Modular Design of Secure Group Messaging Protocols and the Security of MLS

The Messaging Layer Security (MLS) project is an IETF effort aiming to establish an industry-wide standard for secure group messaging (SGM). Its development is supported by several major secure-messaging providers (with a combined user base in the billions) and a growing body of academic research. MLS has evolved over many iterations to become a complex, non-trivial, yet relatively ad-hoc cryptographic protocol. In an effort to tame its complexity and build confidence in its security, past analyses of MLS have restricted themselves to sub-protocols of MLS, most prominently a type of sub-protocol embodying so-called continuous group key agreement (CGKA). However, to date the task of proving or even defining the security of the full MLS protocol has been left open. In this work, we fill in this missing piece. First, we formally capture the security of SGM protocols by defining a corresponding security game, which is parametrized by a safety predicate that characterizes the exact level of security achieved by a construction. Then, we cast MLS as an SGM protocol, showing how to modularly build it from the following three main components (and some additional standard cryptographic primitives) in a black-box fashion: (a) CGKA, (b) forward-secure group AEAD (FS-GAEAD), which is a new primitive and roughly corresponds to an "epoch" of group messaging, and (c) a so-called PRF-PRNG, which is a two-input hash function that is a pseudorandom function (resp. generator with input) in its first (resp. second) input. Crucially, the security predicate for the SGM security of MLS can be expressed purely as a function of the security predicates of the underlying primitives, which allows one to swap out any of the components and immediately obtain a security statement for the resulting SGM construction.
Furthermore, we provide instantiations of all component primitives, in particular of CGKA with MLS's TreeKEM sub-protocol (which we prove adaptively secure) and of FS-GAEAD with a novel construction (which has already been adopted by MLS). Along the way we introduce a collection of new techniques, primitives, and results with applications to other SGM protocols and beyond. For example, we extend the Generalized Selective Decryption proof technique (which is central in the CGKA literature) and prove adaptive security for another (practical) more secure CGKA protocol called RTreeKEM (Alwen et al., CRYPTO '20). The modularity of our approach immediately yields a corollary characterizing the security of an SGM construction using RTreeKEM.
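The composition sketched in the abstract, as an added example that is not from the paper: a PRF-PRNG stand-in turns a constructed CGKA epoch secret into the next state and an epoch key, and a per-sender hash ratchet over that epoch key plays the role of the forward-secure group AEAD, deleting each message key once it is used so that a later state compromise cannot recover earlier messages. HMAC-SHA256 as the PRF-PRNG and the encrypt-then-MAC "AEAD" are assumptions made for a self-contained demo, not MLS's actual ciphersuite choices.

```python
import hmac, hashlib

def _kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()
def prf_prng(state: bytes, cgka_secret: bytes) -> tuple[bytes, bytes]:
    # Two-input hash: PRF in `state`, PRNG-with-input in `cgka_secret` (HMAC-SHA256 is an assumption).
    out = _kdf(state, cgka_secret)
    return _kdf(out, b"next-state"), _kdf(out, b"epoch-key")
def _xor_stream(key: bytes, data: bytes) -> bytes:
    ks = b"".join(_kdf(key, b"ks" + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def seal(mk: bytes, ad: bytes, pt: bytes) -> bytes:
    # Stand-in AEAD (assumption): encrypt-then-MAC with enc/mac keys derived from the message key.
    ct = _xor_stream(_kdf(mk, b"enc"), pt)
    return ct + _kdf(_kdf(mk, b"mac"), ad + ct)
def open_(mk: bytes, ad: bytes, sealed: bytes) -> bytes:
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, _kdf(_kdf(mk, b"mac"), ad + ct)):
        raise ValueError("authentication failed")
    return _xor_stream(_kdf(mk, b"enc"), ct)

class FsGaeadSender:
    def __init__(self, epoch_key: bytes, sender: bytes):
        self.chain, self.n = _kdf(epoch_key, b"sender:" + sender), 0
    def send(self, ad: bytes, pt: bytes) -> tuple[int, bytes]:
        mk, self.chain = _kdf(self.chain, b"msg"), _kdf(self.chain, b"chain")  # old chain is gone
        self.n += 1
        return self.n - 1, seal(mk, ad + (self.n - 1).to_bytes(4, "big"), pt)

class FsGaeadReceiver:
    def __init__(self, epoch_key: bytes, sender: bytes):
        self.chain, self.n, self.pending = _kdf(epoch_key, b"sender:" + sender), 0, {}
    def recv(self, idx: int, ad: bytes, sealed: bytes) -> bytes:
        while self.n <= idx:  # ratchet forward, caching keys of messages not yet delivered
            self.pending[self.n], self.chain = _kdf(self.chain, b"msg"), _kdf(self.chain, b"chain")
            self.n += 1
        mk = self.pending.pop(idx)  # KeyError: the key was already used and deleted
        return open_(mk, ad + idx.to_bytes(4, "big"), sealed)

def demo() -> tuple[bytes, bytes, bool]:
    _state, epoch_key = prf_prng(b"\x00" * 32, b"constructed CGKA epoch secret")
    tx, rx = FsGaeadSender(epoch_key, b"alice"), FsGaeadReceiver(epoch_key, b"alice")
    (i0, c0), (i1, c1) = tx.send(b"hdr", b"first"), tx.send(b"hdr", b"second")
    second = rx.recv(i1, b"hdr", c1)  # out of order: key 0 is cached, key 1 is consumed
    first = rx.recv(i0, b"hdr", c0)
    try: rx.recv(i0, b"hdr", c0); replay_rejected = False
    except KeyError: replay_rejected = True  # key 0 no longer exists at the receiver
    return first, second, replay_rejected
```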

[1] Cas J. F. Cremers et al. On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees. IACR Cryptol. ePrint Arch., 2018.
[2] Yevgeniy Dodis et al. Public Key Broadcast Encryption for Stateless Receivers. Digital Rights Management Workshop, 2002.
[3] Richard Barnes et al. The Messaging Layer Security (MLS) Protocol. 2019.
[4] Moni Naor et al. Multicast security: a taxonomy and some efficient constructions. IEEE INFOCOM '99, 1999.
[5] Douglas Stebila et al. A Formal Security Analysis of the Signal Messaging Protocol. Journal of Cryptology, 2017.
[6] Gene Tsudik et al. Group key agreement efficient in communication. IEEE Transactions on Computers, 2004.
[7] Saurabh Panjwani et al. Tackling Adaptive Corruptions in Multicast Encryption Protocols. TCC, 2007.
[8] Hugo Krawczyk et al. Cryptographic Extraction and Key Derivation: The HKDF Scheme. IACR Cryptol. ePrint Arch., 2010.
[9] Eric J. Harder et al. Key Management for Multicast: Issues and Architectures. RFC, 1999.
[10] Michael Walter et al. Keep the Dirt: Tainted TreeKEM, an Efficient and Provably Secure Continuous Group Key Agreement Protocol. IACR Cryptol. ePrint Arch., 2019.
[11] Yevgeniy Dodis et al. On the Price of Concurrency in Group Ratcheting Protocols. IACR Cryptol. ePrint Arch., 2020.
[12] Yevgeniy Dodis et al. Security Analysis and Improvements for the IETF MLS Standard for Group Messaging. IACR Cryptol. ePrint Arch., 2020.
[13] Daniel Jost et al. On The Insider Security of MLS. IACR Cryptol. ePrint Arch., 2020.
[14] Karthikeyan Bhargavan et al. Formal Models and Verified Protocols for Group Messaging: Attacks and Proofs for IETF MLS. 2019.
[15] Whitfield Diffie et al. A Secure Audio Teleconference System. CRYPTO, 1988.
[16] Ueli Maurer et al. Efficient Ratcheting: Almost-Optimal Guarantees for Secure Messaging. IACR Cryptol. ePrint Arch., 2019.
[17] Ilan Komargodski et al. Be Adaptive, Avoid Overcommitting. CRYPTO, 2017.
[18] Mohamed G. Gouda et al. Secure group communications using key graphs. SIGCOMM '98, 1998.
[19] Amos Fiat et al. Broadcast Encryption. CRYPTO, 1993.
[20] Daniel Jost et al. Continuous Group Key Agreement with Active Security. IACR Cryptol. ePrint Arch., 2020.
[21] Mohamed G. Gouda et al. Secure group communications using key graphs. TNET, 2000.
[22] Suvo Mittra et al. Iolus: a framework for scalable secure multicasting. SIGCOMM '97, 1997.
[23] Britta Hale et al. Revisiting Post-Compromise Security Guarantees in Group Messaging. IACR Cryptol. ePrint Arch., 2019.
[24] Konrad Kohbrok et al. Cryptographic Security of the MLS RFC, Draft 11. IACR Cryptol. ePrint Arch., 2021.
[25] David Jao et al. Towards Post-Quantum Updatable Public-Key Encryption via Supersingular Isogenies. IACR Cryptol. ePrint Arch., 2020.
[26] Yevgeniy Dodis et al. The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol. IACR Cryptol. ePrint Arch., 2019.