Out-of-Band Authentication in Group Messaging: Computational, Statistical, Optimal

  • Lior RotemEmail author
  • Gil Segev
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10991)


Extensive efforts are currently put into securing messaging platforms, where a key challenge is that of protecting against man-in-the-middle attacks when setting up secure end-to-end channels. The vast majority of these efforts, however, have so far focused on securing user-to-user messaging, and recent attacks indicate that the security of group messaging is still quite fragile.

We initiate the study of out-of-band authentication in the group setting, extending the user-to-user setting where messaging platforms (e.g., Telegram and WhatsApp) protect against man-in-the-middle attacks by assuming that users have access to an external channel for authenticating one short value (e.g., two users who recognize each other’s voice can compare a short value). Inspired by the frameworks of Vaudenay (CRYPTO ’05) and Naor et al. (CRYPTO ’06) in the user-to-user setting, we assume that users communicate over a completely-insecure channel, and that a group administrator can out-of-band authenticate one short message to all users. An adversary may read, remove, or delay this message (for all or for some of the users), but cannot undetectably modify it.

Within our framework we establish tight bounds on the tradeoff between the adversary’s success probability and the length of the out-of-band authenticated message (which is a crucial bottleneck given that the out-of-band channel is of low bandwidth). We consider both computationally-secure and statistically-secure protocols, and for each flavor of security we construct an authentication protocol and prove a lower bound showing that our protocol achieves essentially the best possible tradeoff.

In particular, considering groups that consist of an administrator and k additional users, for statistically-secure protocols we show that at least \((k+1)\cdot (\log (1/\epsilon ) - \varTheta (1))\) bits must be out-of-band authenticated, whereas for computationally-secure ones \(\log (1/\epsilon ) + \log k\) bits suffice, where \(\epsilon \) is the adversary’s success probability. Moreover, instantiating our computationally-secure protocol in the random-oracle model yields an efficient and practically-relevant protocol (which, alternatively, can also be based on any one-way function in the standard model).


