Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Internet Engineering Task Force / 102 / 19 Jul 2018
Internet Engineering Task Force / 102 / 19 Jul 2018
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: IETF102-MLS-20180719-0930

Description

MLS meeting session at IETF102
2018/07/19 0930

https://datatracker.ietf.org/meeting/102/proceedings/

A

Okay, hello, everybody and welcome to the first session of the MLS working group.

A

If you are here for another working group, please leave now and if you're here for MLS you're in the right place, so here's the note well you've likely seen this before. If you've been to any of these other meetings, please read it understand it. Take it to heart, it's very important.

A

So, in terms of before we start, we have a few requests minutes takers. We have a minute taker, jabber scribe. We have a jabber scribe and a follow up, jabber scribe and let's pass the blue sheets out.

A

As usual, we would like everyone to be able to understand who's who's saying what at the microphone. So you come up to the microphone state, your name. This is not only for the people in the room, but it's for the remote participants. We have at least six Omnitech, though right now, so please keep it professional and let's move on to the agenda.

A

Here's the agenda. Let's open this up to agenda bashing, does anybody have any questions about this or any suggested changes?

A

No okay! So we'll do administrivia charter review architecture and then several presentations about some of the documents that have already been presented and some of the ideas that have been discussed on the list and, at the end, we'll discuss a few at other extra topics that are unscheduled.

A

Let's start with the Charter Review so since the Boff MLS was incorporated- and here are some key excerpts from the Charter and I'm just going to go over these from a high-level right now, the main important pieces are that this working group is here to develop a messaging security protocol for human to human communication.

A

The above and there's that there's a list of properties in in the Charter itself. Specific security deployment properties and the goal of this is where applications to share code so that they can be shared by shared validation. The protocol, so everything that people use well underneath for this.

A

Anything that people use MLS work and can use share code basically, and the goal is not to enable full interoperability or Federation beyond the key establishment, authentication and confidentiality. So we're really looking at the crypto here, we're not looking at making sure that different messaging protocols from a high level can interoperate we're. Looking at standardizing the crypto and another point is that, while authentication is a key goal of the group, it's not the objective to develop new authentication technologies.

A

Hopefully what the result of this working group will be documents in which you could use x.509 or other authentication techniques and and plug them in similar to how TLS does not define which specific authentication technologies are used in okay, without will do an arc. The architecture review, slides I'm on.

B

Okay, hi everyone, I'm ed Amara from Google, so big here I, will cover tooth presentation. Today's architecture and message ordering both of them are basically overview of what we have today in the drafts, followed by a list of open questions to the group not necessary to get answered all of them today, but just only the discussions. Often you get some answer to most of them, so this is the same as I go through like a Chinese above because nothing has changed since then, but you could get through this in slides again.

B

So this is what a typical imaging system looks like server side, the client side several to services, most of the time to return to the same service, which is authentication, delivery. Clients are the members each member has a bunch of voices. Each device in MLS is actually a separate client. Each has long term identity. Key in this picture there's a group of a BNC. He has three devices vs 2 ones. He had one.

B

Okay, what syndication service, basically storage, mapping between long-term identity, keys between user name, ID, even long-term identities like email phone numbers to identities, the other service ensures reliable in order delivery for a message and attachments store. The init keys which are signed by that indicates and option is to grow membership. So everything has a straight core story. Here is one of the open questions we'll discuss event so store. Bro membership is one of the hoenn questions. Also, the reserved responsible for affecting long-term passive user is to ensure this year's client.

B

Yes, this is a typical client operations, st. John group, etc. Since devices are presented established client so basically invite member advice, all the simulation scene for remove member or remove device orgasm operations. So in this picture a one tries to create a group with DNC, so a one daily request in each case for a 2, a 3, B, 1, B, 2 and C 1 verify the signature in this key is created secret, encrypted message.

B

Then they want me to and see one receive the message we create the same chip, shared secret and decrypt a message function. Requirements, scalability obviously supports large groups. The number came up with 57 clients, a synchronous. All aggression can be done without having the call devices to me online. Most of all devices should be supported, natively because again voice. It just say. First client storing history is met requirements by the protocol, but again the application can support this client set recovery.

B

If the client was staged to be able to restore the state without corrupting the entire group mitigate the collection, this is for protecting the privacy, so the both EDR years and years should be collected. The minimum yes I needed to deliver the message Federation as I mentioned in what we discussed earlier, is that wouldn't expect introverts application layer like, but most of ammunition should be able to integrate versioning I'm going to talk more about this at the end, but we should really support version negotiation and have mitigation for downgrade attacks security requirements.

B

Of course, message: secrecy in terms of medications. Message should be decrypted by only existing with the group, and only existing members can send this message. Another asterisk in your message appearing to prevent traffic analysis. So this is optional for secrecy and post command security to refresh our minds forward secrecy. It means if the attacker has all traffic history and key k1 should not be able to decrypt any messages before key one would scheme would be for k1.

B

The other way around is pcs is if taker has k1 and some encrypted traffic and in the time time, T Prime. The key has to Quito shouldn't be able to decrypt any traffic after Quito little membership Secotan, who all never should have the same thing of group members. This can be done by using merkel, cheese, proof commitments.

B

Client who joins the group should not be able to decrypt any message before joining clients from removed from the optional be able to encrypt messy after leaving attachment security should have all the security semantics of any message, except the encryption key. She tends to be longer because of that attachment. Netta origin authentication means new impersonations, so Alice can't impersonate pops in the message as pop this usually done by having signature and every message.

B

Typically, this we can use the long-term energy for signature, but if wanna provide deniability to will be optional, we'll have a secret nature cave and the signature keys would be to change it over than average channel security consideration.

B

So what happened? Delivery service compromised, so the most of us can always do the US, which there is nothing towards this, but it should not be able to do inject a message or reorder and if it happens, the clan should be able to take this.

B

If authentication services compromised our it's, it's it's more serious because it can allow impersonations so a condition in encrypted engines and concerns pretty loving or something like it, transparency to do so, if, if this client compromised, this is the worst case, because attacker will be able to encrypt and decrypt messages, but it can be defeated after the compromised. Client has been updated that give material, but it should not be able to do any newest attacks again. It's other beers in the world I gave this is a list of open question.

B

We have today notice it's come up or answer today, but solving for discussion. The first one should the drive to find the frequency of zob this or key is completely open to that.

B

The other question is came up during the path. It's something too concerned about exposing the user devices, and this is a privacy concern.

B

Third question: is the server trusted the store group membership and last one should address communication for traffic analysis or just forget about it.

C

Yeah, so is this the time for discussion great, yes, so yeah MT just remind.

D

Me one at a time so I'll just start.

C

With the first one shouldn't you have to find the frequency of key update or leave it up in the application. I think the answer is yes,.

D

I.

C

Think, oh there's nothing! We can do with the voluntary standard. Yeah I'm elaborating here so I think we should both provide guidance on the frequency of key update but be realistic about how tightly constrained applications. So, for instance, we might say we really strongly recommend that you have a do. You update your key at least once per day, but they're gonna be things that are offline, that are gonna, miss that budget, and so it's gonna be up to the applications and to make their best effort to meet virtually.

B

Just just accommodation looking for thing anything yeah.

C

I think that's right! It's it's gonna, be about. You know what the defaults normal case, behavior of the app is and they're gonna. Have it. They're gonna violate their their update budget. Sometimes.

A

We have a remote question from from vendor. Oh.

E

Can I respond to it? He just sat first, yes, um shouldn't frequency be a function of how secure the key is. If you have weak keys and you want to refresh them more frequently, I.

B

Think that one element.

F

Regarding the question whether the server can be trusted to store the group, membership I think in a number of vacations, this wouldn't be an issue, but there are some applications where it would be an issue. So I think it would be a good idea to have it optionally work in a way that the server cannot infer who the group members are from persistent data.

F

Okay,.

A

Okay, we're gonna take a question from the queue here: I'm sorry ruff, hi Robert from wire. Let me take another question from online Ben.

D

Everyone so I'm Ben, the Uche I'm working with Karthik in Paris yeah, so I wanted to discuss what what a Matt say and a child about I. Think it's good to have a recommendation in the spec about the dating of the be.

G

Louder, yeah.

D

And you got me now.

B

More please: okay, cream.

D

Okay, um you know.

A

We can hear you but you're quiet, so speak as loud as you possibly can. Okay,.

D

So I think the recommendation from from Richard seems a good idea to me like when updating the key, the GUP key one per day. The coop secrets once per day seems like a reasonable recommendation to me, especially because some security properties will actually depend on that secret and maybe I'll come back to it a bit later in the message protection part, but typically depending on.

D

If you want to get pcs for the message, protection for them for the messages and not for the group secret, you will need to to update more or less frequently the the top secret. In that sense, I think updating once a day is all about. You.

B

Just to be clear, I'm not asking what should be them at the time I'm just asking. Should the draft proposed recommendation yeah.

D

My answer to that is yes, we should have a comment, something like one or one updated a.

H

Feature that we should add some guidance about what to do with it and I think that there are a lot of techniques that you may know that in Safari we have a document about regime that is close in to is G period, that there can be some key Iraqi. That key can be changed, for example, once a day and the session keys can be changed frequently. But yes, I totally agree that we should add such issues in the draft.

H

The document may be as a guidance or as best practices, but we should address this issue because we know some examples of messengers, for example, which care of this problem with keys that are not being changed. So, yes, this must be addressed in my opinion and second question I have here: do we address authentication techniques, indication methods as part of the key texture or as completely independent, separate document and separate since this to discuss so.

B

Right now is indication is a lean out-of-band, but I guess reach out more about syndication. You mean user authentication or message authentication.

H

Okay, thank you.

I

Every scroller so I guess in sequence. Yes, we should provide some guidance on key update. There are actually three reasons why you might want to do key update one. The one was alluded to by the previous speaker. Well, not previous previous speaker or not likes.

D

It.

I

No stops but on which is, uh you know, wikis, that's probably not really an issue in this case. um You know you. um If you know, if you, if you rotate your keys, you know like once a day you basically get here. You get said you get something like you know like four or five extra bits of security. That's really get you very much, um but the reason is to do it. Our four key exhaustion in terms of aes keys is GCM keys and also for PFS and pcs.

I

So we should provide some guides on that on though perhaps it should be him. I tried to guide people I had to think about the problem as well. It's just read numbers um um I know: DK, do you want to talk about the protocol high user devices, whatever he's about to say, I? Don't we of course wrong.

I

Exactly.

I

Yeah more seriously, um I think would be good if it was able to, but I don't think it's I, don't think that um there seem to be some seem to be a bunch of I get. The problem is that well that'd be a nice feature. It comes along with a lot of package, so if they analyze with that packages and whether that baggage so I guess you want to where my sense from current analysis is, it is not, but it's not just a yes/no kind of question um with regard to the server being trusted store.

I

Group membership, I'm actually again, two issues here right, one is: is this her trusted to accurately report group membership and the second is the server trusted to know group membership. The the server should not be trusted to act. The group membership for obvious reasons, um and that should be pretty easy to cryptographically fix um in terms of sorts or be entrusted to know.

I

Group membership G would sure be nice if we're able to bolus system that didn't require that, but I suspect, when a system practice will end up having that information any case on so again, we have to figure out the baggages their motor systems on familiar with on as a practical matter. If you know, group membership anyway, so doesn't make that much difference. um Finally, the guard traffic analysis mitigation on I think we should not do anything here.

I

I think there should be a like a section that says like this is like a huge source of like information leakage, um but like every time I've seen anybody tried is it turns into enormous rathole, so I, don't think we'd actually do anything. Separate traffic analysis on mitigation document that'd be fantastic and I'm kind of hoping that hair, RG or whatever they're called, will actually give us some help here, but I think we shouldn't like. We think like that's, that that could show a lot of working your time for not much value. Let's.

A

Close the line after Richard hi.

J

John Milliken.

A

And.

J

So on the topic of defining our frequencies of he updates or recommending I think we should include something on it, but we need to be careful. That's what we say will make sense for both groups and three puzzle groups.

J

So, for example, if we were to specify to do it every day for fifty thousand person group with far more.

D

Key.

J

Update messages and processing you actually have useful messaging, but in fact very well, maybe that the security properties of when you get to that scale me are somewhat modified or at least what the expected security properties are modified, so that slight a different PA schedule would make more sense, whereas yeah, if you've got a very I, think.

B

For Beth of users, it's okay, don't sending updates for a long time, but once it start sending messages and if your combination is one day and they have been sending a message for two days with the first message, we should issue an update from users. I think there is no need to object.

D

Compromise.

J

Or the global pcs guarantee would be that if any group member is compromised that there will at some point to be the group, security will be healed. So if we want to aim for that, then we may have to consider positive members, but in general.

B

I agree.

J

With you and that's for most operations, thank you.

K

And this is Daniel Caine Gilmore, so I do believe that the draft needs to specify strong recommendations for key update. We have experience of not recommending key update schedules and other protocols and people done don't implement them at all. Maybe they won't, even if we recommend, but if we recommend that we give him a chance, I recommend framing it as a minimum and maximum key update range, because you want a maximum and.

L

Frequency.

H

Or or or.

K

Period, but if people read it too fast, then we get that we run into this problem that that John describes and if they update you slowly, then we know that the PCs, but we should put in a concrete recommendation and I agree with John that thinking about how we frame that with regard to number of groups, is important as far as hiding the user devices. I've mentioned this on list the current arrangement, where we are currently saying well, you know multiple members and each have multiple devices and the devices are visible.

K

That is a strict superset I. Think of what we minimally need to do minimally, we need one device per user and the user could do something like MLS between their own devices to synchronize, whatever key storage and state, they need to synchronize. If the user doesn't do that, then they end up showing up as multiple devices. The reason I think we should avoid trying to get too deep into the weeds of a multiple in the multi device case, aside from it being more than we need to do to get something.

K

Working is because I believe that the multi device case, where every peer can see everybody every other peers device. It has two problems. One problem is that I, don't necessarily want you seeing my devices and I, don't think we have a good sense of how we can explain to the user a choice of.

K

Do you want to expose that you have multiple devices or do you want to just pretend to have one right, I think that's a that's a bad question for user interface and we don't want to give users the choice of switching in between there, and the second reason is because, once your keys are being updated like that, and it appears that you have a new device. You're gonna increase the number of notices that new devices show up or you'll start removing those notices because they just get in the way and so in the fourth.

K

In the first case, you end up with security fatigue, which means you don't notice the actual big devices where a user gets read, which is the wiretap scenario and in the second case, where it's all hidden, you can't notice it so I think that when we, if we go into the point of exposing multiple user devices, it leaks privacy and it increases the problem that the the ease of inserting an additional key for a wiretap scenario, which I think we should be avoiding. We should be avoiding making this wiretap facilitation scenario.

K

I will not comment on the third one, but on the fourth one we need to include a mechanism for traffic padding. We do not need to specify exactly how to pad, but for the protocol messages, in particular all of the stuff that I've seen across the ITF. The application layer is what knows best how to pad, and so somebody who wants to write a draft should be able to do that at the layer of MLS. But we don't need to include the specific advice in the first round here.

K

We just need to make sure that we have a mechanism for padding that someone can write a document that describes the standard pattern. Thankee I.

M

Lucia Ballard from Apple just a comment on the first point. I think having the recommendation here would be really useful. Having a strict requirement would potentially be a hurdle to adoption or if you go with the minimum maximum idea and making sure that minimums pretty generous just because I'm thinking potential clients adopting this are in the very hugely in their expected group size in their sort of expected connectivity for group participants and in the amount of already deployed infrastructure at scale that they have to deal with so making sure that there's some flexibility there.

M

It would be very helpful for the.

B

Charters to have you thank you.

N

Bob Mascis HT consulting I'm, going through the list, I've seen so many scenarios, but ripping the IOT arena where I think good guidance in different classes. Scenarios will be very good because one community, we may be very insular and not being able to think really out of their own box of what they may be doing. So they can see how, in this particular case, a different key update method will maybe use may open their eyes to a broader view of it.

N

But in IOT arenas with some multi-class case, I seem like you're, not gonna get key exhaustion for a few years, and devices are not going to be updated for even maybe more years than that. So they don't even talk about key update in those arenas because of that. But but even so those people should still think about some of the other cases. So good guidance, I think is what's needed in the key update arena and and strong recommendations in certain for certain scenarios.

N

I would like to see how you're going to be able to hide the privacy of the user devices, and this is really really hard and I'd be really interesting to see, see how you're gonna recommend that, because it might be interesting or we may just be wasting a lot of effort to make to to have some smoke mirrors.

N

Also in many again, it depends on the multicast cases, whether you can really can not store the group membership, so that's really related to what you're doing with with multicast and and so how does MLS or have really anything to say to the group about what they're doing in terms of group memberships store. So I think that's out of scope for MLS and on the last one I assume you're talking about traffic analysis of MLS, not traffic, analysis of how those keys are used.

N

Therefore, I strongly think that MLS itself needs to include traffic analysis mitigation and, in that and I hope that that's what that point is talking about now: traffic analysis for other multicast protocols, Rob, secure protocols.

A

Hey Richard we're gonna have a quick question from Karthik Karthik. If you can keep it short and then we'll Richard y'all have the last word hi.

O

Guys this is Karthik I come from India, just a small question about or small comment about, group membership, which is that I think it's an important question to ask at this early stage what we really expect from tanam about I. Think a few other questions have raised this point too I mean.

O

Is it actually necessary for every member of the group to actively maintain a group membership list to know immediately who the members of the groups are whenever the group changes, or is it something that you want to be able to query on demand from some distributed set of participants say- and this is just I'm just throwing this out as maybe it's not clear-cut- that everybody should always be able to know who the other members of the groups of the group are okay,.

C

Thanks Karthik this Richard Bruns, again I spoke about the first one already I'll just cover the other three briefly, which is largely plus one of those. Some other folks have said too, with regards to Bob's question about hiding devices. I think the flavor of hiding we've discussed here is a John. John Milliken came up with phrase. Pre trees, where you might have a leaf node in the mls tree, actually represents a whole subtree of devices that belong to a user's perspective of the overall group.

C

You would just see the user as one node in the cryptographic State, even though there might be that no, it might be a compound with other ones. That's kind of I think what ml d kg was referring to take your three-letter acronym Dicky was referring to you when I was talking about running the protocol among your own devices, which I think is exactly the right way to think about this I. Don't think we really need to get into the details of how you might go about hiding things.

C

We don't need to treat that as a first case use case here just as I think we can just note that one could do this if you wanted to protect device privacy I'm largely on the same pages I could with regard to storing group membership, the only thing I wanted to know was something that I think John and Raphael raise pointed out to me was that we might not.

C

We might you know, use the the server as a cache of some information, but not require it to store the whole membership of the group. So you might, you know, trusted the store. You know a collection of public keys for nodes in a cryptographic state but divorced from identity. Information about the participants and I think John's, nodding, I think that's sort of already saying, so we might trust the server to cache some stuff, that's kind of not identifying a participants and so not sensitive, but I.

C

Think the general requirement here is: let's just think about how much we require the server to cache versus what would be useful for it to cache in terms of distributing information. Finally, traffic analysis mitigation. It's a Bob's point about what we're talking about mitigating I, think the intent here. I, don't think anyone at least I've been chatting with Alice has been thinking about protecting the MLS key exchange method messages. I think we weren't even thinking about encrypting those. So those those are just like handshake messages that the system can see.

C

I think the concern here is traffic analysis mitigation. With regard to the messages that would be protected by a message: protection scheme that Benjamin is going to talk about in a couple presentations and I think the answer is roughly what I forget prior person said that we should have some padding mechanism in here, but leave it to the applications to decide how? How do you so.

B

To summarize, we almost all agree that we have some guidance for the first question like min and Max style should prefer other devices. I guess we might add option for this, but I still continue discussion. For this part, its server trust, stewardship, I guess our conclusion adjust may be optional, but don't require per se and the last one we should include some include some can even but it leave it to that aside, how to do it. Correct, okay, so.

C

Question for you, and that is as editor of this document you feel like you- have guidance to go off and I think so great.

A

Great, thank you. So the next next week come on.

P

Before that happens, can I see a show of hands of who is read this draft a fair amount, that's good! Whichever previous draft a lot.

B

Could I should write yeah cuz.

P

What we'd like to do is do a working group adoption hum, so if you've never done, this I'm gonna, like Nick, do the actual hum. But the idea is that we have an individual draft now and we're gonna make it a working group top so that we can take it I think it was good that we have these open questions because it shows we've got work to do so. It's not fully baked. So that's that's perfectly. Okay, but we've got a good basis of a place to start there.

P

Anybody else who has a competing drought that they would like to throw into the right you. You cannot do that. Alright,.

A

Okay, so the hum is going to be for adoption of the draft of the draft as a working group document. The draft specifically is amounts of architecture draft, so.

A

If you want this draft to be, if you agree that this draft should be adopted, please hum now.

A

If you disagree that this drop should be adopted, please come now pretty clear.

P

The.

Q

Remote was also yes thanks,.

A

Our team on, let's move over to the next one handshake message ordering perfect.

B

So handshake message.

A

Ordering so.

B

This is physically specified in that protocol. Draft I'm gonna quickly explain the problem and the solution described in the draft and again open question then. So what are the handshake messages? They are any messages change. The group stays like group in each other ad group. Add remover update. Each handshake message is based on the current groovy state. I will choose a pop field for this. Of course, conflicts can happen if two or more clients issue a same handshake message on the same group state.

B

Usually this can be solved using server-side, enforcing or client-side enforcing, in both approaches that might call the starvation's. So a given client may not be able to send handshake message because it's always get rejected, so we understand art forces Tekin. However, you know correcting the difference more in the next presentation.

B

Three Kim doesn't have this problem because it's able to marriage concurrent updates without rejecting any of them, so the wave server forces ordering the message you will have authenticated equation number, which is a book field and the delivery service will just process them in order and if it receives two or more message on the same sequence number, it will just pick one of them and reject all the others, and the rejected client will reach for again after update English states,.

B

The way underst client first identified correct me if I'm wrong it spins in two steps we're at sea. This is how its described today is the critical draft. The client proposes the update first and since update if it gets fifty plus percent by other clients. It's a question. You know what, if most of the clients are offline, like fifty percent from the online user, which is a security issue or how it works.

B

So these are the three open questions about this. The first one should this section be moved to the optical dock instead of the protocol like covering this message or drank the problem, is this only specific for any protocol that has shared will be state if or even something like sender, kids, they will not have this issue so the question: should we this PR overall, in the pressure block or not again back to the server the server divisive is Trust? Is the delivery service trusted to enforce our drink?

B

What's a security consideration if it does and regarding starvation, is actually a problem in in busy groups or in gratitude to a teammate might never happen like someone eventually, it will eventually issues our update and it's all in from discussion again.

C

So yeah I think it would be good for the architecture document to have a very clear statement on this. The the question here is what assumptions the protocol document can rely on if the protocol can basically assume that clients are presented with a linear sequence of handshake messages, that dramatically simplifies the client logic you're going to have to put put into your into your stack so I'm very much in favor, of making a clear statement in the architecture that, whatever the delivery service is. That's, do it that's providing delivery for this protocol.

C

It ensures that all of clients receive handshake messages in the same order, and that frees us up at the in the protocol document from having to do anything about what happens when things arrive in different orders at different clients. This is a simultaneous at or simultaneous update question. So you, okay with a set of our trusting yeah I, am comfortable with trusting the server to enforce ordering.

C

But as long as we can assure in the protocol that the only thing that that can result that the only thing the server miss ordering things could result in is a denial of service condition, so we should make sure that it's that the trust in the server is bounded, but as long as the server can't do anything besides deny service or fragment the group I'm comfortable with that agree of trust in the server, because the server can can cause fit those sorts of failures anyway, on the starvation question, I think that's a real potential problem, but I think it's something we're just tactically speaking.

