Re: [MLS] Key Schedule: Replace DPRF with multi-input PRF (NPRF)

Chris Brzuska <chris.brzuska@aalto.fi> Fri, 31 July 2020 07:22 UTC

Return-Path: <chris.brzuska@aalto.fi>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CC093A1025 for <mls@ietfa.amsl.com>; Fri, 31 Jul 2020 00:22:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.119
X-Spam-Level:
X-Spam-Status: No, score=-2.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aalto.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qIFtXpmIKzhn for <mls@ietfa.amsl.com>; Fri, 31 Jul 2020 00:22:17 -0700 (PDT)
Received: from smtp-out-02.aalto.fi (smtp-out-02.aalto.fi [130.233.228.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 053013A0EA7 for <mls@ietf.org>; Fri, 31 Jul 2020 00:22:16 -0700 (PDT)
Received: from smtp-out-02.aalto.fi (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 7E8A1271590_F23C6A2B for <mls@ietf.org>; Fri, 31 Jul 2020 07:22:10 +0000 (GMT)
Received: from exng1.org.aalto.fi (exng1.org.aalto.fi [130.233.223.20]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (Client CN "exng1.org.aalto.fi", Issuer "org.aalto.fi RootCA" (not verified)) by smtp-out-02.aalto.fi (Sophos Email Appliance) with ESMTPS id 0680F27158E_F23C6A2F for <mls@ietf.org>; Fri, 31 Jul 2020 07:22:10 +0000 (GMT)
Received: from exng6.org.aalto.fi (130.233.223.25) by exng1.org.aalto.fi (130.233.223.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3; Fri, 31 Jul 2020 10:22:09 +0300
Received: from [192.168.1.116] (130.233.0.5) by exng6.org.aalto.fi (130.233.223.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3; Fri, 31 Jul 2020 10:22:09 +0300
To: <mls@ietf.org>
References: <682de0fe-41c2-9b96-067b-6cb4b08e1e7c@aalto.fi> <7028_1594089739_5F03E109_7028_154_1_B0D017EB-1A15-4C96-84C8-1E202A5A51EF@nps.edu> <4ceb1790-ef66-0113-0f59-023ab1e713e7@aalto.fi> <21383_1595613267_5F1B2052_21383_1688_1_CAL02cgTLkZrUBAD3LLKtgwfg+eNZKWMn0qEJ7=H98pRM=gzYxQ@mail.gmail.com>
From: Chris Brzuska <chris.brzuska@aalto.fi>
Message-ID: <176aefff-5394-b496-d649-fb7d4e430847@aalto.fi>
Date: Fri, 31 Jul 2020 10:22:10 +0300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <21383_1595613267_5F1B2052_21383_1688_1_CAL02cgTLkZrUBAD3LLKtgwfg+eNZKWMn0qEJ7=H98pRM=gzYxQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------709A1B6E95C1F3E66A856F75"
Content-Language: en-GB
X-Originating-IP: [130.233.0.5]
X-ClientProxiedBy: exng4.org.aalto.fi (130.233.223.23) To exng6.org.aalto.fi (130.233.223.25)
X-SASI-RCODE: 200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aalto.fi; h=subject:to:references:from:message-id:date:mime-version:in-reply-to:content-type; s=its18; bh=LhOuEVVoK6G8bMPN59At6s2rDacvfwXIG6CL/pf2pp8=; b=twPLf1qM12eo0FJI3+y+/UhwvPDW4s5SJ6YgT/yCm1gLX95YaeXvtnYrf4VYldLap64bw64CbHLImEeD+v90p985RWoJiqQPM/woTsdbKAgbs3Gpscyeq1nr/Tn6rJzSLX3AdhMR8AXD/bN8DCWi/JAxOHjldiwNjzpT4CDnO2+AQrGnZwOB7XSpCYB3W1RZanvhE/0gmfyyVHvA6CF3pQmrTnSH18WlTsnQutGOgWVnMqvg8mHwxA9T96RGgFdBZyIy88TKtaa3qj+8OG2503k+RT1ZvxkLfpJaLZULrMZRVeoL7gT9xnnJ2sxYPo1U0t3FOMNrtg91EGrXCiX8jg==
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/nsUOy8VlgXzQKeu9YNd0PupUN0s>
Subject: Re: [MLS] Key Schedule: Replace DPRF with multi-input PRF (NPRF)
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2020 07:22:28 -0000

Hi Richard,

I came to the conclusion that none of the concerns you brought up 
affects the nPRF suggestion at its core. The issue of the welcome secret 
is unnecessary (see separate eMail which I just sent since I think that 
the use/generation of the welcome_secret is of independent interest). 
The other interface mismatch which you identified is that the key needs 
to be partially shared before, but this is not a problem: You can share 
the xor of the two input keys or the concatenation of the two keys to be 
xored.

