[MLS] Lazy handshake messages
Raphael Robert <raphael@wire.com> Thu, 03 January 2019 13:15 UTC
Return-Path: <raphael@wire.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4723F130D7A for <mls@ietfa.amsl.com>; Thu, 3 Jan 2019 05:15:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wire-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3BTXEXh_7rk2 for <mls@ietfa.amsl.com>; Thu, 3 Jan 2019 05:15:34 -0800 (PST)
Received: from mail-ot1-x32a.google.com (mail-ot1-x32a.google.com [IPv6:2607:f8b0:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C097F12EB11 for <mls@ietf.org>; Thu, 3 Jan 2019 05:15:34 -0800 (PST)
Received: by mail-ot1-x32a.google.com with SMTP id s5so29311194oth.7 for <mls@ietf.org>; Thu, 03 Jan 2019 05:15:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wire-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=YrpWFXprp/RpkmzZZqAKTsG1arVfH4bX3ey0znEeqb8=; b=BKbCjqR+b9Kd+CC8/lVqal6+NLaabgMfYsgRxD6D0F8GHbZ0s0YtWwlmAgGTNw8kHO kk0cP9BH9WK0RfJKpGkCi2Hvv6CUaWzMNg6fIjxhxwJvh9Ry+ZdGcysDAGTsOEkj0BkH Dl4bnpstV+1iOkNpOnLz60h/8CXulfCT6YJKlHhpYs1gXj2b2Byi4WF7yDZRHTA1iU/3 mPDuNA2dy74rwIT4KcuClfI8g+ImxDIly0Iv/Xc7rRBUeQNxoHRrc9iu5W41mLuJWTOp yHQbKfyjNhcWTzZLrGV84u5gPcohzqHqdrZYd+PFvetvt90Q2U2rgtvU+sSfgykiJsEs RklQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=YrpWFXprp/RpkmzZZqAKTsG1arVfH4bX3ey0znEeqb8=; b=P9Df7i/mIdQprTW1iygDJcrXd4fMzrN6X9tpW2BUYuaXe+ZbBno4J0u5mZMXKuP3OS DE/g01F1JusB+nrqTihvhXbJV806y30iESoMaX1steCdIDMreszblzzD+1Dl9NNicM45 6pWL3tMbvUz8jtel9tajDQDztUKtSOmim16l+Jhy33UqNT8EPozkPiJ2VVdhvpvCaLLW z4E58TRFwvkcR07/opG1RybK+HsEHZPcsZwjsVELtg3VYkcIlnxs16488o4DpnWb3fy+ Xvp6wPmOp4AaANaV9kPQdxfxGF1EwyVaeTRbm2bEVUS75+3KAxQlcld6hstiealQcEri wL/Q==
X-Gm-Message-State: AJcUukfVIF2xVizaK3I4nUFJyTL/zZ92gomzSeCOAD/SM3v2Q/mTVYUW vRsbmokUwcWvPj+m+Mn6DKB2VeFz1qKFWRXUZwyJ2mpGAbs=
X-Google-Smtp-Source: ALg8bN7zNiob+wR4igZQ4tXrVQHPtZz3d4eJjSLQxsDO+Z9/Uwek3yY6HFO+laMm32smI0au+Sws4sRfZjFn4GOQ0+g=
X-Received: by 2002:a9d:2f64:: with SMTP id h91mr33130853otb.14.1546521333728; Thu, 03 Jan 2019 05:15:33 -0800 (PST)
MIME-Version: 1.0
From: Raphael Robert <raphael@wire.com>
Date: Thu, 03 Jan 2019 14:15:22 +0100
Message-ID: <CAD1bPdAmngq58ix=VAqFB75XcdFk6YPrrBwr-gfHWXY4hqPD4A@mail.gmail.com>
To: mls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000bc1d4e057e8d8ec7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/f2hDwb6xlQleT4JDfy_4QTN_oKM>
Subject: [MLS] Lazy handshake messages
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Jan 2019 13:15:37 -0000
Hi all, Currently Update handshake messages are computed in an eager fashion: the sender of a message has to do most of the work (O(log n) - O(n)) and other group members just consume the HS message in O(1). This leads to a bottleneck situation when a new device is added or removed by a user (as explained at IETF 103). Depending on what multi-device mode is being used (concealed devices under the own leaf node or 1 device per leaf node), either and Update or an Add+Update have to be carried out in every group. This can lead to costly operations (at least O(log n) ECIES operations, worst case O(n) ECIES operations) in potentially hundreds of groups. Adding a new device or removing an old one can therefore lead to considerable UX lag, because these operations cannot really be done in the background and therefore constitute a large blocking atomic operation. The following explores the idea of considerably reducing the size of the atomic operation by asynchronously outsourcing expensive calculations to other members of the group. Lazy Update ----------------- Steps: 1. The sender creates a new leaf node (NLN), but doesn't "hash it up". 2. The public key of the NLN is sent to the group in a new HS message (LazyUpdate) 3. Everyone in the group replaces the old leaf node (OLN) of the sender with the new leaf node (NLN) 4. Everyone blanks the sender's direct path Aside from creating the new leaf node, no cryptographic operations have taken place. This means FS and PCS are not guaranteed yet. Every LazyUpdate therefore has to be followed by a regular Update, no other regular HS message is allowed to follow a LazyUpdate (and must be rejected by recipients). The regular Update can be issued by anyone in the group using node resolution. That way the owner of the OLN cannot know the new group secret (PCS) and the owner of NLN cannot know the old group secret (FS). The idea behind this approach is that costly operations can be spread over time, as there is no need to issue the regular Update right away. If a group is completely inactive, i.e. no messages are being sent, there is no need to rotate the group secret pre-emptively, it can rather be rotated "just in time". The owner of the NLN only needs to know the current init secret of the group to be able to process the regular Update that follows the LazyUpdate. This means that several LazyUpdates can be stacked before a regular Update is issued. Naturally every subsequent LazyUpdate will further unbalance the tree and thus reduce efficiency. It is therefore recommended that active members issue Updates as soon as they see fit, however each member can apply its own strategy. For example, mobile devices might not do Updates as frequently as PCs because of resource constraints. Ideally, the owner of the NLN will do the regular Update themselves. In that case the secret of the NLN probably can just be "hashed up" and KEMed to its resolved copath. This would then be a "slow Update" stretched over 2 phases: Announcing the public key of the node leaf first (in the LazyUpdate message), doing the KEMing later (in the Update message). A similar concept can potentially also be applied to Remove HS messages, where a member merely announces the removal, everyone else blanks the direct path of the removed member, but the key rotation (by means of issuing an Update HS) only occurs later. Raphael
- [MLS] Lazy handshake messages Raphael Robert