[MLS] Deniability without pairwise channels.

Mathias Hall-Andersen <mathias@hall-andersen.dk> Wed, 22 January 2020 14:34 UTC

Return-Path: <mathias@hall-andersen.dk>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AD491200F4 for <mls@ietfa.amsl.com>; Wed, 22 Jan 2020 06:34:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hall-andersen.dk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EsNBurcbXSWu for <mls@ietfa.amsl.com>; Wed, 22 Jan 2020 06:34:21 -0800 (PST)
Received: from mailrelay1-2.pub.mailoutpod1-cph3.one.com (mailrelay1-2.pub.mailoutpod1-cph3.one.com [46.30.212.0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 282AF1200E9 for <mls@ietf.org>; Wed, 22 Jan 2020 06:34:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hall-andersen.dk; s=20191106; h=content-transfer-encoding:content-type:mime-version:date:message-id:to: subject:from:from; bh=/I7oHqcjaVDYzaQKy+EfMa3A3vNsvautIbTB/zwTBqs=; b=o2HzoTF8qqTY2QltY6KsQToFfGyk2cNM4X2Z2kcd8Iyyn7mCmgwS5rPuRuwuSiNiFe0kgpnMTAuYm +/w/e3GelWLcMgf94wWseczsjZbVimi9TX7ktfL4VzJQ0OGKUYcauDyCrfPoWxV14SgoTFrmi9RDIY EZ167zupajoecsr4bIgyn+x57LKdiZreoN71kuw4/ZSLLkjkmuIRtCH8NKjckZ8Xa4DI9FY4ksu1wf zRDjevk5xb/hVn7+Tw9ZcOuE/HZPiHa4SnRt594NyMSck248OxDBqJMd97416Q62/U8QTjYsvxs7x+ csDicNhJeBbvR7PYjj8vwY8ZnxGMI3g==
X-HalOne-Cookie: d4c35728b72d44a9e8350ef7208f3c31e9abf47d
X-HalOne-ID: 451a8ca3-3d24-11ea-a05e-d0431ea8a283
Received: from [IPv6:2a03:8600:1001:4000::f8c] (unknown [2a03:8600:1001:1337::2001]) by mailrelay1.pub.mailoutpod1-cph3.one.com (Halon) with ESMTPSA id 451a8ca3-3d24-11ea-a05e-d0431ea8a283; Wed, 22 Jan 2020 14:34:17 +0000 (UTC)
From: Mathias Hall-Andersen <mathias@hall-andersen.dk>
Autocrypt: addr=mathias@hall-andersen.dk; keydata= mQINBFdJtPsBEAD5nXy+MWGA5JjWMaT9Si8pgzSI8RTxHWxBTnun5pEqFMmNflhUk3FDCSvW 5zdm5zccYH+bqoHX7hHuDl9IhCGhzgbiTtVOctQMz0DN5SBMVrrwz/ziaAxsYQT0pfWey4A7 q6TSTZhToZOQH+mjR+b6p9w0t1HP73YqNjr7OEFBdaJS9RZGsxD142PubPn1PV2Db7xP+nXx Pal884Okbwy2gjrITG91x9IoDYa6Z+RtVwM8E10/i8b6sGHXoN8Yk5adcj9NmXz2q2kVT7nG Ur93mx0zzjDnYNEhFJg+gHyRB5W8ru5m9IaKyrHWLJZoGYYw6ttWX5Q8AyyTYWSZ58eChfAT +BKSLnTYLpYfpeWVXdpd4tyYnQqYGOn2gpBZtTzzRuyDX6ONnQVA/e6fFBCsOkSvUQ2mVALZ q1VZ+DTmosTm6mbvtAwMfABALXYi5oiyPoyFO/P24/LC2tbgwrcHDXfJRmyI0B+3F6tk7RbX QjZn8cuEsek1WRzc4bcEZdWWDigNxLSmh8X2ddBWnJ/cFFAneXf6ffDURChtP8i6Rz9BbLzs bUO1kOk87+1ZmGG3fIOzlEHzL23wdoDfrkeZ1X7EewTT/e/FTznmg8Yw5xwnbbxNVAzEwfmt