A More Complete Analysis of the Signal Double Ratchet Algorithm

Bienstock, Alexander; Fairoze, Jaiden; Garg, Sanjam; Mukherjee, Pratyay; Raghuraman, Srinivasan

doi:10.1007/978-3-031-15802-5_27

Cited by 15 publications

(6 citation statements)

References 42 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Key confirmation [24] allows one party to ascertain that the second (possibly unidentified) party indeed possesses a specific secret key (or all keying material necessary for its computation). Backward secrecy [25] ensures that compromising long-term keys does not compromise keys from past sessions. Key agreement [26] employs dynamic key management to derive new session keys.…”

Section: Protocol Security Propertiesmentioning

confidence: 99%

Approaches to Developing Key Distribution Protocols Based on Quantum Key Distribution

Begimbayeva Y.

2024

jes

View full text Add to dashboard Cite

Quantum protocols for generating shared secret keys represent an effective method of ensuring secure information transmission using quantum communication channels. However, they are limited in scalability due to the physical constraints of quantum channels, which necessitates the use of classical communication channels for exchanging information between participants. This leads to the necessity of developing security threat models and network protection, especially in the case of hybrid networks, where quantum channels are used alongside classical ones. The peculiarity of constructing quantum key distribution protocols is associated with the costliness of implementation and implies the inevitable use of classical communication channels for key distribution. This paper addresses the task of ensuring the security of communication between subscribers not directly connected by quantum channels, through intermediary nodes, and analyzes threats from internal and external adversaries. Special attention is paid to situations where both types of adversaries have information about the processes and protocols in the network. The paper examines widely used key distribution protocols employed in practice. It describes the main security requirements applied to key distribution protocols, and presents the results of an analysis of the compliance of the discussed protocols with these requirements

show abstract

Section: Protocol Security Propertiesmentioning

confidence: 99%

Approaches to Developing Key Distribution Protocols Based on Quantum Key Distribution

Begimbayeva Y.

2024

jes

View full text Add to dashboard Cite

show abstract

“…Output 𝑐 𝐴𝐵 , 𝑧 𝐴𝐵 , 𝑐 𝐽 , 𝑧 𝐽 , 𝐸 𝐴 , 𝑅 𝐴 , 𝑅 𝐵 , 𝑘 rel , NOTRY-Kex-Sim transcript, Enc (𝑘 rel , (𝑐 𝐴 , 𝑧 𝐴 , 𝑠 𝐴 )) , Enc (𝑘 rel , (𝑐 𝐵 , 𝑧 𝐵 )). secrecy of ratcheted key generation mechanisms is studied extensively by Alwen et al [1] and Bienstock et al [10]. (4) Post-specified peer [21]: Instead of specifying the identity of the intended peer when initiating NOTRY-Kex, parties learn the identity of their peers during protocol execution.…”

Section: Notry Security Goalsmentioning

confidence: 99%

“…We, therefore, compare it against Signal, which represents the best-in-class for secure messaging with deniability. Additional overhead is paid for a UC-secure Signal [10]. Therefore, we implement NOTRY without a straight-line compiler for a fair comparison.…”

Section: Real World Evaluationmentioning

confidence: 99%

NOTRY: Deniable messaging with retroactive avowal

Wang,

Cohney,

Wahby

et al. 2024

PoPETs

View full text Add to dashboard Cite

Modern secure messaging protocols typically aim to provide deniability. Achieving this requires that convincing cryptographic transcripts can be forged without the involvement of genuine users. In this work, we observe that parties may wish to revoke deniability and avow a conversation after it has taken place. We propose a new protocol called Not-on-the-Record-Yet (NOTRY) which enables users to prove a prior conversation transcript is genuine. As a key building block we propose avowable designated verifier proofs which may be of independent interest. Our implementation in- curs roughly 8× communication and computation overhead over the standard Signal protocol during regular operation. We find it is nonetheless deployable in a realistic setting as key exchanges (the source of the overhead) still complete in just over 1ms on a modern computer. The avowal protocol induces only constant computation and communication performance for the communicating parties and scales linearly in the number of messages avowed for the verifier—in the tens of milliseconds per avowal.

show abstract

“…Moreover, it is weak robust when C is generated by the Ecn algorithm. 6 This essentially employs a generic construction of anonymous broadcast encryption proposed by Libert et al [33].…”

Section: Proposed Sgm Protocol Providing Membership Privacymentioning

confidence: 99%

“…The Signal protocol consists of two subprotocols, X3DH (Extended Triple Diffie-Hellman) and double ratcheting, and Hashimoto et al [3] and Alwen et al [4] proposed a generic construction, respectively. Analyzing the Signal protocol is still an ongoing research area, e.g., [5,6]. In addition to two-party messaging, secure group messaging (SGM) protocols also have been proposed [7][8][9][10][11][12][13][14].…”

Section: Introduction 1backgroundmentioning

confidence: 99%

Providing Membership Privacy to the Asynchronous Ratcheting Trees Protocol without losing Scalability

Emura¹,

Kajita²,

Nojima³

et al. 2022

JOWUA

View full text Add to dashboard Cite

A secure messaging protocol, such as the Signal protocol, provides end-to-end encrypted asynchronous communication. This paper focuses on a secure group messaging (SGM) protocol, and proposes a method capable of hiding membership information from the viewpoint of non group members, which we call “membership privacy”. In this work, we add membership privacy to the Asynchronous Ratcheting Trees (ART) protocol (proposed by Cohn-Gordon et al., (ACM CCS 2018)). For hiding membership-related values in the setup phase, we employ a key-private and robust publickey encryption (Abdalla et al., TCC2010/JoC2018). Moreover, we introduce a group common key to encrypt membership information in the key update phase. Our modification achieves asymptotically the same efficiency of the ART protocol in the setup phase. Any additional cost for key update does not depend on the number of group members. Therefore, the proposed protocol can add membership privacy to the ART protocol with a quite small overhead. Specifically, one encryption and decryption of a symmetric-key encryption scheme and one execution of a key-derivation function for each key update are employed. Finally, we discuss how to extend our protocol to provide sender-specific authentication, dynamic groups, group-size hiding, and how to adopt our technique to the Messaging Layer Security (MLS) protocol. We note that, although Chase et al. (ACM CCS 2020) have considered the same notion, their proposal is an extension of Signal so called “Pairwise Signal” where a group message is repeatedly sent over individual Signal channels. Thus their protocol is not scalable.

show abstract

A More Complete Analysis of the Signal Double Ratchet Algorithm

Cited by 15 publications

References 42 publications

Approaches to Developing Key Distribution Protocols Based on Quantum Key Distribution

Approaches to Developing Key Distribution Protocols Based on Quantum Key Distribution

NOTRY: Deniable messaging with retroactive avowal

Providing Membership Privacy to the Asynchronous Ratcheting Trees Protocol without losing Scalability

Contact Info

Product

Resources

About