IETF Logo Mail Archive

Re: [MLS] UPKE for X25519/X448

Yevgeniy Dodis <dodis@cs.nyu.edu> Mon, 21 October 2019 22:15 UTC

Return-Path: <zaumka@gmail.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 077FA120891 for <mls@ietfa.amsl.com>; Mon, 21 Oct 2019 15:15:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ko_hz7E4Qb_U for <mls@ietfa.amsl.com>; Mon, 21 Oct 2019 15:15:40 -0700 (PDT)
Received: from mail-io1-f41.google.com (mail-io1-f41.google.com [209.85.166.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A69D7120A5F for <mls@ietf.org>; Mon, 21 Oct 2019 15:15:40 -0700 (PDT)
Received: by mail-io1-f41.google.com with SMTP id c6so17861982ioo.13 for <mls@ietf.org>; Mon, 21 Oct 2019 15:15:40 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=M+yIKDQrrLo7ikijFIThevWGqfNaXLjFQ8XIai9a10A=; b=cSBssgHXNsQ4cXsjeQDyLPL0ImLsGeTSFBl9l6vu6iFWW1Wy+NpMw+Qi/579uP7dK3 ammmtbpRN9y46wCBMBgXGVLr5/ZwXo1auKqMV6WpMGHXEcOttFxR+3O5cS+dNCtbcLeA hJEGuxbMudvHhbpKqt4oh/SVKhXltfZIfR5ar3oZzSpkCP8vOC6iVqm8NDLmpxIjR+8b DS5qZpXxbCE+fCc1wJH7zXij71IEQMLINuDragrES/AOkvllmjpRs4f/lL226ThjkGOQ M1LtAN0u83ssXLhM+LE4LuhagYXDvi/HuyF0y0M3c/h0nDWje2OROE3Ul4N9LniTkLIa GRKg==
X-Gm-Message-State: APjAAAWLKwl5ORUoQ0tiLwQYW7VjmOluZ+Px/zRayP6XzXAfiscYJrYM FwtdU5dvNJ4f210Z4PCljNL5AwaEdF8QdB1DmXo=
X-Google-Smtp-Source: APXvYqzjdmVXX0Q4ilRkXyrkpPBfja2baAwhyzj4gHJPtukCqcPMJSF7Ctk7q8d5EnCROnjSMH7YuiHwPebJEm1XmkA=
X-Received: by 2002:a6b:f708:: with SMTP id k8mr538540iog.188.1571696139521; Mon, 21 Oct 2019 15:15:39 -0700 (PDT)
MIME-Version: 1.0
References: <71e63449-abba-854d-2962-eac3a64a80d0@wickr.com> <8E0E25A7-2839-4D45-8C8E-07B79637FABC@inria.fr>
In-Reply-To: <8E0E25A7-2839-4D45-8C8E-07B79637FABC@inria.fr>
From: Yevgeniy Dodis <dodis@cs.nyu.edu>
Date: Mon, 21 Oct 2019 18:15:28 -0400
Message-ID: <CAMvzKsh=PpYk7mvJ6kyg7jSsO82WY6hmOhXmavqXEP6FiaH-rw@mail.gmail.com>
To: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
Cc: Joel Alwen <jalwen@wickr.com>, ML Messaging Layer Security <mls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000017536f05957306d4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/xEBElbIuPWY4pDCjDHb3dyGyFMU>
Subject: Re: [MLS] UPKE for X25519/X448
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Oct 2019 22:15:43 -0000

Thank you Benjamin.

We hope there will be no more surprises, like the lack of additive
homomorphism for the X-curves. So we would certainly love to get
guidance from other people on the list, in case we missed something else.

There is definitely some cost involved, but we hope it is small, and we
believe using UPKE in place of PKE gives a substantial security
enhancement to justify the (small) cost.

We could also follow Karthik's nice suggestion to compare our scheme with
"naive" UPKE, where for each updated tree node one prepares K (say, 100)
public-secret key pairs, and erases them one-by-one as they get used on
various co-paths. If one runs out of fresh pairs, the last key pair is not
erased, and gets used until the update happens. Ironically, K=1 corresponds
to the current scheme, so in this sense the naive scheme -- call it
K-TreeKEM -- is a natural generalization of TreeKEM. However, we believe
already for small K (like 3 or 4), K-TreeKEM will start becoming less
efficient overall than RTreeKEM, while still offering inferior security.
But this is a good thing to test if people are interested.

