Re: [MLS] somewhat better PCFS for cheap
Russ Housley <housley@vigilsec.com> Fri, 17 April 2020 14:02 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80B0C3A07BD for <mls@ietfa.amsl.com>; Fri, 17 Apr 2020 07:02:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H8HWU4ytMs2q for <mls@ietfa.amsl.com>; Fri, 17 Apr 2020 07:02:24 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BEF93A092C for <mls@ietf.org>; Fri, 17 Apr 2020 07:01:20 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id C038E300B5E for <mls@ietf.org>; Fri, 17 Apr 2020 10:01:17 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id DW4AU6PrRJxB for <mls@ietf.org>; Fri, 17 Apr 2020 10:01:12 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-72-66-113-56.washdc.fios.verizon.net [72.66.113.56]) by mail.smeinc.net (Postfix) with ESMTPSA id B634F300A02; Fri, 17 Apr 2020 10:01:12 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <C9FCC6A0-2F9F-45A6-8B5B-DF113F0E6474@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B0833351-000A-46F4-852B-6FC3083946CB"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
Date: Fri, 17 Apr 2020 10:01:13 -0400
In-Reply-To: <CAL02cgRFq_WmCwYfk8gCcrsyUw61JcceWQCD-2X=ZxVfYqgi8A@mail.gmail.com>
Cc: Messaging Layer Security WG <mls@ietf.org>
To: Joel Alwen <jalwen@wickr.com>
References: <17d24e72-c331-3a2d-3d33-5dfd59d069ab@wickr.com> <CAL02cgRFq_WmCwYfk8gCcrsyUw61JcceWQCD-2X=ZxVfYqgi8A@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.14)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/sqejpowZoEkLXA7x3ousWwK_TUg>
Subject: Re: [MLS] somewhat better PCFS for cheap
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Apr 2020 14:02:27 -0000
Mixing new and old is a clean solution. Thanks for writing it down so clearly. Russ > On Apr 17, 2020, at 9:32 AM, Richard Barnes <rlb@ipv.sx> wrote: > > Hi Joël (and Sandro), > > Thanks for the thoughts. I agree that Option 2 makes sense. In fact, I think it agrees pretty much with what I was thinking, and the current doc is wrong. In particular, where it says "the HPKE secret key "leaf_hpke_secret"" in the text you quote, I would have expected that "leaf_hpke_secret" to be a secret from which the leaf HPKE private key was derived, basically the same as your pre-seed. > > One note to all this, though: None of this is visible to anyone except the holder of the leaf. So the other members of the group have to trust that the leaf holder is doing the right thing. The issue is the same as with decoherence higher up the path; either way, we lack a way to prove that two public keys correspond to private keys that are derived from sequential path secrets going up the tree. As before, I don't think this is fatal, and we should proceed. > > Do you want to draft a PR? > > --Richard > > > On Fri, Apr 17, 2020 at 3:51 AM Joel Alwen <jalwen@wickr.com <mailto:jalwen@wickr.com>> wrote: > Hey Everyone, > > Sandro Coretti and I have the following suggestions for how "hash up the tree" > during a Commit works. (C.f. Section 5.4 in MLS protocol version 9). The goal is > to (cheaply) fix the FS of TreeKEM (ergo the PCFS of MLS). > > The Issue: Currently all new keys inserted into the ratchet tree in a commit > (not to mention the resulting commit_secret) are all derived deterministically > from leaf_hpke_secret of committer's new leaf key. That value is in turn sampled > freshly at commit time by the committer. > > For concreteness: offending lines in mls-protocol-09 Pg. 17 > -------- snip ---------- > The generator of the Commit starts by using the HPKE secret key > "leaf_hpke_secret" associated with the new leaf KeyPackage (see > Section 7) to compute "path_secret[0]" and generate a sequence of > "path secrets", one for each ancestor of its leaf. > > path_secret[0] = HKDF-Expand-Label(leaf_hpke_secret, > "path", "", Hash.Length) > -------- snip ---------- > > The Problem: Suppose Alice commits. If her resulting leaf HPKE priv key ever > leaks, the adversary learns all keys generated in her commit. Thing is, thats > true even if all those keys have since been overwritten and removed from her > state by the time her state leaks. Her leaf priv key alone is enough to > re-derive all of them. Zooming out a bit, for TreeKEM this means poorer FS than > need be. Zooming out further, for MLS we get poorer PCFS than need be. > > Proposed Solution: We say "poorer than need be" because there are many easy > fixes here. E.g. > - Option 1 (simplicity) sample the HPKE leaf key pair using fresh random bytes. > Also sample a "derive_secret" independently for doing the deterministic deriving > up the tree. > - Option 2 (saves on consumed random bytes) sample a pre-seed. Expand it (e.g. > with HKDF-Expand) to two independent secrets. Use one to generate HPKE pub/priv > key pair for leaf. Use the other to do the hashing up the tree. (This is how we > modeled TreeKEM in eprint/2019/1189.) > > Personally, I'm partial to 2 because, as a general rule of thumb, I like to > conserve entropy demand. It can be a rare commodity in some deployments and when > implementers start doing things like calling /dev/random instead of /dev/urandom > you can end up depleting entropy. > > So, for concreteness how about this? > > -------- snip ---------- > pre-seed <-- {0,1}^secparam > > //first half of output goes in seed, second half in leaf_hpke_secret > seed, leaf_hpke_secret = HPKDF-Expand(pre-seed, "leafgen", > "", Hash.Length) > -------- snip ---------- > > leaf_hpke_priv, leaf_hpke_pub = Derive-Key-Pair(seed) > > > - Joël & Sandro > > _______________________________________________ > MLS mailing list > MLS@ietf.org <mailto:MLS@ietf.org> > https://www.ietf.org/mailman/listinfo/mls <https://www.ietf.org/mailman/listinfo/mls> > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls
- [MLS] somewhat better PCFS for cheap Joel Alwen
- Re: [MLS] somewhat better PCFS for cheap Richard Barnes
- Re: [MLS] somewhat better PCFS for cheap Russ Housley
- Re: [MLS] somewhat better PCFS for cheap Joel Alwen