Re: [MLS] Cost of the partial-tree approach
Raphael Robert <raphael@wire.com> Wed, 31 October 2018 15:45 UTC
Return-Path: <raphael@wire.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70B0C130E2A for <mls@ietfa.amsl.com>; Wed, 31 Oct 2018 08:45:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wire-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wn5n6nHEaqBO for <mls@ietfa.amsl.com>; Wed, 31 Oct 2018 08:45:12 -0700 (PDT)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B384C130DDF for <mls@ietf.org>; Wed, 31 Oct 2018 08:45:11 -0700 (PDT)
Received: by mail-ed1-x529.google.com with SMTP id e5-v6so14027004eds.6 for <mls@ietf.org>; Wed, 31 Oct 2018 08:45:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wire-com.20150623.gappssmtp.com; s=20150623; h=from:mime-version:subject:date:references:to:in-reply-to:message-id; bh=lTXHZcEuPqv/g8Pg6OdHhfOU9pZr8IE622yeO4c7dKU=; b=S9BT8uWQcIBaQy5MWrHTktc+jAHidDkb4UGUtgfOlN6+Sabn3fEieDtuIsEJDKyGFf r5Y5b2hN/xaLNbYbVvPh9haqIv60llaBd+Xf0mXZEyBr6lxlm4Mgw9hnoDY1Ii8BdGag YMF9pkHMV5t8DKhecFEuBSB8kKVR/K5xvnJ4wgOWA5WhWQwLfyi+br/GPFtIAgpBcPgG EIIHsWadnTbHsSza3R15mlWzFvW4N44Pii9BQ7VJVpTozur1rNlZsarBqL8DJ3bhfGMM oqZNqOdJPuKlmq9N5FmjWe+0U42Vmn/OU2aEcqfYwMJGtKtiM/AdVq0Zi1MwyctiHgLv +G9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:date:references:to :in-reply-to:message-id; bh=lTXHZcEuPqv/g8Pg6OdHhfOU9pZr8IE622yeO4c7dKU=; b=X5ZnxtTUH5l1W1TBWfpbMKS2BPFoCVVzLsJJ9EK8bBah86vbpjDcoYkTS+kQp8Sh0g c7kHnMHE6lBZpjN/Aw/YKzICmvBaPRG3V2iEyOG9R8uNSWwIyd/n1O8fpPfyg2zBG1TY FpmwLrR3KuesdGXGH2KMUWISZXBU/liknYMsUl6JYZyz2EmbDyGieKtcn5kO/7c1b2/e dMDIfzJ0DL987REkMK5DNMMm4NltEPoC07nL9Hvxk2NMUSosZO22h9Jj+MBD/nAK8TyT btRhkURZTaVSbjEGW9zZSE/ZzNww2mwtL9BO/Sl2YNIRHbz1Jb50VZjX5TCnu7gmXk1E mcZg==
X-Gm-Message-State: AGRZ1gJAt5+BSCmcQz/HYmJQAa3b+mENqojsZC9VjHW6a18sGk/mV2qV Kf0hB5nWy3W+C41F6xBRc9pvt0HGCoE=
X-Google-Smtp-Source: AJdET5d59n4Yyzs09i3UOAJ7zYa5EJPv2ZKz/bLq+a9W2RFNYN3rTmljvavwwKsO4rzlWiIm10/09g==
X-Received: by 2002:a17:906:4e14:: with SMTP id z20-v6mr1850641eju.187.1541000709358; Wed, 31 Oct 2018 08:45:09 -0700 (PDT)
Received: from rmbp.wire.local (h-62.96.148.44.host.de.colt.net. [62.96.148.44]) by smtp.gmail.com with ESMTPSA id z13-v6sm2190366edm.67.2018.10.31.08.45.07 for <mls@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 31 Oct 2018 08:45:08 -0700 (PDT)
From: Raphael Robert <raphael@wire.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_218D8AC2-2FE5-473D-B6AB-EDB056BFB59D"
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
Date: Wed, 31 Oct 2018 16:45:06 +0100
References: <CAL02cgSJdxgNTvyfvGLnsqLkBWChnds9TM8Ua_S6Z2MwN_QiDw@mail.gmail.com>
To: mls@ietf.org
In-Reply-To: <CAL02cgSJdxgNTvyfvGLnsqLkBWChnds9TM8Ua_S6Z2MwN_QiDw@mail.gmail.com>
Message-Id: <E6BD470E-6F30-44F6-93F3-F5BCBEA9B5A8@wire.com>
X-Mailer: Apple Mail (2.3445.100.39)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/o2rcwoTiXHtaWid8nq0CHl66RMs>
Subject: Re: [MLS] Cost of the partial-tree approach
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Oct 2018 15:45:15 -0000
Having to choose between security and efficiency is always a terrible choice to make. I'd like to explore an idea where the only choice is about how the workload is distributed.
