KT Working Group B. McMillion Internet-Draft 6 March 2023 Intended status: Informational Expires: 7 September 2023 Key Transparency draft-mcmillion-key-transparency-00 Abstract While there are several established protocols for end-to-end encryption, relatively little attention has been given to securely distributing the end-user public keys for such encryption. As a result, these protocols are often still vulnerable to eavesdropping by active attackers. Key Transparency is a protocol for distributing sensitive cryptographic information, such as public keys, in a way that reliably either prevents interference or detects that it occurred in a timely manner. In addition to distributing public keys, it can also be applied to ensure that a group of users agree on a shared value or to keep tamper-evident logs of security-critical events. Discussion Venues This note is to be removed before publishing as an RFC. Source for this draft and an issue tracker can be found at https://github.com/Bren2010/draft-key-transparency. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 7 September 2023. McMillion Expires 7 September 2023 [Page 1] Internet-Draft Key Transparency March 2023 Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 4 3. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Basic Operations . . . . . . . . . . . . . . . . . . . . 5 3.2. Deployment Modes . . . . . . . . . . . . . . . . . . . . 5 3.3. Security Guarantees . . . . . . . . . . . . . . . . . . . 6 4. Tree Construction . . . . . . . . . . . . . . . . . . . . . . 7 4.1. Log Tree . . . . . . . . . . . . . . . . . . . . . . . . 8 4.2. Prefix Tree . . . . . . . . . . . . . . . . . . . . . . . 8 4.3. Combined Tree . . . . . . . . . . . . . . . . . . . . . . 9 5. Preserving Privacy . . . . . . . . . . . . . . . . . . . . . 11 6. Ciphersuites . . . . . . . . . . . . . . . . . . . . . . . . 12 7. Cryptographic Computations . . . . . . . . . . . . . . . . . 12 7.1. Commitment . . . . . . . . . . . . . . . . . . . . . . . 12 7.2. Prefix Tree . . . . . . . . . . . . . . . . . . . . . . . 13 7.3. Log Tree . . . . . . . . . . . . . . . . . . . . . . . . 14 7.4. Tree Head Signature . . . . . . . . . . . . . . . . . . . 14 8. Tree Proofs . . . . . . . . . . . . . . . . . . . . . . . . . 15 8.1. Log Tree . . . . . . . . . . . . . . . . . . . . . . . . 15 8.2. Prefix Tree . . . . . . . . . . . . . . . . . . . . . . . 16 8.3. Combined Tree . . . . . . . . . . . . . . . . . . . . . . 17 9. Update Format . . . . . . . . . . . . . . . . . . . . . . . . 18 10. User Operations . . . . . . . . . . . . . . . . . . . . . . . 19 10.1. Search . . . . . . . . . . . . . . . . . . . . . . . . . 19 10.2. Update . . . . . . . . . . . . . . . . . . . . . . . . . 21 10.3. Monitor . . . . . . . . . . . . . . . . . . . . . . . . 21 11. Third Parties . . . . . . . . . . . . . . . . . . . . . . . . 24 11.1. Management . . . . . . . . . . . . . . . . . . . . . . . 25 11.2. Auditing . . . . . . . . . . . . . . . . . . . . . . . . 25 12. Security Considerations . . . . . . . . . . . . . . . . . . . 27 12.1. Contact Monitoring . . . . . . . . . . . . . . . . . . . 27 12.2. Third-party Management . . . . . . . . . . . . . . . . . 28 McMillion Expires 7 September 2023 [Page 2] Internet-Draft Key Transparency March 2023 12.3. Third-party Auditing . . . . . . . . . . . . . . . . . . 28 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29 13.1. KT Ciphersuites . . . . . . . . . . . . . . . . . . . . 29 13.2. KT Designated Expert Pool . . . . . . . . . . . . . . . 29 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 29 14.1. Normative References . . . . . . . . . . . . . . . . . . 29 14.2. Informative References . . . . . . . . . . . . . . . . . 30 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 30 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 30 1. Introduction Before any information can be exchanged in an end-to-end encrypted system, two things must happen. First, participants in the system must provide to the service operator any public keys they wish to use to receive messages. Second, the service operator must distribute these public keys to any participants that wish to send messages to those users. Typically this is done by having users upload their public keys to a simple directory where other users can download them as necessary. With this approach, the service operator is trusted to not manipulate the directory by inserting malicious public keys, which means that the underlying encryption protocol can only protect users against passive eavesdropping on their messages. However most messaging systems are designed such that all messages exchanged between users flow through the service operator's servers, so it's extremely easy for an operator to launch an active attack. That is, the service operator can insert public keys into the directory that they know the private key for, attach those public keys to a user's account without the user's knowledge, and then inject these keys into active conversations with that user to receive plaintext data. Key Transparency (KT) solves this problem by requiring the service operator to store user public keys in a cryptographically-protected append-only log. Any malicious entries added to such a log will generally be visible to all users, in which case a user can detect that they're being impersonated by viewing the public keys attached to their account. However, if the service operator attempts to conceal some entries of the log from some users but not others, this creates a "forked view" which is permanent and easily detectable with out-of-band communication. The critical improvement of KT over related protocols like Certificate Transparency [RFC6962] is that KT includes an efficient protocol to search the log for entries related to a specific McMillion Expires 7 September 2023 [Page 3] Internet-Draft Key Transparency March 2023 participant. This means users don't need to download the entire log, which may be substantial, to find all entries that are relevant to them. It also means that KT can better preserve user privacy by only showing entries of the log to participants that genuinely need to see them. 2. