Re: [MLS] Include signature in the confirmed transcript hash?

Mularczyk Marta <> Mon, 21 September 2020 12:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4DDF63A0D22 for <>; Mon, 21 Sep 2020 05:17:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id CsP92ccaPfCK for <>; Mon, 21 Sep 2020 05:17:05 -0700 (PDT)
Received: from ( [IPv6:2001:67c:10ec:5605::21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 30A293A0D12 for <>; Mon, 21 Sep 2020 05:17:04 -0700 (PDT)
Received: from (2001:67c:10ec:5602::28) by (2001:67c:10ec:5605::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2044.4; Mon, 21 Sep 2020 14:16:54 +0200
Received: from (2001:67c:10ec:5603::27) by (2001:67c:10ec:5602::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2044.4; Mon, 21 Sep 2020 14:17:02 +0200
Received: from ([fe80::48e5:b9c:79eb:9d16]) by ([fe80::48e5:b9c:79eb:9d16%4]) with mapi id 15.01.2044.004; Mon, 21 Sep 2020 14:17:02 +0200
From: "Mularczyk Marta" <>
To: Messaging Layer Security WG <>
Thread-Topic: [MLS] Include signature in the confirmed transcript hash?
Thread-Index: AdaM+cw1naH5WIHWRqeI4Wc/P/8CggANlpoAALg5wmo=
Date: Mon, 21 Sep 2020 12:17:01 +0000
Message-ID: <>
References: <003401d68cf9$d7c5d420$87517c60$>, <>
In-Reply-To: <>
Accept-Language: en-US, de-CH
Content-Language: en-US
x-originating-ip: []
x-tm-snts-smtp: 5C89B846DFFC53E2B84951DB1D012A2B45CF37D030D5DFA83D0117FD2E7100A52000:8
Content-Type: multipart/alternative; boundary="_000_305ae673cfd74c7da0c151e5c6c06d0cinfethzch_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [MLS] Include signature in the confirmed transcript hash?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 21 Sep 2020 12:17:08 -0000

Hi Richard,

Thank you for the comments and for pointing to TLS! It's reassuring that TLS uses a very similar mechanism.

Yes, the order you gave is exactly what I meant. But I'm not sure about including the confirmation tag in the interim_transcript: if the MAC is unique given the key and the message (since for many MACs, including HMAC, verification works by deterministically re-computing the tag, this seems reasonable), then there's no need to include it. And if it's not unique, then we get the same problem as with signatures but with confirmation tags, right?
Another option (discussed at some point in the list) would be to publish the confirmation key instead of the MAC.

Anyway, we'll think what to do with the syntax issue :-)


From: Richard Barnes <>
Sent: Friday, September 18, 2020 12:21:40 AM
To: Mularczyk Marta
Cc: Messaging Layer Security WG
Subject: Re: [MLS] Include signature in the confirmed transcript hash?

Hi Marta,

Thanks for writing this up.  This analysis seems sound to me. It reminds me of the structure of the server's first flight post-ServerHello in TLS [1]:

    AEAD(EncryptedExtensions Certificate CertificateVerify Finished)

That means you end up with (1) message content, (2) signature over message content, (3) MAC that confirms agreement on the derived secrets (4) AEAD authentication tag that verifies membership in the prior group (established by the ClientHello/ServerHello).  Which I think is the same order you're proposing here.  Just to restate to confirm I'm understanding:

MLSPlaintext.signature = Sign(sig_private_key; MLSPlaintext.group_id, ... MLSPlaintext.proposal/commit/application)
confirmed_transcript_hash = Hash(confirmed_transcript_hash, MLSPlaintext.group_id...MLSPlaintext.signature)
MLSPlaintext.confirmation_tag = MAC(confirmation_key, confirmed_transcript_hash)

I don't think this completely gets us out of the need for the interim_transcript_hash.  We will still need it if we want to include the confirmation_tag in the transcript.  This seems like a good idea, analogous to TLS including the Finished message in the transcript for post-handshake messages [2].  (For the same reason, I would argue that the membership_tag would *not* need to go in the transcript.)

There's also a bit of weirdness here arising from the fact that we use the same framing for Commits, Proposals, and application data (MLSPlaintext/MLSCiphertext).  In particular, the signature part is shared.  So on the one hand, the natural syntax given the above is to put the confirmation_tag after the signature (so that the signature covers everything above it).  But on the other hand, that's weird because what do you do with the confirmation_tag for non-Commit messages?  ("Leave it empty" would be the obvious answer.). You could leave the confirmation_tag where it is syntactically, and just change the computations, but that would break the (admittedly aesthetic) property that the signature covers everything above it.

Overall, though, I think this is worth writing up a PR on.  I look forward to your proposal for how to resolve the syntax issue :)

Thanks again,


On Thu, Sep 17, 2020 at 1:43 PM Marta Mularczyk <<>> wrote:
Hi all,

Together with Joël Alwen and Daniel Jost, we noticed some unexpected (at least to us) effects of the way transcript hash is computed. What are your thoughts on this?

Details: Say Alice and Bob each processes a commit packet and they end up with the same epoch secrets. Expected guarantee: agreement on the secrets implies being in sync -- agreement on the group state, and being able to continue progressing epochs.
Problem: the latter is false if the packets processed by Alice and Bob only differ in the signature string (it's easy to come up with many equivalent ECDSA signatures, given only the signer's public key). Now Alice and Bob agree on the confirmed_transcript_hash, and hence on the current secrets, but not on the interim_transcript_hash, so they won't agree on the next epoch secrets. Result: they will never accept the same commit (due to not matching confirmation_tag) and so they'll never be in sync in the next epoch.

This can be solved by including the signature in the confirmed_transcript_hash and not signing the confirmation_tag (the tag is also not part of the transcript_hash). We claim that this doesn't affect security. Assume Alice sends a commit and the adversary intercepts the packet. Consider these 3 cases:
- if the adversary doesn't know the current epoch secrets, then he can't modify any part of Alice's packet (due to AEAD/MAC security of the message framing).
- if he knows the epoch secrets but not Alice's signing key, then the only thing he can, in principle, modify is the confirmation_tag. However, the tag is fully determined by the signed part of the commit (and the transcript history).
- if he knows both, then the adversary can already produce any packet he wants on behalf of Alice.

An additional advantage of this solution is that it simplifies the protocol by removing the interim_transcript_hash.

In detail, a commit now proceeds as follows:
1. construct the MLSPlaintext with the Commit object and confirmation_tag=0,
2. sign the MLSPlaintext and include the result in the confirmed_transcript_hash,
3. advance the key schedule and update the confirmation_tag in the MLSPlaintext.

If the working group generally agrees on the above approach, we'll be happpy to draft a PR.

MLS mailing list<>