IETF Logo Mail Archive

Re: [MLS] Key Schedule: Replace DPRF with multi-input PRF (NPRF)

Chris Brzuska <chris.brzuska@aalto.fi> Sat, 25 July 2020 21:36 UTC

Return-Path: <chris.brzuska@aalto.fi>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B41A03A087F for <mls@ietfa.amsl.com>; Sat, 25 Jul 2020 14:36:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.119
X-Spam-Level:
X-Spam-Status: No, score=-2.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aalto.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GAvwMbuy2RJz for <mls@ietfa.amsl.com>; Sat, 25 Jul 2020 14:36:50 -0700 (PDT)
Received: from smtp-out-02.aalto.fi (smtp-out-02.aalto.fi [130.233.228.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4181F3A087D for <mls@ietf.org>; Sat, 25 Jul 2020 14:36:48 -0700 (PDT)
Received: from smtp-out-02.aalto.fi (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 317422713F0_F1CA5EEB; Sat, 25 Jul 2020 21:36:46 +0000 (GMT)
Received: from exng4.org.aalto.fi (exng4.org.aalto.fi [130.233.223.23]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (Client CN "exng4.org.aalto.fi", Issuer "org.aalto.fi RootCA" (not verified)) by smtp-out-02.aalto.fi (Sophos Email Appliance) with ESMTPS id AB53427138F_F1CA5EDF; Sat, 25 Jul 2020 21:36:45 +0000 (GMT)
Received: from exng6.org.aalto.fi (130.233.223.25) by exng4.org.aalto.fi (130.233.223.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3; Sun, 26 Jul 2020 00:36:45 +0300
Received: from [192.168.1.116] (130.233.0.5) by exng6.org.aalto.fi (130.233.223.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3; Sun, 26 Jul 2020 00:36:45 +0300
To: Richard Barnes <rlb@ipv.sx>
CC: Messaging Layer Security WG <mls@ietf.org>
References: <682de0fe-41c2-9b96-067b-6cb4b08e1e7c@aalto.fi> <7028_1594089739_5F03E109_7028_154_1_B0D017EB-1A15-4C96-84C8-1E202A5A51EF@nps.edu> <4ceb1790-ef66-0113-0f59-023ab1e713e7@aalto.fi> <CAL02cgTLkZrUBAD3LLKtgwfg+eNZKWMn0qEJ7=H98pRM=gzYxQ@mail.gmail.com> <5754afd7-f05f-2844-5656-4f4572b49fab@aalto.fi> <CAL02cgTQonKgoh4trxpQxY9ONVvM_b6U+hFif+9Tahf7or9rmg@mail.gmail.com> <0c22bb51-6ef2-a55c-0c3a-14e0b590d7c7@aalto.fi> <064ad211-9f5f-7254-aa48-d7aea0ca2c7f@aalto.fi> <CAL02cgQrHK4-Hv1MQCDt_GcDQ-Rz2mQMCzdprink5jTfetdSAw@mail.gmail.com>
From: Chris Brzuska <chris.brzuska@aalto.fi>
Message-ID: <7c3c0f7f-58d2-acfb-d5d6-e8e5e80299da@aalto.fi>
Date: Sun, 26 Jul 2020 00:36:44 +0300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <CAL02cgQrHK4-Hv1MQCDt_GcDQ-Rz2mQMCzdprink5jTfetdSAw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------4EC37C874B10A6B6185A4D37"
Content-Language: en-GB
X-Originating-IP: [130.233.0.5]
X-ClientProxiedBy: exng5.org.aalto.fi (130.233.223.24) To exng6.org.aalto.fi (130.233.223.25)
X-SASI-RCODE: 200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aalto.fi; h=subject:to:cc:references:from:message-id:date:mime-version:in-reply-to:content-type; s=its18; bh=J+YoIJ+hF2PoXkvo0kmKw8RTBRSngHBGI65Pqp+ROYY=; b=raq6WdNN9Qzn7cF3rA3IFiqEF5fFIys61siHah7xxUDX618ffnl2t0BSCAiJslc2cw/84LvomVDrcNIoTAIiK81VYtMr6SGaGTefn6F3AbkSn/G2L8oveHehpg7JG6YolVl3fc3/gfYaoCWtk0kRwecfy8UnrGswP4KxbKUdBmafXw1brisQvz37ZvLImfD/oTabSQCKzhQv4d94rfPDphBKkj7aLnQeABR8nO615+FpYx5jKzi7l43+VwCWOLk5sHW8x4LP+bHMjgTjwzTgojkW3yOyuokNlLJIY5RFKsKabHivsZE6wDLbkxDh2c7UZ4HDbKJSmXsfVy9tM7zrTg==
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/oQD5wUzDhLaUaIrYOqxUV37RWZg>
Subject: Re: [MLS] Key Schedule: Replace DPRF with multi-input PRF (NPRF)
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Jul 2020 21:36:54 -0000

Thanks!

