Optimal Channel Security Against Fine-Grained State Compromise: The Safety of Messaging

  • Joseph Jaeger
  • Igors Stepanovs
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10991)

Abstract

We aim to understand the best possible security of a (bidirectional) cryptographic channel against an adversary that may arbitrarily and repeatedly learn the secret state of either communicating party. We give a formal security definition and a proven-secure construction. This construction provides better security against state compromise than the Signal Double Ratchet Algorithm or any other known channel construction. To facilitate this we define and construct new forms of public-key encryption and digital signatures that update their keys over time.

Acknowledgments

We thank Mihir Bellare for extensive discussion on preliminary versions of this paper. We thank the CRYPTO 2018 reviewers for their comments. Jaeger and Stepanovs were supported in part by NSF grants CNS-1717640 and CNS-1526801.

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Department of Computer Science and Engineering, University of California San Diego, La Jolla, USA