C

I I would be comfortable pushing forward with a solution that had some risk of starvation. Doing some prototyping dropping again getting some experience in real ish environments, and then you know if starvation looks to be a problem in some cases. Looking for some methods, we could use to try and address that as an addition to a baseline protocol. That's linearly oriented.

B

I'm going to comment that the concern I have it with several cross to death. The server might reject a specific, a bid for a specific client, so which means risk is the PCs for specific clients, but if we have like, if we do like bundles update with the message itself, this means that mass will not be accepted on slaves. Objects is accepted. Okay. This is just an idea.

K

This is d kg so on the security considerations, side back on 14 and says modified reordered or replayed messages must be detected by the clients in the event of delivery service compromised. So I think that goes to what Richard was saying that there needs to be a detection. I confess I'm, not sure that I know.

B

That well, if I hear so, there is no reordering, this would be preventing from updates. So the client who rejects updates so if it is a vos at that, so the server will reach its updates. This means I'm.

K

Trying to address the questions about forcing the ordering not about starvation. Ok,.

B

Wait sorry yeah.

K

Sorry I wasn't clear about that.

K

So I confess I am NOT in sure that I understand what reordered means in a distributed messaging system like what does it mean to say that the that the server if the server reorders the message, that's detectable by the clients when we're talking about a messaging system where there is no canonical source of truth about when the message was originated? Well,.

B

If two messages coming from the same client, for example, can send two before one so we're talking about just about. It is the way the ordering works right as a replay attacks, replaying the same message multiple times or the order machine from the same client. So.

K

Just from the same client, yeah I would.

C

State it a little differently, I I, think the risk here is in handshake messages, so the key exchange protocol I think we can tolerate arbitrary ordering in the message. Protection as Benjamin will talk about a second but I.

C

Think the risk here is that the key update messages are premised on a given state, and so, if those are delivered in a you know, in an order that doesn't correspond to a linear evolution of states and or if they're delivered in different orders to different clients that can cause clients to end up in inconsistent states and so I think that's the type of reordering. That's the concern here is that there's not a consistent ordering in terms of sorry, if all clients don't receive key exchange messages in the same order.

C

The objective here is to have clients, agree on a sequence of cryptographic states, and so, if they, if the server, can reorder messages to to change to cause clients, not to agree on that, like that's, that's the type of reordering I'm concerned about anyway, anyway,.

K

It sounds to me like we're, not entirely clear that we're all talking about the same thing, so it might I think.

B

Sorry I think they're talking about regular messages are Fisher's presentation and Richard talked about the handshake messages here. Right, I'm.

K

Talking about the handshake message.

B

On appengine yeah I mean I, think there's.

K

A separate set of questions about a transcript consistency which I'm not trying to cover right now.

I

So this time, I will agree with EKGs um I I.

I

Think it's clear that, like the system can't enforce like strong ordering like guarantees between two simultaneous up this year, different people um like Eric, Ries, Corolla, um uh no I mean like if you and I you and I, send updates like at the same time like approximate the same time, they're like no there's like no way for the system to guarantee that the one that was like sent and like like I was in order quality in like Walcott I'm like two milliseconds before the other is the one is delivered first, like the server.

I

Obviously word of them in anyway of leases so huh like unless you men, ISM news to go dater because I'm, not aware of so so so I mean the best. In that respect, what we can do is we can guarantee. um Is we can guarantee that the messages within a client or say are delivered in the right order? Handshake or not handshake on the? UM Similarly, like the server can obviously suppress that you know, the server can obviously suppress messages from any client it chooses, and so what I think um the I was over?

I

What I mean as I think we agree, there has to be trust, consistency, otherwise the system doesn't work properly and to what Ahmad was saying earlier is the we should be targeting here.

I

Is you can't selectively suppress handshake messages while delivering application, their messages and in terms of being able to detect reordering and resolution, then that's what that gives you, which is to say that if you have consistency with if your consistency within a client and I receive like you know, messages two three and five and they're all messages and then Irish I'm, missing message for that I know: I know that's been deleted and um and then you have to like come with. Why did the server not delivered that now?

I

um If you want to go beyond detection is suppression? One might wish to make handshake messages in some way indistinguishable from from from from application their messages, so that it was difficult for the server to selectively, suppress those, um but there's only so much.

I

You can do I do think by the way that, on to Richard's point that I think that's totally reasonable at this point to say we're not effect if we trust the server to do this properly and then attempt to detect when it fails to, rather than try to build a system which operates properly in the face of an arbitrary, malicious, all right, nobody difficult! Thank you.

F

Yes, refer Robert so to the first question. I think it should be part of the architecture document, especially if the answer to the second one is yes, because the server is then very much part of the architecture and so to answer the the second one. We have to look at what the options are.

F

So one thing is what you outlined amad is that it's being decided on the client side, and for that we would need some sort of mechanism where clients can actually decide on the order without relying on the server and- and that is difficult because you pointed out that it has to be asynchronous or finding some consensus.

F

Asynchronously sounds a bit contradictory happy to be proven wrong there, but sounds like a tough problem to solve, especially if you don't want to add a lot of overhead and the other option would be if ordering is not really that necessary. So this comes down to art or tricking, which I think John will mention later so for art, orderings, absolutely necessary and for trick em. You have a little bit of flexibility, some messages because some stuff can be merged, but it's it's still not very flexible, so I think in practice.

F

The the best solution right now would be to trust a server for that and regarding the starvation, this really comes down to the scope and and the amount of messages you have at the end of the day. So this, if the scope is really only the handshake messages, personally I, don't think we could ever run into starvation frequently, because if we have so many handshake messages that many participants and devices send them out at the same time constantly, then we have a general problem. I think.

B

uh

L

Jonathan I was just think, I mean I. Think the question with starvation. Is you want to make sure that clients can distinguish genuine starvation from you know some malicious server or potentially even malicious? Other group members fault, you know falsely making you think you're being starved and locking you out of the column, and you know I, guess it's it's kind of the same DDoS attack you just you know denial of service attack just by dropping the that's malicious server, but I want to make sure that you can tell a malicious server from genuine starvation.

N

Bob Moskowitz, perhaps I'm showing my age but where's the state machine. They were talking about reordering the rest being important. There must be a state machine here, someplace and the state machine should handle all cases. My professor way back when forty years ago, whatever wouldn't know more than that, would not let me do anything like this without including the state machine.

N

So, if we're concerned about it, we should be able to talk about that and again maybe I'm, just showing my age on that and and so the state machine would then tell us whether we can trust the ordering the rest of it. So that's why I say about that: starvation. That's Doss attacks, so he has a real problem and it will occur so again. It's how do you recognize and understand that and again the state machines just show that again showing my age. Sorry, thank you.

J

John Milliken again so I think I think my my take on questions two and three is one of it would be. It would be lovely and I, don't know if it's possible every lovely it could you get to a state where the server can do nothing to the security properties without actively blocking blocking people's messages.

J

So obviously, if one person can never send a message on then put pcs with respect to that user is is going to be compromised, but if we can get to a situation where so long as everyone in intermittently get messages through global pcs can advance, then that would be that strikes me as the property that we should probably be aiming for with respect to them. Okay,.

C

Yeah just to emphasize on this reordering semantics, the the the order that is important to preserve here is not the order of origination of messages which echo as I could accurately points has interfered with my relativity.

C

The the important thing to preserve is the order at which messages are received by the participants and that you can easily enforce that with things like two-phase commit so that it's, you know, there's a variety of mechanisms where you're well known. We can use to preserve that property. So we regard to starvation.

C

I think something that might be useful to do here is to have kind of a starvation consideration section here, because another thing, I might trust, did the server did you uh Jonathan mentioned malicious other clients trying to omit a lot of update messages so that no one else can advance pcs, and that is something where you could have. The server do some some stuff to help like it could it could recognize especially active clients, or it could recognize that you know this client hasn't had a chance to update in a while.

C

So let's get and let him in and so the you it seems like. You could put some considerations like that in the architecture and as in terms of recommendations for things, servers should should consider implementing.

C

Finally, I wanted to end with a question the thing that I'm actually surprised hasn't come up yet is Federation, because these this consistent ordering are super easy to implement in a single server system. You just have a lock, and you know you wait to get the lock a free transmit, but it's harder to implement in federated systems where you might need collaboration among domains to synchronize when messages can be transmitted. So I'd be interested to hear from folks who are interested in that use case.

C

As we've said in the Charter, it's not a primary use case here, but we won't want to have real hard barriers here so I'm interested in whether people think this would be a real hard barrier in Federation.

R

Daniel Franco, so ekor is of course correct that that you can't totally order messages and asynchronous setting, but that doesn't mean that we necessarily have to settle for just total just just ordering messages from from each individual participant.

R

There are very, very nice middle grounds here, like vector, clocks, okay,.

S

No I can't ask you mara, 4:17 G for them. Speaker I may have misunderstood the problem, so apologies ahead, but with respect to messages and ordering when we're talking about end to end and I, guess that's what we're trying to achieve here. Server here is strictly to facilitate certain things. So when we talk about security and it's the service roles in all, this is to harden the model not necessarily to make it secure.

S

And therefore, when we talk about the order of messages, I see two types of messages: messages that are specific to a state, in which case like the gentleman mentioned, a state machine or crypto. A cryptographic binding to that state is important and that solves the problems of server trying to mess around over the order with messages that don't really affect the ordering just need to get there.

S

That's a different problem, so I think it's important to separate the space of the type of messages go through, because some messages need to tie to our specific to state. Some are not, and those are are tied to speak to a state need to be somehow bound to that site. Either cryptographically on earth rather means so you're. Sort of this is to the point where the server is just facility and transfer instead of an insurance and security properties.

T

All right, if you want so I, was thinking about your question about federated the case and I'm wondering whether, since this is human communication, whether it might be enough to to be able to inform the user that there is sort of that the various end points who don't agree on the on a particular message order. And so, if you can, if you can, even if you can show that right, we're and that might be enough in the Federated case right I'm, not entirely sure you have to force ordering in for every case.

T

But as long as the user knows that there is contention contention in a perfect particular case about a pair of messages. Right this, your your the whoever used your chatting. We believe that they are actually in the different order. You may have to work that out, but since this is human to human, maybe your config, maybe that's enough.

S

So my talks in one more comment: respect servation is I may be wrong, but there's not much. You can do them in, depending on the capabilities of your attacker and adversary right. If they can control the network, they can potentially compromise the server because the server is sort of less trusted. I was just mentioned that probably one includes a mechanisms where a client understands that he was not able to participate in their ecosystem for a period of time, at which point he refuses to participate at all.

S

To say that you know what I wasn't able to persuade. Therefore, I have no trust in the system anymore and I'm gonna back out until some recovery mechanism is in place. So this is to say that you can't control the world, but the client can say you know what I'm gonna be defensive. I'm not gonna, participate if it doesn't play by the rules.

U

Brian, why is cisco, so traditional group security systems do tend to trust servers and have a lot less trust in the clients, and I sense from this effort that it's all the way just flipped around they're the direction, we're trying to trust clients and not the servers and I think that's not clear at all in the architecture and even not in, for example, the second question here: I'm, sorry, don't trust anybody, so so I think that's. That is even more important that the architecture itself needs to take that statement and make bounced around around.

U

What do you who is trapped you to do what and who really is trusted, generate keys? Who really is trusted to decide when there's a key change? Those are those. Are it's really hard when you don't trust anybody, so you've got to assign some amount of trust to somebody and then in the architecture.

J

Is linked? Okay,.

J

John Milliken again just in response to Michael's point about clients deciding that they have been locked out for long enough and they're gonna stop responding I think some of the offline discussions I've had with people about this in discussing. Maybe if the protocol can automatically expire, clients which have been silent for long enough can so rather than the client deciding that it's going to kick itself out. Everyone else decides that they're going to keep the client tabs for the purpose. I.

B

Mean that's why this cool okay, so that we understand the answers are its yes. For the first question for the second question: the server is trusted to do the functional delivery or the function Orion, but to the security semantics so and if there is any compromised from the server should be taken by the client it was ever did anything with this. The client should be able to detect it somehow to understand correct.

B

Starvation, when I, when I mentioned summation here, I meant innocent distillation, like functionary, should not attack voiceover attack by the by other means, because both of them are at the addressed in succession. Dr. Beane's cannot deal with other peers and was the idea we have with minimum and Max and the update. This should solve this problem. You can't really actually issue up this all the time.

B

Yeah.

C

I was just gonna say as author of the protocol document, which is not yet adopted, but maybe in the future the less is the takeaway I'm. Getting here is that you, the architecture, is going to document this requirement that the delivery service provide a consistent delivery order for handshake messages to clients and I'm going to rely on that in the protocol document. Yeah.

B

By the way, should it be : ten shake messages? That's.

C

Just what that's the terminology we.

B

Have and I agree now.

C

We can change it later and I. Think the what I'd like to see for the third one is is that we have some considerations around how to address starvation, and then we we keep an eye on that problem as we move forward and see if we need mechanism to improve the situation. Okay,.

B

In the way, a thief provision is, if it's it intended starvation, but also for other being just a way of us like to card in the same direction or not I.

C

Think clearly, we need to document that it's a condition that can arise. Okay,.

S

I.

C

Think we should also document some things that the server can do to help if it arises due to malicious clients. It's.

B

Not good any other question: okay, okay, thanks John, let's run your ass.

J

Cool so I'm just gonna talk about that. The big open question of what should lay at the heart of the protocol we've got two proposals at the moment are tan and tree kam, and this whole thing is an open question, rather than the specific specified open questions at the end of em had slides, please pop up and ask questions at any point, so, first to just kind of refresh us on what the various operations be able to support at so we've got group states stored in somewhere.

J

Both the proposals at the moment, own key trees of various forms and every participant cache is some view of the tree and then the operations that we have to have are being able to create a group at users. Users add themselves to the group: users update their own keys in the group and being able to remove users from the group. So this is just the key exchange protocol. It's somewhat divorced from the messaging itself, so the first protocol, but to borrow my slides from the buff, is called asynchronous.

J

Ratcheting tree came up with this last year and it's based on a different binary tree. So any leaf can be updated in logarithmic time by updating the Leafs tree and sorry, the Leafs key pair and just recursively recalculating the entire setup to the root.

J

This can operate. Asynchronously.

J

We have proofs in the paper linked of the confidentiality of the group keys in this setting only for static groups this, but this paper does not fully prove art, as used within the MLS protocol doc, but it's partway there and within MLS we've actually defined some things that were left out of scope in the original paper. So we have additional constraints and the tree structure.

J

As I said, we allow membership changes and we talked a bit about race conditions which we have the luxury of assuming did not exist in the paper.

J

So to that, the fundamental building block of this is diffie-hellman and a way to derive a different key from a dippy Hulman output.

J

So if a mb perform a key exchange between them, they get the output a B which they can then use to derive a key pair and then a B and C D can then perform this etcetera, etcetera, recursively up the tree, and so, for example, you code to do Expo, 5, 5, 1, 9, so X, 2, 4, 5, 1, 9, just of the hash of the diffie-hellman output that we found at the hackathon or the other day that if you just use a washout, 2 5 6, there are a bunch of potential tricky potential conflicts that happen but yeah.

J

This is just an example. We do not recommend this in practice to know terminology here. So with respect to see, we've got a bunch of terms, so we have obviously the roots of the tree. We've got the direct path which is in bold, so that's C and all of its ancestors. We have the KO path, which is the sibling of all of Steve's ancestors and then the frontier, which would be the siblings of all of the ancestors of a hypothetical Mew key to be added to the tree.

J

So the direct path and the co path are all with respect to have given nodes. The frontier and route are with respect to the tree as a whole and from a leaf and a co path. You can compute the entire path of that leaf.

J

So the way we anticipate the group evolving is that this is just used as a mechanism for inputting into a more general group key ratchet.

J

So the tree root is KDF t' in to the existing group, ratchet etcetera, etcetera. So we don't just require the correct tree, but we require the correct order of trees as well, so the first operation create group is very little to talk about this. A has a different key and that's pretty much it in the art paper. We defined this as starting with a pre-existing group in MLS. We don't do that, yet we just assume it's the one member groups, that's very difficult to talk about this.

J

It is a combination of few of later operations, such as the group initiated out. So this is a situation in which a member of the group wants to add someone to the tree.

J

At this point, they take an init key. These are also known as pre keys and of the protocols which has been pre published by the user. That's going to be added, they generate a difficult and key which they then publish alongside the init key and from this the user can generate the the rest of the tree, so they also have to publish the path.

J

Sorry, no they've in in this. Yes in this diagram, the add key is sent to the other members of the group, and so everyone has either the add key or the init keys private key and can recalculate the rest of the tree. Based on the frontier of the group.

J

The next option is the user initiated add. So this is d adding themselves to the group, as the the frontier has already been published, all D has to do is perform the the diffie-hellman with its own key, it's fairly straightforward for PCs. This is when someone wants to rotate their key pcs being post compromised security.

J

That is our future secrecy, as it's also known so be simply update, updates its key recalculates, its path and publisher, all of the public keys up the path, and then everyone in the group you should be able to calculate with respect to one of those public keys, what the rate is and then removing is essentially an update where someone performs an update to someone else's key by replacing it with an eviction key.

J

This has some intricacies that have admitted from this slide, but we essentially, we have a double join problem where you now have whoever's evicted. The other member now knows some of it, some other node in the tree. So if they were to be removed, they would still have access to some state of the tree. In the protocol dock, we talked a bit about how we can address this, so as an alternative to this bonds occur and Karthik came up with this alternative approach. Tree can so.

J

This is a new primitive, as opposed to the diffie-hellman key tree which we were used in art, whereas art used diffie-hellman x', which are contributed. They require both of the children to contribute something to the key. This is non contribute 'iv, so every node or every parent node is derived from just one of its children.

J

When you send out updates you send out the parent nodes secret key to whichever child should know, that secret key and simply send it as an encryption operation rather than through any derivation and then for the most part the properties are pretty analogous to us.

J

This tree structure is the same, but we have a couple of potential big improvements, one of them and which I think was the main motivation behind this design is that multiple updates can now be potentially merged without conflicts, because the non contributor bertie means that no one needs to know one of the two children's private keys to update any given parent and also because, as I will cover in a sec, the keys are derive by hashing one of the children keys. Once you know one of the private keys, it's pretty much an o1 operation.

J

It is a lot logarithmic sequence of hashes, but because they're orders of magnitude cheaper than asynchronous operations, we treat them as essentially free.

J

So the way this works, we have a new derived key pair operation, which mats a random bit string to a public key pair. But this is a public key to use for encryption, rather than key exchange could still be difficult, and that doesn't have to be. We have a strapped away. The specific algorithm and so you'll see here that you've got this. The parents is hash of a B. P doesn't come into a digital.

J

So this is what the tree looks like. The various definitions are exactly the same, but you'll see that you've just got different values here so see in this instance, was the most recent person to update so C's key is represented at the top was at each stage of the tree you have. The node was derived from one of its children, I think I just always went for leftmost apart from see. Example.

J

This is exactly the same. The slide was just copied, so you just to demonstrate that you can use it exactly equivalently.

J

So in this instance to have a group initiated add you generate an add key. This is just a random sequence of bits. You encrypt that add key to the new user using that init key. So that's this ciphertext add key in the structure. You calculate the sequence of private keys and public keys up up its path, and then you publish all of the public keys in the path keys.

J

Sorry, you publish all of the private keys in the path keys, having encrypted them to their sibling. So in this example, Javad key is encrypted to cv and hash. Squared of ad key is encrypted to the hash of a is public key, and this allows everyone to calculate that calculate the route with just one single decryption.

J

So the next operation, the user initiated out this- is again pretty similar to art. So it's just deers adding themselves, so they take their own randomness hash it up the tree, encrypts the relevant hashes to the private so to the public keys of the other children and DS key is now at the root of the tree for an update.

J

So if we imagine in this situation that a had had been the most recent person to update at the point that B now sends their update again, the root to the path is just completely rewritten completely unrelated to what it was then. Finally remove we're looking at exactly the same processes in art just send out an update for someone else's key.

J

So the key comparisons here are so first in the update complexity. So where, as art, every update is essentially a log in operation. Pretty much everything in art is log n tree cam updates a log n for the updater, but they are just there. Oh one in terms of expensive operations for everyone else in terms of concurrent updates because of the non contribute ility, it's much easier to. Imagine multiple updates being handled at the same time and having some decision to which wins without having to discard any in its entirety.

J

Art has a few situations and when it might be able to handle concurrent updates, but it's much more restricted, and one note here from the academics is that we have not fully studied tree cams PCs properties.

J

We've got a bit a best, slightly better idea of arts properties, but that is incoming for Trika I believe open issues with both this is the same as it was with art, so we've got to prove the various operations security within the model that we want figure out. The logistical details around removing massive sequencing mess, various other topics which have been covered earlier or will be covered later today, also attachments.

J

This slide was copied from last time. This is not so relevant to tree kemon, art, specifically cool. Any questions, / comments.

C

Yes, I think the salient question for the for the moment. You know what we need right now in order to keep the protocol moving forward. Just a kind of tea at the discussion for everyone is, we need to decide, you know which of these or both we want to move forward with so in the the rev of the drought.

C

With the protocol draft, we we produced for this meeting I just put in a switch and said you can do either of these as the inner loop of your MLS, you know either you can have an MLS route based on here. It's here you can have one based on on Sri, Kim and I'm. Guessing that's, probably not the optimal outcome, so I realize we might need to do some more verification about the the properties of some of these algorithms, but I'd like to know like it seems like these are pretty easily swappable.

C

So maybe we can proceed with one while we do that verification, so I'd be interested to hear you know whether people think we should pick one or keep both and if we should pick one which one we should operate with for the moment. So personally, a back on your you're sailing a comparison points slide. I am less concerned about the concurrent update benefits. Now, given the last discussion we had.

C

So if we have a strong assumption about consistency in the received transcripts, then in principle you never run into a situation where you're, where you need the merge concurrent update and the only way that might be useful is if we really have a bed starvation problem and we need to do some merging I'm, also worried, because from a protocol point of view, even if you can cryptograph of the emergency updates, you need a way to communicate that, and so you need some.

C

You know language to say: here's the set of updates, I have merged and I'm using that for this epic, so I think it introduces a lot of complexity. So I think the the primary advantage to me here is in the the performance difference and that that even that I think comes with a cost, because tree cam requires several more primitives having your code you're, not just doing d-h. You also need a public key encryption primitives, so it seems like there's some drop back there too.

C

Honestly I'm, not really I, don't feel like there's a strong winner here and so I'm looking forward to hearing from other people yeah. If.

J

You don't also mention actually tree can message. Update messages are about double the size of art once but not order of magnitude. Difference I.

Q

Reeling from catriel cone, Gordon she'd like to hear on lists from some Federation positive people about the concurrency assumptions she expects they have situations where it is not satisfied.

H

Laughs laughs. Thank you. I really think that both constructions- worse considering I'll just want to at one point that tree came if we could be sure that it's really secure regarding assess properties has one more advantage. It's much easier to build implementations as it is resistant to side-channel attacks, because we really have much less public equations in some points that can be quite frequent, so I think we really need to try to evaluate and assess tree campuses. I think that may be safer.

H

Gee I can help asserted that can be pushed to safer, G and personally I'll be happy to try to calculus and, as it was mentioned, both constructions seem to be more or less equivalent it in the set of interfaces. So we can proceed with without choosing one or another one right now, but if we could prove all properties of chicken really personally I prefer it as construction, Thank, You pecker, let's go to Benjamin Karthik and what are.

A

You.

D

Everyone I guess it's I, don't know. Can you hear me this time? Yes, okay, so I actually I, don't think I agree with with Richard on this I think we we should actually keep both constructions in the spec right now, because it's we still need a lot of analysis right, busan, art, because it's been studied only for static groups and for trick em and I don't see an actual drawback in keeping both in the spec at the same at the moment, that's it Thanks.

O

Hi, this is Karthik thanks, so much for the discussion and the slides at John I think it made it very clear, I think, what's very clear from the slides as well. I.

O

Think for a lot of you is that there are lots of gamma commonalities between on purpose between structure of Arts and shake em, which means that many of the issues that we we will see about authentication about message, authentication and so on a completely orthogonal and will apply to both, and there are many open questions which aren't both as well, especially to do with authentication as well as we all see so and on the analysis.

O

Indeed, ChiCom is newer and has received less analysis and CRT, but we hope to address that in the in the coming months and I have a have a foolproof. That's what I'm saying thank you.

I

Yep no score so I think I differently, Richard up in a different.

D

Way.

I

I, despite the fact they the system requires consistency, um it doesn't require, doesn't require complete, lockstep, behavior and so the impact of having um the one at a time updates of art is going to be an enormous number for any large grouping. An enormous number of rejected, updates, they're predicated on the previous crypto state that they give bounce back and figure any significant message: latency um and a significant rate of rate of key Church.

I

Now, if your change changing once a day, this almost never happened, but if you're changing people are, if you have a significant size grouping before attempting to change like essentially every message, the way like some systems do, then you're gonna constantly have collisions, and it's gonna be a lot of back and forth.

I

So um I do that's a significant issue in terms of handling the pairi, the problem of figuring out, which set supply to which a POC is a real issue, though it's not it's important to recognize is that it's straightforward to label the a box essentially by which set of up case has been applied, and so you can always figure out which keys apply to which messages apply, which at buck what's difficult, is effectively knowing when you can, um because they're positively, um because of multiple updates can be applied to say my buck.

I

What's difficult, there's knowing um when you can discard the keys that are that required to basically it against the next a buck. So you know I'm at box zero, and you know that includes and then includes, basically updates, ABC and D. Then at some point, I say well I'm in order to process a you'll get a and you have to keep that you're like epic, zero plus a and you know, and then in order to process B, you have to have the zero.

I

This is your a POC and you can all and some point you'd have to discard zero or devalue, and it's the different questions, my dad answer, um but um we talked about a little bit so I think there are some ways to do that: I'm, basically a effectively.

I

You need you, you cute for some period of time afterwards, and then you could and because you haven't, because they're tres persistency guarantees everybody agrees when they can describe the keys and that so you will occasionally get people who get bounced, but don't be very common um so on this isn't to say that I think that uh that we oughta destroyed have tree can um I think what I would say is going back to let Stella said a few minutes ago.

I

It seems to me that, in terms of properties, there's a reservable properties tree has larger superiors, rural poverty start. However, it's less clear that it's like that, it's safe um I, don't have a safe, but like treat it's like less less clear we reach weekend, dinars um so I think well. I.

I

On the other hand, we're also not frozen ship to protocol today, so ho-hum I think we ought to do is operating the assumption that both of these are secure, which may be false but operated as a moment on and attempt to attempt to sort of work out as soon as possible. What this our operational details of each one of them is, and if we convince ourselves that which one ever only thing's operational superior, we should like cross the other one on the draft and put it in some.

I

Like you know it's get, so we can like just put it in some stash and get back to it later, um and you know tape but hit that one either graft temporarily and perceive with the other one and I lost it today, but like perhaps that you normally do that and but relatively soon and then pushing the other one.

I

And if it turns out that, like there's a serious problem, then we have the other one sitting in the back burner for us to pull back out, but having to drop I mean given that we're not proven your ship tomorrow, having to alternative mechanisms to sort of reason about it, I think makes life harder.

J

Just add to your point of about tree can can definitely merge updates in a way the tops art cons. Catriel did have some questions about whether pcs is actually preserved. When that happens, so it could be the emerging updates to no effect or to no security. That.

V

Binky doc, as responsible ad just I, want to point out: please do not send the document to Dyess today is GE that has both options in it. Unless you have some like compelling difference between them, that would cause even want to pick, and you know if that means keeping both in the document and it's low per coin after work last call I'm totally fine with that.

F

Raha Robert again so just want to emphasize the update complexity and the last slide here so particularly for passive participants, which is all of them except the sender. There is a huge performance difference between art and tree cam, and we were saying earlier that we might want to have some recommendation on how frequently keys should be updated so in large groups, and we've been talking about up to 50,000 so far. That will lead to a lot of handshake messages, a lot of updates that all need to be processed by all participants.

F

All the time before you can actually even decrypt the next message. So that's a very high load during an idle time. Basically, even if nobody is really writing anything so trinka, Muses hashes, which are incredibly fast compared to public key operations or diffie-hellman operations like in art, so I think this is something we should absolutely keep in mind. And right now, a tree can on the performance side seems to stand out quite a bit. Absolutely.

C

So, just to compound the issue: Zekrom ention, this is Richard Barnes. In addition to the when do I, throw away state question, if you allow concurrent updates, you also have a question of what, when I want to update myself, what state do I build on top of I mean in in the worst case here you can imagine this branching tree of states that everyone has to has to maintain.

C

In Trika, so it seems, like you, start at zero, a updates, a a B and C update some and then someone updates on top of a be someone up, that's on top of B C, and you have at least this kind of woven texture of updates.

I

I mean so I, don't think. Maybe take this offline. I mean there's a there's, a temporary variable, because you I mean it's absolutely true that um so so I guess I mean when you say, updates I mean I mean any.

C

Any.

I

Any.

C

Given set um I mean so that may be records going. I think is that within any given set you you know, updates we're kind of flat and parallel, but when you do something like an add or remove that does bump-bump to the next.

C

Yes, and so you know, you do have to have kind of a convergence algorithm to decide on which of those states, because you need for them to choose consistently, or else you get ramification so that that's one observation I had another one, but I've forgotten it. The way forward I was going to propose. Is that I think we're going to propose at the end of meeting we get together in September and talk about things?

C

I think one thing it might be useful to do is kind of keep this ambiguous until then and like try and do some initial code see how big the performance difference is see. How big the message size differences are, and so we can kind of take some quantitative measurements to see how the different, how bad the differences look and I've just remembered. The other point I was going to make, which is I.

C

Think one I'm not sure if you mentioned this or you mentioned they have the same underlying tree structure, which seems to indicate that they can be hybridized, which is probably pissing off catriel and Karthik even more than they already are. But you know, if we see that say you know, updates are going to be super frequent, and so we want them to be performance and we're willing to take message overhead, for that. Maybe we use tree CEM for update messages, but for adds and deletes.

C

We use a rt4 because we want them to be small, I mean I. Don't have a preferred solution here, but I'm just wanted to point out that that those solutions, I believe, are possible. If we can, you know dot the I's and cross the t's and you know convince the a week we get assurance from the academics that it's okay to do that. So.

J

That would require multiple traits right same structure but different trees, because they keep the internal keys, are totally different.

C

The internal keys are derived in different ways, but ultimately they're still just the H keys. Oh well, so so assuming assuming we're using something like ec IES for the public key encryption. So assuming we have algorithmic consistency between the two.

Q

Comments from the jabber facepalm and it's from katrell and benjamin both Cheban.

W

Say if you decide to go for it with both options for now, I think maybe useful if we at least mentioned in more detail what the advantages and the disadvantages are, maybe in a separate draft or maybe in the same in the same draft I think that we will use from an implementation point of view, sure.

B

In Metamora- and we also know, respond to rafael comment towards the performance of the hashing, complete Richard and John. Correct me. If I'm wrong, there is still log n public encryption right. It's not only ashes.

R

Sure yeah.

B

Great.

J

How.

B

We move forward.

A

All right so we're going to move forward with NASA's protection Ben. Can you step up to the remote stage.

A

A German British.

D

Good, okay, sorry, okay, so right now, so I'm gonna discuss a bit of message: protection which is currently not in the draft next slide. Please again, please thank you. So, right now in the in the the protocol document are basically nothing about message, protection, which is obviously a big part of what we want to achieve here.

D

So there are multiple possibilities about that. We could actually to include the message protection part inside the protocol spec or we could do it with side. My personal opinion is that we could. We could put that in the photo calls back because it sort of makes sense, but we need to define anything so the the main point of message protection right is to go from the unshaken schedule.

D

That's been shown by many people before to go to the let's say: let's call it: the applications be scheduled so basically going from the epic secret, the group epoch secret to the encryption of application messages, and to do that. We did this schedule, this application key schedule and we need a set of algorithms and to define the objects with that. We really want to encrypt right.

D

Next site, so that's the current. That's what he's currently in the protocol spec right on shaky schedule. So basically it's does work for both after and 3 km. It's completely sort of separated, because the update secret, as you see on the left, is generated from the hood secret of the trick, M or arteries.

D

Then you derive a goopy goopy pop secret, which is basically the most important, the most important part of the protocol of the of the secret, because everything in the Hoopoe Park is going to be based on that thing. So, depending on the security properties that wants we'll need to keep that around or not for a certain time. It's it on right. Now the message master secret, which is which I called the application secret, because it's it's at the moment, used to to compute, keys, etc, is the most important parts.

D

What what what can happen is actually which derive the keys from that secret from the application secret so like basically completely splitting the the the uncheck part from the messaging part, while of course everything every keep a graphic, a keys that.

G

Is going to be used to encrypt.

D

Most application messages is obviously dependent of the of debug secrets in terms of security. Next slide, please so um from this application secret we could. There are too many ways of deriving keys right. We could do many things. We could directly hatch this application secret or we could expand, extract and explain this this secret to get a Adi GG's.

D

You could even directly imagine instead of having this application, this application secret hack tatted. You could imagine instead having directly expanding all the entries for the end participants at that point and I'll explain why it's actually a different approach, which has different security properties. So if you consider that you have this application secret, there are multiple ways of going right. You can directly who hatch at this group secret this application secret in two ways, either in interleaving, thus under contribution or in parallel, meaning that you can either for this application.

D

If you had one forged client and an hard set independently these this, these secret chains- or you can ask for each a participant to each sender, to Hajj, set its next message. Key from that, from the same, who touch it and those are very different, very different properties in terms of the security properties as some sort of the same, but the forward secrecy is not exactly the same because you need to keep around more more things in the case where you, your watch, set per participant.

D

So let me show you, let me show you the some examples next slide. Please.

D

So here is, for example, it's a completely example. Nobody thing is in the, but nothing is set yet and we discussed there are many. There are basically as much as as much as many different key schedule as you want, but there are basically these two categories of person who had set of box on the hatchet, so it is an example of who pockets.

D

You have like the initial application secrets from which you derive the sender, authorize an AGP and unknowns, and this application secrets is going to be hot shattered in a way that each sander is going to contribute to that hatchet. So this is this: is nice because it so loose to group each participant to keep one who project, but it's actually bad, because it it forces sequentiality of the of the updates right. So in some sense it's a it's not good for for parallelism, and it's actually it's very wrong for for out of order.

D

You can't really do it about messaging out of this thing next slide, please, and then you have the the per participant case, so you can next slide, please, where you could actually from the initial group application secrets, derive many applications, initial application secrets, one top participant and Hutch said this participant application see catch instead, meaning that is no completely independent. It sits under as it one hot shot. Basically, what's mostly what is done in current protocols right you, you had set independently.

D

Of course, we don't have the experience of multi-party but large experience of beauty, a large number of participants in in groups, but the for that scenario. The drawback, the benefit is that you can actually encrypt in in parallel and send messages in parallel out of order, even if you skip, if even if you here, there are two messages from the same sender as long as you keep the key n minus 1, you can recompute n, n, plus 1 and plus 2.

D

The the obvious thing is that this is for what you could, but this is not. This does not have pcs right because you are sitting forward, doesn't give you pcs only changing, and in that way, if you want pcs for messages, you only can hatch at the you need to update the group secret deepak secret, so that's very different. So there are three, basically the very different approaches.

