On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees

In the past few years secure messaging has become mainstream, with over a billion active users of end-to-end encryption protocols such as Signal. The Signal Protocol provides a strong property called post-compromise security to its users. However, it turns out that many of its implementations provide, without notification, a weaker property for group messaging: an adversary who compromises a single group member can read and inject messages indefinitely. We show for the first time that post-compromise security can be achieved in realistic, asynchronous group messaging systems. We present a design called Asynchronous Ratcheting Trees (ART), which uses tree-based Diffie-Hellman key exchange to allow a group of users to derive a shared symmetric key even if no two are ever online at the same time. ART scales to groups containing thousands of members, while still providing provable security guarantees. It has seen significant interest from industry, and forms the basis for two draft IETF RFCs and a chartered working group. Our results show that strong security guarantees for group messaging are practically achievable in a modern setting.

[1]  Cas J. F. Cremers,et al.  Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal , 2012, ESORICS.

[2]  Douglas Stebila,et al.  A Formal Security Analysis of the Signal Messaging Protocol , 2017, Journal of Cryptology.

[3]  Mark Zhandry,et al.  Encryptor Combiners: A Unified Approach to Multiparty NIKE, (H)IBE, and Broadcast Encryption , 2017, IACR Cryptol. ePrint Arch..

[4]  David Pointcheval,et al.  Flexible Group Key Exchange with On-demand Computation of Subgroup Keys , 2010, AFRICACRYPT.

[5]  Eric J. Harder,et al.  Key Management for Multicast: Issues and Architectures , 1999, RFC.

[6]  Gene Tsudik,et al.  Key Agreement in Dynamic Peer Groups , 2000, IEEE Trans. Parallel Distributed Syst..

[7]  Marc Fischlin,et al.  PRF-ODH: Relations, Instantiations, and Impossibility Results , 2017, CRYPTO.

[8]  Oded Goldreich,et al.  On the Foundations of Modern Cryptography , 1997, CRYPTO.

[9]  Marc Fischlin,et al.  Multi-Stage Key Exchange and the Case of Google's QUIC Protocol , 2014, CCS.

[10]  Dawn Xiaodong Song,et al.  ELK, a new protocol for efficient large-group key distribution , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[11]  Antoine Joux,et al.  A One Round Protocol for Tripartite Diffie–Hellman , 2000, Journal of Cryptology.

[12]  Tanja Lange,et al.  Scalable Authenticated Tree Based Group Key Exchange for Ad-Hoc Groups , 2006, Financial Cryptography.

[13]  Gene Tsudik,et al.  Simple and fault-tolerant key agreement for dynamic collaborative groups , 2000, CCS.

[14]  Nikita Borisov,et al.  Off-the-record communication, or, why not to use PGP , 2004, WPES '04.

[15]  Wen-Guey Tzeng,et al.  Group key management with efficient rekey mechanism: A Semi-Stateful approach for out-of-Synchronized members , 2017, Comput. Commun..

[16]  Adrian Perrig,et al.  Ho-Po Key: Leveraging Physical Constraints on Human Motion to Authentically Exchange Information in a Group (CMU-CyLab-11-004) , 2010 .

[17]  Marc Fischlin,et al.  Composability of bellare-rogaway key exchange protocols , 2011, CCS '11.

[18]  Cas J. F. Cremers,et al.  On Post-compromise Security , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[19]  Jörg Schwenk,et al.  More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema , 2018, 2018 IEEE European Symposium on Security and Privacy (EuroS&P).

[20]  Gene Tsudik,et al.  Tree-based group key agreement , 2004, TSEC.

[21]  Mohamed G. Gouda,et al.  Secure group communications using key graphs , 1998, SIGCOMM '98.

[22]  Ian Goldberg,et al.  Multi-party off-the-record messaging , 2009, CCS.

[23]  Kwangjo Kim,et al.  An Efficient Tree-Based Group Key Agreement Using Bilinear Map , 2003, ACNS.

[24]  M. Slee,et al.  Thrift : Scalable Cross-Language Services Implementation , 2022 .

[25]  Adrian Perrig,et al.  SafeSlinger: easy-to-use and secure public-key exchange , 2013, MobiCom.

[26]  Zheng Yang,et al.  A new strong security model for stateful authenticated group key exchange , 2017, International Journal of Information Security.

[27]  Ivan Damgård,et al.  A "proof-reading" of Some Issues in Cryptography , 2007, ICALP.

[28]  Adrian Perrig,et al.  Efficient Collaborative Key Management Protocols for Secure Autonomous Group Communication , 1999 .

[29]  Christian Cachin,et al.  Asynchronous group key exchange with failures , 2004, PODC '04.

[30]  David A. Basin,et al.  Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[31]  Emmanuel Bresson,et al.  Fully Robust Tree-Diffie-Hellman Group Key Exchange , 2009, CANS.

[32]  Kristin E. Lauter,et al.  Stronger Security of Authenticated Key Exchange , 2006, ProvSec.

[33]  Dan Boneh,et al.  Applications of Multilinear Forms to Cryptography , 2002, IACR Cryptol. ePrint Arch..

[34]  Victor Shoup,et al.  Sequences of games: a tool for taming complexity in security proofs , 2004, IACR Cryptol. ePrint Arch..

[35]  Karthikeyan Bhargavan,et al.  Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[36]  Emmanuel Bresson,et al.  Provably authenticated group Diffie-Hellman key exchange , 2001, CCS '01.

[37]  Gene Tsudik,et al.  Communication-Efficient Group Key Agreement , 2001, SEC.

[38]  Whitfield Diffie,et al.  A Secure Audio Teleconference System , 1988, CRYPTO.

[39]  Tibor Jager,et al.  Tightly-Secure Authenticated Key Exchange , 2015, IACR Cryptol. ePrint Arch..

[40]  Mark Zhandry,et al.  Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation , 2014, Algorithmica.

[41]  Daniel J. Bernstein,et al.  Curve25519: New Diffie-Hellman Speed Records , 2006, Public Key Cryptography.

[42]  Matthew Green,et al.  Forward Secure Asynchronous Messaging from Puncturable Encryption , 2015, 2015 IEEE Symposium on Security and Privacy.