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. Protocol Overview From a networking perspective, KT follows a client-server architecture with a central _Transparency Log_, acting as a server, which holds the authoritative copy of all information and exposes endpoints that allow clients to query or modify stored data. Clients coordinate with each other through the server by uploading their own public keys and downloading the public keys of other clients. Clients are expected to maintain relatively little state, limited only to what is required to interact with the log and ensure that it is behaving honestly. From an application perspective, KT works as a versioned key-value database. Clients insert key-value pairs into the database where, for example, the key is their username and the value is their public key. Clients can update a key by inserting a new version with new data. They can also look up the most recent version of a key or any past version. From this point forward, "key" will refer to a lookup key in a key-value database and "public key" or "private key" will be specified if otherwise. While this document uses the TLS presentation language [RFC8446] to describe the structure of protocol messages, it does not require the use of a specific transport protocol. This is intended to allow applications to layer KT on top of whatever transport protocol their application already uses. In particular, this allows applications to continue relying on their existing access control system. McMillion Expires 7 September 2023 [Page 4] Internet-Draft Key Transparency March 2023 Applications may enforce arbitrary access control rules on top of KT such as requiring a user to be logged in to make KT requests, only allowing a user to lookup the keys of another user if they're "friends", or simply applying a rate limit. Applications SHOULD prevent users from modifying keys that they don't own. The exact mechanism for rejecting requests, and possibly explaining the reason for rejection, is left to the application. Finally, this document does not assume that clients can reliably communicate with each other out-of-band (that is, away from any interference by the Transparency Log operator), or communicate with the Transparency Log anonymously. However, later sections will give guidance on how these channels can be utilized effectively when or if they're available. 3.1. Basic Operations The operations that can be executed by a client are as follows: 1. *Search:* Performs a lookup on a specific key in the most recent version of the log. Clients may request either a specific version of the key, or the most recent version available. If the key-version pair exists, the server returns the corresponding value and a proof of inclusion. If the key-version pair does not exist, the server returns a proof of non-inclusion instead. 2. *Update:* Adds a new key-value pair to the log, for which the server returns a proof of inclusion. Note that this means that new values are added to the log immediately in response to an Update operation, and are not queued for later insertion with a batch of other values. 3. *Monitor:* While Search and Update are run by the client as necessary, monitoring is done in the background on a recurring basis. It both checks that the log is continuing to behave honestly (all previously returned keys remain in the tree) and that no changes have been made to keys owned by the client without the client's knowledge. 3.2. Deployment Modes In the interest of satisfying the widest range of use-cases possible, three different modes for deploying a Transparency Log are described in this document. Each mode has slightly different requirements and efficiency considerations for both the service operator and the end- user. McMillion Expires 7 September 2023 [Page 5] Internet-Draft Key Transparency March 2023 *Third-party Management* and *Third-party Auditing* are two deployment modes that require the service operator to delegate part of the operation of the Transparency Log to a third party. Users are able to run more efficiently as long as they can assume that the service operator and the third party won't collude to trick them into accepting malicious results. With both third-party modes, all requests from end-users are initially routed to the service operator and the service operator coordinates with the third party themself. End-users never contact the third party directly, however they will need a signature public key from the third party to verify its assertions. With Third-party Management, the third party performs the majority of the work of actually storing and operating the log, and the service operator only needs to sign new entries as they're added. With Third-party Auditing, the service operator performs the majority of the work of storing and operating the log, and obtains signatures from a lightweight third-party auditor at regular intervals asserting that the service operator has been constructing the tree correctly. *Contact Monitoring*, on the other hand, supports a single-party deployment with no third party. The tradeoff is that the background monitoring protocol requires a number of requests that's proportional to the number of keys a user has looked up in the past. As such, it's less suited to use-cases where users look up a large number of ephemeral keys, but would work ideally in a use-case where users look up a small number of keys repeatedly (for example, the keys of regular contacts). The deployment mode of a Transparency Log is chosen when the log is first created and isn't able to be changed over the log's lifetime. This makes it important for operators to carefully consider the best long-term approach based on the specifics of their application. 3.3. Security Guarantees A client that executes a Search or Update operation correctly (and does any required monitoring afterwards) receives a guarantee that the Transparency Log operator also executed the operation correctly and in a way that's globally consistent with what it has shown all other clients. That is, when a client searches for a key, they're guaranteed that the result they receive represents the same result that any other client searching for the same key would've seen. When a client updates a key, they're guaranteed that other clients will see the update the next time they search for the key. McMillion Expires 7 September 2023 [Page 6] Internet-Draft Key Transparency March 2023 If the Transparency Log operator does not execute an operation correctly, then either: 1. The client will detect the error immediately and reject the result of an operation, or 2. The client will permanently enter an invalid state. Depending on the exact reason that the client enters an invalid state, it will either be detected by background monitoring or the next time that out-of-band communication is available. Importantly, this means that clients must stay online for some fixed amount of time after entering an invalid state for it to be successfully detected. The exact caveats of the above guarantee depend naturally on the security of underlying cryptographic primitives, but also the deployment mode that the Transparency Log relies on: * Third-Party Management and Third-Party Auditing require an assumption that the Transparency Log operator and the third-party manager/auditor do not collude to trick clients into accepting malicious results. * Contact Monitoring requires an assumption that the client that owns a key and all clients that look up the key do the necessary monitoring afterwards. 