Re: [MLS] New Parent Hash
Hubert Chathi <hubertc@matrix.org> Thu, 31 December 2020 16:37 UTC
Return-Path: <hubertc@matrix.org>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF6713A0D9C for <mls@ietfa.amsl.com>; Thu, 31 Dec 2020 08:37:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=matrix.org header.b=R50H8sQT; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=jdbLH+gY
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kpYL1FBcNrSL for <mls@ietfa.amsl.com>; Thu, 31 Dec 2020 08:37:16 -0800 (PST)
Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com [64.147.123.24]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D10583A0D9B for <mls@ietf.org>; Thu, 31 Dec 2020 08:37:16 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 370141710 for <mls@ietf.org>; Thu, 31 Dec 2020 11:37:16 -0500 (EST)
Received: from imap22 ([10.202.2.72]) by compute1.internal (MEProxy); Thu, 31 Dec 2020 11:37:16 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=matrix.org; h= mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm1; bh=5xjME xa/AGnyZSyVmxDfcjaG+kdIGQgmzYJhX+wcCuA=; b=R50H8sQTWqZdIgAdTy3Rq 2DDsat4/wurbeSnE5fkEjTRo3whvVfpAv5wi0aN3zVcrE5AvOJ6MwacoEfpVorCY zJSqAjoEZX3w7IXyNhfHt4hN/q+DR50jvrkcBnBfbeUm6262Z2w44kXmzMK1A8gF BzjKHsRq3a2KxB9z1MXx+OPHEgstVZBkNV7CnswA+UTXE0CAkMN+6P4+W6tK10oN lu1xSwXvaoWcRRo/7C0MZe5pGf8ni06kgmHlynEOcCMWevtxujn47ynU2HtU5lfq 6o2P10EeB1pznw3FIpOpCRugxzmWOt4LkLapBRX4O6UVq2RxevuW5Y7Asj4IzdB/ Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=5xjMExa/AGnyZSyVmxDfcjaG+kdIGQgmzYJhX+wcC uA=; b=jdbLH+gY5zZyoL04zKK2Us1lIChmos9i9FlRlfOcXvtXsc0cf31VPzPdz p1gJWjIFEnqlIZpZJA/5AWmXW19FrH4E1G0xg1R4/VrzxWMV1zHfZBmD5AODyHnb TQ+015cHEwcgMsgbPrDNdUDGsdpMLUrKswHky8XIoKT/B+qfkYx+YP7c0MFll2WR iDEhWqV5NpMzcfISnPT0OHdHszxjKngNKtXzOFJx8ou+nBmp83ftTq6dnd0wQbGu +wCwllJ7t6kKr8il08fmiUiqKkiajzDw6ZTyY63wcHVQ2tIowe1/1SxQJs5DokxB AkKk1HQfO+bi3AtVsptnnDS/LYYDg==
X-ME-Sender: <xms:Ov7tX7SiQaIufeP90jWnEVYRoKtMJVa8ZWsDfFNVCDsSyOLVQB7Ztw> <xme:Ov7tX8waBmxotMK43XOQnLn_5KTCdnAkSVf-H3q5EETxWMUevrqrQSzJ7ZMf7rS8e 37jAe8fLQG_nGtGBu4>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrvddvhedgleduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtgfesth hqredtreerjeenucfhrhhomhepfdfjuhgsvghrthcuvehhrghthhhifdcuoehhuhgsvghr thgtsehmrghtrhhigidrohhrgheqnecuggftrfgrthhtvghrnhepfffgveeiueefffeuke eugffgledvuefgvdeikeelvdekhfefleettdejteeuleffnecuffhomhgrihhnpehivght fhdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhroh hmpehhuhgsvghrthgtsehmrghtrhhigidrohhrgh
X-ME-Proxy: <xmx:Ov7tXw0JHQ6mwu5t4loQP5sN2VaVHhCx44OkiV57RJxFMt5M6jIo3Q> <xmx:Ov7tX7D0XftaUyW8o825LLmwryaVjkxm2lfqu5uTndFwxc3OMIFRaQ> <xmx:Ov7tX0gTW99pR_2POJI8-AdBdlGacJ-lVq99E4zq5WiiON1I5dteeA> <xmx:O_7tX3tB6pl6T5iA3qnNCc4qTx8PYIboxE570e84rv3mySiCpeGJtw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id B6C3D62A005E; Thu, 31 Dec 2020 11:36:18 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.1-61-gb52c239-fm-20201210.001-gb52c2396
Mime-Version: 1.0
Message-Id: <c069219e-2738-4cd3-b796-9f695b95c729@www.fastmail.com>
In-Reply-To: <7A25FA3A-25E9-47AD-9D8F-112F24748062@wire.com>
References: <68acccb2-9e5f-f52d-b32c-3b6e3195bc2d@wickr.com> <7A25FA3A-25E9-47AD-9D8F-112F24748062@wire.com>
Date: Thu, 31 Dec 2020 11:36:53 -0500
From: Hubert Chathi <hubertc@matrix.org>
To: mls@ietf.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/vdBVqwcxnAoy_fuWMqmp8wyAYK0>
Subject: Re: [MLS] New Parent Hash
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Dec 2020 16:37:19 -0000
I think that if you use "descendants" as you define it, then calculating the parent_hash will become O(n) all the time, rather than O(log n) in the best-case, since the size of the descendants list will be O(n). I'm not sure if there's a good way to maintain O(log n) and still provide the desired security.