e52lcfqPEJHK/XrTB73XZJiM0FpjQEXZFhrEY0DykuApqLb9AQARAQABtDBNYXRoaWFzIEhh bGwtQW5kZXJzZW4gPG1hdGhpYXNAaGFsbC1hbmRlcnNlbi5kaz6JAk8EEwEIADkCGwMCHgEC F4AECwkIBwQVCgkIAhYAFiEEceHsK3eHRXEGZ9UdrjMbILPIpcIFAl11SRIFCQgMx5cACgkQ rjMbILPIpcIiMQ/9FLvQ9uqlZgiF2QJv0a2UD0ZXZ3t9R2bUR8K8M8iuwHjoJURS/kbeGJCH J4Z+V5Kswh/C018TNwuXsQ44bTI5MxgAYBsxQQb2gGwJc8eNqDvOgdUgLP0R6SNbEwUrd52z ZPMXTGlEaik/4wnkOqc1LKC/ATvE3yy/Snv7iLe3mKSIy6QmtjqlrZ9RrNni7OEqp3VEhfkP Nx8w0Z6o7dHJIdw9v2Feh1dcGJFQDg6zD7PV0BPE82CzQcJzWa50+zEnQABlTZSZb909WBVk pDCtAhMsS5lsQGwy9BFBqx/l/p+6dMb/uOKRKH4BqT27u8+4+/anGgmF3TK3RWaXvIunqIlc 6oYJ7HZO2wReVHwHyuM0rY15hLOIdIzlS4PYXIuP7aV4ByAlDCBeD6cdYn/TGdCe1DYmvf7N fQumnxXi3od7lAxeIb8hYrwdYNXbJHVnhRoJXuGUe/ajn8y41GvTMmXj+UMeU31Dc/Fog+yk 4DBenTNem40vaZyhoejzb4Azb/rKDL6LGhk1UhySLE9tPr8H2cigPmP1Nnj2/Sm1ydILLwVv fdpoYTPvxBJ1dCCn0DDZt4fW7RNd/sLvomHyeiJumYFvQk2XWdSZxjardR87lf772T7RMfYf mJI22m1V/FGsIs+eJWBEqT7R5ldZYebbsE5ulG7o0wEJFGMi30K5AY0EW5Fy8AEMANje3aYX afeLWkAYBJBQJFP+VOjmE4cdjWjVXCNeQpvp1P34g3Qn7KYMUmul8zYtQEjJdkQDR5r2pZU6 pQyaotoukJfBHWGhuoURhpyNqsUpqqi87prpL384MRjYko4zFvwJ5+wTLHBv/v6xvcoMkEA+ 7FrOVnip0khVDrKVuTAU9yXy4AEUY4t27vQVjOGpt0Edp8pbLS/7sCBelMIMYsQrtO9fcQrm Exjh0uQPleJNw9+fnZTwSRRmsW4wdMexzS6sAY8BodSfk4IYYHsJe0EB71qARUEkB5/73WzK Bxj4da4OPIep/bInTgaHrvU3qFJ2JqogSWDY+LdXn9uV7cNKQERSuwfqsYJnagwq4Um46ucM xZKurvVrZ+N8dI3DADZWy72FVHmLxoN4m/swqIw/lJ67/3z55ebMlTFtQFvWQsUJEGpd4La4 7k0dInGsJBZQWHH61eMzd4YSVHPDl+WAxk94D+Xnu79Esck3G8xZZhIJxpuIGyivc1txWo1t 0wARAQABiQPyBBgBCAAmFiEEceHsK3eHRXEGZ9UdrjMbILPIpcIFAluRcvACGwIFCQPCZwAB wAkQrjMbILPIpcLA9CAEGQEIAB0WIQSSt85lBh7XyseHy+Y/bnj7qjtU2QUCW5Fy8AAKCRA/ bnj7qjtU2UojDACt5kZtcXZrYiWrmdyeMUSQbGqx+qRTy2Rdd0VYCfyLeZ5GvdbBew1K9wxZ xWOa/LNWBdt8FqgITnuAu239ULLoiIgwSr5iZWS93R7Nf0nfKOIBTYhbbWs95HPR+Y9ylnE9 O9OWVcQvlkaWsaXWBqUd8DtisQAcXg0iM1UF6yeuDg/8+Vo75WmId1QiQVXU0R2rT/TzbhHL jKttm7Kc5Nzu/GVovMKPqbfqUtAqUGpfWAn8Xz4blrdvgdmkopUufOYdjwij/7f52CTeG9zL hThRhwotClARdQPlj9FlxHUq4a+a0EEykWqwDeem01FP5QnU6nIPI96y9dM8AKtPIifbFaIA Lml9sL51mImm0eL52xoiIfhgm1PCCkg2os1nVCeLlK/09sz9eY8JBN24BDSd0KGEq0LhNSOZ AeUgyPtAVhuvwrNYBflpbIp9KiJzpCkhw5m+abiZaExtkr2/zgY3afGRPUGumW2Wan3aSx+V qQMroh4kQzd61iKJHUFnhSqq3A//Rl9hDZ2QY3aKrnG1QJrN8ky2p16imwNTk6V8TMssGVhT 4TZIEl6qrBfee+UIzz28h1RAMtV2bW27OLAf3ZVeUGBg5vzfjStox2pkdCgJz1SgU606aQgO HYOvUSlc7BUpQ6DTqbwRMBqnAXGBL3SHdQpzSyf8CCxwZ03TUTMcbibcKjXU9atgsD3Vyn0z