Re: [MLS] Overflow discussion on #406

Raphael Robert <> Wed, 21 October 2020 15:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B0ED73A0F35 for <>; Wed, 21 Oct 2020 08:38:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id AmHEcs65xrph for <>; Wed, 21 Oct 2020 08:38:46 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A926A3A0EB7 for <>; Wed, 21 Oct 2020 08:38:46 -0700 (PDT)
Received: by with SMTP id o18so3051972edq.4 for <>; Wed, 21 Oct 2020 08:38:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=l1+ppa/2OzvCjP9ndFwPJ+8ANkeAKFG/xC5J80CoD+8=; b=iZxXAoBvdn7sRdeHj9HscWD4hZPENmgVf117QkaX4Jtl+lhfOyLYnquBfl7XX9xDfI chtvt2Aa1I1mGtO8lWcFdPa2+/CwgoYSNJJQqATaDIDnrlCHXD6ahVgs5J2UV4vEWCR0 so2bkWkxUUyYxi6JMuIh6yCBcs+czczawy+cwRfbb+HCsm90iiXDxqUcmSOJ7FF2YWEh 2GoAZfdvNelCKRl79W/2lqwSkoP55xd1ZD2RQ6amTYE5FdZmlDAAO3RwM4zP8tKqK6Uo uKI22UW2F7TEUi6RuHK9huN36kFEKxZpDdDUAuNKD93BxVNxTpgMkRpEnUy17Fzmco1I zoeg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=l1+ppa/2OzvCjP9ndFwPJ+8ANkeAKFG/xC5J80CoD+8=; b=sEBRyG+u5tRLmRLdNixQwaZirxlqs4a910YV3cvQrFaB8RfCViufaLvDbeG2rUvETY lir2JLg3id+ZgJcsv0eH5PbemB1EO1fOffW0BYHpvvqylyzQ0p2XGSfKSKI7SB0U4J56 cxFe8eTPiy57LnC0EB836Bq+zgFR2Cmns6lAZ8Ed5OFK0eYAxOh9d6hHi/THSWL/HoDJ syrBqNW+11DpoBbTUJXfBSO7iHQe+cjbotCRpmWacwrsMjoax/iZszXdr9pGpe/Pn84j 9O38lc60zkzu5zQHgkPReNpE4+tkVw69/9m4eHyNTzHOhpPMW57ZGycJyiQ6wHPuMb/t w9gg==
X-Gm-Message-State: AOAM530OOKTRDFAnMZ3lY6X2cruJuPrPUzptlAqYYpJNPh+wDT8eNrCN rdWekYmLXK7S9tNK24ZA7NBHR8HoWIjWW5vx
X-Google-Smtp-Source: ABdhPJwGfN7s7SPv9RDdLdUjk+fEGYwpNpzYodSHiQM1we5MkFpGUEctkBA2VlIWCft5gBmCOn4Rjg==
X-Received: by 2002:a50:d642:: with SMTP id c2mr3801562edj.342.1603294724926; Wed, 21 Oct 2020 08:38:44 -0700 (PDT)
Received: from rmbp.wire.local ( []) by with ESMTPSA id v1sm2204638eds.47.2020. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 21 Oct 2020 08:38:43 -0700 (PDT)
From: Raphael Robert <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_529FB77B-6A4C-45D7-A6B1-F3C42810CBBB"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Wed, 21 Oct 2020 17:38:43 +0200
In-Reply-To: <>
Cc: Messaging Layer Security WG <>
To: Richard Barnes <>
References: <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [MLS] Overflow discussion on #406
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 21 Oct 2020 15:38:49 -0000

Thanks for writing this up, see my comments inline.

> On 20 Oct 2020, at 20:53, Richard Barnes <> wrote:
> Our interim call went about 30min past our scheduled end time today.  Since we were without chairs for the last 30min, that time was not official WG time, so we couldn't make decisions about PRs.  Luckily, we only had one PR remaining, and we couldn't come to agreement on it anyway :)
> Two remaining questions on PR#406, where the first is more important:
> 1. Should the GroupKeyPackage / GroupPublicState be signed?
> On the one hand, having a signature would remove any concerns about copy/paste recombination of the various constituent parts.  In particular, it would avoid the public key for one group being reused with another (up to reuse of signature keys across groups).
> On the other hand, Raphael expressed some concern about deniability, since this would be a public signature by a member of the group over the whole state of the group.
> Personally, signing seems like the conservative option to me.  But I haven't done much analysis here.

Joel brought up a question regarding tree signatures yesterday, that he said he’d describe on this list shortly. I see a lot of overlap between these discussion and would like to wait for that discussion to unfold before jumping to conclusions here.

> 2. Which transcript hash(es) should be included?
> (This is more of an engineering question than a security question)  To summarize how the transcript hashes / confirmation tag work:
> confirmed = H(interim || all_of_commit_besides_confirmation_tag)
> confirmation_tag = MAC(confirmation_key, confirmed)
> interim = H(confirmed || confirmation_tag)
> In a GroupInfo / Welcome based join, the joiner needs the confirmed transcript hash but not the interim.  The confirmation tag is provided in the GroupInfo and verified by the joiner, and can then be used to compute the interim transcript hash.  (This is a side effect of #416, which moved the signature from interim to confirmed)  In other words, the joiner starts at the second line above, since they don't actually see the commit.
> In an GroupPublicState / Commit based join, the joiner is computing the commit, so they start at the first line.  As a result, the joiner needs the interim transcript hash, not the confirmed transcript hash.
> I have implemented these changes (removing interim from GroupInfo and confirmed from GroupPublicState) in my draft implementation of #406 [1], and they do work.  I have filed a small spec PR to remove this [2] and suggested the corresponding changes in #406.

This looks fine to me, the hashes are now swapped in the PR.


> --RLB
> [1] <>
> [2] <>_______________________________________________
> MLS mailing list