4. Tree Construction KT relies on two combined hash tree structures: log trees and prefix trees. This section describes the operation of both at a high-level and the way that they're combined. More precise algorithms for computing the intermediate and root values of the trees will be given in a later section. Both types of trees consist of _nodes_ which have a byte string as their _value_. A node is either a _leaf_ if it has no children, or a _parent_ if it has either a _left child_ or a _right child_. A node is the _root_ of a tree if it has no parents, and an _intermediate_ if it has both children and parents. Nodes are _siblings_ if they share the same parent. The _descendants_ of a node are that node, its children, and the descendants of its children. A _subtree_ of a tree is the tree given by the descendants of a node, called the _head_ of the subtree. McMillion Expires 7 September 2023 [Page 7] Internet-Draft Key Transparency March 2023 The _direct path_ of a root node is the empty list, and of any other node is the concatenation of that node's parent along with the parent's direct path. The _copath_ of a node is the node's sibling concatenated with the list of siblings of all the nodes in its direct path, excluding the root. 4.1. Log Tree Log trees are used for storing information in the chronological order that it was added and are constructed as _left-balanced_ binary trees. A binary tree is _balanced_ if its size is a power of two and for any parent node in the tree, its left and right subtrees have the same size. A binary tree is _left-balanced_ if for every parent, either the parent is balanced, or the left subtree of that parent is the largest balanced subtree that could be constructed from the leaves present in the parent's own subtree. Given a list of n items, there is a unique left-balanced binary tree structure with these elements as leaves. Note also that every parent always has both a left and right child. Log trees initially consist of a single leaf node. New leaves are added to the right-most edge of the tree along with a single parent node, to construct the left-balanced binary tree with n+1 leaves. While leaves contain arbitrary data, the value of a parent node is always the hash of the combined values of its left and right children. Log trees are special in that they can provide both _inclusion proofs_, which demonstrate that a leaf is included in a log, and _consistency proofs_, which demonstrate that a new version of a log is an extension of a past version of the log. An inclusion proof is given by providing the copath values of a leaf. The proof is verified by hashing together the leaf with the copath values and checking that the result equals the root value of the log. Consistency proofs are a more general version of the same idea. With a consistency proof, the prover provides the minimum set of intermediate node values from the current tree that allows the verifier to compute both the old root value and the current root value. An algorithm for this is given in section 2.1.2 of [RFC6962]. 4.2. Prefix Tree Prefix trees are used for storing key-value pairs while preserving the ability to efficiently look up a value by its corresponding key. McMillion Expires 7 September 2023 [Page 8] Internet-Draft Key Transparency March 2023 Each leaf node in a prefix tree represents a specific key-value pair, while each parent node represents some prefix which all keys in the subtree headed by that node have in common. The subtree headed by a parent's left child contains all keys that share its prefix followed by an additional 0 bit, while the subtree headed by a parent's right child contains all keys that share its prefix followed by an additional 1 bit. The root node, in particular, represents the empty string as a prefix. The root's left child contains all keys that begin with a 0 bit, while the right child contains all keys that begin with a 1 bit. A prefix tree can be searched by starting at the root node, and moving to the left child if the first bit of a search key is 0, or the right child if the first bit is 1. This is then repeated for the second bit, third bit, and so on until the search either terminates at a leaf node (which may or may not be for the desired key), or a parent node that lacks the desired child. New key-value pairs are added to the tree by searching it according to this process. If the search terminates at a parent without a left or right child, a new leaf is simply added as the parent's missing child. If the search terminates at a leaf for the wrong key, one or more intermediate nodes are added until the new leaf and the old leaf would no longer reside in the same place. That is, until we reach the first bit that differs between the new key and the old key. The value of a leaf node is the encoded key-value pair, while the value of a parent node is the hash of the combined values of its left and right children (or a stand-in value when one of the children doesn't exist). 4.3. Combined Tree Log trees are desirable because they can provide efficient consistency proofs to assure verifiers that nothing has been removed from a log that was present in a previous version. However, log trees can't be efficiently searched without downloading the entire log. Prefix trees are efficient to search and can provide inclusion proofs to convince verifiers that the returned search results are correct. However, it's not possible to efficiently prove that a new version of a prefix tree contains the same data as a previous version with only new keys added. In the combined tree structure, which is based on [Merkle2], a log tree maintains a record of updates to key-value pairs while a prefix tree maintains a map from each key to a counter with the number of times it's been updated. Importantly, the root value of the prefix McMillion Expires 7 September 2023 [Page 9] Internet-Draft Key Transparency March 2023 tree after adding the new key or increasing the counter of an existing key, is stored in the log tree alongside the record of the update. With some caveats, this combined structure supports both efficient consistency proofs and can be efficiently searched. To search the combined structure, users do a binary search for the first log entry where looking up the search key in the prefix tree at that entry yields the desired counter. As such, the entry that a user arrives at through binary search contains the update with the key-value pair that they're looking for, even though the log itself is not sorted. Binary search also ensures that all users will check the same or similar entries when searching for the same key, which is necessary for the efficient auditing of a Transparency Log. To maximize this effect, users start their binary search at the entry whose index is the largest power of two less than the size of the log, and move left or right by consecutively smaller powers of two. So for example in a log with 70 entries, instead of starting a search at the "middle" with entry 35, users would start at entry 64. If the next step in the search is to move right, instead