HiIuclVLz1vfqx155o7TvLx2UlbLYWpm/ljvJbuNVqA7AHRtNkr4gsrisgA6XHmzSyPFxTQt VyzJRssLqBX8uOISwdnHdbcdmTqGusf7aV82VfW+LDhEdKiXMzd1qbMmhDI7vQnxlFxXAKZk DOxo8x9EkldkWrVRPV8E7UQ387wdZFVRsdbXAWXmW1fRCFjDVaKuVKxeenk57ho//9xzBhAb toTM6wiWwscSJVPcG1b5+vOmAQPnqskRiS5h3rgbw0W60P7scvMlv0OMrUsuqZi2RKHTCfJl HpVH9kNaGyI3fJeZnj9voRHgZaOEpCvWxgfLTavshcvQAAC2NpLpYMqEwJBF/TlvQIlslsIk Z+qWVhWlbMUeeDVU70AuEHGEDnK5vJ0uQ6T0w3PsKNfjsyMDJQghvV/UBqRuit4H4o9p5bA/ +cQn5z5Rpj1tryX2eD5BODd2DiM4lf4h/NDma4OkonnbjG7bIVWJs66w4+bJ6py5Ag0EW5F0 KQEQAOd6Fjr2dctjm+LtOQzfKNJ3zrnzg3jNhv+VvZY5Rx59pxQG29sYdh2sCGZF3dKLME0u B33npTZ/AqjqNyq71KwSWJOygO2Bz1oFDM2R3x193b2LrCWpdL8BRkn74e2UJIxEEUrT0iPh mw7dlzB/NHdMlJPYhXyrJBWg1sPuqwyqUkqgxxeetaQW4lr59uejAHG3HoPjTZcuE8Iuz1jm gKTuC8QHdGkNScu5Ys05VRKzDLFzePN8j3NJ8ZnUoEpO3p4oW4vELarGSB9TibjVhCf9S0xN ejrcAIGHPcDx52h15H9HkR3SNSqxqpHAOkz/AIyIsL3i6rZ/OosK/AxBYenBivEBWa3KEMFq ynpQT6T5/yaDlGclYzXqJ1mcKNxDFqnt2yzbB0NiAc0Co0kHq+pQCcdNBiocPhnCwYV62JVg aYGQ4ip/nFKZpqZ8dGf2x9F/tuuf/y59neFMSzMt6jxhYhKpZYNxmcNTKGmL7gqivLBYcT7T ExafCcqDbtxpZhuqZRaXsbcGzcrwevV+zRQM7k2gYxbdlt7qcmfiVCA7x7vD/69TxFZnvLyX 6mNw4QO41kyKcrxXWs/+rhJMa3uynLRudI7dTSS8m604eRRSv/uRcdFsmaR8ENoMy/7ImCDe mFVlVYJ9nmTrIEmmjG5oDb+xarnvFPDaISLR7dmZABEBAAGJAjwEGAEIACYWIQRx4ewrd4dF cQZn1R2uMxsgs8ilwgUCW5F0KQIbDAUJA8JnAAAKCRCuMxsgs8ilwhopEADCM4+Mz8Ea+DR8 kr1xURXb5NcO38AMk63yRPH1KSfqAcwmUP/4yXzedlmyih20PZEJier4CxiGNWNp5QFoTlpG z8OMRxKSw3wMpaSFizfGuVXtAuIxQWWsMbN3tiVjTAi4nkmMZISG0emoFdTkmWV/LpCV/1Mx GAuFW6UKVeKnqK7i2Sc/KI81GJWajzgNCiSiZwCSpSk3QULba0LgB++BXJwzzQHhl/qMJ0Cb nWF2PaUwgI2ZoVqgAF10Yw7zVL5jE7CB1n1MK/jyi/KfqW2z//aJGLeV6GPU2CQPZRwCW9El 9y20J/kiwcWMqJs1PKA6rydwa1IpTX6cq9PSy1WE6LbOzsnrX/w/kbkrYswPsInO2nUWrkdf OqzpnjBiqk9GuAiPd29w1h+6XibDFxeLrItZz2jREW1A0T77y4YXH6yBSrEZcwEB9hK5jQy3 56vHs16BTh3OACqrNoDDATiujjy2WTVY73uNLE4MvuBRPVO/pxSoXy+v4jo6tV+4tYovP/tt C/w+lY1vhRJH5m+L67R3B+MHVeY6kGErE04FkyKR2+NCaVf/6HJ54tSOJ46JOJ1vdFR35G6D K5Xc6EQIsNlAPZQLkK8mWK6xkNA+o7SLnsv78oy0c9klEspI478nZTfRXvBkqtrLQHOBFZY7 ZVHHJNWtNRM7CqRKtPDkCw==
To: mls@ietf.org
Message-ID: <42f46da8-aca8-d63c-4672-e06bd84f8e5f@hall-andersen.dk>
Date: Wed, 22 Jan 2020 15:34:17 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/sDdGKZWmWz-oMEsCdkJOuT70J0o>
Subject: [MLS] Deniability without pairwise channels.
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 14:35:06 -0000

