In recent years, some of the most popular online chat services such as iMessage and WhatsApp have deployed end-to-end encryption to mitigate some of the privacy risks to the transmitted messages. But facilitating end-to-end encryption requires a Public Key Infrastructure (PKI), so these services still require the service provider to maintain a centralized directory of public keys. A downside of this design is that it places a lot of trust in the service provider: a malicious or compromised service provider can still intercept and read users' communication simply by replacing a user's public key with one for which it knows the corresponding secret. A recent work by Melara et al. builds a system called CONIKS, in which the service provider is required to prove that it is returning a consistent key for each user. This allows each user to monitor his own key and reduces some of the risks of placing a lot of trust in the service provider. New systems [EthIKS, Catena] are already being built on CONIKS. While these systems are extremely relevant in practice, their security and privacy guarantees are still based on ad-hoc analysis rather than on a rigorous foundation. In addition, without a modular treatment, improving the efficiency of these systems is challenging. In this work, we formalize the security and privacy requirements of a verifiable key service for end-to-end communication in terms of a primitive we call Verifiable Key Directories (VKD). Our abstraction captures the functionality of all three existing systems: CONIKS, EthIKS and Catena. We quantify the leakage from these systems, which gives a better understanding of their privacy in concrete terms. Finally, we give a VKD construction (with a concrete efficiency analysis) which improves significantly on the existing ones in terms of both privacy and efficiency. Our design is built modularly from another primitive that we define, append-only zero-knowledge sets (aZKS), and from append-only strong accumulators.
By providing modular constructions, we allow for the independent study of each of these building blocks: an improvement in any of them would directly result in an improved VKD construction. Our definition of aZKS generalizes the definition of zero-knowledge sets to support updates, which is a secondary contribution of this work and may be of independent interest.
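The abstract's core mechanism, a directory that must prove it serves a consistent key for each user so that users can monitor their own entries, is illustrated below with a toy Merkle-tree key directory. This is an added example, not code from the paper or from CONIKS; it covers only the lookup-proof and self-monitoring step, not the append-only or zero-knowledge properties of the VKD construction, and the user names and key bytes are constructed for the demonstration.

```python
import hashlib

def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def _next_layer(layer):
    if len(layer) % 2:  # duplicate the last node on odd-sized layers
        layer = layer + [layer[-1]]
    return [_h(b"node", layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]

class KeyDirectory:
    """Toy directory (constructed for this example): a Merkle tree over the sorted
    (username, public key) entries. The root is the digest the server publishes."""
    def __init__(self):
        self.entries = {}

    def register(self, user, pubkey):
        self.entries[user] = pubkey

    def _leaves(self):
        return [_h(b"leaf", u.encode(), k) for u, k in sorted(self.entries.items())]

    def root(self):
        layer = self._leaves()
        while len(layer) > 1:
            layer = _next_layer(layer)
        return layer[0]

    def lookup(self, user):
        """Return (pubkey, proof); proof is a list of (sibling_hash, sibling_is_left)."""
        idx, layer, proof = sorted(self.entries).index(user), self._leaves(), []
        while len(layer) > 1:
            if len(layer) % 2:
                layer = layer + [layer[-1]]
            proof.append((layer[idx ^ 1], idx % 2 == 1))
            layer, idx = _next_layer(layer), idx // 2
        return self.entries[user], proof

def verify_lookup(root, user, pubkey, proof):
    """Client-side check that (user, pubkey) is a leaf under the published root."""
    node = _h(b"leaf", user.encode(), pubkey)
    for sibling, sibling_is_left in proof:
        node = _h(b"node", sibling, node) if sibling_is_left else _h(b"node", node, sibling)
    return node == root

def monitor_own_key(published_root, me, my_pubkey, directory):
    """Per-epoch self-check: the key served for me, under the digest everyone sees,
    must be the key I registered. False means substitution or equivocation."""
    served_key, proof = directory.lookup(me)
    return served_key == my_pubkey and verify_lookup(published_root, me, served_key, proof)
```

A key swapped in by the provider verifies only against a digest that differs from the published one, so the substitution is caught either by the owner's monitoring check or by clients comparing the digests they were shown.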
[1] Jan Camenisch, et al. Accumulators with Applications to Anonymity-Preserving Revocation. 2017 IEEE European Symposium on Security and Privacy (EuroS&P), 2017.
[2] Tal Malkin, et al. Mercurial Commitments with Applications to Zero-Knowledge Sets. Journal of Cryptology, 2005.
[3] Dan S. Wallach, et al. Efficient Data Structures for Tamper-Evident Logging. USENIX Security Symposium, 2009.
[4] Melissa Chase, et al. Simulatable VRFs with Applications to Multi-theorem NIZK. CRYPTO, 2007.
[5] Silvio Micali, et al. Zero-Knowledge Sets. 44th Annual IEEE Symposium on Foundations of Computer Science (FOCS), 2003.
[6] Michael J. Freedman, et al. CONIKS: Bringing Key Transparency to End Users. USENIX Security Symposium, 2015.
[7] Hovav Shacham, et al. Aggregate and Verifiably Encrypted Signatures from Bilinear Maps. EUROCRYPT, 2003.
[8] Moses D. Liskov. Updatable Zero-Knowledge Databases. ASIACRYPT, 2005.
[9] Srinivas Devadas, et al. Catena: Efficient Non-equivocation via Bitcoin. 2017 IEEE Symposium on Security and Privacy (SP), 2017.
[10] Marcos A. Kiwi, et al. Strong Accumulators from Collision-Resistant Hashing. International Journal of Information Security, 2008.
[11] Ian Goldberg, et al. Constant-Size Commitments to Polynomials and Their Applications. ASIACRYPT, 2010.
[12] Alina Oprea, et al. Authentic Time-Stamps for Archival Storage. ESORICS, 2009.
[13] Dan Boneh, et al. Certificate Transparency with Privacy. Proceedings on Privacy Enhancing Technologies, 2017.
[14] Joseph Bonneau, et al. EthIKS: Using Ethereum to Audit a CONIKS Key Transparency Log. Financial Cryptography Workshops, 2016.
[15] Donald E. Knuth, et al. The Art of Computer Programming: Sorting and Searching (Volume 3). 1973.