of moving to the middle of entries 64 and 70, which would be entry 67, users would move 4 steps (the largest power of two possible) to the right to entry 68. As more entries are added to the log, users will consistently revisit entries 64 and 68, while they may never revisit entries 35 or 67 after even a single new entry is added to the log. While users searching for a specific version of a key jump right into a binary search for the entry with that counter, other users may instead wish to search for the "most recent" version of a key. That is, the key with the highest counter possible. Users looking up the most recent version of a key start by fetching the *frontier* of the log, which they use to determine what the highest counter for a key is. The frontier of a log consists of the entry whose index is the largest power of two less than the size of the log, followed by the entry the largest power of two possible to the right, repeated until the last entry of the log is reached. So for example in a log with 70 entries, the frontier consists of entries 64, 68, and 69 (with 69 being the last entry). McMillion Expires 7 September 2023 [Page 10] Internet-Draft Key Transparency March 2023 5. Preserving Privacy In addition to being more convenient for many use-cases than similar transparency protocols, KT is also better at preserving the privacy of a Transparency Log's contents. This is important because in many practical applications of KT, service operators expect to be able to control when sensitive information is revealed. In particular, an operator can often only reveal that a user is a member of their service to that user's friends or contacts. Operators may also wish to conceal when individual users perform a given task like rotate their public key or add a new device to their account, or even conceal the exact number of users their application has overall. Applications are primarily able to manage the privacy of their data in KT by enforcing access control policies on the basic operations performed by clients, as discussed in Section 3. However, the proofs of inclusion and non-inclusion given by a Transparency Log can indirectly leak information about other entries and lookup keys. When users search for a key with the binary search algorithm described in Section 4.3, they necessarily see the values of several leaves while conducting their search that they may not be authorized to view the contents of. However, log entries generally don't need to be inspected except as specifically allowed by the service. The privacy of log entries is maintained by storing only a cryptographic commitment to the serialized, updated key-value pair in the leaf of the log tree instead of the update itself. At the end of a successful search, the service operator provides the committed update along with the commitment opening, which allows the user to verify that the commitment in the log tree really does correspond to the provided update. By logging commitments instead of plaintext updates, users learn no information about an entry's contents unless the service operator explicitly provides the commitment opening. Beyond the log tree, the second potential source of privacy leaks is the prefix tree. When receiving proofs of inclusion and non- inclusion from the prefix tree, users also receive indirect information about what other valid lookup keys exist. To prevent this, all lookup keys are processed through a Verifiable Random Function, or VRF [I-D.irtf-cfrg-vrf]. A VRF deterministically maps each key to a fixed-length pseudorandom value. The VRF can only be executed by the service operator, who holds a private key. But critically, VRFs can still provide a proof that an input-output pair is valid, which users verify with a public key. When a user requests to search for or update a key, the service operator first executes its VRF on the input key to obtain the output McMillion Expires 7 September 2023 [Page 11] Internet-Draft Key Transparency March 2023 key that will actually be looked up or stored in the prefix tree. The service operator then provides the output key, along with a proof that the output key is correct, in its response to the user. The pseudorandom output of VRFs means that even if a user indirectly observes that a search key exists in the prefix tree, they can't immediately learn which user the search key identifies. The inability of users to execute the VRF themselves also prevents offline "password cracking" approaches, where an attacker tries all possibilities in a low entropy space (like the set of phone numbers) to find the input that produces a given search key. 6. Ciphersuites Each Transparency Log uses a single fixed ciphersuite, chosen when the log is initially created, that specifies the following primitives to be used for cryptographic computations: * A hash algorithm * A signature algorithm * A Verifiable Random Function (VRF) algorithm The hash algorithm is used for computing the intermediate and root values of hash trees. The signature algorithm is used for signatures from both the service operator and the third party, if one is present. The VRF is used for preserving the privacy of lookup keys. One of the VRF algorithms from [I-D.irtf-cfrg-vrf] must be used. Ciphersuites are represented with the CipherSuite type. The ciphersuites are defined in Section 13.1. 7. Cryptographic Computations 7.1. Commitment Commitments are computed with HMAC [RFC2104], using the hash function specified by the ciphersuite. To produce a new commitment to a value called message, the application generates a random 16 byte value called opening and then computes: commitment = HMAC(fixedKey, opening || message) where fixedKey is the 16 byte hex-decoded value: d821f8790d97709796b4d7903357c3f5 McMillion Expires 7 September 2023 [Page 12] Internet-Draft Key Transparency March 2023 This fixed key allows the HMAC function, and thereby the commitment scheme, to be modeled as a random oracle. The output value commitment may be published, while opening and message should be kept private until the commitment is meant to be revealed. 