Re: [MLS] ART Ideas in TreeKEM
Raphael Robert <raphael@wire.com> Tue, 26 February 2019 09:02 UTC
Return-Path: <raphael@wire.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC677130E9F for <mls@ietfa.amsl.com>; Tue, 26 Feb 2019 01:02:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wire-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i-z378gt0g71 for <mls@ietfa.amsl.com>; Tue, 26 Feb 2019 01:02:00 -0800 (PST)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECDBD130E9E for <mls@ietf.org>; Tue, 26 Feb 2019 01:01:59 -0800 (PST)
Received: by mail-wm1-x329.google.com with SMTP id g20so744937wmh.5 for <mls@ietf.org>; Tue, 26 Feb 2019 01:01:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wire-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=et0FGulQz0MD/wckMsqj2M41ZI2ZxbXxs4ThreieLUI=; b=b62JHJtxN+8lkYmNrl1ziO8cKZUqPRCo44cu9Yv1rIjVGzGt1ZbZbIGoKqDPveIxFv YmAEPaQcAv3t7tt1VpN9aHhyy2gp8usU0jCK4iDpGrk7OCBgCvfS+h1Y7vWsjrYDQEaF 0zH9if8h8Je8QDzLAdpb7kpA6WzA+nJ+gSryOG7Nl2yL2wJtBErrNBYYUH3q7grOJN6T rZGnLYB3mVTHXsVSV/4X94NJUQKcWBJCuCgzSIY/e57+VkeT6flw2nJyC/IWbIPZQ884 Jy6Zn+gbfxqHLhomTDCHsYlxYmlmUwNQQftn/h5XIL0f2AMiU5pSIZ+84LQOlcwN7DGA k5ZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=et0FGulQz0MD/wckMsqj2M41ZI2ZxbXxs4ThreieLUI=; b=SzQ2Y4THSW2DlrAVy1JonppL0sfZPzJ8q3yVZPYtviMbpRHI0tdzKWIMp9Sm0q9aSg TJ5xBp9UJct/C2cPNtu+VkiBS4IxR3qGr/j88jvH14sxbP2WXzBQBzm8F6Njt7ZHlKYH O+urJX4S0tp3YaNx9CNGFLFfFeZ6iQ5PNT7UxZUL2vTbMkR9gT3/tX26GcFwC46B+xGV KOPXB3VcEa57fA+F5L5XdrQ+59OsKhcgL/1MPCVgJKTAI0IiN5UmibE+voutvWxPUc1D YeY+zkdHtIBm+ZypvcEm/grOtHOQe4a/FLQV/nN7vphNyU31RV/oY7ZBoTHih1NX/1/K PHjg==
X-Gm-Message-State: AHQUAuaOv7Mbz8Ap86v7Mv/JwXF6JRQ9chdeLyT/B1w8jNeaNO9HCtaj DQuN72z6QcNibkf+USSw6ZNT/eLNQWs=
X-Google-Smtp-Source: AHgI3IahCjQoo8WWJCcR70WpL7qtW5vGO2DBmAvBFicI5DEWgDI6vRyF7YSX0CnlTKtS4lLS1nJ8Rw==
X-Received: by 2002:a1c:23c4:: with SMTP id j187mr1792027wmj.13.1551171717747; Tue, 26 Feb 2019 01:01:57 -0800 (PST)
Received: from rmbp.wire.local (h-62.96.148.44.host.de.colt.net. [62.96.148.44]) by smtp.gmail.com with ESMTPSA id p6sm37576807wre.63.2019.02.26.01.01.56 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 26 Feb 2019 01:01:56 -0800 (PST)
From: Raphael Robert <raphael@wire.com>
Message-Id: <BFE54756-A69C-4493-BE0A-CF3DFA1D6599@wire.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_DBF8A3D7-C74E-4E4A-AD94-A23E4E2DAE4C"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Tue, 26 Feb 2019 10:01:55 +0100
In-Reply-To: <CAL02cgS3VfEx7YCOw6Zc-ejMKE35Lzkt20+6e8UOGAq2LgpbGQ@mail.gmail.com>
Cc: "M.A.L. Weidner" <malw2@cam.ac.uk>, Richard Barnes <rlb@ipv.sx>
To: "mls@ietf.org" <mls@ietf.org>
References: <CADSARUs6Qt5srOTYGe6otaVfUZQK56+HZgVJpzhssh8ad1Ux+w@mail.gmail.com> <CAL02cgS3VfEx7YCOw6Zc-ejMKE35Lzkt20+6e8UOGAq2LgpbGQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/rqfVQ6vTDgNFEf9M1iJzbDS3vAE>
Subject: Re: [MLS] ART Ideas in TreeKEM
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2019 09:02:08 -0000
Hi Matthew, One of the convincing reasons we saw when looking into ART vs. TreeKEM was that the recipient of handshake messages can process them with O(1) DH operations with TreeKEM as opposed to O(log n) with ART. This sounds like a small difference at first, but we believe that it makes a big difference in real life scenarios. Clients will mostly process handshake messages (particularly in large dynamic groups), but only rarely send them. The hunch is that TreeKEM is roughly an order of magnitude faster for average operations in MLS. If we go back to O(log n) DH operations to derive the root secret we would lose the speed advantage. Raphael > On 25 Feb 2019, at 23:07, Richard Barnes <rlb@ipv.sx> wrote: > > Hi Matthew, > > Thanks for the thoughts. Would it be accurate to summarize your proposal as a "hybrid mode", where when you update: > > - If both of a node's children are populated, then you do an "ART step", generating the parent from the