Keep the Dirt: Tainted TreeKEM, Adaptively and Actively Secure Continuous Group Key Agreement

While messaging systems with strong security guarantees are widely used in practice, designing a protocol that scales efficiently to large groups while enjoying similar security guarantees remains largely open. The two existing proposals to date are ART (Cohn-Gordon et al., CCS18) and TreeKEM (IETF, The Messaging Layer Security Protocol, draft). TreeKEM is the candidate currently considered by the IETF MLS working group, but dynamic group operations (i.e. adding and removing users) can cause efficiency issues. In this paper we formalize and analyze a variant of TreeKEM which we term Tainted TreeKEM (TTKEM for short). The basic idea underlying TTKEM was suggested by Millican (MLS mailing list, February 2018). This version is more efficient than TreeKEM for some natural distributions of group operations; we quantify this through simulations. Our second contribution is two security proofs for TTKEM which establish post-compromise security and forward secrecy even against adaptive attackers. The security loss (relative to the underlying PKE) is a polynomial factor in the Random Oracle Model and a quasipolynomial factor in the Standard Model. Our proofs can be adapted to TreeKEM as well. Before our work, no security proof for any TreeKEM-like protocol establishing tight security against an adversary who can adaptively choose the sequence of operations was known. We are also the first to prove (or even formalize) active security, where the server can arbitrarily deviate from the protocol specification. Proving fully active security, where the users can also arbitrarily deviate, remains open.