[MLS] Re: New Version Notification for draft-sullivan-mls-attachments-00.txt

Nick Sullivan <nicholas.sullivan@gmail.com> Thu, 09 July 2026 02:52 UTC

Return-Path: <nicholas.sullivan@gmail.com>
X-Original-To: mls@mail2.ietf.org
Delivered-To: mls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 8CA3D113983E9 for <mls@mail2.ietf.org>; Wed, 8 Jul 2026 19:52:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1783565549; bh=4wkKza8hLjqrHhF4e7VL8PT6LtLdCSkrKAPo8l4SJgA=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=vbdiC+kqNbnJD7PKgwQcIebd0SuIXKijJCCMbi9lrgj3OkH+B/EW08ORDW2x5gSz7 Uz7D9oisc93K8ADiZpfg4F+bjS3OHVKzTD8vL7Jxg/qTV30YJDNCQ7g+0L/czDtxB2 pDrYCRSIy4ds/oG6XRdDgnKQp6nrCUVDUqYXpn8E=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bJWwYshS8dVN for <mls@mail2.ietf.org>; Wed, 8 Jul 2026 19:52:28 -0700 (PDT)
Received: from mail-yx1-xb133.google.com (mail-yx1-xb133.google.com [IPv6:2607:f8b0:4864:20::b133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id B91D7113982CB for <mls@ietf.org>; Wed, 8 Jul 2026 19:51:33 -0700 (PDT)
Received: by mail-yx1-xb133.google.com with SMTP id 956f58d0204a3-664a09bc459so1916707d50.1 for <mls@ietf.org>; Wed, 08 Jul 2026 19:51:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1783565493; cv=none; d=google.com; s=arc-20260327; b=s8YdiQf9ndrttkxMaruFyyb7rwQHMGQJ9WPYl8LodfxIi+wRadTpJj5fpHt4d5kId8 aXnjs7JK1c7FB7CQ5aMq5nkWwbYeCkvJLGrZCPIF58ABWDzEu5VZYGxO3W/GPr0lJKU8 4WyPbfvf59PVsaUXrr15X/LP87rZMnE6/S7mXCdJE8dnA4LhwlDl/2IOIKoNQTYNfjjE z2qLfADAJ7ZMMyJ0VeaB2ZLJBgxAV0DAEbr2E2skrOCnYUKEobv6ZCayX16Zgr5OJ2vq 025wBK5hJ0AGRi4SiAOjLWXqtaqaUL8kAQ9f6Gl8jGkZ6UnxVaPWa58tc/+v10ULcBi2 Pexg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20260327; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=C0PMstk6jtPmDBnGEK5yQdvjEX0tLJwUXppI8UYIzl8=; fh=RgW2ZT7NkD9yDzufJwzsU2bj+fqjeG2DaDqnOa1xiOM=; b=RaniwzZdQY6YxJY8Deabhs/RRF0hn3HKycRJYnlS1zhEoPAHLWs1MARxnfMJs6tD0D +JGGz6PphhZ0FlTUPmWEsAIMmMpwze2Rp6W7v3gwAn1rbjxXIy5A23Vz1N+D9jh0Puha Jnf+B4pFrKnCnlutYS3i3mq46aNVCyMOZHhw8FQFQFEeG6KAqs77swgS7QJjRJ5EYSeA 06cMcnLj+RjDxPbGlC4BnmXArtgMrJrad+YSTiThf0W49yn7HLi9ZgY8aauAJoVRSp8T EN8T51cFMZ9ZUeA/mU/NWWpDBvOqghciDN1az0e00YgGB3f6oIGCKBfH9gfEIzSuJ3yB tNwg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1783565493; x=1784170293; darn=ietf.org; h=content-type:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:from:to:cc:subject:date:message-id:reply-to :content-type; bh=C0PMstk6jtPmDBnGEK5yQdvjEX0tLJwUXppI8UYIzl8=; b=mdWlVl5jyQ3eVqx3MX4GaKBxJCpfvDvAKuNVVk5IcNtNWjpjlAefL8DubTwbtMkgKz lV5FuBigQksZygZ8OQB6UIt5QDC+dwMehPrWXvX92nh5ftHMOs98ABEcexiNAm9neSX4 uKxG+ixMDLnX3A5BFr2y6+F2YRbWDFtJbB5rLBVAkWsEwmcWEuXH5+rD/y5PiuiZVBTJ Sn2lh+BzNF3Rkp/qP1L4cHQhC0mj2mOAcRwWz0+HsQDklcNlmCYYBy1pPFtTizoF/BuZ WcxDUReAQ/3sGNH5TYH4RXHL4PeKNztBvkOrvz5FAqKfcbir/s1dBUrzIH8BhEi/tX3J