Re: [MLS] Adapting Hierarchical Key Derivation for Ephemeral Signatures in MLS
Ted Hardie <ted.ietf@gmail.com> Fri, 12 October 2018 20:04 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D182126DBF for <mls@ietfa.amsl.com>; Fri, 12 Oct 2018 13:04:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id obZ06hNS20bP for <mls@ietfa.amsl.com>; Fri, 12 Oct 2018 13:03:59 -0700 (PDT)
Received: from mail-ot1-x329.google.com (mail-ot1-x329.google.com [IPv6:2607:f8b0:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07FDD130E8F for <mls@ietf.org>; Fri, 12 Oct 2018 13:03:58 -0700 (PDT)
Received: by mail-ot1-x329.google.com with SMTP id l1so13489188otj.5 for <mls@ietf.org>; Fri, 12 Oct 2018 13:03:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SvD+3DBkKiVrahYsO5HVrSC9bxuq7S6vKSrYNLV0Xgw=; b=cLqK+L9D8jl+AJ0ImfRIBZC9xNWUkv8RNx1F/az0EjS6rBA9qqiYLLcpWq8w1n4TVk BW9OAHjczASqeQmB/mSnZI7CdrGsL6zySTqlYYD3+tDQIrxkTJadgN2xoEyeLDEzvs+3 vVEWtjKaDG63lzTsUwNlS36Phkw3PyJNaAjSETR8UfVx3c8ye7XVvkAcifwG/J7uqguk zkjFztqH5X95LYATEGSY/Ft+dy1/9GVQ9WSRjAR7Kbqf3LBcGtXgVHdqHjucM/JBfMt4 sWj6HNF36GJHjw9ATd7j6UhkNgeEG8kNOdBVHSdEcRvQt2kYseX/cacQfRangV1U6Kx1 fyzQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SvD+3DBkKiVrahYsO5HVrSC9bxuq7S6vKSrYNLV0Xgw=; b=SqRPMPfA4f0QfkVzSgGNvdjQmhiuhbDx7GjDGemcN1j9XteKITPeYGkxwpvb8qO4gr Pfxww5ro6DI9sbHb8/699brta0AhT2N3w5Bz4BMhG8pB6T26VbBzn1HWDSL3mp4zusHn kh7QpYXxC2N3606SFKuTGjp5OeOJT0tTaT/kelZkcc2MhWcwbkMILIlSYjPEPe1VC7zx 39kgrwha78fdnedeBdVEuxOmsqL5qf27kAaGpr0LCCyb6WsItphlxGZJ4AMrUIw6aesJ /vCYpxKsO+6kAM7lUdbnAP9d+JyrWrIm+MInBA6F3F63nl4OJtQmrTqxGUnWwfyZQWQC NfsQ==
X-Gm-Message-State: ABuFfohWME2y0XTrPRIB6uwaXLZRqe3pG1wfYoMWZ2OYqr0fbjcBRTDM yEKLePDB6KNHsbRiZ0lH/iPdeQD3OX2l3u4OyOLXnb1W
X-Google-Smtp-Source: ACcGV62vlvQAfqrTIi6EakG4+2c+m45WuaINMuiG7GsJ1y+MXxbPi2HRVa81x/qzHu0DPPIItsqKMN/SV7FeJ3q6AxI=
X-Received: by 2002:a9d:2af:: with SMTP id 44-v6mr4458417otl.244.1539374636774; Fri, 12 Oct 2018 13:03:56 -0700 (PDT)
MIME-Version: 1.0
References: <CAJR2JpgwrgykbRGCCaEutou7x6-j4SGKFXurKah8rya=jMJ2cw@mail.gmail.com>
In-Reply-To: <CAJR2JpgwrgykbRGCCaEutou7x6-j4SGKFXurKah8rya=jMJ2cw@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Fri, 12 Oct 2018 13:03:29 -0700
Message-ID: <CA+9kkMDPp15pCmSwy5TeubZWNii0+uweH1XQATktP6=w_LhZXQ@mail.gmail.com>
To: nadim@symbolic.software
Cc: mls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000066bbfb05780d96ea"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/mqLvKTFRmHykCDThNo2lG-S3oyk>
Subject: Re: [MLS] Adapting Hierarchical Key Derivation for Ephemeral Signatures in MLS
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Oct 2018 20:04:02 -0000
Hi Nadim, I suspect I'm missing something simple here in your proposal. According to your reference 2, one of the issues with the derivation of this type of hierarchical key is: that knowledge of a parent extended public key plus any non-hardened > private key descending from it is equivalent to knowing the parent extended > private key (and thus every private and public key descending from it). > This means that extended public keys must be treated more carefully than > regular public keys. It is also the reason for the existence of hardened > keys, and why they are used for the account level in the tree. This way, a > leak of account-specific (or below) private key never risks compromising > the master or other accounts. > What I think that means is that if an attacker ever gets access to both an extended public key and any extended private key, we have lost forward secrecy for all the MLS communications covered by any keys derived from any of the epoch pairs. Is that correct? This appears to make handling required of the parent extended public key roughly equivalent to the handling of a private key, so that your step: Alice sends a public signing key to Bob during epoch n. means that Alice must refrain from ever using the parent extended public key has a signing key, but must instantiate signing keys from the n + 