Efficient Post-Compromise Security Beyond One Group

Modern secure messaging protocols such as Signal [1] can offer strong security guarantees, in particular Post-Compromise Security (PCS) [2]. The core PCS mechanism in these protocols is designed for pairwise communication, making it inefficient for large groups. To address this, recently proposed designs for secure group messaging, ART [3] and IETF’s MLS Draft-07 [4]/TreeKEM [5], derive group keys from tree structures to achieve PCS efficiently in large groups. In this work we explore the healing behaviors of the pairwise and group-key based approaches. We show that both approaches have inherent limitations on what they can heal, and that without additional mechanisms, both ART and TreeKEM/MLS Draft-07 offer significantly weaker PCS guarantees than groups built on pairwise PCS channels: for example, we show that if new users can be created dynamically, ART, TreeKEM, and MLS Draft-07 never fully heal authentication. The core underlying problem is that the scope of healing in ART and MLS is limited to a single group. We lay out the design space of this complex healing problem to identify mechanisms that narrow the gap between the pairwise and group-key approaches and provide stronger healing for both. Optimizing security while minimizing overhead leads us to a promising solution based on (i) global updates and (ii) post-compromise secure signatures. We provide a security definition for post-compromise secure signatures and an instantiation. Notably, our solution can also be used to improve the healing properties of pairwise protocols such as Signal towards new users who did not previously receive a message from a compromised user.
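The scope argument in the abstract (a per-group update heals that group's keys but not the sender's identity key, and a user who has never received an honest message from the compromised party has nothing to bind to) can be made concrete with a key-version bookkeeping model. The following is an added illustration, not code from the paper, MLS or ART: it tracks only key *versions* and the adversary's knowledge set, with no real cryptography. The three operations (`group_update`, `global_update`, and the `pcs_signatures` branch in `can_impersonate`) are abstractions chosen for this example: a group update rotates one leaf key in one group, a global update rotates the identity key and pushes an update into every group, and a post-compromise secure signature is modeled as a static verification key whose secret state evolves so that only the current state can sign. The user names, group names and the scenario are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class World:
    """Key-version model of healing scope (assumed abstraction, not a real protocol)."""
    idk: dict = field(default_factory=dict)      # user -> identity (signing) key version
    leaf: dict = field(default_factory=dict)     # (group, user) -> per-group leaf-key version
    members: dict = field(default_factory=dict)  # group -> set of users
    bound: dict = field(default_factory=dict)    # (verifier, signer) -> signer key version last seen honestly
    known: set = field(default_factory=set)      # adversary knowledge: ("id", u, v) or ("leaf", g, u, v)

    def add_user(self, u):
        self.idk[u] = 0

    def create_group(self, g, users):
        self.members[g] = set(users)
        for u in users:
            self.leaf[(g, u)] = 0
        # Group creation carries a signed message from each member, so honest members
        # bind to each other's current identity key version.
        for u in users:
            for v in users:
                if u != v:
                    self.bound[(v, u)] = self.idk[u]

    def compromise(self, u):
        """Adversary learns all of u's current secrets: identity key and every leaf key."""
        self.known.add(("id", u, self.idk[u]))
        for (g, m), ver in self.leaf.items():
            if m == u:
                self.known.add(("leaf", g, u, ver))

    def group_update(self, g, u):
        """Tree-based update (ART/TreeKEM style): scoped to one group, identity key untouched."""
        self.leaf[(g, u)] += 1
        for v in self.members[g] - {u}:
            self.bound[(v, u)] = self.idk[u]   # co-members see a message signed under the current key

    def global_update(self, u):
        """Rotate the identity key and push a fresh update into every group u belongs to."""
        self.idk[u] += 1
        for g, users in self.members.items():
            if u in users:
                self.group_update(g, u)

    # --- adversary capabilities ---
    def can_read(self, g):
        """Confidentiality of g is broken iff the adversary knows some member's current leaf key."""
        return any(("leaf", g, m, self.leaf[(g, m)]) in self.known for m in self.members[g])

    def can_impersonate(self, u, verifier, pcs_signatures=False):
        """Can the adversary produce a message that `verifier` accepts as coming from u?"""
        if pcs_signatures:
            # Assumed abstraction: static verification key, evolving secret state; only the
            # current state signs, so what the verifier has seen before is irrelevant.
            return ("id", u, self.idk[u]) in self.known
        seen = self.bound.get((verifier, u))
        if seen is None:
            # A verifier with no prior honest contact has no binding: any leaked key version
            # can be presented to it as u's key.
            return any(k[0] == "id" and k[1] == u for k in self.known)
        return ("id", u, seen) in self.known


def run_scenario():
    """Constructed scenario: alice is in two groups, is compromised, and tries to heal."""
    w = World()
    for u in ("alice", "bob"):
        w.add_user(u)
    w.create_group("g1", ["alice", "bob"])
    w.create_group("g2", ["alice", "bob"])
    w.compromise("alice")
    out = {}
    out["g1_readable_after_compromise"] = w.can_read("g1")
    w.group_update("g1", "alice")
    out["g1_readable_after_g1_update"] = w.can_read("g1")        # per-group confidentiality heals
    out["g2_readable_after_g1_update"] = w.can_read("g2")        # healing did not reach g2
    out["bob_fooled_after_g1_update"] = w.can_impersonate("alice", "bob")  # identity key unchanged
    w.add_user("carol")
    out["carol_fooled_before_contact"] = w.can_impersonate("alice", "carol")  # new user, no binding
    w.global_update("alice")
    out["g2_readable_after_global_update"] = w.can_read("g2")
    out["bob_fooled_after_global_update"] = w.can_impersonate("alice", "bob")
    w.add_user("dave")
    out["dave_fooled_classic_sigs"] = w.can_impersonate("alice", "dave")
    out["dave_fooled_pcs_sigs"] = w.can_impersonate("alice", "dave", pcs_signatures=True)
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The run shows the three separate effects the abstract describes: a group update restores confidentiality in the updated group only, a global update extends healing to every group and to peers who receive it, and a user created after the compromise is only protected once the signature scheme itself, not the verifier's memory of a key, is what rules out the leaked state.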

[1] Richard Barnes, et al. The Messaging Layer Security (MLS) Protocol, 2019.

[2] Jörg Schwenk, et al. More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema, 2018, 2018 IEEE European Symposium on Security and Privacy (EuroS&P).

[3] Douglas Stebila, et al. A Formal Security Analysis of the Signal Messaging Protocol, 2017, Journal of Cryptology.

[4] Cas J. F. Cremers, et al. On Post-compromise Security, 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[5] Cédric Fournet, et al. State Separation for Code-Based Game-Playing Proofs, 2018, ASIACRYPT.

[6] Yevgeniy Dodis, et al. The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol, 2019, IACR Cryptol. ePrint Arch.

[7] Scott Rose, et al. DNS Security Introduction and Requirements, 2005, RFC.

[8] Serge Vaudenay, et al. Bidirectional Asynchronous Ratcheted Key Agreement with Linear Complexity, 2019, IWSEC.

[9] Gene Itkis, et al. Forward-Secure Signatures with Optimal Signing and Verifying, 2001, CRYPTO.

[10] Mihir Bellare, et al. A Forward-Secure Digital Signature Scheme, 1999, CRYPTO.

[11] David Pointcheval, et al. On the Tightness of Forward-Secure Signature Reductions, 2018, Journal of Cryptology.

[12] Tal Malkin, et al. On the performance, feasibility, and use of forward-secure signatures, 2003, CCS '03.

[13] Moti Yung, et al. Forward-secure signatures in untrusted update environments: efficient and generic constructions, 2007, CCS '07.

[14] Cas J. F. Cremers, et al. On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees, 2018, IACR Cryptol. ePrint Arch.

[15] Hovav Shacham, et al. Forward-Secure Signatures with Untrusted Update, 2006, IACR Cryptology ePrint Archive, Report 2006/297.

[16] Tal Malkin, et al. Efficient Generic Forward-Secure Signatures with an Unbounded Number Of Time Periods, 2002, EUROCRYPT.

[17] Ueli Maurer, et al. Efficient Ratcheting: Almost-Optimal Guarantees for Secure Messaging, 2019, IACR Cryptol. ePrint Arch.

[18] Hugo Krawczyk, et al. Simple forward-secure signatures from any signature scheme, 2000, IACR Cryptol. ePrint Arch.