Re: [MLS] Simplifying the key schedule
Benjamin Beurdouche <benjamin.beurdouche@inria.fr> Sun, 24 February 2019 10:15 UTC
Return-Path: <benjamin.beurdouche@inria.fr>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC530127287 for <mls@ietfa.amsl.com>; Sun, 24 Feb 2019 02:15:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pNfJUtF53n_i for <mls@ietfa.amsl.com>; Sun, 24 Feb 2019 02:15:44 -0800 (PST)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFBF4126C01 for <mls@ietf.org>; Sun, 24 Feb 2019 02:15:43 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.58,407,1544482800"; d="scan'208";a="297142449"
Received: from 91-165-78-144.subs.proxad.net (HELO [192.168.0.3]) ([91.165.78.144]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Feb 2019 11:15:41 +0100
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
In-Reply-To: <88df2d10-8ffa-11ce-64a9-be2da501892a@wickr.com>
Date: Sun, 24 Feb 2019 11:15:41 +0100
Cc: ML Messaging Layer Security <mls@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <C729F309-0E84-4C7C-8047-F0E06F01EBE0@inria.fr>
References: <CAL02cgT_HiggpB6KDnXyqzyz5WUr=dAodmaRSPt+PfWj3BM3Mg@mail.gmail.com> <88df2d10-8ffa-11ce-64a9-be2da501892a@wickr.com>
To: Joel Alwen <jalwen@wickr.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/rf0vsYWTdyNtDEjK3XSffshrMsw>
Subject: Re: [MLS] Simplifying the key schedule
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Feb 2019 10:15:46 -0000
Hi Joel, > On Feb 24, 2019, at 6:17 AM, Joel Alwen <jalwen@wickr.com> wrote: > > Hi Richard, > > Sandro Corretti and I just discussed the questions you brought up in > your email about the key schedule and we've come round to the opinion > that of the options you present we prefer: > > - for the roster a merkle tree seems to be a good solution > - for the ratchet tree an ampelmann hashing scheme should work well > > In our opinion linear state size (with reasonably small constants) is > the lesser of the three evils when compared to needing extensive hashing > for each tree update and needing larger packet sizes for the protocol > (e.g. due to membership proofs). > > Having said that I wanted to suggest an alternative. Namely, including > the ID's of leaves as part of what gets hashed for the ratchet tree. > This makes including the roster redundant which means we would save on > all the merkle tree storage as well as the hashing during join/leave > ops. The only cost I see is that we might want to include the *hash* of > ID's as part of the state to avoid having to recompute when that party > updates their PK. (But that still needs less storage than a full merkle > tree on the roster so its also an improvement.) I am not sure to understand what you mean here :) while it might be poorly documented all the user init keys in TreeKEM are already mixed in the epoch secret because the Group AKE mandates to agree on whom is in the group at all times. Our issue is that a newcomer cannot use that information to explicitly check the identities. In general, I agree that the TreeKEM section of the draft lacks clarity on what it provides, and I believe it will be helpful to improve upon it so I will take a pass on it with Karthik before the interim. Cheers, B. > While we are on the subject of amplemann tree's I wanted to make a > suggestion for how to deal with blank nodes. I think its conceptually > simpler (and thus hopefully also less error prone / easier to code) then > using the resolution of blank nodes to define their values in the > ampelmann hash. We let the value of each node begin with an indicator > bit b (or octet if thats more practical). So node values are strings of > the form b || PK. (Alternatively for leaves it would be b || PK || > H(ID).) When b indicates the node is blank (b=1) we simply define PK > (and H(ID)) to be all 0s. > > I'm also in favour of Raphael's suggestion to define the hash of a node > to be H(L || R || V) where L and R are the hash of the left and right > child while V denotes the value of the current node. It seems simpler > than H(H(L || R) || V). > > - Joel
- [MLS] Simplifying the key schedule Richard Barnes
- Re: [MLS] Simplifying the key schedule Joel Alwen
- Re: [MLS] Simplifying the key schedule Benjamin Beurdouche
- Re: [MLS] Simplifying the key schedule Richard Barnes