An additional advantage of the updated nPRF construction (in addition to 
better assumptions and parallel computation) is that it combines entropy 
additively, i.e., if several secrets have low entropy, but together, 
they have enough entropy, then extracting from the concatenation of all 
of them will yield a good key although neither of the secret was good. 
This is useful regardless of the number of keys we combine.

Chris

On 24/07/2020 20:53, Richard Barnes wrote:
> Hey Chris,
>
> I was looking again at the key schedule as I was drafting #362 [1].  A 
> couple of things occurred to me:
>
> 1. You can't add the commit secret and PSKs in the same operation, 
> because you want new joiners to put in the PSK, but you don't want 
> them to have to know the commit secret.
>
> 2. The nPRF construction you propose has the same number of HMAC 
> invocations as the chained-HKDF-Extract stuff that's in the current 
> draft / 362.
>
> Given those observations, I wonder how much an nPRF is really buying 
> us.  It's not saving us any HMAC calls, and relative to #362, it would 
> only coalesce two DPRF calls into one nPRF call.
>
> Maybe there's some benefit if there are multiple PSKs?  But even then, 
> it seems like you could add a layer, computing a synthetic PSK from 
> the multiple ones, and keeping the main key schedule simple.
>
> At this point, given the above and the novelty of the nPRF 
> construction, I'm inclined to just stick with HKDF and merge #362 
> instead of #336.
>
> --Richard
>
>
> [1] https://github.com/mlswg/mls-protocol/pull/362
>
> On Tue, Jul 7, 2020 at 5:30 AM Chris Brzuska <chris.brzuska@aalto.fi 
> <mailto:chris.brzuska@aalto.fi>> wrote:
>
>     Thank you for the pointer to Carter-Wegman MACs.
>
>     >>> This style of combing hash outputs does affect collision
>     resistance [4], and some discussion on relation to that would be
>     nice to see.
>
>     That's an excellent point. In addition to pseudorandomness, we
>     prove the collision-resistance of our construction. I.e., assuming
>     that no unique value is used twice and assuming that HMAC is
>     collision-resistance, then the final Expand operation guarantees
>     unique outputs. I.e., by including the unique value into the final
>     Expand operation after the xor, the construction recovers from any
>     collisions incurred by the xor.
>
>     Chris
>
>     On 07/07/2020 05:41, Hale, Britta (CIV) wrote:
>>
>>     This is an interesting proposal. It is closely related at a high
>>     level to Carter-Wegman MACs (i.e. for random seed r, MAC((k1,
>>     k2), m) = PRF(k1, r) XOR MAC(k2, m)). Quite a few MACs fall into
>>     this category in practice. Considering the use of a MAC-based KDF
>>     and the proofs of [3] on DPRFs, there is an overlap between NPRFs
>>     and extrapolation of the above (based on iteration of the PRF
>>     guarantees).
>>
>>     This is worth noting from an assurance standpoint: there was
>>     discussion at the virtual interims with respect to the current
>>     formulation of MLS key derivation, which has a “TLS precedence”,
>>     yet this proposal is not without precedence itself. Ergo, such a
>>     change should not necessarily be concerning based on differing
>>     from current practice.
>>
>>     This style of combing hash outputs does affect collision
>>     resistance [4], and some discussion on relation to that would be
>>     nice to see.
>>
>>     Britta
>>
>>     [1] Carter, Wegman. Universal classes of hash functions.
>>
>>     [2] Carter, Wegman. New hash functions and their use in
>>     authentication and set equality.
>>
>>     [3] Bellare and Lysyanskaya. Symmetric and Dual PRFs from
>>     Standard Assumptions: A Generic Validation of an HMAC Assumption.
>>
>>     [4] Bernstein. What output size resists collisions in a xor of
>>     independent expansions?
>>
>>     *From: *MLS <mls-bounces@ietf.org> <mailto:mls-bounces@ietf.org>
>>     on behalf of Chris Brzuska <chris.brzuska@aalto.fi>
>>     <mailto:chris.brzuska@aalto.fi>
>>     *Date: *Tuesday, June 9, 2020 at 10:32 AM