Another clarification question: I am confused about why GroupInfo and 
GroupSecrets are not encrypted using the same key? Since the 
welcome_secret can be derived from the GroupSecrets, the use of the 
welcome_secret does not seem to add security. Is this an efficiency 
optimization?

Chris

On 26/07/2020 00:14, Richard Barnes wrote:
> Think about the order of operations a new joiner goes through:
>
> 1. Decrypt the EncryptedGroupSecrets (including the joiner_secret) 
> using the relevant HPKE private key
> 2. Compute the welcome_secret, welcome_key, and welcome_nonce
> 3. Decrypt the GroupInfo using the welcome_key and welcome_nonce
>
> My presumption is that the joiner will only know that it needs the PSK 
> after step 3, when it can read the GroupInfo extensions.  (See 
> https://github.com/mlswg/mls-protocol/issues/367) That means that the 
> welcome_secret can't depend on the PSK.
>
> On Sat, Jul 25, 2020 at 4:09 PM Chris Brzuska <chris.brzuska@aalto.fi 
> <mailto:chris.brzuska@aalto.fi>> wrote:
>
>     Hi Richard,
>
>     I have a quick question: An additional change in your key schedule
>     is that the welcome_secret is now derived *before* including the
>     PSK. What is the motivation behind this?
>
>     Thanks!
>
>     Chris
>
>     On 24/07/2020 22:18, Chris Brzuska wrote:
>
>>     I see, thanks for clarifying. Obviously, with these requirements,
>>     pull request #336 does not work as is. I think that the
>>     conceptual issue of how to best combine two, three keys and more
>>     keys, remains, now with an additional requirement to combine two
>>     keys separately first.
>>
>>     Will think about it, thanks for clarifying the requirements!
>>
>>     Chris
>>
>>     On 24/07/2020 21:47, Richard Barnes wrote:
>>>     Your confusion is understandable -- the document is wrong right
>>>     now!  You are correct that the current design prohibits new
>>>     joiners from participating in the PSK proof, but that's a bug,
>>>     not a feature.  The epoch secret should verify that *all members
>>>     of the current epoch* know the PSK, not just the ones inherited
>>>     from the last epoch.
>>>
>>>     That's why #362 rearranges the key schedule as follows:
>>>
>>>         init_secret_[n-1] (or 0)
>>>                             |
>>>                             V
>>>        commit_secret -> HKDF-Extract = joiner_secret
>>>                             |
>>>                             +--> Derive-Secret(., "welcome")
>>>                             |    = welcome_secret
>>>                             |
>>>                             V
>>>           PSK (or 0) -> HKDF-Extract = member_secret
>>>                             |
>>>                             V
>>>     GroupContext_[n] -> HKDF-Extract = epoch_secret
>>>
>>>     (I also promoted the GroupContext to the main key schedule.) 
>>>     That's the context for my earlier comments.  With that picture,
>>>     the only thing you're coalescing with nPRF would be the latter
>>>     two HKDF-Extract calls.
