.com@dmarc.ietf.org> wrote: > Hey people, > > Marta, Tom and I had the following thought. When creating/processing a > commit, clients must create a provisional GroupContext to feed as context > to HPKE. The provisional GroupContext includes a "provisional tree-hash" > i.e. of a tree-hash of the ratchet tree after the proposals have been > applied but before the update path. That means we have to recompute a > tree-hash which, for large trees can end up being a fair bit of work which > we could avoid quite easily as follows. > > Instead, the context we give HPKE is defined to be the hash of > 1) The old epoch's GroupContext and > 2) The list of proposals. > > In terms of security & functionality this changes nothing as (1) and (2) > combined fully determine the "provisional GroupContext" we currently use. > In other words, the new context commits to the same info as now. But it > avoids any, possibly expensive-ish, tree-hash computation / tree traversal > since we've already got the old GroupContext from when we started the > previous epoch. > > Are people OK with this change? We're willing to put together a PR to > implement it. It should be very small. > > - Joël > > > > > PS. Funny related observation: The role of the HPKE context is to bind the > ciphertext as much as possible to its intended use e.g. to constrain as > much as possible how an adversaries can reuse honestly generated ciphertext > in injected traffic. So normally I'd say, lets add the specific node and/or > public key to which our MLS ciphertexts are being encrypted since: why not? > Bind to everything we can right? It can only make an adversaries life > harder. > > Thing is, at first glance, provisional GroupContext only fixes the epoch's > state but *not* the specific node to which we're encrypting. But if you > unwrap HPKE, you'll see that context is bound to the HPKE ciphertext by > feeding it to HKDF when deriving the DEM encryption key. As it turns out > though, the receiver PK is *already* being mixed in to that key in an > earlier HKDF call in it's derivation chain (just not as part of the > "key_schedule_context" variable). So adding it to HPKE context would > actually be redundant. In fact, this even locks down the node to which > we're encrypting because we include tree-hash. Happy coincidence? Or clever > engineering? I'm going with the latter. :-) > > In theory we could lock down things juuuuust a bit more by including the > actual node index to which we're encrypting. E.g. in theory PK's could > repeat at leaves, e.g. at a pair of leaves if one of them belongs to an > adversary. But maybe that's just taking this whole context binding one step > too far... > > > Amazon Development Center Austria GmbH > Brueckenkopfgasse 1 > 8020 Graz > Oesterreich > Sitz in Graz > Firmenbuchnummer: FN 439453 f > Firmenbuchgericht: Landesgericht fuer Zivilrechtssachen Graz > > > > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls >
- [MLS] Quicker Provisional GroupContext Alwen, Joel
- Re: [MLS] Quicker Provisional GroupContext Richard Barnes