IETF Logo Mail Archive

[MLS] KDF instead of hashing up the tree

Konrad Kohbrok <konrad.kohbrok@datashrine.de> Wed, 23 January 2019 13:58 UTC

Return-Path: <konrad.kohbrok@datashrine.de>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72DDD128CE4 for <mls@ietfa.amsl.com>; Wed, 23 Jan 2019 05:58:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EQv3eeGG2LIL for <mls@ietfa.amsl.com>; Wed, 23 Jan 2019 05:58:34 -0800 (PST)
Received: from mx2.mailbox.org (mx2a.mailbox.org [IPv6:2001:67c:2050:104:0:2:25:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16F29126C01 for <mls@ietf.org>; Wed, 23 Jan 2019 05:58:33 -0800 (PST)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [80.241.60.240]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mx2.mailbox.org (Postfix) with ESMTPS id 49CAAA16FE for <mls@ietf.org>; Wed, 23 Jan 2019 14:58:30 +0100 (CET)
X-Virus-Scanned: amavisd-new at heinlein-support.de
Received: from smtp1.mailbox.org ([80.241.60.240]) by gerste.heinlein-support.de (gerste.heinlein-support.de [91.198.250.173]) (amavisd-new, port 10030) with ESMTP id XmMHpG2Mc1AR for <mls@ietf.org>; Wed, 23 Jan 2019 14:58:28 +0100 (CET)
From: Konrad Kohbrok <konrad.kohbrok@datashrine.de>
To: mls@ietf.org
Message-ID: <dc702cea-d780-216b-ab8e-1eba99a2bace@datashrine.de>
Date: Wed, 23 Jan 2019 15:58:25 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/wJs8lH1s_-qEPZPuhSlw1n7NXpc>
Subject: [MLS] KDF instead of hashing up the tree
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jan 2019 13:58:36 -0000

Hey everyone,

I just discussed the current draft with my advisor Chris Brzuska and he came up
with a suggestion that I thought I'd just quickly relay here. As I have only
started following the discussion recently, I apologize if this was already
brought up in the past.

In terms of key separation, wouldn't it make for a cleaner design, if we used a
KDF instead of a hash function? Instead of  generating a new leaf-node secret
and then hashing it to compute the new secret for the parent node, it would be
better to generate a new secret and then from that secret independently (i.e.
with different labels) compute the new leaf secret and the new secret for the
parent node. This key independence would also make the proof easier. In terms of
overhead, this would mean two KDF operations instead of one hashing operation.

Cheers,
Konrad

v2.23.0 | Report a Bug | By Email