F49Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783565493; x=1784170293; h=content-type:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to:content-type; bh=C0PMstk6jtPmDBnGEK5yQdvjEX0tLJwUXppI8UYIzl8=; b=W0nCj+DL91fDQeItr9wsp1QaAiGM8bT2XclOXJLhEmKp0dt3Bu6f1HkIG18xHXNbEQ XI/42fsswVhdLXc1S8WK8tbzvAuPs4BnfSeCxXMw3YuIgRJEGS7AAGeVL1n+GIobwkVF ivY4Hx4s9OXjqF73G+Aa7mI2VDyQpNR1tyWnzjxA745k3noJnqa3Op0Xuv82ER34sbOr Mo/5xPlTUqTOdeC6QnYwiVaJJ6KphKjyLlvXwnM1F/Qf8UYIXfcdoDfkyLw9ME/r6OSf sCMobDT1i7Bc9ExkQ3Hfm7XqlkI6krHMw0s9QrAh7In94BG2cgOTvG0JJaNj/702+ekd sA0A==
X-Forwarded-Encrypted: i=1; AHgh+RoNB7pMjoEy5QMM9TB/hxfCU0rduni25gH2VpGZcev4Gi3oMUtBlAd+cXMwFgMzFAQjdBE=@ietf.org
X-Gm-Message-State: AOJu0Yy0E0a2vulQdC43Cbx9Qd2TfRQNgI/PuzVdf0v6Q3cgvGv8LEsy ctIMIEuDxBqedLpy+zd8PvIAKQMk3lautV8tukSAdT7ud0lTrBqCeAmwlQ1/CRNG28Q/n85ctum gpdCVGgAeMoRQkvqj8dWGgppzPRDZfgY=
X-Gm-Gg: AfdE7cnqP6b+ezInsb5eEzGRCOipJz4HfKyKjm3iBwV0XgRec373/GJzxJOxV5dhVjn jK8qW+AQJOkvuJHqr2J2SKJ/ffZEmrWpWa1Cyw65lbhHkW/kL0oT1Qyj3xYxroRmZMBq6UL41tU mp4M8oJ5WlCpKIoA3wM0SX5MxEG3rsQ1Eh0QdNMTstsMZCqlp450kiDtXmMqVLRw+RjuRMQ7FAS Qywl6rA9NTkfU4uyhm1sNuGHk6mzL5/rCoSJDjUoq+3JaP4g9aGfQK2iCoZUsoYUaD884R4bFbV ADfFRVhl5iSsATyYjocz9EvxzG8tkYtr/sI4J1VFuUvLV8RWVALeadxNFF/2skpWTe2CyB9RiKl TLPj9j04MCv+4U+p8ktset3olFybGHhs=
X-Received: by 2002:a53:c903:0:b0:667:8b91:2449 with SMTP id 956f58d0204a3-6679f2a7c4fmr2776147d50.96.1783565493022; Wed, 08 Jul 2026 19:51:33 -0700 (PDT)
MIME-Version: 1.0
References: <178337870324.318357.13322910138192240453@dt-datatracker-57b5d8f849-zrqfx> <CAOjisRxNSjO4DsT8zOJ5qDuNzQLY0sZGiXynM5JRbgWgLfaEpA@mail.gmail.com> <CAJTd26+m=+yxutdxVDRNnZn1SA2Jpbuuia=op1_FFh88eKgn1Q@mail.gmail.com> <CAOjisRwZ2K4KwXh8MpFCpRknVtdQ6jXLwB4a0CGvKepnHv=auA@mail.gmail.com> <CAJTd26Jt5g2hG+heKmPAQKTV64ouJUZKBdvvE1dx=PBYMJaw8A@mail.gmail.com>
In-Reply-To: <CAJTd26Jt5g2hG+heKmPAQKTV64ouJUZKBdvvE1dx=PBYMJaw8A@mail.gmail.com>
From: Nick Sullivan <nicholas.sullivan@gmail.com>
Date: Thu, 09 Jul 2026 03:51:21 +0100
X-Gm-Features: AUfX_mzoVXdOXh47npfZbqBp-h_BYBadoE9fbs6tnSgpvffkiwVXjjIpAKsk93A
Message-ID: <CAOjisRwkoAm6vK10EGxHKm1w_d8JuRkgKmEThy+Ef=Ej9PqyvQ@mail.gmail.com>
To: Brendan McMillion <brendanmcmillion@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000a53364065624b3f0"
Message-ID-Hash: WQUU7K6EGVJ3NLNAHHNLIU2B3I26U7CT
X-Message-ID-Hash: WQUU7K6EGVJ3NLNAHHNLIU2B3I26U7CT
X-MailFrom: nicholas.sullivan@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-mls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: soatok.dhole@gmail.com, mls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [MLS] Re: New Version Notification for draft-sullivan-mls-attachments-00.txt
List-Id: Messaging Layer Security <mls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/kHNoUFyT2wRgbERSCPPlO_E9WuI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Owner: <mailto:mls-owner@ietf.org>
List-Post: <mailto:mls@ietf.org>
List-Subscribe: <mailto:mls-join@ietf.org>
List-Unsubscribe: <mailto:mls-leave@ietf.org>

