[MLS] Quicker Provisional GroupContext
"Alwen, Joel" <alwenjo@amazon.com> Thu, 21 April 2022 13:32 UTC
Return-Path: <prvs=10327f731=alwenjo@amazon.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 205573A11D0 for <mls@ietfa.amsl.com>; Thu, 21 Apr 2022 06:32:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.611
X-Spam-Level:
X-Spam-Status: No, score=-9.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id epzCppCxngbY for <mls@ietfa.amsl.com>; Thu, 21 Apr 2022 06:32:09 -0700 (PDT)
Received: from smtp-fw-80007.amazon.com (smtp-fw-80007.amazon.com [99.78.197.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7712E3A0F0A for <mls@ietf.org>; Thu, 21 Apr 2022 06:32:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1650547929; x=1682083929; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=QOS3mHjRP0oF+DhXMEHlsgHaejR/5qNkHXwBDiP7TlY=; b=pPXpKd04EfTNHK+6xrsca7gBA1ODHDBtJWCZGx5dO2EMYHNaA0IrSgvv rrnWuBh7nE4DwIey0OoRd628sc7gurNwGV1ol2Bsv8juN/U7EtK4OqJWV IOj3C7SvvWtNnWZeQibWS78z6p89Z+UlpsETJ60f2QHWwU6kR7dDWDvFy w=;
X-IronPort-AV: E=Sophos;i="5.90,278,1643673600"; d="scan'208";a="81894347"
Received: from pdx4-co-svc-p1-lb2-vlan2.amazon.com (HELO email-inbound-relay-iad-1d-1c3c2014.us-east-1.amazon.com) ([10.25.36.210]) by smtp-border-fw-80007.pdx80.corp.amazon.com with ESMTP; 21 Apr 2022 13:31:50 +0000
Received: from EX13D48EUB002.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan2.iad.amazon.com [10.40.163.34]) by email-inbound-relay-iad-1d-1c3c2014.us-east-1.amazon.com (Postfix) with ESMTPS id DAF47C58DC for <mls@ietf.org>; Thu, 21 Apr 2022 13:31:48 +0000 (UTC)
Received: from EX13D48EUB002.ant.amazon.com (10.43.166.35) by EX13D48EUB002.ant.amazon.com (10.43.166.35) with Microsoft SMTP Server (TLS) id 15.0.1497.32; Thu, 21 Apr 2022 13:31:48 +0000
Received: from EX13D48EUB002.ant.amazon.com ([10.43.166.35]) by EX13D48EUB002.ant.amazon.com ([10.43.166.35]) with mapi id 15.00.1497.033; Thu, 21 Apr 2022 13:31:48 +0000
From: "Alwen, Joel" <alwenjo@amazon.com>
To: "mls@ietf.org" <mls@ietf.org>
Thread-Topic: Quicker Provisional GroupContext
Thread-Index: AdhVhArK4mRI1gOfQkCBIDygTOom8Q==
Date: Thu, 21 Apr 2022 13:31:48 +0000
Message-ID: <869a895159384e6497015f2f97d7043a@EX13D48EUB002.ant.amazon.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.164.90]
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/vByUgUgulpYmZ38yae62yj-piGM>
X-Mailman-Approved-At: Tue, 26 Apr 2022 18:55:22 -0700
Subject: [MLS] Quicker Provisional GroupContext
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Apr 2022 15:13:48 -0000
Hey people, Marta, Tom and I had the following thought. When creating/processing a commit, clients must create a provisional GroupContext to feed as context to HPKE. The provisional GroupContext includes a "provisional tree-hash" i.e. of a tree-hash of the ratchet tree after the proposals have been applied but before the update path. That means we have to recompute a tree-hash which, for large trees can end up being a fair bit of work which we could avoid quite easily as follows. Instead, the context we give HPKE is defined to be the hash of 1) The old epoch's GroupContext and 2) The list of proposals. In terms of security & functionality this changes nothing as (1) and (2) combined fully determine the "provisional GroupContext" we currently use. In other words, the new context commits to the same info as now. But it avoids any, possibly expensive-ish, tree-hash computation / tree traversal since we've already got the old GroupContext from when we started the previous epoch. Are people OK with this change? We're willing to put together a PR to implement it. It should be very small. - Joël PS. Funny related observation: The role of the HPKE context is to bind the ciphertext as much as possible to its intended use e.g. to constrain as much as possible how an adversaries can reuse honestly generated ciphertext in injected traffic. So normally I'd say, lets add the specific node and/or public key to which our MLS ciphertexts are being encrypted since: why not? Bind to everything we can right? It can only make an adversaries life harder. Thing is, at first glance, provisional GroupContext only fixes the epoch's state but *not* the specific node to which we're encrypting. But if you unwrap HPKE, you'll see that context is bound to the HPKE ciphertext by feeding it to HKDF when deriving the DEM encryption key. As it turns out though, the receiver PK is *already* being mixed in to that key in an earlier HKDF call in it's derivation chain (just not as part of the "key_schedule_context" variable). So adding it to HPKE context would actually be redundant. In fact, this even locks down the node to which we're encrypting because we include tree-hash. Happy coincidence? Or clever engineering? I'm going with the latter. :-) In theory we could lock down things juuuuust a bit more by including the actual node index to which we're encrypting. E.g. in theory PK's could repeat at leaves, e.g. at a pair of leaves if one of them belongs to an adversary. But maybe that's just taking this whole context binding one step too far... Amazon Development Center Austria GmbH Brueckenkopfgasse 1 8020 Graz Oesterreich Sitz in Graz Firmenbuchnummer: FN 439453 f Firmenbuchgericht: Landesgericht fuer Zivilrechtssachen Graz
- [MLS] Quicker Provisional GroupContext Alwen, Joel
- Re: [MLS] Quicker Provisional GroupContext Richard Barnes