>>>
>>>     Hope that helps,
>>>     --Richard
>>>
>>>
>>>
>>>     On Fri, Jul 24, 2020 at 2:32 PM Chris Brzuska
>>>     <chris.brzuska@aalto.fi <mailto:chris.brzuska@aalto.fi>> wrote:
>>>
>>>         Hey Richard,
>>>
>>>         thank you for looking into this. I think, I need more
>>>         explanation to understand the following point:
>>>
>>>         >>>  You can't add the commit secret and PSKs in the same
>>>         operation, because you want new joiners to put in the PSK,
>>>         but you don't want them to have to know the commit secret.
>>>
>>>         The current draft sais the following about the PSK:
>>>         "Groups which already have an out-of-band mechanism to
>>>         generate *shared* group secrets can inject those in the MLS
>>>         key schedule to seed the MLS group secrets computations by
>>>         this external entropy. At any epoch, including the initial
>>>         state, an application can decide to synchronize the
>>>         injection of a PSK into the MLS key schedule. This mechanism
>>>         can be used to improve security in the cases where having a
>>>         full run of updates across members is too expensive or in
>>>         the case where the external group key establishment
>>>         mechanism provides stronger security against classical or
>>>         quantum adversaries."
>>>
>>>         As I understand this paragraph, the PSK is known by all
>>>         group members and not related to new joiners. Maybe, the
>>>         requirements and/or design changed in the meanwhile, and I
>>>         am not aware of it. I interpreted the paragraph this way,
>>>         since the current construction (posted below for
>>>         convenience) also requires to know the commit_secret to
>>>         derive the epoch_secret (from which the welcome_secret is
>>>         derived). Where did I go wrong?
>>>
>>>         Thanks!
>>>
>>>         Chris
>>>
>>>                         init_secret_[n-1] (or 0)
>>>                               |
>>>                               V
>>>              PSK (or 0) -> HKDF-Extract = early_secret
>>>                               |
>>>                         Derive-Secret(., "derived", "")
>>>                               |
>>>                               V
>>>         commit_secret -> HKDF-Extract = epoch_secret
>>>
>>>
>>>         On 24/07/2020 20:53, Richard Barnes wrote:
>>>>         Hey Chris,
>>>>
>>>>         I was looking again at the key schedule as I was drafting
>>>>         #362 [1].  A couple of things occurred to me:
>>>>
>>>>         1. You can't add the commit secret and PSKs in the same
>>>>         operation, because you want new joiners to put in the PSK,
>>>>         but you don't want them to have to know the commit secret.
>>>>
>>>>         2. The nPRF construction you propose has the same number of
>>>>         HMAC invocations as the chained-HKDF-Extract stuff that's
>>>>         in the current draft / 362.
>>>>
>>>>         Given those observations, I wonder how much an nPRF is
>>>>         really buying us.  It's not saving us any HMAC calls, and
>>>>         relative to #362, it would only coalesce two DPRF calls
>>>>         into one nPRF call.
>>>>
>>>>         Maybe there's some benefit if there are multiple PSKs?  But
>>>>         even then, it seems like you could add a layer, computing a
>>>>         synthetic PSK from the multiple ones, and keeping the main
>>>>         key schedule simple.
>>>>
>>>>         At this point, given the above and the novelty of the nPRF
>>>>         construction, I'm inclined to just stick with HKDF and
>>>>         merge #362 instead of #336.
>>>>
>>>>         --Richard
>>>>
>>>>
>>>>         [1] https://github.com/mlswg/mls-protocol/pull/362
>>>>
>>>>         On Tue, Jul 7, 2020 at 5:30 AM Chris Brzuska
>>>>         <chris.brzuska@aalto.fi <mailto:chris.brzuska@aalto.fi>> wrote:
>>>>
>>>>             Thank you for the pointer to Carter-Wegman MACs.