On Thu, Jul 9, 2026 at 2:17 AM Brendan McMillion <brendanmcmillion@gmail.com>
wrote:

> Is non-repudiation important for MLS attachments in general? If not, the
>> design sketched out in the draft already provides ciphertext integrity.
>
>
> I would personally say it's important. It seems bad to say that if I send
> an attachment in a group, somebody else in the group can completely change
> its contents. Especially if the modified attachment could still look in the
> chat's UI like "I" sent it.
>

Agreed. Signatures are necessary for sender authentication within the group.


> The solution I'm writing up (it didn't land in raae-01) is to define a
>> snapshot authenticator that includes a hash of each ciphertext segment
>> as part of the existing metadata and a keyed KDF over this set.
>
>
> You're saying that the metadata will contain a list of the hashes of each
> segment? That would make the metadata pretty large. In fact, it seems
> pretty likely that your metadata would almost always be larger than your
> segment size. Going back to my original thought, it does seem better just
> to sign the individual segments. If the concern with signing each segment
> is that it would be too slow or that the signatures would be too large
> (something post-quantum), you could define (or more likely, leave it for a
> future document to define) a "signature" algorithm that's implemented as a
> Merkle tree or as a skip chain.
>

Or just a flat signed manifest in the case I’m describing.

The segments are 64KiB and the per-segment metadata is the AEAD tag (16
bytes for AES-GCM-128). The hashes are 32 bytes for SHA-256. You store one
per segment and front-load them before the ciphertext so they can be
fetched together. This adds around 0.05% to the length for multi-segment
attachments, or one new segment of metadata per 128MiB (check my
math). Then you combine them via a KDF, or if you’re fancy, a Merkle tree.
The higher-layer protocol can either sign every segment, or take advantage
of this shortcut and sign the KDF output, which is what I’m proposing.


> The skip chain "signature" idea seems more correct, since the encrypter
> can produce all of the signatures and ciphertexts in a single (reverse)
> pass over the attachment.
>

Of course, you’ll need all the hashes to validate the signature in a flat
or merkle scheme. Is the concern here around validating segments before the
entire object is encrypted, like you would see in streaming encryption? The
receiver won’t be able to validate any sections until the entire object’s
metadata is produced and read in this design, which could be an issue for
peeking into large files that haven’t been fully encrypted.

The skip chain idea is interesting because it can allow incremental
validation in the case of streamed objects that haven’t been fully
encrypted. The downside is that you fully lose the O(1) read random-access
property. That’s the main design point here, in my mind. Depending on
whether the attachment use case is streaming encryption or random-access,
different trade-offs apply and you have different optimal designs. The one
I went for here is focused on random-access, but if the streaming case is
more interesting, that’s also worth exploring.