7.2. Prefix Tree The leaf nodes of a prefix tree are serialized as: struct { opaque key; uint32 counter; } PrefixLeaf; where key is the full search key, counter is the counter of times that the key has been updated (starting at 0 for a key that was just created), and VRF.Nh is the output size of the ciphersuite VRF in bytes. The parent nodes of a prefix tree are serialized as: struct { opaque value; } PrefixParent; where Hash.Nh is the output length of the ciphersuite hash function. The value of a parent node is computed by hashing together the values of its left and right children: parent.value = Hash(0x01 || nodeValue(parent.leftChild) || nodeValue(parent.rightChild)) nodeValue(node): if node.type == emptyNode: return make([]byte, Hash.Nh) else if node.type == leafNode: return Hash(0x00 || node.key || node.counter) else if node.type == parentNode: return node.value where Hash denotes the ciphersuite hash function. McMillion Expires 7 September 2023 [Page 13] Internet-Draft Key Transparency March 2023 7.3. Log Tree The leaf and parent nodes of a log tree are serialized as: struct { opaque commitment; opaque prefix_tree; } LogLeaf; struct { opaque value; } LogParent; The value of a parent node is computed by hashing together the values of its left and right children: parent.value = Hash(hashContent(parent.leftChild) || hashContent(parent.rightChild)) hashContent(node): if node.type == leafNode: return 0x00 || nodeValue(node) else if node.type == parentNode: return 0x01 || nodeValue(node) nodeValue(node): if node.type == leafNode: return Hash(node.commitment || node.prefix_tree) else if node.type == parentNode: return parent.value 7.4. Tree Head Signature The head of a Transparency Log, which represents the log's most recent state, is represented as: struct { uint64 tree_size; uint64 timestamp; opaque signature<0..2^16-1>; } TreeHead; where tree_size counts the number of entries in the log tree and timestamp is the time that the structure was generated, in milliseconds since the Unix epoch. If the Transparency Log is deployed with Third-party Management then the public key used to verify the signature belongs to the third-party manager; otherwise the public key used belongs to the service operator. McMillion Expires 7 September 2023 [Page 14] Internet-Draft Key Transparency March 2023 The signature itself is computed over a TreeHeadTBS structure, which incorporates the log's current state as well as long-term log configuration: enum { reserved(0), contactMonitoring(1), thirdPartyManagement(2), thirdPartyAuditing(3), } DeploymentMode; struct { CipherSuite ciphersuite; DeploymentMode mode; opaque signature_public_key<0..2^16-1>; opaque vrf_public_key<0..2^16-1>; select (Configuration.mode) { case contactMonitoring: case thirdPartyManagement: opaque leaf_public_key<0..2^16-1>; case thirdPartyAuditing: opaque auditor_public_key<0..2^16-1>; }; } Configuration; struct { Configuration config; uint64 tree_size; uint64 timestamp; opaque root_value; } TreeHeadTBS; 8. Tree Proofs 8.1. Log Tree An inclusion proof for a single leaf in a log tree is given by providing the copath values of a leaf. Similarly, a bulk inclusion proof for any number of leaves is given by providing the fewest node values that can be hashed together with the specified leaves to produce the root value. Such a proof is encoded as: opaque NodeValue; struct { NodeValue elements<0..2^16-1>; } InclusionProof; McMillion Expires 7 September 2023 [Page 15] Internet-Draft Key Transparency March 2023 Each NodeValue is a uniform size, computed by passing the relevent LogLeaf or LogParent structures through the nodeValue function in Section 7.3. Finally, the contents of the elements array is kept in left-to-right order: if a node is present in the root's left subtree, its value must be listed before any values provided from nodes that are in the root's right subtree, and so on recursively. Consistency proofs are encoded similarly: struct { NodeValue elements<0..2^16-1>; } ConsistencyProof; Again, each NodeValue is computed by passing the relevent LogLeaf or LogParent structure through the nodeValue function. The nodes chosen correspond to those output by the algorithm in section 2.1.2 of [RFC6962]. 8.2. Prefix Tree A proof from a prefix tree authenticates that a search was done correctly for a given search key. Such a proof is encoded as: enum { reserved(0), inclusion(1), nonInclusionLeaf(2), nonInclusionParent(3), } PrefixSearchResult; struct { PrefixSearchResult result; NodeValue elements<0..2^16-1>; select (PrefixProof.result) { case inclusion: uint32 counter; case nonInclusionLeaf: PrefixLeaf leaf; case nonInclusionParent: }; } PrefixProof; The result field indicates what the terminal node of the search was: * inclusion for a leaf node matching the requested key * nonInclusionLeaf for a leaf node not matching the requested key McMillion Expires 7 September 2023 [Page 16] Internet-Draft Key Transparency March 2023 * nonInclusionParent for a parent node that lacks the desired child The elements array consists of the copath of the terminal node, in bottom-to-top order. That is, the terminal node's sibling would be first, followed by the terminal node's parent's sibling, and so on. In the event that a node is not present, an all-zero byte string of length Hash.Nh is listed instead. Depending on the result field, any additional information about the terminal node that's necessary to verify the proof is also provided. In the case of nonInclusionParent, no additional information is needed because the non-terminal child's value is already in elements. The proof is verified by hashing together the provided elements, in the left/right arrangement dictated by the search key, and checking that the result equals the root value of the prefix tree. 8.3. Combined Tree A proof from a combined log and prefix tree follows the execution of a binary search through the leaves of the log tree, as described in Section 4.3. It is serialized as follows: struct { PrefixProof prefix_proof; opaque commitment; } SearchStep; struct { SearchStep steps<0..2^8-1>; InclusionProof inclusion; } SearchProof; Each SearchStep structure in steps is one leaf that was inspected as part of the binary search, starting with the "middle" leaf (i.e., the leaf whose index is the largest power of two less than the size of the log). The prefix_proof field of a SearchStep is the output of searching the prefix tree whose root is at that leaf for the search key, while the commitment field is the commitment to the update at that leaf. The inclusion field of SearchProof contains a batch inclusion proof for all of the leaves accessed by the binary search, relating them to the root of the log tree. A verifier interprets the output of each prefix_proof as -1 if it is a non-inclusion proof, or as counter if it is an inclusion proof. The proof can then be verified by checking that: McMillion Expires 7 September 2023 [Page 17] Internet-Draft Key Transparency March 2023 1. The elements of steps represent a monotonic series over the leaves of the log, and 2. The elements of steps correspond exactly to the lookups that would be made by the verifier while conducting the binary search. Once the validity of the search steps has been established, the verifier can compute the root of each prefix tree represented by a prefix_proof and combine it with the corresponding commitment to obtain the value of each leaf. These leaf values can then be combined with the proof in inclusion to check that the output matches the root of the log tree. 9. Update Format The updates committed to by a combined tree structure contain the new value of a search key, along with additional information depending on the deployment mode of the Transparency Log. They are serialized as follows: struct { select (Configuration.mode) { case thirdPartyManagement: opaque signature<0..2^16-1>; }; } UpdatePrefix; struct { UpdatePrefix prefix; opaque value<0..2^32-1>; } UpdateValue; The value field contains the new value of the search key. In the event that third-party management is used, the prefix field contains a signature from the service operator, using the public key from Configuration.leaf_public_key, over the following structure: struct { opaque search_key<0..2^16-1>; uint32 version; opaque value<0..2^32-1>; } UpdateTBS; The search_key field contains the search key being updated, version contains the new key version, and value contains the same contents as UpdateValue.value. Clients MUST successfully verify this signature before consuming UpdateValue.value. McMillion Expires 7 September 2023 [Page 18] Internet-Draft Key Transparency March 2023 10. User Operations 10.1. Search Users initiate a Search operation by submitting a SearchRequest to the Transparency Log containing the key that they're interested in. Users can optionally specify a version of the key that they'd like to receive, if not the most recent one. They can also include the tree_size of the last TreeHead that they successfully verified. struct { opaque search_key<0..2^16-1>; optional version; optional last; } SearchRequest; In turn, the Transparency Log responds with a SearchResult structure: struct { TreeHead tree_head; optional consistency; select (Configuration.mode) { case thirdPartyAuditing: AuditorTreeHead auditor_tree_head; }; } FullTreeHead; struct { opaque index; opaque proof<0..2^16-1>; } VRFResult; struct { opaque opening<16>; opaque value<0..2^32-1>; } SearchValue; struct { FullTreeHead full_tree_head; VRFResult vrf_result; SearchProof search; optional value; } SearchResult; If last is present, then the Transparency Log MUST provide a consistency proof between the current tree and the tree when it was this size, in the consistency field of FullTreeHead. McMillion Expires 7 September 2023 [Page 19] Internet-Draft Key Transparency March 2023 Users verify a search result by following these steps: 1. Verify the VRF proof in VRFResult.proof against the requested search key SearchRequest.search_key and the claimed VRF output VRFResult.index. 2. Evaluate the search proof in search according to the steps in Section 8.3. This will produce a verdict as to whether the search was executed correctly, and also a candidate root value for the tree. If it's determined that the search was executed incorrectly, abort with an error. 3. With the candidate root value for the tree: 1. Verify the proof in FullTreeHead.consistency, if one is expected. 2. Verify the signature in TreeHead.signature. 3. Verify that the timestamp in TreeHead is sufficiently recent. Additionally, verify that the timestamp and tree_size fields of the TreeHead are greater than or equal to what they were before. 4. If third-party auditing is used, verify auditor_tree_head with the steps described in Section 11.2. 4. If the proof in search determined that a valid entry was found, check that value is populated, and that the commitment in the terminal search step opens to SearchValue.value with opening SearchValue.opening. If the proof determined that a valid entry was not found, check that value is empty. Provided that the above verification is successful, users decode the encoded UpdateValue structure in SearchValue.value. Depending on the deployment mode of the Transparency Log, the UpdateValue may or may not require additional verification, specified in Section 9, before its contents may be consumed. If the Transparency Log is deployed with Contact Monitoring, users MUST retain the most recent version of the key that they've seen (even if that is not the most recent version overall) and the position of that it was stored at in the log. Users MAY retain the entire SearchResult if they wish to later be able to provide non- repudiable proof of misbehavior. McMillion Expires 7 September 2023 [Page 20] Internet-Draft Key Transparency March 2023 10.2. Update Users initiate an Update operation by submitting an UpdateRequest to the Transparency Log containing the new key and value to store. Users can also optionally include the tree_size of the last TreeHead that they successfully verified. struct { opaque search_key<0..2^16-1>; opaque value<0..2^32-1>; optional last; } UpdateRequest; If the request is valid, the Transparency Log adds the new key-value pair to the log and returns an UpdateResult structure: struct { FullTreeHead full_tree_head; VRFResult vrf_result; SearchProof search; opaque opening<16>; UpdatePrefix prefix; } UpdateResult; Users verify the UpdateResult as if it were a SearchResult for the most recent version of search_key. Note that the contents of UpdateRequest.value is the new value of the lookup key and NOT a serialized UpdateValue object. To aid verification, the update result provides the UpdatePrefix structure necessary to reconstruct the UpdateValue. Users MUST retain the new version of the key and the position that it is stored at in the log for the purpose of monitoring. Users MAY retain the entire UpdateResult if they wish to later be able to provide non-repudiable proof of misbehavior. 10.3. Monitor Users initiate a Monitor operation by submitting a MonitorRequest to the Transparency Log containing information about the keys they wish to monitor. Similar to Search and Update operations, users can include the tree_size of the last TreeHead that they successfully verified. McMillion Expires 7 September 2023 [Page 21] Internet-Draft Key Transparency March 2023 opaque SearchKey<0..2^16-1>; struct { opaque search_key<0..2^16-1>; uint32 version; } ContactKey; struct { SearchKey search_keys<0..2^16-1>; select (Configuration.mode) { case contactMonitoring: ContactKey contact_keys<0..2^16-1>; }; optional last; } MonitorRequest; Users include each of the keys that they own in search_keys. If the Transparency Log is deployed with Contact Monitoring, users also include any keys they've looked up in contact_keys, potentially omitting any that they reasonably expect will not produce new monitoring data. The Transparency Log responds with a MonitorResponse structure: struct { PrefixProof prefix_proof; opaque commitment; } ContactProofStep; struct { ContactProofStep steps<0..2^8-1>; InclusionProof inclusion; } ContactProof; struct { FullTreeHead full_tree_head; SearchProof search_proofs<0..2^16-1>; select (Configuration.mode) { case contactMonitoring: ContactProof contact_proofs<0..2^16-1>; }; } MonitorResponse; Each proof in search_proofs represents a search for the most recent version of the corresponding key in search_keys. If MonitorRequest.last is populated, any search steps in SearchProof.steps for entries of the log before last are omitted to save space. McMillion Expires 7 September 2023 [Page 22] Internet-Draft Key Transparency March 2023 The elements of contact_proofs also correspond one-to-one