>>>>
>>>>             >>> This style of combing hash outputs does affect
>>>>             collision resistance [4], and some discussion on
>>>>             relation to that would be nice to see.
>>>>
>>>>             That's an excellent point. In addition to
>>>>             pseudorandomness, we prove the collision-resistance of
>>>>             our construction. I.e., assuming that no unique value
>>>>             is used twice and assuming that HMAC is
>>>>             collision-resistance, then the final Expand operation
>>>>             guarantees unique outputs. I.e., by including the
>>>>             unique value into the final Expand operation after the
>>>>             xor, the construction recovers from any collisions
>>>>             incurred by the xor.
>>>>
>>>>             Chris
>>>>
>>>>             On 07/07/2020 05:41, Hale, Britta (CIV) wrote:
>>>>>
>>>>>             This is an interesting proposal. It is closely related
>>>>>             at a high level to Carter-Wegman MACs (i.e. for random
>>>>>             seed r, MAC((k1, k2), m) = PRF(k1, r) XOR MAC(k2, m)).
>>>>>             Quite a few MACs fall into this category in practice.
>>>>>             Considering the use of a MAC-based KDF and the proofs
>>>>>             of [3] on DPRFs, there is an overlap between NPRFs and
>>>>>             extrapolation of the above (based on iteration of the
>>>>>             PRF guarantees).
>>>>>
>>>>>             This is worth noting from an assurance standpoint:
>>>>>             there was discussion at the virtual interims with
>>>>>             respect to the current formulation of MLS key
>>>>>             derivation, which has a “TLS precedence”, yet this
>>>>>             proposal is not without precedence itself. Ergo, such
>>>>>             a change should not necessarily be concerning based on
>>>>>             differing from current practice.
>>>>>
>>>>>             This style of combing hash outputs does affect
>>>>>             collision resistance [4], and some discussion on
>>>>>             relation to that would be nice to see.
>>>>>
>>>>>             Britta
>>>>>
>>>>>             [1] Carter, Wegman. Universal classes of hash functions.
>>>>>
>>>>>             [2] Carter, Wegman. New hash functions and their use
>>>>>             in authentication and set equality.
>>>>>
>>>>>             [3] Bellare and Lysyanskaya. Symmetric and Dual PRFs
>>>>>             from Standard Assumptions: A Generic Validation of an
>>>>>             HMAC Assumption.
>>>>>
>>>>>             [4] Bernstein. What output size resists collisions in
>>>>>             a xor of independent expansions?
>>>>>
>>>>>             *From: *MLS <mls-bounces@ietf.org>
>>>>>             <mailto:mls-bounces@ietf.org> on behalf of Chris
>>>>>             Brzuska <chris.brzuska@aalto.fi>
>>>>>             <mailto:chris.brzuska@aalto.fi>
>>>>>             *Date: *Tuesday, June 9, 2020 at 10:32 AM
>>>>>             *To: *"mls@ietf.org" <mailto:mls@ietf.org>
>>>>>             <mls@ietf.org> <mailto:mls@ietf.org>
>>>>>             *Subject: *[MLS] Key Schedule: Replace DPRF with
>>>>>             multi-input PRF (NPRF)
>>>>>
>>>>>             Hi all,
>>>>>
>>>>>             I would like to open a discussion on a suggestion for
>>>>>             a change in the key schedule. In the current draft, we
>>>>>             use the Extract function twice as a dual pseudorandom
>>>>>             function (DPRF) when combining 3 keys (*) and
>>>>>             interleave them with an Expand call.
>>>>>
>>>>>             The suggestion [1] is to replace these 3 calls by a
>>>>>             multi-input PRF (NPRF) which is especially designed to
>>>>>             return a pseudorandom key when at least one of the
>>>>>             input keys is pseudorandom. The new suggestion relies
>>>>>             on standard PRF security rather than DPRF-security of
>>>>>             Extract.
>>>>>
>>>>>             You can find the accompanying paper with pictures,
>>>>>             discussion and security reduction for the design
>>>>>             principle here [2]. I include a summary of the main
>>>>>             points in the end of this eMail.
>>>>>
>>>>>             Please comment/share your opinion. Thanks!
>>>>>
>>>>>             Chris
>>>>>
>>>>>             (*) commit_secret, PSK and init_secret
>>>>>
>>>>>             [1] Pull
>>>>>             Request:https://github.com/mlswg/mls-protocol/pull/337
>>>>>
>>>>>             [2] Paper: http://chrisbrzuska.de/2020-NPRF.html
>>>>>
>>>>>             *--------------------------------------------------------------------------------------------------------------------*
>>>>>
>>>>>             *Summary of main points:*
>>>>>
>>>>>             The current key schedule
>>>>>             - uses Extract as a dual pseudorandom function and
>>>>>             assumes that HMAC is a dual pseudorandom function
>>>>>             - applies Extract after Expand, i.e., after applying a
>>>>>             function which generates a pseudorandom value
>>>>>             - iterates Extract-then-Expand sequentially to combine
>>>>>             more than 2 keys
>>>>>
>>>>>             The pull request suggests to
>>>>>             - replace the ad-hoc assumption that Extract is a dual
>>>>>             pseudorandom function
>>>>>             - remove Extract steps when applied after Expand
>>>>>             - use a provably secure NPRF construction which allows
>>>>>             to combine more than 2 keys and is based on a standard
>>>>>             PRF assumption and statistical properties of xor.
>>>>>
>>>>>             Efficiency:
>>>>>             - The suggested construction has higher parallel
>>>>>             efficiency. It increases the overall number of HMAC
>>>>>             evaluations by 1.
>>>>>
>>>>>             Assumptions:
>>>>>             - HMAC is a standard PRF.
>>>>>             - Relies on a unique value, the group_context was
>>>>>             suggested.
>>>>>
>>>>>             Construction:
>>>>>             (1) Use unique value to expand each key and xor the result
>>>>>             (2) expand resulting key, including unique value into
>>>>>             the context again
>>>>>
>>>>>             Security argument:
>>>>>             - Pseudorandomness: unique value ensures that each
>>>>>             outcome of Expand in (1) is used only once in a xor
>>>>>             combination, thus allowing on one-time pad argument of
>>>>>             xor.
>>>>>             - Uniqueness of resulting keys: (2) ensures that if
>>>>>             HMAC is collision-resistent, then the result is
>>>>>             collision-resistent.
>>>>>
>>>>>             Variants:
>>>>>             - It is possible to use an NPRF variant called
>>>>>             NameNPRF [2] which has 3 HMAC evaluations more and
>>>>>             relies less on the unique value. I.e., NameNPRF is
>>>>>             secure in the same scenarios as DPRF: Keys only repeat
>>>>>             if the input keys repeat *and* the group context repeats.
>>>>>
>>>>>             Questions/Comments that came up:
>>>>>             - Barnes, MacMillion suggested group_context as unique
>>>>>             value
>>>>>             - MacMillion wondered about removal of Extract: One
>>>>>             can add an extract operation for the psk. For other
>>>>>             input keys, it does not seem needed, since they were
>>>>>             returned from Expand.
>>>>>             - Wood: Can we replace HMAC by arbitrary PRF? Yes. For
>>>>>             uniqueness of output keys, the PRF needs to be
>>>>>             collision-resistant, too.
>>>>>
>>>>>
>>>>>             _______________________________________________
>>>>>             MLS mailing list
>>>>>             MLS@ietf.org  <mailto:MLS@ietf.org>
>>>>>             https://www.ietf.org/mailman/listinfo/mls
>>>>             _______________________________________________
>>>>             MLS mailing list
>>>>             MLS@ietf.org <mailto:MLS@ietf.org>
>>>>             https://www.ietf.org/mailman/listinfo/mls
>>>>

v2.23.0 | Report a Bug | By Email