Post-quantum Asynchronous Deniable Key Exchange and the Signal Handshake

Brendel, Jacqueline; Fiedler, Rune; Günther, Felix; Janson, Christian; Stebila, Douglas

doi:10.1007/978-3-030-97131-1_1

Cited by 17 publications

(9 citation statements)

References 83 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Finally, following the KEMTLS paper [29], several recent works used the notion of IND-1CCA KEM to build secure protocols (e.g. [19,31,6]), showing the growing importance of such a notion.…”

Section: Related Workmentioning

confidence: 99%

“…In another recent paper, Brendel et al [6] propose an alternative to the Signal handshake based on KEMs and designated verifier signature schemes. They first define a core protocol that uses two KEMs in the same vein as KEMTLS: one with long-term keys for implicit authentication of one of the parties and another one with ephemeral keys for guaranteeing forward security.…”

Section: Kemtlsmentioning

confidence: 99%

See 1 more Smart Citation

On IND-qCCA Security in the ROM and Its Applications

Huguenin-Dumittan

Vaudenay

2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Bounded IND-CCA security (IND-qCCA) is a notion similar to the traditional IND-CCA security, except the adversary is restricted to a constant number q of decryption/decapsulation queries. We show in this work that IND-qCCA is easily obtained from any passively secure PKE in the (Q)ROM. That is, simply adding a confirmation hash or computing the key as the hash of the plaintext and ciphertext holds an IND-qCCA KEM. In particular, there is no need for derandomization or re-encryption as in the Fujisaki-Okamoto (FO) transform [15]. This makes the decapsulation process of such IND-qCCA KEM much more efficient than its FO-derived counterpart. In addition, IND-qCCA KEMs could be used in the recently proposed KEMTLS protocol [29] that requires IND-1CCA ephemeral key-exchange mechanisms or in TLS 1.3. Then, using similar proof techniques, we show that CPA-secure KEMs are sufficient for the TLS 1.3 handshake to be secure, solving an open problem in the ROM. In turn, this implies that the PRF-ODH assumption used to prove the security of TLS 1.3 is not necessary and can be replaced by the CDH assumption in the ROM. We also highlight and briefly discuss several use cases of IND-1CCA KEMs in protocols and ratcheting primitives. K0 ← H(σ * ); h * ← H (σ * , ct * 0 ) K1 ←$ K ct * ← (ct * 0 , h * )

show abstract

“…Finally, following the KEMTLS paper [29], several recent works used the notion of IND-1CCA KEM to build secure protocols (e.g. [19,31,6]), showing the growing importance of such a notion.…”

Section: Related Workmentioning

confidence: 99%

Section: Kemtlsmentioning

confidence: 99%

On IND-qCCA Security in the ROM and Its Applications

Huguenin-Dumittan

Vaudenay

2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…4 Furthermore, a key-derivation function (KDF), which is used to derive a stage key, is modeled as a random oracle. 5 Basically, the ART protocol described in [7] is a tree Diffie-Hellman (DH) key agreement. Each user is assigned to a leaf node, and a secret key of a parent node is defined as the DH key of the children nodes.…”

Section: Cohn-gordon Et Al Sgm Protocol (Art)mentioning

confidence: 99%

“…The Signal protocol consists of two subprotocols, X3DH (Extended Triple Diffie-Hellman) and double ratcheting, and Hashimoto et al [3] and Alwen et al [4] proposed a generic construction, respectively. Analyzing the Signal protocol is still an ongoing research area, e.g., [5,6]. In addition to two-party messaging, secure group messaging (SGM) protocols also have been proposed [7][8][9][10][11][12][13][14].…”

Section: Introduction 1backgroundmentioning

confidence: 99%

See 1 more Smart Citation

Providing Membership Privacy to the Asynchronous Ratcheting Trees Protocol without losing Scalability

Emura¹,

Kajita²,

Nojima³

et al. 2022

JOWUA

View full text Add to dashboard Cite

A secure messaging protocol, such as the Signal protocol, provides end-to-end encrypted asynchronous communication. This paper focuses on a secure group messaging (SGM) protocol, and proposes a method capable of hiding membership information from the viewpoint of non group members, which we call “membership privacy”. In this work, we add membership privacy to the Asynchronous Ratcheting Trees (ART) protocol (proposed by Cohn-Gordon et al., (ACM CCS 2018)). For hiding membership-related values in the setup phase, we employ a key-private and robust publickey encryption (Abdalla et al., TCC2010/JoC2018). Moreover, we introduce a group common key to encrypt membership information in the key update phase. Our modification achieves asymptotically the same efficiency of the ART protocol in the setup phase. Any additional cost for key update does not depend on the number of group members. Therefore, the proposed protocol can add membership privacy to the ART protocol with a quite small overhead. Specifically, one encryption and decryption of a symmetric-key encryption scheme and one execution of a key-derivation function for each key update are employed. Finally, we discuss how to extend our protocol to provide sender-specific authentication, dynamic groups, group-size hiding, and how to adopt our technique to the Messaging Layer Security (MLS) protocol. We note that, although Chase et al. (ACM CCS 2020) have considered the same notion, their proposal is an extension of Signal so called “Pairwise Signal” where a group message is repeatedly sent over individual Signal channels. Thus their protocol is not scalable.

show abstract