Keep the Dirt: Tainted TreeKEM, Adaptively and Actively Secure Continuous Group Key Agreement

Klein, Karen; Pascual-Perez, Guillermo; Walter, Michael; Kamath, Chethan; Capretto, Margarita; Cueto, Miguel; Markov, Ilia; Yeo, Michelle M L; Alwen, Joël; Pietrzak, Krzysztof

doi:10.1109/sp40001.2021.00035

Cited by 11 publications

(14 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In addition to the standard TreeKEM discussed in MLS, variants of TreeKEM have been proposed. Tainted TreeKEM [6] enjoys efficiency advantages for large groups maintained by a small number of 'administrators'. Re-randomized TreeKEM [8] and TreeKEM with active security [9] improve the PCFS property against passive and active adversaries, respectively, but require relatively heavy cryptographic primitives.…”

Section: Related Workmentioning

confidence: 99%

“…Continuous Group Key Agreement. The notions of continuous (group) key agreement (CKA and CGKA) were put forward [6][7][8][9][10] to capture the particular setting that secure (group) messaging contends with, e.g., asynchrony and large groups, and achieve the security notions it requires, e.g., PCFS. In addition to representing a clean abstraction, CGKAs also include the complex cryptographic machinery of secure group messaging, and are therefore convenient objects to reason on.…”

Section: Introductionmentioning

confidence: 99%

“…A documented property[6] of TreeKEM is that the number n c of ciphertexts depends on the topology of the ratcheting tree, which might contain blank nodes. This number is ⌈log N ⌉ in the best case, but may degrade to N − 1 for heavily blanked trees 2.…”

mentioning

confidence: 99%

“…If we run a standard PKE in parallel for all N users and set T := ⊥, then we obtain a succinct scheme but this is clearly not commitment-binding. On the other hand, if we add a non-interactive zero-knowledge (NIZK) proof π to further prove that all the PKE ciphertexts encrypt the same message and set6 In the proof of our CGKA protocol, we require that the adversary cannot find a "bad" randomness that leads to a decryption error. Since we use a PRG modeled as a random oracle to expand the randomness, standard correctness immediately implies that no PPT adversary can find such bad randomness.…”

mentioning

confidence: 99%

See 3 more Smart Citations

A Concrete Treatment of Efficient Continuous Group Key Agreement via Multi-Recipient PKEs

Hashimoto

Katsumata²,

Postlethwaite

et al. 2021

Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Continuous group key agreements (CGKAs) are a class of protocols that can provide strong security guarantees to secure group messaging protocols such as Signal and MLS. Protection against device compromise is provided by commit messages: at a regular rate, each group member may refresh their key material by uploading a commit message, which is then downloaded and processed by all the other members. In practice, propagating commit messages dominates the bandwidth consumption of existing CGKAs.We propose Chained CmPKE, a CGKA with an asymmetric bandwidth cost: in a group of N members, a commit message costs O(N ) to upload and O(1) to download, for a total bandwidth cost of O(N ). In contrast, TreeKEM [14,19,52] costs Ω(log N ) in both directions, for a total cost Ω(N log N ). Our protocol relies on generic primitives, and is therefore readily post-quantum.We go one step further and propose post-quantum primitives that are tailored to Chained CmPKE, which allows us to cut the growth rate of uploaded commit messages by two or three orders of magnitude compared to naive instantiations. Finally, we realize a software implementation of Chained CmPKE. Our experiments show that even for groups with a size as large as N = 2 10 , commit messages can be computed and processed in less than 100 ms.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

mentioning

confidence: 99%

mentioning

confidence: 99%

See 2 more Smart Citations

A Concrete Treatment of Efficient Continuous Group Key Agreement via Multi-Recipient PKEs

Hashimoto

Katsumata²,

Postlethwaite

et al. 2021

Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…Analyzing the Signal protocol is still an ongoing research area, e.g., [5,6]. In addition to two-party messaging, secure group messaging (SGM) protocols also have been proposed [7][8][9][10][11][12][13][14].…”

Section: Introduction 1backgroundmentioning

confidence: 99%

Providing Membership Privacy to the Asynchronous Ratcheting Trees Protocol without losing Scalability

Emura¹,

Kajita²,

Nojima³

et al. 2022

JOWUA

View full text Add to dashboard Cite

A secure messaging protocol, such as the Signal protocol, provides end-to-end encrypted asynchronous communication. This paper focuses on a secure group messaging (SGM) protocol, and proposes a method capable of hiding membership information from the viewpoint of non group members, which we call “membership privacy”. In this work, we add membership privacy to the Asynchronous Ratcheting Trees (ART) protocol (proposed by Cohn-Gordon et al., (ACM CCS 2018)). For hiding membership-related values in the setup phase, we employ a key-private and robust publickey encryption (Abdalla et al., TCC2010/JoC2018). Moreover, we introduce a group common key to encrypt membership information in the key update phase. Our modification achieves asymptotically the same efficiency of the ART protocol in the setup phase. Any additional cost for key update does not depend on the number of group members. Therefore, the proposed protocol can add membership privacy to the ART protocol with a quite small overhead. Specifically, one encryption and decryption of a symmetric-key encryption scheme and one execution of a key-derivation function for each key update are employed. Finally, we discuss how to extend our protocol to provide sender-specific authentication, dynamic groups, group-size hiding, and how to adopt our technique to the Messaging Layer Security (MLS) protocol. We note that, although Chase et al. (ACM CCS 2020) have considered the same notion, their proposal is an extension of Signal so called “Pairwise Signal” where a group message is repeatedly sent over individual Signal channels. Thus their protocol is not scalable.

show abstract

CoCoA: Concurrent Continuous Group Key Agreement

Alwen¹,

Auerbach

Noval

et al. 2022

Advances in Cryptology – EUROCRYPT 2022

View full text Add to dashboard Cite

Keep the Dirt: Tainted TreeKEM, Adaptively and Actively Secure Continuous Group Key Agreement

Cited by 11 publications

References 20 publications

A Concrete Treatment of Efficient Continuous Group Key Agreement via Multi-Recipient PKEs

A Concrete Treatment of Efficient Continuous Group Key Agreement via Multi-Recipient PKEs

Providing Membership Privacy to the Asynchronous Ratcheting Trees Protocol without losing Scalability

CoCoA: Concurrent Continuous Group Key Agreement

Contact Info

Product

Resources

About