I made some simulations to see how quickly the workload converges from linear to ~log N for the partial-tree approach (see graph in [1]). The setup was as follows: the tree creator added 1k members to a tree at once. The members iteratively did updates in a random order. I measured the copath length after each update (min, max and average). The length of the copath is equivalent to the number of DH / KEM operations the sender has to do, and thus the size of the message. Note that in a punctured tree the copath is not the list of siblings of the direct path anymore, rather every node of the copath needs to be "resolved" if it is a blank node. In a tree with many blank nodes the new copath can therefore be quite long.
The graph clearly shows the efficiency is very bad for the initial set of updates, but also quickly converges after only a fraction of the updates have been done.
My conclusion from this is that a full tree is not necessary to address the efficiency issue.
Instead of pre-populating the whole tree with node secrets, it might be enough to only pre-populate a fraction of the nodes. With the blanking mechanism, nodes can be arbitrarily blanked/populated. The only rule is that leaf nodes need to know the node secrets of their (non-blanked) parent nodes.
This means that we can pre-populate whatever nodes are most suitable to improve efficiency. This happens to be the case with the top of the tree (the top being the part close to the root of the tree). The closer a node is to the root, the more likely it is to be part of an arbitrary copath. Conveniently, the same node is equally likely to be overwritten during an update, henceforth removing the double-join state for that node. Even more conveniently, the top of the tree contains far fewer nodes than the rest of the tree, making the pre-population quite cheap.
An example in numbers:
A tree is vertically divided in "levels". A tree with 1k leaves has log2(1k) ~ 10 levels. Let's say we pre-populate the upper 5 levels of the tree (the "top"). The top contains about ~3% of the total number of nodes in the tree. After only 1.5% of the members have updated (assuming an even distribution of members who update) the top of the tree does not contain double-joins anymore. The copath length for early updates is drastically reduced as can be seen in [2]. The comparison with the empty tree can be seen in [3].
However while this effectively increases efficiency, the double-join issue remains during the early epochs of a tree. Now since the number nodes that were pre-populated is relatively low, it might just be practical to use a bookkeeping mechanism to track those nodes.
If a node secret is known to a member that is not a descendent of that node, this is considered to be a double-join. For every such node, we can simply keep a list of illicit owners.
Whenever a member is evicted from the group, additional blanking has to be done: So far only the nodes in the direct path of evicted member had to be blanked, now we also blank the nodes the evicted member double-joined. It is important that all of blanking happens before new values are KEMed to the resolved copath of the evicted member. This guarantees that the evicted member doesn't have any access to any node secrets anymore.
The entries of the bookkeeping (the "book") have to be shared with newly invited members. It is important that every member has the same view of the book to guarantee that eviction can always be fully achieved. Passing the book to a new member therefore has to be tamper-proof, because especially inviting members might have an incentive to lie about the nodes they double-joined. The book could simply be added to the group state, so that its content is "pinned" when deriving epoch secrets. This would guarantee that a new member either sees the same book as the rest of the group, or they cannot derive the same epoch secrets.