0 epoch. Is that a correct understanding? Thanks, Ted On Fri, Oct 12, 2018 at 12:47 PM Nadim Kobeissi <nadim@symbolic.software> wrote: > Hello everyone, > > I've been working on adapting Hierarchical Key Derivation (HKD) in order > to obtain some kind of ephemeral signatures that may be useful in MLS. I've > arrived at a point where I'm optimistic that this is a direction worth > pursuing and might indeed be a solution to this problem. > > HKD was at some point a candidate for how signature keys are managed per > epoch in the Tor Hidden Service design [0]. HKD logic has also been > implemented in Bitcoin wallets for a while now [1]. HKD constructions can > be also derived from existing popular fast signature algorithms such as > Ed25519 with minimal changes [2], making them an easy fit for MLS. Very > simply, the functionality that HKD signature schemes bring to MLS is the > following: > > - Alice sends a public signing key to Bob during epoch n. > - At the onset of epoch n+1, Bob is able to immediately calculate > Alice's public signing key for epoch n+1 based purely on his knowledge of > Alice's public signing key for epoch 0. Alice doesn't need to send new > signing key information to Bob. > - At this point, Bob can delete Alice's public signing key for epoch n. > - More importantly, Alice herself can delete Alice's private signing > key for epoch n, keeping only her private signing key for epoch n+1. > > The way that this could work in MLS would be heavily based on > HDKeys-Ed25519 [2]. I'll resist paraphrasing the paper, and instead will > point out the relevant sections (which are short, well-written and worth > reading:) > > - Section 2 describes the original concept as used for Bitcoin wallet > derivation. > - Section 4 describes the modifications to Ed25519 to enable HKD > constructions. > - Section 5 describes how private and public child keys are generated > (Fig. 1 is also helpful.) > > My questions: > > - How are we deriving epoch identifiers? Are they simply counters, or > each epoch identified by a nonce that's communicated confidentially? If you > read [2], you'll see why this can be important. > - Performance impact seems to be negligible for Montgomery-based > signing primitives, but I'm interested in more insight on this. > - Is anyone else interested in having a standard > HDKeys-Ed25519 implementation? I've been working on one in JavaScript and > plan to eventually also write one in Go. Perhaps Richard would like to help > with a C++ version? > - I'm also interested in hearing your thoughts on this generally. > > During the interim meeting (as well as before it), it was frequently > discussed how ephemeral signatures may be useful for MLS. This also appears > to be slated as a discussion topic for IETF 103, so it would be great if we > could continue the discussion there as well. > > References: > [0] > https://gitweb.torproject.org/torspec.git/tree/proposals/224-rend-spec-ng.txt#n1979 > [1] https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki > [2] https://cardanolaunch.com/assets/Ed25519_BIP.pdf > > Nadim Kobeissi > Symbolic Software • https://symbolic.software > Sent from office > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls >
- [MLS] Adapting Hierarchical Key Derivation for Ep… Nadim Kobeissi
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Ted Hardie
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Nadim Kobeissi
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Brendan McMillion
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Nadim Kobeissi
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Brendan McMillion
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Raphael Robert
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Nick Sullivan
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Brendan McMillion
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Brendan McMillion
- Re: [MLS] Adapting Hierarchical Key Derivation fo… Jonathan Hoyland