D

Well one is you directly driving n keys or one group, an application secret or one application secret for each update to the group, and you only have one set of keys per participant for each epoch. Good or you can.

D

You can basically have forward secrecy for the keys of the the keys for messages, but you don't have pcs until you refresh to group secret. That's that's my understanding. Next next slide, please so that so the study I showed before was basically TLS, based, meaning that there is. Can you go back sorry and there is a from the application secret. You actually F expand level, an AGG and an HIV. So that's really useful because it's a it's. It's good for misuse!

D

Nonsense! It's good for fighting against using the notes, because for each message you can imagine you catching the participant application secret and you get a new idea and in you key, so you don't risk using the the notes.

D

So that's very TLS based because it's a it has like the right key and the right AV that are mixed in back into the application secret ratcheting chain, and there is the the next slide and there is a proposal. That's been done that boost proposals are actually input, requests right now on the on the repo. This is a proposal from alexei that basically is very similar. It's a powerful participant hatchet, where small, like signal in some sense why you expand both the change secret message, key nonce and you change the chain secret.

D

But you don't include the message key in the in the chain and bush. Both are reasonable approaches. We still I mean we can do any things.

D

As I said, all of those things should first come from defining exactly precisely the the security properties we want for messages for keys and for the group epoch secret, because those properties are very different depending on if you want and the the method will show that we have to adapt depending on which properties we want will be very different, typically rejecting rejecting the application secrets inside the same epoch, or only generating keys for for every participant once epoch secret.

D

Next, please so, as I said, basically to balance and I, don't see any good way of solving that problem now. So it's it needs a lot of description. I, don't think it's ready, but I'm pretty sure we can do something that works and I think everybody is convinced. After the discussions we had with each other informally that we can make it using any of those ways, but it's unclear what the exact security properties are at the moment.

D

So we need to define them more. So goes group hatching you reduce complexity, you improve so for what secrecy, in the sense that you don't keep around application secrets per participants. If you don't use them because you watch it everything, so you only one such application secrets- that's that's updated frequently, but it doesn't handle out of order and it's the opposite for the perversion or the profit thing.

D

Okay, next piece!

D

So in that setting in that setting one Becker, okay, yeah I, don't.

C

Understand this last point, which.

D

One we can forward secrecy, okay, so that's a sort of abusive term saying that you, you are for what secret, but the the the the duration in time where you keep the keys is different. If you keep the keys for like two weeks without updating the group secret or like two years or whatever you, you still have for you as long as you are for what you cut, it's fine, but the way you have to store the keys, you have to keep them for a long time.

D

It's not the same thing as if you touch it the key for every second or something so.

I

There's no message encrypted of them, so it doesn't matter yeah.

D

Yeah, but if you want hit one message and then you keep out the next key for the next for the next message encryption and you wait for long time, then you you can lose that key, and this key is gonna, be useful at some point, III.

I

Don't understand this, this doesn't seem like this is a policy right. I mean.

D

First of that,.

I

If the group with the group is ratcheting, then the and every time if the group ratchets, then then you afford secrecy because the key to the whole Keys pulling away and forward to Chris's back you already.

V

Beat the.

I

Future kids we've already been used. So if the keys just sitting there like this, it has never been used at understand what the problem is.

D

All the group it's.

I

Fine.

D

But the point here is not necessarily to like the point of the weekend for what secrecy is like it as I said so in abusive term to say that we should also consider in this in doubt and the security measurements we do like in the security proofs.

D

Keeping your own keys is always bad right, so my point was just to say: we should be careful all along. We keep the keys when we do that. That's fine, that's all I mean I, assume.

I

Keys which don't used to encrypt anything so I think keep them around is probably ok, I, guess that maybe was some formal property referring to but I'm, not following with actual security property. You're trying to talk about it so maybe be able to I mean III. Guess it's probably not practical to do at this particular point. Ok,.

D

Might be nuts but.

I

Because I don't think it's a high point in determining which of these is a more attractive protector system but uh but but I also I.

D

Mean anyway, I do agree that the participant 1 is the abuse, is a preferable choice. I mean in my opinion, but I didn't say that ok can I go on a you, have one more slide and then ok can you go to slide 11 next, one again the getting the next one again, please, oh yeah, this one. Okay, so there are, as I said, there are two to pass. We need to handle the application fee schedule and the message protection itself yeah the encryption I think for for for the message inscription.

D

We can use very straightforward things like AIG encrypted voicing as discussed before in emerge. Talk I. Think there is the padding issue, so I wrote some initial text in a pull request and I'm in favor of as I said before, I'm in favor of patting I mean I'm in favor of MLS, providing a mechanism and leave it to the application to decide all to use it. But my point is that we should not like lick the length of the application they suggest to everyone for which for 4h encryption and then they are depending on.

D

Oh, you want auntie Kate. Currently the the authentication is done by using signatures, depending on oh you, authenticates. There are things that you should, but inside the ciphertext, or not typically right now having the signature for authenticating the participant strongly meaning knowing which educating the specific parties a specific center to other parties. Members of the group is done using signatures in the current setting.

D

We can actually encrypt that signatures in patches inside the ciphertext and it could be safe because we have an implicit or education for party on the fact that if you can decrypt the ciphertext, it means you have the idea, the IAD keys to decrypt the ciphertext meaning you are a member of the group and that's all next next slide. I think so in a way to move forward is I. Think since now we have nothing in the in the text.

D

Safe approach would be to defeat to define an initial message: protocol protection text, where we use something very straightforward, that I think people can reasonably agree on typically having like per participant purchasing scheme using ahd, ciphers, optional, padding and optional signature of the of the plaintext. In the ciphertext- and there are basically two pull requests on the on the on the specs. That Poe is that and I see cam done.

C

So yeah I agree. We should go ahead and get some stuff in the document here, I'm put a stake in the ground and start actually. Writing is protocol in terms of the key schedule.

C

Could we skip back to that slide as I figure, it's probably going to be nope forward the comparison one that one for me, the kind of killer app for the group ratcheting is the reduced storage. If I'm in a 10,000 person group in order to get any forward secrecy, I have to generate and store 10,000 keys.

C

Constrained devices and wave and wave I mean, but also these divine Yahoo I've got a an account. Then you know an app that has you know it's in 2,000 groups, maybe so I think that that complexity advantage seems to me worthwhile to do the group ratcheting the thing at least to try it I, don't think the out of order thing is going to be a big deal, but I think that's something where experience will be helpful in determining whether it is actually empirically a big deal.

C

I think much like the the a RT versus tree came here. I think what we should probably do technically is pick one of these go with it, but keep the other one in the back pocket if we need to switch it out. I think this is a component that can be fairly modular lease with the swamp and swapped out in the future. One other thing I would push back on. The last slide is the this idea of optional signatures.

C

I think we, my assertion here, is that we always want to know where who a message is coming from I. Don't have any use cases for generally getting message that came from someone in this group and I. Don't so I would propose that we make the signature field mandatory built in always they're part of the message protections. My.

D

Take on that would be that maybe we can do it for unchecked messages and leave it to the application to design for the for the application messages. I.

C

Mean to a degree any work on a message. Protection format here is kind of optional for applications.

C

Els, like the G TLS SRTP, uses the TLS handshake with SRTP encapsulation, so I mean in principle. You could do the same thing here, but I think for the default case. We have here. We should go ahead and and have that level of direct authentication.

K

This is dkg I've, just gonna plus one would echo said earlier about not seeing the forward secrecy. Advantages that were claimed for for group ratcheting and that yeah precipitous, been spender. Sender seems like the clear wing to me.

I

Yeah I said that Richard and I have a philosophical disagreement about the level of locks deafness of this protocol.

I

So um my concern actually is less about then necessarily out of ordering that about the receivers implementation of how much we know he needs to keep of all keys and, like we've spent an inordinate of time in quick and NLCS, trying to reason about like what happens when things get really when you can cut over from state a to state B and then get like these messages from, like you know, random people, the mailing list or not random people, saying like I, have found in this case, where, if you do the following 19 things like things go to yet and like so that, and what those things trying to is like incredibly ornate receiver side, algorithms for freaking out where you can timeout keying betrayal and given that, as far as I can tell the only effectively only cost here that anybody that is actually bearing is 16 not 16 to 32 octet submissive state for like basically for peer and that, like every messaging app, which I'm familiar like a keeps like the transcript for the messages and be like keeps a list of everybody in every group and and all those things like much larger than like the Nike material I, just like that, seems like a ripped making like a lot of program like City, for like like the first economy, is saving like a really really small amounts of data.

I

Just does not seem like a reasonable structure.

F

Yeah refer over it again. Can we go back to the comparison slide so initially at the same reaction, then Richard when I sort of all the state, but then and more. We take her when you really think about that. What that means? It's, we we talk about kilowatt and it's also not clear if we have to keep all of it. Potentially, this is only between two group stages and where we have to keep stuff, we don't have to keep things for passive participants in very large groups. It's potentially still not a lot of state.

F

We have to keep so my opinion. This strongly strongly favor the second one for the participant ratcheting, because the other one means that we might again run into the servation problem if we conflate that with handshake messages, so we typically would expect text message to be relatively high frequency compared to a handshake messages, which means that there is a real risk of starvation there, which we don't really have. If we have a per participant ratchet.

K

This is a decay cheap rock scene for Karthik Karthik asks it is unclear what the security guarantees of application key ratcheting are. It only provides forward secrecy against a very weak attacker and only if all receivers, including passive receivers, regularly delete all the application keys. So a question is: do we even need application key ratcheting as long as the group, epic secret, is frequently enough, updated.

D

Exactly so, that's the that's. The thing I mentioned at the beginning, at the very beginning of a PCS, about directly extracting one set of n keys for son, dr epoch secrets directly at the beginning and depending on the exact Prakash's we want that might actually do a new one of the only way to get the PCs for the check message for the application is interesting, and maybe so maybe, while you are a child here, you can talk about. I didn't mention the the new three bays.

D

The application key schedule thing that we were thinking about when we can give a word on that too, because and I think I've forgotten what it was. We talked.

C

About so basically,.

D

We discussed the fact that we might be able to improve on the storage for the participants, a cheating thing by having a tree structures to store the the yes.

C

Now so you could build a structure where you had started with an application secret and you know hashed it in two directions to cover halves of the group and then so on out. So you have to the leaves to seed out those roots, and that way you could only store intermediate nodes in the tree and an opportunistic the generate things as people transmit. It's a mild optimization over the person. They're ratcheting I wanted to come up and respond to eckers notes about reordering I expect on this topic.

C

We actually don't disagree about lockstep, penis, I'm, fully um I, don't think, there's any need to assume lockstep for messages. I think there's a sort of reorder in here we're gonna have a reordering window in the receiver and I I. Think that actually argues for the grouped ratcheting, though, because if I've got a buff, you know a fixed-size buffer for real for maintaining keys for reordering in the person they're ratcheting I've got.

C

You know I've got to maintain a number of participants times reorder steps keys in order to have reorder steps keys for each participant versus in the application. In the group ratcheting context, I only have to maintain reorder steps keys. Now you disagree.

I

The issue is that into a participant, reordering is much more extreme than interpretive reordering.

I

So, if like, if I I mean that like what wrong way which participant gets reordered right in one way, one which worrying happens is I is I, send a message we might end current key, but I'm not online, and so now I come back online in ten minutes and now that message is like way to hell, reorders, but everything else, and so, um and so, but that's like different, but but if I reorder like if message you get reordered between the things that transmitted, it's generally common, that that you know that what's happens, you had a message loss so that we were transmitted like almost immediately, but so that really mean if you're also be narrow.

I

But if you want to be able like, if you, if you mean look to the math, if you have a group that has you know your group, that has you know the ten messages, a minute which is an uncommon um and you're offline for ten minutes, you're, not looking you're. Now looking at like a hundred messages wearing window. My ten minutes like easy right am it's like is a different. You know your cargos in the tunnel or you know you're you go in the elevator, and so um so II was just uncomfortable, but.