The same mechanism of pre-populating nodes in the tree ("warming up" the tree) could be used more generally when adding new members to the group. Instead of just adding the UserInitKey of the new member, the inviting member could warm up the direct path of the new member (except the leaf node of the new member). This would avoid inserting new blank nodes in the tree when adding a new member.
Conversely, this could potentially also be done when evicting a member. Instead of blanking the direct path of the member, the evicting member could simply overwrite all or a part of the blanked nodes, avoiding a punctured tree at the expense of increasing the bookkeeping effort. Note that if a blank node is overwritten, the children of that node need to know its secret. The secret needs to KEMed to all children. This happens implicitly when overwriting a direct path, but needs to be done manually when overwriting arbitrary blank nodes, which could occur as a result of the bookkeeping. This could lead to a high number of KEM operations, and blanking double-joined nodes (that are outside of the direct path of the evicted member) might just be cheaper. As mentioned above, the blanking has to be done before new values are KEMed to nodes in the tree.
It remains to be seen in which situations this makes sense in terms of efficiency and what the best balance is between additional bookkeeping and puncturing the tree. Aside from some ground rules, further simulations could give an indication.
Assuming the bookkeeping mechanism works as intended and no other problems arise, the choice comes down to how much warming up is desired. Ultimately, this choice could be left to the members themselves, assuming they all have the tree efficiency as a common interest. This would allow for dynamic decision taking based on the tree structure.
Raphael
[1] https://imgur.com/a/wZtueOX
[2] https://imgur.com/a/My8anBs
[3] https://imgur.com/a/ZvmdfeH
> On 1 Oct 2018, at 18:17, Richard Barnes <rlb@ipv.sx> wrote:
>
> Hey all,
>
> There was some debate at the interim about the performance implications of the "partial-tree" approach to adds and removes [0] (derived from the "remove-without-double-join" approach described on the mailing list [1]). In particular, EKR expressed concern that this approach would cause message size to degrade from log to linear. To test this out, on the plane home I wrote a simulator that performs random group operations and compares two approaches:
>
> 1. The "full-tree" approach, which has optimal efficiency but also has double-joins
> 2. The "partial-tree" approach, which has no double-joins but sub-optimal efficiency
>
> I've made a little visualizer here:
>
> https://ipv.sx/treekem/blanking/ <https://ipv.sx/treekem/blanking/>
>
> The tl;dr is that the partial-tree approach is only very bad if you have a very sparse tree, in particular, if you follow the "Init w/o 2J" approach of [0]. In all other cases, as long as updates happen sufficiently frequently, the two approaches are within a small constant factor of one another. The intuition here is that adds / removes degrade the tree (since they add blank nodes) while updates heal the tree (since they fill in blank nodes).
>
> If you have the simulator start out with a sparse tree (untick "Start full"), you'll see that initially, the "partial-tree" approach is very bad, pretty much linear, but it gets better as nodes update, and eventually merges with the "full-tree" line. If you start with a full tree, the lines don't diverge.
>
> Obviously, this isn't dispositive in one direction or another. But ISTM that this experiment indicates that the cost of the "partial-tree" approach might not be too bad, given that it clears up a significant ambiguity / saves the cost of double-join bookkeeping.
>
> --Richard
>
> [0] https://github.com/mlswg/wg-materials/blob/master/interim-2018-09/no_more_double_joins.pdf <https://github.com/mlswg/wg-materials/blob/master/interim-2018-09/no_more_double_joins.pdf>
> [1] https://mailarchive.ietf.org/arch/msg/mls/Zzw2tqZC1FCbVZA9LKERsMIQXik <https://mailarchive.ietf.org/arch/msg/mls/Zzw2tqZC1FCbVZA9LKERsMIQXik>
>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
- [MLS] Cost of the partial-tree approach Richard Barnes
- Re: [MLS] Cost of the partial-tree approach Raphael Robert