[MLS] Why give the root a pk/sk?

Joel Alwen <jalwen@wickr.com> Mon, 11 May 2020 08:26 UTC

Return-Path: <jalwen@wickr.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B2F13A0901 for <mls@ietfa.amsl.com>; Mon, 11 May 2020 01:26:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wickr-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T0JYAY2GtqLo for <mls@ietfa.amsl.com>; Mon, 11 May 2020 01:26:15 -0700 (PDT)
Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com [IPv6:2607:f8b0:4864:20::1036]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E356B3A0746 for <mls@ietf.org>; Mon, 11 May 2020 01:26:14 -0700 (PDT)
Received: by mail-pj1-x1036.google.com with SMTP id h12so7163988pjz.1 for <mls@ietf.org>; Mon, 11 May 2020 01:26:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wickr-com.20150623.gappssmtp.com; s=20150623; h=to:from:subject:autocrypt:message-id:date:user-agent:mime-version :content-language:content-transfer-encoding; bh=KVsWtVn+wuQ+vCKcVGqdDx/l/ToUQ6gzlgseIpFHQ1U=; b=FY16LiBzJgRoI7uy6h+oJ4vVa7o/REOjvaOnqJPUqkfGvgM/atqtoXsshyZKDXItXt jBkbOSua6+mYHh7CEH8wUczztwQhG/vDV20eSkIvy6Lhn3rPZQrpMR23xNHsScXy+cdL TmG/BhkvBIz1AEBlIykQ9rRv47BXzuvXCnzRQDGzggLu0BacENIwYi+OBydu11QJuuNF eS1ta2JEaGQECjzI5eBfX3105saZjU8p8QnGKpwgX4uFXmlZ6mFbuP6R7xYO27RhNsvO FYHlFqv0HGsMN8rrGDSu4VTF1UheXcv27LHgGsg9w/ohaeZqfvZ1FTH+TTTJtXaIC4Gl Lvdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:autocrypt:message-id:date :user-agent:mime-version:content-language:content-transfer-encoding; bh=KVsWtVn+wuQ+vCKcVGqdDx/l/ToUQ6gzlgseIpFHQ1U=; b=b5QwjN7tk1aXyuUd1R396Gp0uhWBwA+xDnHUMMUuPSlAO95lCQKZjBy5n2imPfuLYZ eAajDgYeB8JGCnOPrgxCq9unbu+IJ0nd+GrtG2nc6QTtHLF05eiaYTEwPmV7kqZFlfXH zNu5Bh0Nt7RH0pu77hZ7920SyTayyNl79hO16mxfEqh8TLzo/qPSHirFfBDz/CxKhkns 0E+BiL56Unk5imOTFOA93L/MzuCq9Ob9zxr1k0zIS1DV90k19q8fJk42UOf3I8LGMn+z lU/XQ/SXd94q5EkmhehPlmTi3+thSRFynDZk9xwnpo6ijxriGQZPDu/of9kbamdUMLJ9 +Rsg==
X-Gm-Message-State: AGi0Pub6AFjW9HE5E9VrHUx/Vin72r5KjcONw2mrIthAEbFxhG8/aY9g ybYjPXl0B9Tr8O2jL6PrhESZSUCyoxE=
X-Google-Smtp-Source: APiQypKB39ImI9jlICoo+PkZQm60NcDsKeZeYctxVWiZuNob7HPykq9IyyX/6kN3WjXPJyfwgmT8iQ==
X-Received: by 2002:a17:90a:1941:: with SMTP id 1mr21140942pjh.65.1589185573929; Mon, 11 May 2020 01:26:13 -0700 (PDT)
Received: from [192.168.0.24] (zaq3dc06154.zaq.ne.jp. [61.192.97.84]) by smtp.gmail.com with ESMTPSA id j7sm8537756pfi.160.2020.05.11.01.26.12 for <mls@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 11 May 2020 01:26:13 -0700 (PDT)
To: Messaging Layer Security WG <mls@ietf.org>
From: Joel Alwen <jalwen@wickr.com>
Autocrypt: addr=jalwen@wickr.com; keydata= mQENBFyIZvABCAC65JupY1w7gzhhNo41ftIk09n7Lid9p31jDR8Jefv9R5sWL+HZFGDeABAY 1J1JvV6vOaMsfdy9iUFfGS1GhMJ3+mh799SIsB3JSfPq/eq6Jut57D2yPtILmc7ZbuJyBHg0 xuYfKCQQAYikW+v2LJQU1Y+BUDbVldpzxSc8Z3PPSfunWdzhY6qAAhyCv+Y8EzJlQivMwD5B f6737krf8SoBsjsqCHQrRo/r+BSj5Wtd5/K3FkmWLOUAFoYK23+cpoFntGJKZfss27gDPhyS gX9ibXcBGQqBEF4qDPEzEHK8iQmXTxLul5Y7lQ6ADf69xH15WM4GmRBeCvR3Uanxcr2/ABEB AAG0HUpvZWwgQWx3ZW4gPGphbHdlbkB3aWNrci5jb20+iQFUBBMBCAA+FiEEYFNg9IH2SV6e 03O3FR5tDZv8eygFAlyIZvICGwMFCQHhM4AFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ FR5tDZv8eyjSywgApQNIRcL4IKTJ0I4XwcQRhICu1Bht3c2fUnG2YziJXjGf6DZ49uKKtuIu fk8mNS+vKRLoLZ7+u+Pv/Yjmk8jtrr6Saz1vnfsle3GgmXG5JaKOM5cOfeo5JnlNUP3QonR7 LMZwY1qVKg2mzNmwi0jG1zIGgQ5fiAwqe+YTNFli5bc/H1O9LcSmbrLV9OyucARq11DIiAvU fDknZ17OahQls+9mgfAXH5vZjzo296tYvzkOJQ2A6GPxdMHIXGbJM/vjuMe2QJl6C0zaqOtm JvFcx/HpNhmugYI9OsNAd7846HASDp8BKyfY5FYP7bn0/JBuCpg18Aykru6xyFjG3gv0Lw==
Message-ID: <b52a9fa8-c09b-331b-0eb9-39a211190e96@wickr.com>
Date: Mon, 11 May 2020 17:26:12 +0900
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/y5QeiJIyUwU3ez6qkQvy15NgUr4>
Subject: [MLS] Why give the root a pk/sk?
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 May 2020 08:26:17 -0000

Quick question for the list. Why assign a pk/sk to the root of the ratchet tree?
(E.g. on Page 18 in the toy example root node G gets node_priv[1] and node_pub[1].)

The commit_secret is then derived HKDF-Expand-Label again on the path_secret for
the root.

Isn't it true that the only thing we ever encrypt to a node's pk is its parent's
path_secret? If so I'm not seeing the point of the pk/sk at the root and the
extra call HKDF-Expand to get commit_secret. Am I missing something?

- Joël