Re: [MLS] May 2019 Interim Registration and Issue discussion

Karthikeyan Bhargavan <> Thu, 02 May 2019 08:03 UTC

From: Karthikeyan Bhargavan <>
Date: Thu, 2 May 2019 10:02:58 +0200
To: Richard Barnes <>
Cc: Nick Sullivan <>, Messaging Layer Security WG <>

Looking at:

I see that there is a change in metadata encryption:

> sample = ciphertext[:Hash.length]
> mask = HMAC(sender_data_secret, sample)[:8]
> encrypted_sender_data = sender_data ^ mask
> ~~~~~
> This approach is similar to the one used for protection of header
> information in QUIC (see Section 5.4 of {{?I-D.ietf-quic-tls}}).
> Note that the sender data values are authenticated by the AEAD
> and the signature, while the masked_sender_data is not and only
> benefits from passive security because it depends on the ciphertext

I disagree with this change, because it is too early to put in optimizations,
especially those that rely on non-standard cryptographic constructions.
I would prefer that we go back to using plain AEAD for the sender_data,
and that we add this kind of optimization once we have a proof that it is secure.


> On 25 Apr 2019, at 19:50, Richard Barnes <> wrote:
> Couple of notes on plans for the protocol document:
> As Nick notes, we are hoping to publish draft-05 of the protocol document before the interim.  I have marked a handful of PRs for inclusion in that release:
> If folks could review those PRs ASAP, that would be helpful, as we will be working to get a few major things merged next week.  Thanks to Joël Alwen and Michael Rosenberg for reviews so far.
> In general, my thinking is that draft-05 will be a "feature release" and draft-06 will be a "performance release", in the following sense: In draft-05, we're getting in a lot of the big changes to the security model (tree hashing, common signing/encryption).  We'll try to keep these things stable for a bit, to let some analysis get done.  While that's going on, we can focus on issues that relate more to performance / scalability / maintainability, such as server assist, server-initiated add/remove, or KDF trees for application secrets.  I've already put a few issues / PRs into the draft-06 milestone:
> --Richard
> On Thu, Apr 25, 2019 at 1:38 PM Nick Sullivan <> wrote:
> The date and location are set for the May 2019 Interim meeting. It will be on May 16 at the Wire headquarters in Berlin. More details can be found on Github:
> Please register with the following form if you intend on attending either remotely or in person.
> Registration Link (
> Registration deadline closes on May 2nd.
> We are soliciting proposals for presentations to add to the agenda for the meeting. Please send proposals to Due to time limitations, these should be restricted to discussions about current active drafts.
> Here are the active documents:
> Protocol (
> Issues:
> Milestones:
> Architecture (
> Issues:
> Federation (
> Issues:
> As a reminder for the working group, the target milestone for the -05 draft of the protocol document is May 1st, 2019. There are still a number of open issues that should be discussed here: We encourage the authors and other participants to read these issues, distill the main questions raised by them and propose answers for discussion on the list in the coming week.
> Nick and Sean
> _______________________________________________
> MLS mailing list
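The following is an added example, written for this archive page; it is not code from the MLS draft, from the message above, or from any MLS implementation. It puts the two constructions discussed at the top of the message side by side: the QUIC-style mask quoted from the draft (sample = ciphertext[:Hash.length], mask = HMAC(sender_data_secret, sample)[:8], sender_data XOR mask) and the plain-AEAD protection of sender_data that the reply asks to go back to. The 8-byte sender_data layout, the AES-128-GCM choice, the HMAC-based key/nonce derivation from the ciphertext sample, and all input values are assumptions of the example, not the draft's key schedule or encoding. TamperComparison shows the property the quoted text calls "passive security": a flipped bit in the masked field unmasks silently to a different sender_data, while the AEAD rejects it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SenderDataLen is the width of the masked field in the quoted draft text
// (mask = HMAC(...)[:8]).
const SenderDataLen = 8

// Constructed inputs for the example (not real MLS values).
func exampleSecret() []byte {
	s := sha256.Sum256([]byte("constructed sender_data_secret"))
	return s[:]
}

func constructedCiphertext() []byte {
	// Stand-in for an application-message ciphertext; it only needs to be
	// at least Hash.length (32 bytes for SHA-256) long.
	a := sha256.Sum256([]byte("constructed ciphertext block 1"))
	b := sha256.Sum256([]byte("constructed ciphertext block 2"))
	return append(a[:], b[:]...)
}

// exampleSenderData assumes a layout of sender index (4 bytes) || generation (4 bytes).
var exampleSenderData = []byte{0, 0, 0, 7, 0, 0, 0, 42}

// MaskSenderData is the draft-05 construction quoted in the message: sample the
// first Hash.length bytes of the ciphertext, derive a mask by HMAC under
// sender_data_secret, and XOR the first 8 bytes of it into sender_data.
func MaskSenderData(secret, ciphertext, senderData []byte) ([]byte, error) {
	if len(ciphertext) < sha256.Size {
		return nil, fmt.Errorf("ciphertext is %d bytes, need at least Hash.length=%d", len(ciphertext), sha256.Size)
	}
	if len(senderData) != SenderDataLen {
		return nil, fmt.Errorf("sender_data must be %d bytes", SenderDataLen)
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(ciphertext[:sha256.Size]) // sample
	mask := mac.Sum(nil)[:SenderDataLen]
	out := make([]byte, SenderDataLen)
	for i := range out {
		out[i] = senderData[i] ^ mask[i]
	}
	return out, nil
}

// UnmaskSenderData is the same XOR. Nothing here can fail on a modified
// field: any 8 bytes unmask to some sender_data, so the mask gives
// confidentiality against a passive observer but no integrity.
func UnmaskSenderData(secret, ciphertext, masked []byte) ([]byte, error) {
	return MaskSenderData(secret, ciphertext, masked)
}

// deriveKeyNonce yields an AES-128 key and 96-bit GCM nonce for the AEAD
// alternative. Deriving both by HMAC over a label and the ciphertext sample is
// an assumption made for this example, not the draft's key schedule.
func deriveKeyNonce(secret, ciphertext []byte) (key, nonce []byte) {
	prf := func(label string) []byte {
		mac := hmac.New(sha256.New, secret)
		mac.Write([]byte(label))
		mac.Write(ciphertext[:sha256.Size])
		return mac.Sum(nil)
	}
	return prf("sender data key")[:16], prf("sender data nonce")[:12]
}

func newGCM(secret, ciphertext []byte) (cipher.AEAD, []byte, error) {
	if len(ciphertext) < sha256.Size {
		return nil, nil, errors.New("ciphertext too short to sample")
	}
	key, nonce := deriveKeyNonce(secret, ciphertext)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	return aead, nonce, err
}

// SealSenderData is the plain-AEAD alternative: AES-128-GCM over sender_data,
// with the message ciphertext as associated data so the field is bound to it.
func SealSenderData(secret, ciphertext, senderData []byte) ([]byte, error) {
	aead, nonce, err := newGCM(secret, ciphertext)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, senderData, ciphertext), nil
}

// OpenSenderData decrypts and verifies; any change to the sealed field or to
// the ciphertext it was bound to makes it fail.
func OpenSenderData(secret, ciphertext, sealed []byte) ([]byte, error) {
	aead, nonce, err := newGCM(secret, ciphertext)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, sealed, ciphertext)
}

// TamperComparison flips one bit of the protected field under both schemes.
// It returns what the masked scheme silently unmasks to, and the error the
// AEAD scheme raises (nil would mean the tampering went unnoticed).
func TamperComparison(secret, ciphertext, senderData []byte) (unmasked []byte, aeadErr error, err error) {
	masked, err := MaskSenderData(secret, ciphertext, senderData)
	if err != nil {
		return nil, nil, err
	}
	masked[3] ^= 0x01 // attacker flips a bit in transit
	unmasked, _ = UnmaskSenderData(secret, ciphertext, masked)
	sealed, err := SealSenderData(secret, ciphertext, senderData)
	if err != nil {
		return nil, nil, err
	}
	sealed[3] ^= 0x01 // same flip against the AEAD-protected field
	_, aeadErr = OpenSenderData(secret, ciphertext, sealed)
	return unmasked, aeadErr, nil
}

func main() {
	unmasked, aeadErr, err := TamperComparison(exampleSecret(), constructedCiphertext(), exampleSenderData)
	if err != nil {
		panic(err)
	}
	fmt.Printf("masked scheme: tampered field unmasks without error to %x\n", unmasked)
	fmt.Printf("AEAD scheme:   tampered field rejected: %v\n", aeadErr)
}
```

The flipped bit lands in the sender-index bytes of the assumed layout, so the masked receiver would look up the wrong sender and only notice, if at all, at the later AEAD or signature check the quoted text mentions; the AEAD variant fails at the point where the field is opened.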