Nick

>
> On Tue, Jul 7, 2026 at 6:40 AM Nick Sullivan <nicholas.sullivan@gmail.com>
> wrote:
>
>> Hi Brendan,
>>
>> This is the right question to ask. The signature part of this document
>> is under-specified and one of the trickier aspects of this
>> construction. What's the point of random-access encryption if you
>> don't have assurance that the entire attachment is signed, or you have
>> to decrypt or read the entire object to verify it, right? The answer
>> is a bit subtle because none of the AEADs specified in MLS are
>> key-committing, which makes SEAL's existing snapshot authenticator
>> insufficient for sender attribution.
>>
>> The solution I'm writing up (it didn't land in raae-01) is to define a
>> snapshot authenticator that includes a hash of each ciphertext segment
>> as part of the existing metadata and a keyed KDF over this set. The
>> snapshot authenticator is signed by the sender, and the recipient
>> verifies it. Per-segment authenticity is guaranteed by the AEAD;
>> segment placement within the file and authorship are validated by the
>> metadata, and signature over the authenticator proves attribution.
>> There are fancier tree-based designs, but this flat derivation
>> provides sender authenticity for segments at the cost of sending one
>> hash per segment (essentially adding a key commitment to the AEAD).
>>
>> The draft will need revision in any case because, as described,
>> ra-CMT-p (the position-commitment property defined in the raAE paper)
>> holds only under honest keys with a non-committing AEAD. A signed
>> digest transcript re-establishes the same position-commitment
>> guarantee under adversarially chosen or shared keys, grounded on
>> collision resistance rather than the AEAD's (absent) commitment
>> property. Key-comitting AEADs don't have this issue (cc: Andres in
>> case I'm wrong).
>>
>> It should be simpler than it sounds. What do you think?
>>
>> Best,
>> Nick
>>
>> On Mon, Jul 6, 2026 at 11:25 PM Brendan McMillion
>> <brendanmcmillion@gmail.com> wrote:
>> >
>> > Hi Nick
>> >
>> > It's interesting that this doesn't authenticate the sender of the
>> attachment, when that's typically the status quo for messages in MLS. Is
>> signing all of the segments not a reasonable thing to do?
>> >
>> > Section 7.5 briefly mentions that I could sign the object or the
>> reference. I'm not sure how signing the reference helps if the segments are
>> still symmetrically encrypted.
>> >
>> > On Mon, Jul 6, 2026 at 4:20 PM Nick Sullivan <
>> nicholas.sullivan@gmail.com> wrote:
>> >>
>> >> Dear MLS,
>> >>
>> >> We've submitted a new individual draft,
>> >> draft-sullivan-mls-attachments-00, "Encrypted Attachments for MLS." It
>> >> specifies write-once, large encrypted attachments carried alongside an
>> >> MLS group. Content is encrypted under a key derived from the MLS
>> >> exporter and protected as a SEAL-attachment object, so a receiver can
>> >> decrypt and authenticate a byte range without processing the whole
>> >> file.
>> >>
>> >> https://datatracker.ietf.org/doc/draft-sullivan-mls-attachments/
>> >>
>> >> We'd welcome feedback, especially on:
>> >> - Is deriving the attachment key from the MLS exporter, in the SFrame
>> >> style, the right approach?
>> >> - Is the object_id model, including deterministic derivation, the
>> right design?
>> >> - Is this a direction the working group would consider adopting?
>> >>
>> >> Test vectors under each MLS cipher suite will follow in -01.
>> >>
>> >> Best,
>> >> Nick (& Robert)
>> >>
>> >> On Mon, Jul 6, 2026 at 7:04 PM <internet-drafts@ietf.org> wrote:
>> >> >
>> >> > A new version of Internet-Draft
>> draft-sullivan-mls-attachments-00.txt has been
>> >> > successfully submitted by Nick Sullivan and posted to the
>> >> > IETF repository.
>> >> >
>> >> > Name:     draft-sullivan-mls-attachments
>> >> > Revision: 00
>> >> > Title:    Encrypted Attachments for MLS
>> >> > Date:     2026-07-06
>> >> > Group:    Individual Submission
>> >> > Pages:    15
>> >> > URL:
>> https://www.ietf.org/archive/id/draft-sullivan-mls-attachments-00.txt
>> >> > Status:
>> https://datatracker.ietf.org/doc/draft-sullivan-mls-attachments/
>> >> > HTML:
>> https://www.ietf.org/archive/id/draft-sullivan-mls-attachments-00.html
>> >> > HTMLized:
>> https://datatracker.ietf.org/doc/html/draft-sullivan-mls-attachments
>> >> >
>> >> >
>> >> > Abstract:
>> >> >
>> >> >    This document defines random-access authenticated encryption of
>> large
>> >> >    write-once files for Messaging Layer Security (MLS) groups.  A
>> file
>> >> >    is encrypted so that a receiver can decrypt and authenticate any
>> byte
>> >> >    range without processing the whole file.  The encryption is SEAL-
>> >> >    attachment, SEAL's named write-once attachment scheme (raAE),
>> >> >    parameterized by the AEAD and key derivation function of the
>> group's
>> >> >    MLS cipher suite and keyed from the MLS exporter.  The encrypted
>> >> >    bytes are carried by any means, and a recipient needs only a small
>> >> >    reference (the object's identifier and length, and an optional
>> >> >    locator) to fetch, key, and verify the object.  MLS application
>> >> >    messages cannot carry large files, and existing attachment
>> encryption
>> >> >    produces an opaque, immutable blob with no partial access.  This
>> >> >    extension supplies the random-access layer those uses need.
>> >> >
>> >> >
>> >> >
>> >> > The IETF Secretariat
>> >> >
>> >> >
>> >>
>> >> _______________________________________________
>> >> MLS mailing list -- mls@ietf.org
>> >> To unsubscribe send an email to mls-leave@ietf.org
>>
>