with the elements of contact_keys. Each ContactProof is meant to convince the user that the key they looked up is still properly included in the log and has not been surreptitiously concealed. The steps of a ContactProof represent the *parents* of the entry that contain the specified version of the search key. That is, the parents of an entry are defined as the log entries that are accessed while following a binary search to the given entry, before the entry itself is reached. However, if MonitorRequest.last is populated, then any parents before last are omitted to save space. Each step contains a prefix_proof which is a search for the user- specified key in the prefix tree rooted at that parent, along with the commitment contained in the parent. Users verify that the prefix_proof is an inclusion proof and that the included counter is greater than or equal to what they'd expect, assuring them that the tree is being constructed correctly. The prefix_proof combined with the commitment allow the user to compute the value of each parent's log entry which, combined further with ContactProof.inclusion, produces the root value of the tree for verification against full_tree_head. In full, users verify a monitor response by following these steps: 1. Verify that the length of search_proofs is the same as search_keys. For each proof in search_proof: 1. Evaluate the search proof according to the steps in Section 8.3, which will produce a verdict as to whether the search was executed correctly and also a candidate root value for the tree. 2. Verify that each search arrives at the expected version of the key, at the expected position in the tree (based on the original Update query). 2. Ensure that all of the candidate root values are the same. With the candidate root value: 1. Verify the proof in FullTreeHead.consistency, if one is expected. 2. Verify the signature in TreeHead.signature. McMillion Expires 7 September 2023 [Page 23] Internet-Draft Key Transparency March 2023 3. Verify that the timestamp in TreeHead is sufficiently recent. Additionally, verify that the timestamp and tree_size fields of the TreeHead are greater than or equal to what they were before. 4. If third-party auditing is used, verify auditor_tree_head with the steps described in Section 11.2. 3. If contact monitoring is used, verify that the length of contact_proofs is the same as contact_keys. For each proof in contact_proofs: 1. Verify that steps has the expected number of entries, based on any new parents that have been created over the entry being monitored. 2. For each new parent, which should be in steps in the same order that each entry is stored in the log tree, verify that prefix_proof is an inclusion proof and that the included version counter is greater than or equal to the most recent version of the key observed by the user. 3. Compute the log entry represented by each ContactProofStep and evaluate the inclusion proof inclusion with these log entries. Verify that the root value outputted is equal to the candidate root value verified in step 2. Some information is omitted from MonitorResponse in the interest of efficiency, due to the fact that the user would have already seen and verified it as part of conducting other queries. In particular, the VRF output and proof for each search key is not provided, given that it can be cached from the original Search or Update query for the key. Generally, users MUST retain the most recent TreeHead they've successfully verified as part of any query result, and populate the last field of any query request with the tree_size from this TreeHead. 11. Third Parties McMillion Expires 7 September 2023 [Page 24] Internet-Draft Key Transparency March 2023 11.1. Management With the Third-party Management deployment mode, a third party is responsible for the majority of the work of storing and operating the log, while the service operator serves mainly to enforce access control and authenticate the addition of new entries to the log. All user queries specified in Section 10 are initially sent by users directly to the service operator, and the service operator proxies them to the third-party manager if they pass access control. The service operator only maintains one private key that is kept secret from the third-party manager, which is the private key corresponding to Configuration.leaf_public_key. This private key is used to sign new entries before they're added to the log. As such, all requests and their corresponding responses from Section 10 are proxied between the user and the third-party manager unchanged with the exception of UpdateRequest, which needs to carry the service operator's signature over the update: struct { UpdateRequest request; opaque signature<0..2^16-1>; } ManagerUpdateRequest; The signature is computed over the UpdateTBS structure from Section 9. 11.2. Auditing With the Third-party Auditing deployment mode, the service operator obtains signatures from a lightweight third-party auditor attesting to the fact that the service operator is constructing the tree correctly. These signatures are provided to users along with the results of their queries. The third-party auditor is expected to run asynchronously, downloading and authenticating a log's contents in the background, so as not to become a bottleneck for the service operator. This means that the signatures from the auditor will usually be somewhat delayed. Applications MUST specify a maximum amount of time after which an auditor signature will no longer be accepted. It MUST also specify a maximum number of entries that an auditor's signature may be behind the most recent TreeHead before it will no longer be accepted. Failing to verify an auditor's signature in a query MUST result in an error that prevent's the query's result from being consumed or accepted by the application. McMillion Expires 7 September 2023 [Page 25] Internet-Draft Key Transparency March 2023 The service operator submits updates to the auditor in batches, in the order that they were added to the log tree: struct { opaque index; opaque commitment; } AuditorUpdate; struct { AuditorUpdate updates<0..2^16-1>; } AuditorRequest; The index field of each AuditorUpdate contains the VRF output of the search key that was updated and commitment contains the service provider's commitment to the update. The auditor responds with: struct { TreeHead tree_head; } AuditorResponse; The tree_head field contains a signature from the auditor's private key, corresponding to Configuration.auditor_public_key, over the serialized TreeHeadTBS structure. The tree_size field of the TreeHead is equal to the number of entries processed by the auditor and the timestamp field is set to the time the signature was produced (in milliseconds since the Unix epoch). The auditor TreeHead from this response is provided to users wrapped in the following struct: struct { TreeHead tree_head; opaque root_value; ConsistencyProof consistency; } AuditorTreeHead; The root_value field contains the root hash of the tree at the point that the signature was produced and consistency contains a consistency proof between the tree at this point and the most recent TreeHead provided by the service operator. To check that an AuditorTreeHead structure is valid, users follow these steps: 1. Verify the signature in TreeHead.signature. 