Re: [MLS] Improving entropy in MLS

Benjamin Beurdouche <> Tue, 30 March 2021 07:54 UTC

From: Benjamin Beurdouche <>
Date: Tue, 30 Mar 2021 09:54:48 +0200
Cc: ML Messaging Layer Security <>
To: Konrad Kohbrok <>

*ouch, sorry about all the spelling mistakes… :D

> On 30 Mar 2021, at 09:53, Benjamin Beurdouche <> wrote:
> Hi all,
> I like this idea. I am not fully clear about the threat model, though.
> From reading this, it looks like we assume that the adversary that compromised a 
> principal doesn’t have complete control of the entropy pool.
> This is in contrast to what we assume of the AEAD keys or even the KEM keys,
> where a full state compromise will gain access to the values.
> However, it looks very close to the assumptions about additional protections for signing keys.
> E.g., not directly accessible, and behind an interface that an adversary can query for certain operations
> through an API (e.g. when it is stored in an HSM, co-processor or a functional secure enclave).
> Am I reading this properly?
> If yes, I can understand the value in this threat model, but we should make it clear that the
> entropy pool has to get these additional protections to provide these good properties.
> Seems to me like a good improvement in all cases anyway, so I think we should consider it.
> Thanks!
> Ben
>> On 30 Mar 2021, at 09:27, Konrad Kohbrok <> wrote:
>> Hi everyone,
>> MLS is a protocol that is very vulnerable to individual parties with bad randomness. For example, when a party joins a group, the secrecy of the group's key material relies on the quality of that party's key material. Similarly, when doing an external join, the group's entropy is completely replaced by that of the joining member.
>> There are multiple ways to mitigate this threat and Joël and Sandro proposed a few of them in the following mail to the list:
>> Concretely, there were two approaches: one that would be baked into the protocol (essentially using a secret derived from old path secrets to inject into new ones in addition to the current approach) and one that would mandate the use of an entropy pool.
>> The ideas were discussed a bit at the time, but nothing has happened since then. Joël, Sandro and I have just opened a PR with a concrete design for an entropy pool that is modeled after the key schedule ( Concretely, it allows gathering entropy over time and for parties with a bad entropy source to profit from parties with a good one without compromising security.
>> While for future iterations of MLS, we might want to consider a solution that is more integral to the protocol, we are aware that the authors want to avoid breaking changes at this point. With the entropy pool, we thus propose a solution that does not affect the protocol flow, but that still offers significant advantages over no mitigations at all.
>> Cheers,
>> Konrad
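The entropy-pool idea Konrad describes, and the threat-model point Ben raises about it, in an added example that is not the PR's design and not OpenMLS or any MLS implementation's code: a pool whose state is a single secret, shaped like the init_secret in the key schedule. Each contribution is folded in with HKDF-Extract (RFC 5869) using the current pool secret as salt, so a predictable contribution cannot reduce the entropy already in the pool, and each draw ratchets the secret forward so that a later compromise of the pool does not reveal earlier outputs. The label framing in expand_with_label, the pool labels, and the all-zero "broken RNG" and fixed "peer secret" inputs are my assumptions and constructed values; the RFC 5869 functions are standard.

```python
"""Toy entropy pool shaped like a KDF-based key schedule (constructed example)."""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def expand_with_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """Label-framed expand (assumed framing: length || label || context) so that
    outputs drawn for different purposes are domain-separated."""
    info = length.to_bytes(2, "big") + label + context
    return hkdf_expand(secret, info, length)


class EntropyPool:
    """Pool state is one secret, like init_secret in the key schedule.

    mix()  folds a contribution in; because the current secret is the Extract salt,
           a predictable contribution never reduces the entropy already present.
    draw() derives an output and then ratchets the secret forward, so a later
           compromise of the pool does not reveal outputs drawn earlier.
    """

    def __init__(self, initial: bytes = b"\x00" * HASH_LEN) -> None:
        self.secret = initial
        self.generation = 0

    def mix(self, contribution: bytes, source: str = "") -> None:
        # `source` is informational only; it does not enter the KDF.
        self.secret = hkdf_extract(self.secret, contribution)

    def draw(self, label: bytes, length: int = HASH_LEN) -> bytes:
        ctx = self.generation.to_bytes(4, "big")
        out = expand_with_label(self.secret, b"pool output " + label, ctx, length)
        # Ratchet: the secret that produced `out` is overwritten before returning.
        self.secret = expand_with_label(self.secret, b"pool next", ctx, HASH_LEN)
        self.generation += 1
        return out


# Constructed inputs: a party whose OS RNG is broken returns all-zero bytes,
# while a secret received from another member carries real entropy.
WEAK_LOCAL_RANDOMNESS = b"\x00" * HASH_LEN
GOOD_PEER_SECRET = bytes(range(32))  # constructed 32-byte value, not a real secret


def weak_party_is_protected() -> bool:
    """A party with weak local randomness still gets an unpredictable output once a
    good contribution has been mixed in: an attacker who knows the initial state and
    the weak contribution, but not the peer secret, cannot reproduce the draw."""
    party = EntropyPool()
    party.mix(WEAK_LOCAL_RANDOMNESS, "local rng")
    party.mix(GOOD_PEER_SECRET, "secret received from another member")

    attacker_model = EntropyPool()
    attacker_model.mix(WEAK_LOCAL_RANDOMNESS, "local rng")  # attacker lacks the peer secret

    return party.draw(b"leaf key seed") != attacker_model.draw(b"leaf key seed")


def draw_ratchets_state() -> bool:
    """After a draw, the pool secret that produced it is no longer in memory."""
    pool = EntropyPool()
    pool.mix(GOOD_PEER_SECRET)
    before = pool.secret
    pool.draw(b"leaf key seed")
    return pool.secret != before
```

What the pool does not do is worth stating next to what it does: the guarantee in weak_party_is_protected() holds only against an adversary who does not read `pool.secret` itself. An adversary with full state compromise learns the pool secret just as they learn the AEAD and KEM keys, which is exactly Ben's point that the pool only buys its extra properties when it sits behind the same kind of protected interface as a signing key (an HSM, co-processor or enclave that exposes mix and draw but never the secret).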