Thank you in advance for your comments,
Yevgeniy

On Mon, Oct 21, 2019 at 5:57 PM Benjamin Beurdouche <
benjamin.beurdouche@inria.fr> wrote:

> That look excellent !
> If that works as expected, that would indeed be very nice… : )
>
> B.
>
> > On Oct 21, 2019, at 11:20 PM, Joel Alwen <jalwen@wickr.com> wrote:
> >
> > Hey,
> >
> > This is a follow up to the earlier Re-Randomized TreeKEM email. (Its a
> > separate thread as it changes whats in that first email and I didn't
> > want it getting lost in the other thread when people evaluate whether to
> > adopt RTreeKEM for MLS.)
> >
> > In short, after some very helpful back and forth with Mike Hamburg, it
> > is looking like we have a reasonable way to do Re-randomizable TreeKEM
> > (RTreeKEM) based on the X25519/X448 ciphersuits. That would mean we no
> > longer have to choose between RTreeKEM and those suits. IMO that removes
> > the biggest barrier to using RTreeKEM.
> >
> > To be clear, we're still doing a some coding & testing to build
> > confidence. And we will also run it past the CFRG / a few more ECC
> > experts besides Mike, to make absolutely sure it works as intended.
> > But at this point we are pretty optimistic already.
> >
> > The rest of this email contains the details for how RTreeKEM can be made
> > to work with the X* groups.
> >
> > - Joël
> >
> > -----------------------------------------------------------
> >
> >
> > Essentially, all we really need for RTreeKEM is to build "Updateable
> > Public Key Encryption" (UPKE) as defined in [1].
> >
> > Rather than the construction in [1] which is based additive
> > key-homomorphism we can use the following construction based on a
> > multiplicative key-homomorphism. (It turns out the later is easier to
> > implement for X* groups than the former.)
> >
> > To minimize the diff between current TreeKEM and this new variant of
> > RTreeKEM, the new construction is formulated it to use HPKE and HKDF as
> > black boxes.
> >
> > Inherited from Cipher Suite
> > ---------------------------
> > - sksize = # of bits for secret key scalars. (e.g. 32 for X25518)
> > - order = order of prime-order subgroup (e.g. as in RFC 7748)
> > - DH(A,b) : A Diffie-Hellman function. (E.g. X25519 or X448)
> > - Mult(a,b) : Multiplication of secret keys. See below.
> >
> >
> > Multiplication
> > --------------
> > - NIST curves : Mult(a,b) = a*b mod order.
> > - X25519 : let Clamp(k) = decodeScalar25519(k) as in RFC 7748.
> > - X448 : let Clamp(k) = decodeScalar448(k) as in RFC 7748.
> >
> > For both X25519 & X448 use
> > Mult(a,b) {
> >   c = (Clamp(a) - Clamp(b)) mod order
> >   if msb(c) = 0
> >     c = (order - c) mod order
> >   return c
> > }
> >
> >
> > UPKE Construction (from HPKE & HKDF)
> > ------------------------------------
> > - UPKE-KeyGen = HPKE-KeyGen
> >
> > - UPKE-Encrypt(pk, m):
> >  d'  <-- {0,1}^secpar
> >  d   := HKDF(sksize, d', "", "derive UPKE delta")
> >  c1, context := HPKE.SetupBaseI(pk, "")
> >  c2  <-- context.Seal("", d' || m)
> >  pk' := DH(pk, d)
> >  return ((c1, c2), pk')
> >
> > - UPKE-Decrypt(sk, (c1, c2)):
> >  epk, context := HPKE.SetupBaseR(c1, sk, "")
> >  d' || m := context.Open("", c2)
> >  d := HKDF(sksize, d', "", "derive UPKE delta")
> >  sk' := Mult(sk, d)
> >  return (m, sk')
> >
> >
> > References
> > ----------
> > [1] http:\\ia.cr\2019\1189.
> >
> > _______________________________________________
> > MLS mailing list
> > MLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/mls
>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>

v2.23.0 | Report a Bug | By Email