C

Even in your example, I have to maintain you know a hundred messy back log of application secrets in order to be able to do that reordering and which is a lot less than you. Ten thousand. That was the size of the group. Well, I.

I

Depending on like how much were in really tolerate I mean, like I, seen slack messages ruler for hours, two days, um someone you know, so he was an airplane right on, but um more generally, you also don't need to retain. Like you also don't. The only reason is that the only reason that you think you need to retain on like a long ass, a long wind like that is it's like the research is a strike right, mister right!

I

um So basically um you know you don't need it like, because the keys are generally argent are generally a forward chain right. What you, basically, what? Basically, that the dynastar she maintained is effectively the next hop and is basically all is basically like.

C

Okay depends on how you bought that does number waste a bullet, I think in Benjamin's proposal. It's not a strike register because the the application keys aren't single-use.

C

So so you could do it by maintaining a single end key like they're, the first thing from which you can drive for you in any.

I

Case like I'm, not sure how to resolve this, but like yeah, like you, you see I using it under some under some impression that, like the amount of storage of L to the client, is incredibly small, whereas these clients are like an enormous amount of storage um and they're, very powerful and like and and and by and large I say they they store, that they store the transcript all the messages which they can amass.

R

A larger and like any possible.

I

Suffolk a material so like, unless you can demonstrate that light. You know it's like, like is like I, want to see an argument that, like use the store like mounds of data that are comparable to like you, know the size of like the photos of your iPhone before I'd, actually can throw this being an issue.

X

uh Matthew Miller I think at the end here, I'm, basically just agreeing with that career and I think it is important to remember like when we're talking about high transmission. You know high frequency of transmission, sometimes groups get super super SuperDuper active and trying to deal with that kind of problem. I mean I've seen this in the past with other clients, where per per message ratcheted keys are in use and there's been. Essentially, the group becomes unusable for a people for a period of time until everybody finally sinks back up.

X

So if anything I'd either be arguing for you know the per participant, Center or just not worry about it for right now, it's.

A

Our clothesline after John, so we have time for the.

B

Next presentation tomorrow, I agree with a correct story: local authorities, at least concerning this protocol, like whatever lies, how to design this so III disagree with supporting their it points at how come this historic is an issue for person directing I also think the other one as the course it is wrong. So I guess there is no red, actually things with person directly I think it's it for me. It's intuitive. It makes more sense.

J

John Milliken, so I I just wanted to respond to a kiss point, but I I do broadly agree with. Actually that I don't think. We need to worry too much about storage space, but I like to be careful that we don't build for modern iPhones and we build for low-end, circa 2012 devices or something because we still support them in.

L

Cosmetics have just we were briefly chatting on the jabber, came to the conclusion that if you want per per participant signatures, which Barnes said he wants, that means you need the each person's public key, which is gonna, be a lot bigger than this key anyway. Also.

C

So Benjamin it sounds like you and I should chat, and you know game out some models and provide some quantitative estimate on what we.

C

Thanks Ben thank.

O

You yeah.

C

Authentication and Oh gets quicker.

C

All right, so those of you who have read the protocol draft recently have seen there's a fairly basic, fairly naive authentication framework in there assumes that each participant has a long-term identity key and that user, in it keys and group in it keys, are signed with those identity keys and in the group in a key case.

C

We also include a proof of that proof that the add that identity key is a member of the group by committing to a Merkel tree over the identities in the group and have providing a proof of inclusion in the group feedback here.

C

Okay, that's what I was hearing a little bit. Likewise, when we have when we send handshake messages, we include a signature by the identity key and a proof of inclusion. One thing we'll need to keep an eye on as we go forward, is that you know the authentication we're running it and long run is going to be about identities.

C

You know email addresses or usernames or something like that, not public keys and so we'll need to add credentials at some point which we don't have in the current draft so want to step back briefly and think about requirements for authentication. What do we want to verify at one now? This is again to the academics. This is not the precise definitions, it's kind of taking a functional view of what does you know a participant in a group want to verify at different points in the life cycle. If it's it's interaction with the group.

C

So when a client connects to the group, it's going to want to verify who the other members are in the group, so it knows who its encrypting to when it encrypts to the group. So this is something in which I think Karthik and Benjamin might disagree on, because there's some ideas that you might just want to know that when you receive something it's from the group, and so you might not care about who the other members are in the group.

C

Likewise, when you receive a message, you want to verify something about who it's coming from I'm, going to assert that we should verify the precise identity of the sender either. At you know, a user level or at a device level.

C

You could also argue, as I think Karthik and Benjamin have that you might want only want to verify that at the group membership level, we can have some discussion about that if I'm in a group already and someone joins, will need to have a way to verify the identity of that new member.

C

It's kind of update the roster we have the raw, so the client has the idea the client has of who's in the group and when we remove the interesting case here, one that's different from the others is that removal requires knowing a co path for another node. So this is different, because it's not about identity verification. It's about verifying that you have the same crypto state as the rest of the group. So just to graph that out.

C

If we imagine the case where a node F in this industry wants to evict node J as John was detailing earlier, F needs to generate an update for J, which means it needs to generate those or solid orange nodes on the paths from J to the root and in order to generate those nodes with a new leaf value for J. That J doesn't know it needs to have those orange outlined boxes on one of those labeled I and there's other an arrow pointing to the other but F under normal.

C

Otherwise, operation of the protocol, ignoring removal, is only going to have its own direct path and public keys for the co path, and so it needs to have a way to authentication distribution, to distribute the notes.

C

But but more importantly, eff needs to be able to verify that when it gets these Co path, nodes from some source that they're the right, Co path notes- and if you, if you want, have to be able to evict anyone else in the tree, then it needs to have the whole state of the tree needs to have the co path. For every note, which means it needs to have the public keys for every node in the tree, and so we need some channel for authenticated effectively authenticated distribution of the tree.

C

So we have kind of two classes of authentication problem, authenticating identities, authenticating the tree. We also kind of I'll say functional kind of points in the lifecycle of the group, where you need to verify things.

C

You have points where you are already a member of the group and you're trying to authenticate something about the group, so I'm an incremental change about the group, and you have the initialization step where you're joining the group and you need to initialize your state with the authenticated roster, so I kind of treat that on connect, initialization question as separate from the once you're connected to the group cases, so I think these post Connect cases are a little bit easier in particular message. Okay, authentication is is really just a signature.

C

Vendor might want to make it optional, but I think we should. We should require this in the current draft. We include a signature together with a membership proof. You know that proof that the identity key that signed the message is recognized or part of the Markel tree of identity keys. That was committed in the group init key. That kind of defines the group, that's handy.

C

If you only want to cache on the endpoints that commitment, the head of the Merkel tree and not worry about storing the entire list of identity keys, but you know maybe we're not worried about storing a ton of stuff and we're willing to cash all the identity keys. In that case, you don't need the membership person we can leave them out of the protocol and as Benjamin just presented there was, you know, he's got some stuff in his pea about how exactly to encode the signature.

C

It's not you know, there's no magic, it's just a signature ever the message to authenticate that it came from this public key for authenticating, new joiners I. Think it's! Similarly pretty simple. It's going to be about signing this. The user init key, that's presented as part of a group initiated ad or the user. Add message: that's presented as part of a user initiated ad signing that those the content of those messages with the identity key and presenting a credential at that stage.

C

I think the the concretely and I forgive I apologize for presenting this a slider and not a draft, but I. Think the right answer here, which will probably get it in draft soon, is something that kind of looks Sigma like.

C

So, if you're familiar with TLS the way the thin ocation is done in TLS, is the authenticating party sends a certificate message that sends a certificate verify message with a signature over the handshake, transcript and the certificate, and then it sends a finished message which has a Mac over the handshake transcript the certificate message in the certificate verify message, so you have effectively a a consent of the private key holder to join the group and then with the Mac under the new group, key a kind of consent of the group member to have that identity.

C

So I think we can kind of map that into this group space by doing by maintaining some transcript hash, which I'll talk about on the subsequent slide, maintaining some transcript hash, assuming this lockstep handshake process, assuming consistency and then at incorporating that into the message authentication with the signature and the corresponding Mac.

C

So so that's kind of the cases where the authenticating party is already a member of the group or where the part they're relying party verifying the authentication, is already a member of the group.

C

Initialization is a little more challenging because it's linear size and Linear's not a word. We really like around this group. You really prefer log or constant things, but you know when you're talking about the list of members in a group, that's kind of irreducibly linear size. You have to talk about and things and when we're talking about also authenticating the tree, you have to n intermediate tree nodes roughly give or take you know, plus or minus one or two notes.

C

So it's roughly twice the number of participants in the group, so we have kind of identities and identity keys to talk about the members of the group and then roughly two entry nodes I mean, of course we need the authentication information to prove. This is all correct.

C

One observation, I think is useful. Here is that handshake messages that are exchanged in the course of the protocol carry a lot of the information we're interested in here. So whenever a node sends out say an update or a user add they are sending out the public keys along their direct path to the root. And so, if you watch the activity of a group over time, you can build up the state of the tree.

C

In particular, if you observe the last message sent by each participant in the group, you can kind of stack those on top of one another, and then you have the you know the the state of the tree. At the end, this is kind of nice and if you have the authentication and then the information you need to authenticate that those are from real members of the group. You have an authenticated copy of the tree and you know the identities of the participants. So this kind of suggests that we could use messages themselves.

C

The handshake messages that have been sent within the group as a way to distribute the tree and to distribute the roster so like I, said, if you see the tree or if you download it from somewhere or if you see these handshake messages or if you download it from somewhere, you can reconstruct the true the public state of the tree as it is agreed by the participants. Now it's you know, I said we hated linear stuff is even worse than linear.

C

Now we have n log n things to download, but again I think that's it's not unavoidable, but it's better than some alternatives. You can imagine one challenge here is that if we, if you're going to take this approach of using the messages, you need to verify that, so you want to make sure you've got the latest message from each participant and that the server has it's kind of injected a message in sequence or omitted, one injection being a bigger risk.

C

So you need to have some idea of the whole sequence over the set of messages you need.

C

So, in this case you know, see, updates and then APA and then B and a update at the very end, and so you need in order to get the tree. You need those messages from a B and C, but in order to trust that those are the correct messages for you to build your tree off of you need some information about all of those messages in the middle and so now we've gone from linear to law and law. Again now we're at you know, lower bounded by n log n.

C

We may need more I think we can do a little bit better than n log n, though we've already said that we need some degree of hash of transcripts, recording we'll need. You know transcript hashes to do this signal like stuff and so we're already kind of it's kind of hints at building a hash chain out of handshake messages. So at the bottom here I've got kind of a cartoon. You know you, you initialize off some hash and then, whenever you send, they have a handshake.

C

You hash it together with the previous handshake, hash and and has shane along in that way. So you can imagine you know distributing these. The the handshake messages that you need in toto to build the tree along with basically the sequence of hashes that demonstrate that there is a sequence. There is a sequence of handshake messages in the middle of the connects these, so you at least know that you've got a subset of subsequence of the the actual sequence of handshake messages.

C

Likewise, one thing Rafael and I- discussed that at the hackathon last time, when we first realized we had this tree. Authentication problem is that you could encode in the in the group in a key, a commitment to the current state of the tree, and you know we like to use Merkel trees for commitments because they compress you down to one hash value, and so the figure on the right here is a tree on a tree.

C

Nice thing about the tree, stroker we're using is that it can very easily be mapped to a flat list of nodes, and so you could take the actual ratchet tree at the bottom. Not those nodes up into a list and then build a Merkel tree on top of that. That would give you a commitment to the tree, and so now you've got assurance that the message of the handshake messages you're getting are correctly from the sequence of handshake messages.

C

You know the handshake history of the group and using this commitment to the tree, you can verify that the tree you've built out of those messages, has the correct uh.could the correct collection of nodes for the whole tree.

C

So this is very much kind of how should we do things forward? This should really have been in the draft if I were doing this that properly. But this is basically my rough proposal for what I think we should be doing to build out an authentication infrastructure in the next groove of the draft. It's obviously needs a lot more detail in order to be implementable in the room, be really protocol, but I thought I'd presented here too to see if it was looking plausible to folks.

C

So the rough outline is that, for these post connection, cases where I'm, verifying individual messages or her own joins to the group will have just you know: signatures as you would expect, and for joiners, where we authenticate identities will have some signal like thing we're rehashing where we bring in transcript the hash of the prior transcript, and we do the signature and Mac dance to cover credentials and have the counter signing account or Mac I guess from the group membership, but then for initialization of new joiners.

C

The will take the approach of using the the messages themselves as the distribution channel there. As the things we expect to be passed around by the distribution by the was a delivery service. You know somehow that the delivery service will range from this much stuff to get passed around so that endpoints can members of the group can you know verify that they've got the right sequence. They can build up the tree. They can verify the identities that have sent these messages. So at this point, I'll just open up for discussion. Does this look good?

C

What looks good? What looks bad? What looks challenging? What did I screw up? Consider? Let's.

A

Start with Karthik from online.

A

And he disappeared: okay, get back in the queue Karthik and will add you John, okay,.

J

John Milliken, so a couple of points. One is that in in the situations where, where clients do have a full list of the people involved in the conversation, why so for the remove case? Why not just store the entire tree on the client? Because that's it's still, it's only double the size right. It's there's! No order of magnitude. Difference, yeah,.

C

Yeah I mean, if I think, that it's totally plausible that you could have clients store the entire tree locally. You still need to initialize I. Think the hard part is initializing. Your new clients with with the tree not.

J

When.

C

When they start out when they join, the group show so.

J

But a couple of concerns with your proposal: one is the ship. It's seems to require the delivery service to store a lot more metadata longer term about the conversation and I think. Potentially, a lot of us would like to avoid that, if possible,.

J

So this wondering why not have just a have the service store, the entire tree and the commitment from one of the members to the tree in a Merkle tree yeah.

C

So Rafael and I were talking about this yesterday and one of the things he observed was: if you have this commitment to the the tree over the tree, then the server could you know, cache the tree and deliver that to people safely and the server could strip out the identity information of messages. It only needs to keep the tree bits of the messages show and not the identity. But so you could reduce the amount of metadata that way.

C

You'd still ultimately need to get the identity of information somewhere sure so that you know who you're talking to, but you could get that in a peer-to-peer fashion, but.

J

This then may reduce the requirements to Oh n storage of the of the tree states. Various three states now that's true, yeah, yeah, okay,.

A

Will do Karthik now I.

O

Guess.

O

First is that we seem to be responding check transcript for for the Sigma and I would like that. The group secret box is already mixed again pretty much attention, so we might be drive some the box secret. You know, that's a slightly more concern is that, although we are thinking that well.

O

Read I suspect if we end up update, because yes and if this is all compromised, then we can't just say that we got your key indicating voltage we want to roll to, which means we need student, fresh signature and somehow he and so on. So I think it's a bit more. You want come from security code, signature and then.

C

That was a little bit garbled here. The thing I was nodding about at the end was that a and I thought I heard Karthik saying that it's difficult to get post compromised security with regard to signature keys, as well as the the contributory leaf leaf secrets, we're talking about here of the confidentiality keys yeah. So that is a property of the proposal. I'm making here is the identity. Keys are long lived, and so this doesn't this. This game overall doesn't provide pcs with regard to the signature, keys, I, think I.

C

Think Benjamin has thoughts um about how you might do that by say, initializing with proof, by with a long term key and then doing future signatures with a different key authorizing a different key that could do future signatures that personally I'm less worried about these authentication keys than the confidentiality keys. Although I'm not sure why I say that would be interested in people's thoughts about whether it's worthwhile the to aspire to piece some sort of pcs with regard to signature, keys, I.

M

Lucia Ballard from Apple again um so I haven't seen this before. So it might be misunderstanding. But what are the authentication properties for receivers of messages like if there's a someone who hasn't sent a message for a long time in.

D

The.

M

Group, how long does it take for me to verify that they are in fact I think they are when I'm sending a message to them.

C

So, just to make sure I understand the question: are you saying there is a sender who hasn't sent for a long time and now they send and the question is: how long does it take for the receiver? What was the effort for the receiver to verify their identity so.

M

It's the other way around. So if.

C

I'm, a sender.

M

And I'm sending to a large group and there's some like silent members of that group, but I want to make sure that their identity is in fact the identity. I think it is. How long does that take time so.

C

You may have had so the situation with a sort of Rises like you kind of senators offline for a long time. He may have missed some folks joining the group and he's.

D

The updated.

C

State it's an interesting question. I had mostly been thinking about this, as in the context where you are seeing joins as they happen. I.

D

Think.

C

The way I would be tempted to think about that the simplistic way it would be in kind of a fast forward context where I, the the the simple long way you might think about building is to have the server cache the handshake transcripts. And then, when someone comes online after a long time, they just Elmo does as the fast-forward version of the handshake transcript, which means you gotta read forward, but you're gonna have to do that anyway, so that you have them the confidentiality keys.

C

You need to transmit, mmm so yeah I think it's it's a little expensive, but at least the messaging overhead you can offload to a server and a server cache.

A

Well have been asked the next question and then because there's a few things after this way.

D

Okay, so, regarding your last point, deniability the original so tired- and that's why I said optional signature in my when I discussed, it is because I I don't like I personally, don't like the idea of signing everything with the long term identity key, but that doesn't mean we can't get better privacy out of it. As you mentioned we could.

D

My thinking is that we could actually use ephemeral, signature of keys for get to at least you get FS for signature keys, I'm, not sure about pcs, but at least you get FS and the general deniability point is: if you you could I'm, not sure we might get in a be able to get deniability if we rapture the link between the initial ethanol signature key from the long-term identity. Key by let's say the user is establishing one-to-one deniable channel to send is own private initial XML signature key.

D

So there are, there are things that we could do to get better things, but we need to think a bit more about it. Well, in general, I mean I'm. Not a magician is that we should not sign everything with the long-term identity. Key.

C

So what I wondered is kind of in terms of order of operations? It seems like these schemes for forward secrecy and signature keys, which maybe adds up to deniability, are sort of additive yeah, in the sense that you could take a scheme that doesn't have that property and add on to it a mechanism for authorizing short-term scientist, ease, so I think I wonder if we should go ahead under the assumption.

C

For now that we have long term identity keys, and then we can consider later how that might be extended to have short term kind of signature, key rotation. Okay, that would be my operating concept. Almost you think that that would be. That would make it too difficult to address. It wasn't clear to me: it.

D

Might be fine I.

H

Think it's awesome. Chef yeah I think that if we have that basic assumption of identities that being more trusted, then this is a good good start to go and we'll refine delicious. If that start with Sigma, like protocols, have some issues and I have maybe some basic equation, which is continuation of one of previous equations?

H

Do we want to give some exact combinations about the users that really want to be anonymous, but that want some mechanisms that may be outer Bank mechanisms so that they are direct receivers of messages or senders to them can verify their identity, but should we provide some out of bed mechanisms for that, or should we just if some recommendations have to do it? So if I am the new user, I, don't know anyone in the group and no one knows me, but I know someone in personal and I want someone to trust me.

H

What is the mechanisms for me to be able to prove that I am program? There are a lot of techniques in existing messengers, for example, in Vicker such that video call is just pronounced in your public key. There can be some techniques based on Peck, for example, if you just transmit as short as four times and uses just indicates a shortened session, those indicator of your public key. So there's a lot of variety of options.

H

Could, if clarify, what's your current positions on this and do we want to clarify this, because we really want this to be to protect an immunity of the users who want this yeah.

C

So I think I've I've as I think in my head mentioned I think for to a large degree, the authentication service itself is fairly separate from this. We need to have an integration point which I've called credential here, but I think we can keep that integration point fairly abstract, so you can think of it as a certain. You know normal x.509 certificate if you want, but you could also insert something it's like.

C

If you want to do a fake thing, you could put something in there that would say commit to a fake output as the identity value there. The important thing is, you need to identify to bind the identity, which is the thing you're going to use in the authentication system to the public key with that you're going to use it in this system. Yes,.

H

And I take point that really it's maybe unrelated to your current presentation. You have a point of integration and it's all, but regarding the group at all, maybe your slides are more related to the things that any other. So should we think of putting some black text to secure considerations about recommendations or techniques for initial authentication, because I think that it's one the crucial point for practical security, for example.

H

If you know a lot of strange stories with telegram in Russia and ways, fight between enemy, anonymity of the users and the mechanisms to protect this I think that it will be really good to add some recommendations about how to protect privacy, but to be able to trust the US we want. Maybe, as a new group that has been developed in IR, AF PRG will be a good place to discuss this issue. Yeah.

C

I think that that's a totally good suggestion it puts you, know kind of an outline and security considerations network with these privacy talks to to elaborate some other options again. Thank.

A

You, let's be very brief, because we have to do a home and we have three minutes left.

F

Rafa Robert again I try to be brief, two things, so one is both compromised security and there it was mentioned that there is a bit of a gap between the signature key and their group secret and so I know privilege setting you can compromise both if an attacker has access to the local storage of a device, but there might be other ways of compromising the group secret where pcs is relevant. For example, when there is flaw in the crypto level in the and check messages.

F

Basically, you can get access to the group secret, but in that case you still don't have access to the signature key. So in that sense, your gut feeling is sort of justified there that the signature keys are actually better protected because they're not being negotiated over any protocol. The other thing is the last point on your last slide and that is deniability. So I've had a number of offline discussions with a number of people and the really the only common denominator. There is that everybody feels about it very strongly.

F

Some of them are in favor of it. Others are absolutely opposed to it and they don't seem to be any meaningful common ground there for some consensus of what could be done so I think personally, the the only way of going forward is to have optional deniability, and the practical proposal here has been that we use this Sigma like mechanism to distribute an ephemeral signing key in a one-to-one way. So this would practically work. Unfortunately, it's quite expensive, so it would be fantastic.

F

Of course, if someone has an idea on how to make that more efficient, but it would be a start. Okay,.

A

D, could you any quick comment? We've got like yeah, so I.

K

Just wanted, can you go back to the the signature thing just wanted to point out, there's a particular potential user experience.

K

Confusion here that we should give guidance on in the draft, which is that you could in this scenario, you could have a validation success for one for blue, say and the validation failure for red and if we think that any validation failure should cause the same failure, that's fine, but if we think that there's something else that happens in some other way, we should just be very clear that we expect both of them or none of them I think they both need to pass or if the message to work right.

K

So then, but then, if the inner one fail, if anyone fails, what we're now saying is that the Mak like you're not treating is that there's a Mac failure to.

D

Think about.

C

What the.

K

Consequences are there and we should put put guidance in the draft about what to do. In that case, absolutely Thanks. So.

P

I think the key point here is that we know that there's a lot of open issues in the protocol draft um and I think that that's perfectly fine, because otherwise we'd be done in one meeting right. That's not really the goal, but I would like to get the working group process started and actually get that document adopted into the into the working group. I see a show of hands who's read the protocol document good, a large number. We are now going to hum for working group abduction.

P

It is not set in stone, it is not done. It's gonna get revised, so this is not like. What's in there now is gonna stay because we know there's stuff, that's missing in the line arts. So please hum now, if you would like to adopt this as a working group item.

P

For Martin, if you would not like to adopt this as a working group item, please home now, okay, so it's pretty clear. We'll definitely take it to the list. Pkg was there stuff in the chopper. Only.

K

A hum of adoption, on whatever to excellent.

P

Thanks so notes up here, some other things that we obviously have to talk about. We are planning an interim since we kind of ran at a time here. We think we could deal with some real head-to-head time for like a day or two we're not quite sure when that's gonna happen, but right now, the Nexus of people that really are working on this or in San, Francisco, Berlin or London, so think about that NDC.

P

So we'll get back to you, you'll start seeing some messages on the list about confirming adoption of the to working group jobs. Thank you very much for your time.