2. Verify that TreeHead.timestamp is sufficiently recent. McMillion Expires 7 September 2023 [Page 26] Internet-Draft Key Transparency March 2023 3. Verify that TreeHead.tree_size is sufficiently close to the most recent tree head from the service operator. 4. Verify the consistency proof consistency between this tree head and the most recent tree head from the service operator. 12. Security Considerations While providing a formal security proof is outside the scope of this document, this section attempts to explain the intuition behind the security of each deployment mode. 12.1. Contact Monitoring Contact Monitoring works by splitting the monitoring burden between both the owner of a key and those that look it up. Stated as simply as possible, the monitoring obligations of each party are: 1. The key owner, on a regular basis, searches for the most recent version of the key in the log. They verify that this search results in the expected version of the key, at the expected position in the log. 2. The user that looks up a key, whenever a new parent is established on the key's direct path, searches for the key in the prefix tree stored in this new parent. They verify that the version counter returned is greater than or equal to the expected version. To understand why this is secure, we look at what happens when the service operator tampers with the log in different ways. First, say that the service operator attempts to cover up the latest version of a key, with then goal of causing a "most recent version" search for the key to resolve in a lower version. To do this, the service operator must add a parent over the latest version of the key with a prefix tree that contains an incorrect version counter. Left unchanged, the key owner will observe that the most recent version of their key is no longer available the next time they perform monitoring. Alternatively, the service operator could add the new version of the key back at a later position in the log. But even so, the key owner will observe that the key's position has changed the next time they perform monitoring. The service operator is unable to restore the latest version of the key without violating the log's append-only property or presenting a forked view of the log to different users. McMillion Expires 7 September 2023 [Page 27] Internet-Draft Key Transparency March 2023 Second, say that the service operator attempts to present a fake new version of a key, with the goal of causing a "most recent version" search for the key to resolve to the fake version. To do this, the service operator can simply add the new version of the key as the most recent entry to the log, with the next highest version counter. Left unchanged, or if the log continues to be constructed correctly, the key owner will observe that a new version of their key has been added without their permission the next time they perform monitoring. Alternatively, the service operator can add a parent over the fake version with an incorrect version counter to attempt to conceal the existence of the fake entry. However, the user that previously consumed the fake version of the key will detect this attempt at concealment the next time they perform monitoring. 12.2. Third-party Management Third-party Management works by separating the construction of the log from the ability to approve which new entries are added to the log, such that tricking users into accepting malicious data requires the collusion of both parties. The service operator maintains a private key that signs new entries before they're added to the log, which means that it has the ability to sign malicious new entries and have them successfully published. However, without the collusion of the third-party manager to later conceal those entries by constructing the tree incorrectly, their existence will be apparent to the key owner the next time they perform monitoring. Similarly, while the third-party manager has the ability to construct the tree incorrectly, it cannot add new entries on its own without the collusion of the service operator. Without access to the service operator's signing key, the third-party manager can only attempt to selectively conceal the latest version of a key from certain users. However, as discussed in Section 12.1, this is also apparent to the key owner through monitoring. 12.3. Third-party Auditing Third-party Auditing works by requiring users to verify a signature from a third-party auditor attesting to the fact that the service operator has been constructing the tree correctly. McMillion Expires 7 September 2023 [Page 28] Internet-Draft Key Transparency March 2023 While the service operator can still construct the tree incorrectly and temporarily trick users into accepting malicious data, an honest auditor will no longer provide its signatures over the tree at this point. Once there are no longer any sufficiently recent auditor tree roots, the log will become non-functional as the service operator won't be able to produce any query results that would be accepted by users. 13. IANA Considerations This document requests the creation of the following new IANA registries: * KT Ciphersuites (Section 13.1) All of these registries should be under a heading of "Key Transparency", and assignments are made via the Specification Required policy [RFC8126]. See Section 13.2 for additional information about the KT Designated Experts (DEs). RFC EDITOR: Please replace XXXX throughout with the RFC number assigned to this document 13.1. KT Ciphersuites TODO 13.2. KT Designated Expert Pool TODO 14. References 14.1. Normative References [I-D.irtf-cfrg-vrf] Goldberg, S., Reyzin, L., Papadopoulos, D., and J. Včelák, "Verifiable Random Functions (VRFs)", Work in Progress, Internet-Draft, draft-irtf-cfrg-vrf-15, 9 August 2022, . [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", RFC Editor report, DOI 10.17487/rfc2104, February 1997, . McMillion Expires 7 September 2023 [Page 29] Internet-Draft Key Transparency March 2023 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC6962] Laurie, B., Langley, A., and E. Kasper, "Certificate Transparency", RFC Editor report, DOI 10.17487/rfc6962, June 2013, . [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . 14.2. Informative References [Merkle2] Hu, Y., Hooshmand, K., Kalidhindi, H., Yang, S. J., and R. A. Popa, "Merkle^2: A Low-Latency Transparency Log System", 8 April 2021, . Acknowledgments TODO acknowledge. Author's Address Brendan McMillion Email: brendanmcmillion@gmail.com McMillion Expires 7 September 2023 [Page 30]