Re: [MLS] KDF instead of hashing up the tree
Richard Barnes <rlb@ipv.sx> Wed, 23 January 2019 14:29 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 725C6128CE4 for <mls@ietfa.amsl.com>; Wed, 23 Jan 2019 06:29:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.041
X-Spam-Level:
X-Spam-Status: No, score=-2.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kTJgrJKUfA2q for <mls@ietfa.amsl.com>; Wed, 23 Jan 2019 06:29:28 -0800 (PST)
Received: from mail-oi1-x22c.google.com (mail-oi1-x22c.google.com [IPv6:2607:f8b0:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59ECC1200D7 for <mls@ietf.org>; Wed, 23 Jan 2019 06:29:28 -0800 (PST)
Received: by mail-oi1-x22c.google.com with SMTP id m6so1896829oig.11 for <mls@ietf.org>; Wed, 23 Jan 2019 06:29:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9CnUUhbihWo1OydMDT3r3NrygbzuE33GRdWe/7Tf4WA=; b=m49ojr7NMwtOICSGJW2wCtC+AE9+s65XBVhHJGwxlw1mJ8Ec3KSNSutGaSvN3jjlai DQm6Uiunf032c3sCcBHL9k+xLD1qfdkc0eM86eZdR/SsrPg9fTCdmdd39mQzZJnqukYL sFXXZU8Hq08gOMZfRk5BsyUrxEoQMu6kb4PPbq5NVGzZBt+BUNJkXNucuJKoPq3aVh8T TEDnOmbFhoYTlQHbiNYPP3/qHMfGhZayfhLyL6W8cQXMIcs0oGotiqMGZVUvOtIL9EfF +h40fn4Yc68UnatOc+WqsJ68PNTlhPggLyrlhD22JM9HaFOkHk6awjLkgqgzR53o10QZ bVag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9CnUUhbihWo1OydMDT3r3NrygbzuE33GRdWe/7Tf4WA=; b=TD2wziYHeJCrJraNjZ2oIRzDIFxR5icCBj0A/leR3Cy3znTEzZ86aWbpFYedlh/Axb nMewjMKTmMOBy5jEW01kncjim6IAxACYTyN9LTT2679IJi3M5ux6xCrPy5M9dPmC+nnM yGzAjWzx2NmN1HfEY2UyHHrMHdd9OOeCmLEQe8peUFjTGZvrsKyGkbqOglK2W0zL0LIw qbvJR+QDzaqSXPn244s8TT+CJ6HZUVgq6iHDnEUnYbejsDw5X1DckZbEAwS7xNINgBtd 6EfI5vFdMogIUynjwBHh5488kaWxwcGUY+mqTYbx0yo0BpuMlYz2gb5C3MNaIkT83ZUI nJrw==
X-Gm-Message-State: AJcUukfbEQYPJwVDMBYiAYLyXI4cwVBHWLY5mkTot0aUDJIwntv/X0DM wqpLFnuwSzAUlQVS3cnWtE3+Olc7InrbW8QFZFl+bsw2bwo=
X-Google-Smtp-Source: ALg8bN4Nl8oqaZwa8gzBy5LF4RZyYz1V5iFqJQI6vYEdPM1TLBgJEIAuq9qGpuFRdAvyhjjF9S4iQq5uSnj4hvjSt8o=
X-Received: by 2002:aca:d64d:: with SMTP id n74mr406458oig.199.1548253767383; Wed, 23 Jan 2019 06:29:27 -0800 (PST)
MIME-Version: 1.0
References: <dc702cea-d780-216b-ab8e-1eba99a2bace@datashrine.de>
In-Reply-To: <dc702cea-d780-216b-ab8e-1eba99a2bace@datashrine.de>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 23 Jan 2019 09:29:14 -0500
Message-ID: <CAL02cgTdx7_=t9jfZj2iFULFK4x-RSL+J5LrqRN=3co1nSKS7A@mail.gmail.com>
To: Konrad Kohbrok <konrad.kohbrok@datashrine.de>
Cc: Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d3d035058020eb88"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/csgxqw4ODXyQ46tIeBHYjcb-Osg>
Subject: Re: [MLS] KDF instead of hashing up the tree
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jan 2019 14:29:30 -0000
Note this is a little bit expensive in terms of message size; it changes the size of an update from log(N) to log(N)^2. It does not change the number of DH operations This is because you have to send the fresh secret for each intermediate node in the tree to all its descendants. Comparing the secrets you generate in each case, from leaf to root, along a path of depth 3 with S0 at the leaf: Current: S0, S1 = H(S0), S2 = H^2(S0), S3 = H^3(S0) Proposed: S0, S1 = KDF(T0, S0), S2 = KDF(T1, S1), S3 = KDF(T2, S2) Where T* are the fresh secrets called for here. This doesn't change to whom you encrypt things, but changes what you encrypt to each copath node: Current -> Proposed S1 -> S1, T1, T2 S2 -> S2, T2 S3 -> S3 (This is of course because you need to enable each recipient to compute up the tree.) So there's your log->log^2. This discussion is not to say that I'm opposed to this idea. It just looks like it has some non-negligible cost, so we should make sure we know what we're getting for that cost. --Ricahrd On Wed, Jan 23, 2019 at 8:58 AM Konrad Kohbrok <konrad.kohbrok@datashrine.de> wrote: > Hey everyone, > > I just discussed the current draft with my advisor Chris Brzuska and he > came up > with a suggestion that I thought I'd just quickly relay here. As I have > only > started following the discussion recently, I apologize if this was already > brought up in the past. > > In terms of key separation, wouldn't it make for a cleaner design, if we > used a > KDF instead of a hash function? Instead of generating a new leaf-node > secret > and then hashing it to compute the new secret for the parent node, it > would be > better to generate a new secret and then from that secret independently > (i.e. > with different labels) compute the new leaf secret and the new secret for > the > parent node. This key independence would also make the proof easier. In > terms of > overhead, this would mean two KDF operations instead of one hashing > operation. > > Cheers, > Konrad > > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls >
- [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Richard Barnes
- Re: [MLS] KDF instead of hashing up the tree Karthikeyan Bhargavan
- Re: [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Richard Barnes
- Re: [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Benjamin Beurdouche
- Re: [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Konrad Kohbrok
- Re: [MLS] KDF instead of hashing up the tree Benjamin Beurdouche