On Thu, 31 Dec 2020, at 06:47, Raphael Robert wrote:
> Hi Joël, Daniel and Marta,
>
> I just implemented the stronger parent hash scheme you proposed in the
> way it is described in the spec now.
> The good news is that it is implementable, the bad news is that is does
> not solve the problem you initially describe. Specifically, swapping
> out two leaf nodes still goes undetected.
>
> I think it is due to a terminology conflict, but it would be great if
> you could validate that assumption.
> In 7.4 you introduce the notion of “original child resolution” as " the
> array of HPKEPublicKey values of the nodes in the resolution of S”. The
> term “resolution” is defined in 5.2. It is essentially a way of dealing
> with blank nodes by substituting them with the first non-blank
> descendants you find when descending the subtree of a node.
> Here is my assumption: You probably thought the resolution would cover
> all non-blank descendants of a node, not just the first non-blank
> descendant. In that case we would need another function that does that
> (let’s call it “descendants”).
>
> If we look at the example of 5.2:
>
> - The resolution of node 3 is the list [A, CD, C]
> - The descendants of node 3 is the list [A, CD, C, D]
>
> - The resolution of node 5 is the list [CD]
> - The descendants of node 5 is the list [CD, C, D] (we just need to
> additionally filter out C, because it is an unmerged leaf of node 5)
>
> Here is a code snippet of what the “descendants” function would look
> like (sorry that it’s Rust, not Python):
>
> fn descendants(x: NodeIndex, size: LeafIndex) -> Vec<NodeIndex> {
> if level(x) == 0 {
> vec![x]
> } else {
> let left_child = left(x);
> let right_child = right(x, size);
> [
> descendants(left_child, size),
> vec![x],
> descendants(right_child, size),
> ]
> .concat()
> }
> }
>
> There’s a more efficient implementation of course, this is just to illustrate.
>
> In other words, the new “original child resolution” of S would be the
> subtree under S, but with filtered-out blank nodes and unmerged leaves
> of S.
>
> If my assumption is correct, I’ll follow up quickly with a PR since
> this is currently a blocker for interop based on draft-11.
>
> Thanks
>
> Raphael
>
>
>
> > On 12. Nov 2020, at 22:14, Joel Alwen <jalwen@wickr.com> wrote:
> >
> > Hey people,
> >
> > Just a quick heads up that Daniel, Marta and I put in a PR with a new version of
> > strong parent hash to prevent the attacks from the earlier thread. We tried to
> > make it as minimal as we could to help with deniability while still preventing
> > the attacks permitted by weak parent hashes.
> >
> > In a nutshell, when computing parent_hash at node v with parent p and sibling w
> > we include
> > - p's HPKE pubkey
> > - p's parent_hash value and
> > - HPKE pub keys in the resolution of w except for those belonging to leaves
> > unmerged at p.
> >
> > As a sanity check, notice that as long as p's keys remain the same one can
> > always recompute the same parent_hash value at v as was initially computed by
> > the member that set p's keys. (In other words, new members can verify that the
> > stored parent_hash values match whats in the tree.) In particular, that's coz as
> > long as p's keys are unchanged so is the resolution of w. The only exception are
> > leaves being added as unmerged at w. But those leaves are also added as unmerged
> > at p so they are left out of the hash.
> >
> > As for deniability, at least parent_hash only binds HPKE keys and nothing else
> > (like, say, credentials or signatures). Its the best we were able to come up
> > with for now...
> >
> > - joël
> >
> > _______________________________________________
> > MLS mailing list
> > MLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/mls
>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>
- [MLS] New Parent Hash Joel Alwen
- Re: [MLS] New Parent Hash Raphael Robert
- Re: [MLS] New Parent Hash Mularczyk Marta
- Re: [MLS] New Parent Hash Raphael Robert
- Re: [MLS] New Parent Hash Hubert Chathi
- Re: [MLS] New Parent Hash Mularczyk Marta
- Re: [MLS] New Parent Hash Raphael Robert
- Re: [MLS] New Parent Hash Joel Alwen
- Re: [MLS] New Parent Hash Raphael Robert
- Re: [MLS] New Parent Hash Joel Alwen
- Re: [MLS] New Parent Hash Richard Barnes
- Re: [MLS] New Parent Hash Joel Alwen
- Re: [MLS] New Parent Hash Richard Barnes
- Re: [MLS] New Parent Hash Raphael Robert