children > - Otherwise, you do a "TreeKEM step", encrypting the next secret to the resolution of the other child > > (Remove is probably similar; for Add there's no change needed.) > > Assuming that's right, this honestly doesn't sound like a tremendously compelling proposition to me. Your evaluation on the overhead seems mostly correct, but there have already been some complaints on the list about hashing overhead, so I'm not sure trading DH+smaller_messages for hashing is going to suit. I'm also worried that this hybridization will introduce a bunch of new complexity into the protocol and make it harder to implement and analyze. Open to arguments if other folks are enthusiastic, though. > > --Richard > > > > > > > > On Mon, Feb 25, 2019 at 4:37 PM M.A.L. Weidner <malw2@cam.ac.uk <mailto:malw2@cam.ac.uk>> wrote: > Greatings MLS Working Group! > > I have been studying the proposals for TreeKEM, and earlier, ART, and noticed a way to use ART's DH tree ideas in TreeKEM, without sacrificing the ability to merge updates or use blank nodes. My apologies if this has been discussed before or if there are any mistakes. > > My main motivation here is to reduce the size of update messages, since the key encrypted keys in addition to new public keys means that they are ~2x as large in TreeKEM as in ART. > > Basically, we use TreeKEM, but with ART's key derivation "as" H(X). That is, when a node C1 gets the new secret X, instead of H(X), its parent gets the new secret > > H2(DH(X, priv(C2))) = H2(pub(C2) ^ X) = H2(pub(X) ^ priv(C2)) > > where C2 is the neighbor of C1, for some hash function H2. Since TreeKEM is agnostic about H, we can "define" > > H(X) := H2(DH(X, priv(C2))) > > in this way without issue, noting that the only users who will have to compute H2(DH(X, priv(C2))) are descendants of C1 (who know X) or C2 (who know priv(C2)). > > We can merge updates as with "pure" TreeKEM, choosing one update to dominate at nodes where they conflict. This will cause the tree to cease being a DH tree, which is fine. Note that descendants of C2 will have to keep around priv(C2) for a short time after it is overwritten in case of simultaneous updates (so that they can compute the parent secret), but that is true for TreeKEM anyway, since any simultaneous update will send data encrypted under pub(C2). > > Blank nodes can be handled by reverting to pure TreeKEM: if a node with new secret X has a blank neighbor, set the parent's secret to H(X) and send that separately to every public key in the resolution. > > Now instead of including > > pub(X), Enc(pub(C2), H(X)) > > in the RatchetNode struct for node C2, we need merely include pub(X), saving bandwidth. > > Pros: > - reduces the update message size by about 50% in the typical case (I think). > - we can build a ternary tree using 3-party Joux DH (as with ART), giving a further log_3(2) ~ 0.63 scaling on update message size. (I think it's possible to do this with pure TreeKEM as well, by replacing the ephemeral DH exchange with a Joux DH when doing asymmetric encryption.) > > Cons: > - forced to use a DH style cryptosystem (bad for post-quantum?) (as with ART). > - need log(N) DH operations to compute the new key, instead of log(N) hashes (as with ART). So this is a bad deal if CPU cycles are more expensive than bandwidth. > - can also reduce bandwidth by 2 just by ratcheting half as often. > > I hope you may find this interesting. > > Best, > Matthew Weidner > MPhil student, University of Cambridge > _______________________________________________ > MLS mailing list > MLS@ietf.org <mailto:MLS@ietf.org> > https://www.ietf.org/mailman/listinfo/mls <https://www.ietf.org/mailman/listinfo/mls> > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls
- Re: [MLS] ART Ideas in TreeKEM Richard Barnes
- [MLS] ART Ideas in TreeKEM M.A.L. Weidner
- Re: [MLS] ART Ideas in TreeKEM Raphael Robert
- Re: [MLS] ART Ideas in TreeKEM M.A.L. Weidner