>>     *To: *"mls@ietf.org" <mailto:mls@ietf.org> <mls@ietf.org>
>>     <mailto:mls@ietf.org>
>>     *Subject: *[MLS] Key Schedule: Replace DPRF with multi-input PRF
>>     (NPRF)
>>
>>     Hi all,
>>
>>     I would like to open a discussion on a suggestion for a change in
>>     the key schedule. In the current draft, we use the Extract
>>     function twice as a dual pseudorandom function (DPRF) when
>>     combining 3 keys (*) and interleave them with an Expand call.
>>
>>     The suggestion [1] is to replace these 3 calls by a multi-input
>>     PRF (NPRF) which is especially designed to return a pseudorandom
>>     key when at least one of the input keys is pseudorandom. The new
>>     suggestion relies on standard PRF security rather than
>>     DPRF-security of Extract.
>>
>>     You can find the accompanying paper with pictures, discussion and
>>     security reduction for the design principle here [2]. I include a
>>     summary of the main points in the end of this eMail.
>>
>>     Please comment/share your opinion. Thanks!
>>
>>     Chris
>>
>>     (*) commit_secret, PSK and init_secret
>>
>>     [1] Pull Request:https://github.com/mlswg/mls-protocol/pull/337
>>     <https://github.com/mlswg/mls-protocol/pull/337>
>>
>>     [2] Paper: http://chrisbrzuska.de/2020-NPRF.html
>>
>>     *--------------------------------------------------------------------------------------------------------------------*
>>
>>     *Summary of main points:*
>>
>>     The current key schedule
>>     - uses Extract as a dual pseudorandom function and assumes that
>>     HMAC is a dual pseudorandom function
>>     - applies Extract after Expand, i.e., after applying a function
>>     which generates a pseudorandom value
>>     - iterates Extract-then-Expand sequentially to combine more than
>>     2 keys
>>
>>     The pull request suggests to
>>     - replace the ad-hoc assumption that Extract is a dual
>>     pseudorandom function
>>     - remove Extract steps when applied after Expand
>>     - use a provably secure NPRF construction which allows to combine
>>     more than 2 keys and is based on a standard PRF assumption and
>>     statistical properties of xor.
>>
>>     Efficiency:
>>     - The suggested construction has higher parallel efficiency. It
>>     increases the overall number of HMAC evaluations by 1.
>>
>>     Assumptions:
>>     - HMAC is a standard PRF.
>>     - Relies on a unique value, the group_context was suggested.
>>
>>     Construction:
>>     (1) Use unique value to expand each key and xor the result
>>     (2) expand resulting key, including unique value into the context
>>     again
>>
>>     Security argument:
>>     - Pseudorandomness: unique value ensures that each outcome of
>>     Expand in (1) is used only once in a xor combination, thus
>>     allowing on one-time pad argument of xor.
>>     - Uniqueness of resulting keys: (2) ensures that if HMAC is
>>     collision-resistent, then the result is collision-resistent.
>>
>>     Variants:
>>     - It is possible to use an NPRF variant called NameNPRF [2] which
>>     has 3 HMAC evaluations more and relies less on the unique value.
>>     I.e., NameNPRF is secure in the same scenarios as DPRF: Keys only
>>     repeat if the input keys repeat *and* the group context repeats.
>>
>>     Questions/Comments that came up:
>>     - Barnes, MacMillion suggested group_context as unique value
>>     - MacMillion wondered about removal of Extract: One can add an
>>     extract operation for the psk. For other input keys, it does not
>>     seem needed, since they were returned from Expand.
>>     - Wood: Can we replace HMAC by arbitrary PRF? Yes. For uniqueness
>>     of output keys, the PRF needs to be collision-resistant, too.
>>
>>
>>     _______________________________________________
>>     MLS mailing list
>>     MLS@ietf.org  <mailto:MLS@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/mls
>     _______________________________________________
>     MLS mailing list
>     MLS@ietf.org <mailto:MLS@ietf.org>
>     https://www.ietf.org/mailman/listinfo/mls
>
>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls