Re: [MLS] Two poorly defined aspects of the spec

Cornelissen Eric <> Tue, 18 August 2020 14:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2F2633A0B03 for <>; Tue, 18 Aug 2020 07:27:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UKR5b0fb2IlY for <>; Tue, 18 Aug 2020 07:27:19 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 64DFE3A0B3B for <>; Tue, 18 Aug 2020 07:27:16 -0700 (PDT)
Received: from (localhost.localdomain []) by localhost (Email Security Appliance) with SMTP id 8752A271673_F3BE540B; Tue, 18 Aug 2020 14:27:12 +0000 (GMT)
Received: from ( []) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (Client CN "", Issuer " RootCA" (not verified)) by (Sophos Email Appliance) with ESMTPS id D364E271634_F3BE53FF; Tue, 18 Aug 2020 14:27:11 +0000 (GMT)
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3; Tue, 18 Aug 2020 17:27:11 +0300
Received: from ([fe80::4047:1ae:cfdf:c1a8]) by ([fe80::4047:1ae:cfdf:c1a8%18]) with mapi id 15.01.1979.003; Tue, 18 Aug 2020 17:27:11 +0300
From: Cornelissen Eric <>
To: Richard Barnes <>
CC: "" <>
Thread-Topic: [MLS] Two poorly defined aspects of the spec
Thread-Index: AQHWa9hzVoJJMfPk+kK5poDHTeMmXqkxOXWAgAG6Cor//+j8AIALIkv/
Date: Tue, 18 Aug 2020 14:27:11 +0000
Message-ID: <>
References: <> <> <>, <>
In-Reply-To: <>
Accept-Language: en-US, fi-FI
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_597d43a04e4947fb80a8fa6830f41a0daaltofi_"
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=from:to:cc:subject:date:message-id:references:in-reply-to:content-type:mime-version; s=its18; bh=h4OdWyoweKYICJ97sgqcoZvX7eclZXlf569b01FkHjg=; b=XY+S+Mj6wnNxPK7TfT/XIhc0hLXNeRFIVqr6OEHVMjxveBnaIiUHTDwjOsimo/7b/u/v+prLS4BpYErjM7c+WmuILkDE6cq4agz/SrvDdZCuVF3Lc/I0ltiYDg5ND1CWGlkX42G4mUWUluUB11+jGWVpo3ELmDGMXo51gAUNFoUsEaulIoOrDVyDqdNsdbUKxU78AxN6ngNXgKYsurr5+Fdm9whmJv3JCQ3GKry5lwht9DKu8pjV8iXVlHPOycoBtd3eF9e8VmG9gQN/8Lrc1t269+JIgy3QqY/bhmzn8Mrye8OFhM7obxSplgakEnXukTemCpRe6MI+T2VpJ8ooqw==
Archived-At: <>
Subject: Re: [MLS] Two poorly defined aspects of the spec
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 18 Aug 2020 14:27:22 -0000

Thanks Richard

Regarding my observations about Welcome. I would need some context about whether or not we want joiners to verify group creation. (*)

  1. We want to verify group creation.

  In this case, first of all, the changes in <> #385<><> need to be reverted (as pointed
  out in that thread and in #390<><>). Then, to prevent the attack for which that change
  was introduce I would propose the following: disallow the use of "add-only" commits
  on group creation AND requiring the initial group member(s) to verify that a "full"
  commit was used in the group creation.

  2. We don't need to verify group creation.

  In this case the only thing (I think) that has to change is that the last paragraph of
  the should be remove. (and #390<> can be closed.)

As I stated earlier, I would personally be in favor of option 2 as 1) it is the simpler solution, 2) the existing method of detecting group creation is not foolproof (**), and 3) I don't see a reason to verify the group creation process. In fact, a malicious client can always prevent joiners from being able to do this verification by simply performing a separate commit before adding the actual group members (***).

If you agree that 2 is the way to go, I'll get out a PR as soon as possible.


(*): The git history isn't of much help here. As far as I can tell the group creation verification paragraph was added in 5490d0e<>/2f2f5d8<>/#239<>tocol/pull/239>. None of which provide any insight into why the verification is useful. Perhaps this was discussed in a meeting somewhere?
(**): Nor do I think there exists any effective way of detecting group creation.
(***): In which case reverting #385<><> would only hurt the malicious client.

From: Richard Barnes <>
Sent: Tuesday, August 11, 2020 6:22:32 PM
To: Cornelissen Eric
Subject: Re: [MLS] Two poorly defined aspects of the spec

I filed #388 to fix (1) and (1a).

Not sure what to do with your observations about Welcome.  If you have thoughts about how to clarify, please send a PR!


On Tue, Aug 11, 2020 at 9:47 AM Cornelissen Eric <<>> wrote:

Hi Richard,

1. In that case I would agree that clarifying the indices is the way to go. I personally think just adding interim_[0] = 0 to the current definition would suffice and be clearer than your suggestion here, but that's just personal taste.

2. The "secrets" array makes a ton of sense.

If the welcome is ignored when the verification fails, then the fact that this is not strictly true seems to make it impossible to continue with a group after all but one person left (unfortunately, the paragraph doesn't specify what should happen if the verification fails). This is not a cryptographic problem, but I'd imagine this being confusing for end users if the application layer doesn't deal with it properly.

However, as I just pointed out in #385<>, it seems that we (I) made it impossible for joiners to verify group creation at all.



From: Richard Barnes <>
Sent: Monday, August 10, 2020 5:22:47 PM
To: Cornelissen Eric
Subject: Re: [MLS] Two poorly defined aspects of the spec

Hi Eric,

Thanks for the analysis here.  More good finds.

1. I think the right answer is a little of both.  If you initialize a one-member group, before any Commit messages have been sent, then it should be the zero-length octet string.  But then as soon as the group is used for something, it is updated.  Maybe the way to clarify this is to fix the indices.  If we have the interim hash belong to the new epoch, then we could have something like the following:

interim_[0] = 0
confirmed_[n] = Hash(interim_[n] || MLSPlaintextCommitContent_[n]);
interim_[n+1] = Hash(confirmed_[n] || MLSPlaintextCommitAuthData_[n]);

1.a. BTW, this raises another issue: I had thought we had removed direct dependencies on hash functions when we move from invoking HKDF to invoking the KDF from HPKE.  But this points out that we still have raw hash invocations.  I filed an issue for this:

FWIW, I think the latter course there is the right answer, i.e., to keep the raw hash invocations and clarify that the ciphersuite specifies a hash function.

2. It seems like the right reference here is probably to the "secrets" array in the Welcome message.  There's one entry there for each member being added, so if len(secrets) = len(group_info.tree.leaves) - 1, then there was only one member in the group to start with.  It's not strictly true to say that this is a new creation, since one commit could remove all but one of the members of the group and re-add a new set of members.  But this distinction doesn't really seem salient.

On Thu, Aug 6, 2020 at 6:02 AM Cornelissen Eric <<>> wrote:

Hi All,

I have two questions about things that are unclear to me in the current state of the spec as they are undefined/poorly defined.

1. What is the intended value of interim_transcript_hash_[0]?

>From the current draft I cannot definitively (i.e. with 100% certainty) say whether the value of the first interim_transcript_hash should be:

a. "the zero-length octet string" following the last line of Group state section<><>up-state>, or
b. a value derived based on the MLSPlaintextCommitAutData for the first commit concatenated with 0:
        = Hash(confirmed_transcript_hash_[0] || MLSPlaintextCommitAuthData_[0])
        = Hash(0 || MLSPlaintextCommitAuthData_[0])

The draft strongly suggests to me that it is the former, but the latter seems to more accurately reflect the statement "The confirmed_transcript_hash field contains a running hash over the messages that led to this state."

In the case that a is correct I would suggest updating the definition of interim_transcript_hash_[n] to:

    interim_transcript_hash_[0] = 0
    interim_transcript_hash_[n] =
        Hash(confirmed_transcript_hash_[n] ||

In the case that b is correct I would suggest adding a "warning" that says something along the lines of "as a placeholder value" to the place(s) where the draft says that the interim_transcript_hash of a group is initialized to 0.

2. What is the `members` array mentioned in the Group creation section<>?

In that section it is stated that "A new member receiving a Welcome message can recognize group creation if the number of entries in the `members` array is equal to the number of leaves in the tree minus one." First of all, it is not clear what this `members` array is. It seems this refers to a field of the now-removed Init struct. Interestingly this struct was removed in the very same PR that added the above sentence (see #239<>). But I wasn't able to really figure out what the draft-09 equivalent of it should be.

In addition, I'm pretty sure this technique would no longer work to detect group creation (but that would depend on how the sentence should be updated).

MLS mailing list<>