Dear MLS group,

In MLS: since all group members share the same secret,
the application of an AEAD does not provide authentication within the group,
MLS mitigates this using sign-then-encrypt with a long-term signing key.

> [[ OPEN ISSUE: Signatures under the identity keys, while simple, have the side-effect of preclude deniability.
> We may wish to allow other options, such as (ii) a key chained off of the identity key,
> or (iii) some other key obtained through a different manner,
> such as a pairwise channel that provides deniability for the message contents.]]
>
> -- Section 12.2 Authentication

If deniability (without pairwise channels) is a desired feature in MLS,
has the group discussed the feasibility of applying a "sign & reveal" type scheme?
There are essentially two different options:

1. Short-term credentials:

Clients would generate temporary "credentials" pk_{temp} for the group,
by creating a certificate under their long term credential pk_{long term}:

S <- Sign(sk_{long term}, <Group Identifier, Expiry, pk_{temp}>)

Publish (S, pk_{temp}) to the group.

Then when sending messages apply sign-then-encrypt using the short-term credential:

S_{msg} <- Sign(sk_{term}, m)
c <- Seal(k, .., .., <S_{msg}, m>)

Later, e.g. in lock-step with updates to the ratchet tree,
the client publishes sk_{temp} to the group and generates a new short-term credential.


2. One-time credentials:

When sending messages apply sign-then-encrypt using a one-time credential:

S_{cert} <- Sign(sk_{long term}, <Group Identifier, Message Index, pk_{temp}>)
S_{msg} <- Sign(sk_{term}, m)

Then encrypt:

c <- Seal(k, .., .., <S_{cert}, S_{msg}, sk_{old}, m>)

Where k is the group key and sk_{old} is the sk_{temp} from the previous message.

Best Regards,
Mathias