  1. [BM94]
    Bellovin, S.M., Merritt, M.: An attack on the Interlock protocol when used for authentication. IEEE Trans. Inf. Theory 40(1), 273–275 (1994)CrossRefGoogle Scholar
  2. [BR93]
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73 (1993)Google Scholar
  3. [BSJ+17]
    Bellare, M., Singh, A.C., Jaeger, J., Nyayapati, M., Stepanovs, I.: Ratcheted encryption and key exchange: the security of messaging. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 619–650. Springer, Cham (2017). Scholar
  4. [CCD+17]
    Cohn-Gordon, K., Cremers, C.J.F., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the Signal messaging protocol. In: Proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P), pp. 451–466 (2017)Google Scholar
  5. [CF01]
    Canetti, R., Fischlin, M.: Universally composable commitments. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 19–40. Springer, Heidelberg (2001). Scholar
  6. [CGCG+17]
    Cohn-Gordon, K., Cremers, C., Garratt, L., Millican, J., Milner, K.: On ends-to-ends encryption: Asynchronous group messaging with strong security guarantees. Cryptology ePrint Archive, Report 2017/666 (2017)Google Scholar
  7. [CIO98]
    Crescenzo, G.D., Ishai, Y., Ostrovsky, R.: Non-interactive and non-malleable commitment. In: Proceedings of the 30th Annual ACM Symposium on Theory of Computing, pp. 141–150 (1998)Google Scholar
  8. [CKO+01]
    Di Crescenzo, G., Katz, J., Ostrovsky, R., Smith, A.: Efficient and non-interactive non-malleable commitment. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 40–59. Springer, Heidelberg (2001). Scholar
  9. [COS+17]
    Ciampi, M., Ostrovsky, R., Siniscalchi, L., Visconti, I.: Four-round concurrent non-malleable commitments from one-way functions. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 127–157. Springer, Cham (2017). Scholar
  10. [DDN00]
    Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)MathSciNetCrossRefGoogle Scholar
  11. [DG03]
    Damgard, I., Groth, J.: Non-interactive and reusable non-malleable commitment schemes. In: Proceedings of the 35th Annual ACM Symposium on Theory of Computing, pp. 426–437 (2003)Google Scholar
  12. [Ell96]
    Ellison, C.M.: Establishing identity without certification authorities. In: Proceedings of the 6th USENIX Security Symposium, p. 7 (1996)Google Scholar
  13. [FF00]
    Fischlin, M., Fischlin, R.: Efficient non-malleable commitment schemes. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 413–431. Springer, Heidelberg (2000). Scholar
  14. [FMB+16]
    Frosch, T., Mainka, C., Bader, C., Bergsma, F., Schwenk, J., Holz, T.: How secure is TextSecure? In: Proceedings of the 1st IEEE European Symposium on Security and Privacy (EuroS&P), pp. 457–472 (2016)Google Scholar
  15. [Gol01]
    Goldreich, O.: Foundations of Cryptography – Volume 1: Basic Techniques. Cambridge University Press, Cambridge (2001)CrossRefGoogle Scholar
  16. [Goy11]
    Goyal, V.: Constant round non-malleable protocols using one way functions. In: Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pp. 695–704 (2011)Google Scholar
  17. [Gre18a]
    Green, M.: Attack of the week: Group messaging in WhatsApp and Signal. A Few Thoughts on Cryptographic Engineering (2018).
  18. [Gre18b]
    Greenberg, A.: WhatsApp security flaws could allow snoops to slide into group chats. Wired Mag. (2018).
  19. [KBB17]
    Kobeissi, N., Bhargavan, K., Blanchet, B.: Automated verification for secure messaging protocols and their implementations: a symbolic and computational approach. In: Proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P), pp. 435–450 (2017)Google Scholar
  20. [LP11]
    Lin, H., Pass, R.: Constant-round non-malleable commitments from any one-way function. In: Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pp. 705–714 (2011)Google Scholar
  21. [LPV08]
    Lin, H., Pass, R., Venkitasubramaniam, M.: Concurrent non-malleable commitments from any one-way function. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 571–588. Springer, Heidelberg (2008). Scholar
  22. [NSS06]
    Naor, M., Segev, G., Smith, A.: Tight bounds for unconditional authentication protocols in the manual channel and shared key models. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 214–231. Springer, Heidelberg (2006). Scholar
  23. [NSS08]
    Naor, M., Segev, G., Smith, A.D.: Tight bounds for unconditional authentication protocols in the manual channel and shared key models. IEEE Trans. Inf. Theory 54(6), 2408–2425 (2008)MathSciNetCrossRefGoogle Scholar
  24. [PM16]
    Perrin, T., Marlinspike, M.: The double ratchet algorithm (2016). Accessed 16 May 2018
  25. [PR05]
    Pass, R., Rosen, A.: Concurrent non-malleable commitments. In: Proceedings of the 46th Annual IEEE Symposium on Foundations of Computer Science, pp. 563–572 (2005)Google Scholar
  26. [PR08]
    Pass, R., Rosen, A.: New and improved constructions of nonmalleable cryptographic protocols. SIAM J. Comput. 38(2), 702–752 (2008)MathSciNetCrossRefGoogle Scholar
  27. [PV06]
    Pasini, S., Vaudenay, S.: An optimal non-interactive message authentication protocol. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 280–294. Springer, Heidelberg (2006). Scholar
  28. [RMS18]
    Rösler, P., Mainka, C., Schwenk, J.: More is less: on the end-to-end security of group chats in Signal, WhatsApp, and Threema. In: Proceedings of the 3rd IEEE European Symposium on Security and Privacy (EuroS&P) (2018)Google Scholar
  29. [RS84]
    Rivest, R.L., Shamir, A.: How to expose an eavesdropper. Commun. ACM 27(4), 393–395 (1984)CrossRefGoogle Scholar
  30. [RS18]
    Rotem, L., Segev, G.: Out-of-band authentication in group messaging: computational, statistical, optimal. Cryptology ePrint Archive, Report 2018/493 (2018)Google Scholar
  31. [Tela]
    Telegram. End-to-end encrypted voice calls - key verification. Accessed 16 May 2018
  32. [Telb]
    Telegram. End-to-end encryption. Accessed 16 May 2018
  33. [Vau05]
    Vaudenay, S.: Secure communications over insecure channels based on short authenticated strings. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 309–326. Springer, Heidelberg (2005). Scholar
  34. [Vib]
    Viber encryption overview. Accessed 16 May 2018
  35. [Wha]
    WhatsApp encryption overview. Accessed 16 May 2018
  36. [Wik]
    Wikipedia. Instant messaging. Accessed 16 May 2018

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. 1.School of Computer Science and EngineeringHebrew University of JerusalemJerusalemIsrael

Personalised recommendations