Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.
Wählen Sie Textabschnitte aus um mit Künstlicher Intelligenz passenden Patente zu finden.
powered by
Markieren Sie Textabschnitte, um KI-gestützt weitere passende Inhalte zu finden.
powered by
Abstract
In the era of mass surveillance and information breaches, privacy of Internet communication, and messaging in particular, is a growing concern. As secure messaging protocols are executed on the not-so-secure end-user devices, and because their sessions are long-lived, they aim to guarantee strong security even if secret states and local randomness can be exposed.
The most basic security properties, including forward secrecy, can be achieved using standard techniques such as authenticated encryption. Modern protocols, such as Signal, go one step further and additionally provide the so-called backward secrecy, or healing from state exposures. These additional guarantees come at the price of a moderate efficiency loss (they require public-key primitives).
On the opposite side of the security spectrum are the works by Jaeger and Stepanovs and by Poettering and Rösler, which characterize the optimal security a secure-messaging scheme can achieve. However, their proof-of-concept constructions suffer from an extreme efficiency loss compared to Signal. Moreover, this caveat seems inherent.
This paper explores the area in between: our starting point are the basic, efficient constructions, and then we ask how far we can go towards the optimal security without losing too much efficiency. We present a construction with guarantees much stronger than those achieved by Signal, and slightly weaker than optimal, yet its efficiency is closer to that of Signal (only standard public-key cryptography is used).
On a technical level, achieving optimal guarantees inherently requires key-updating public-key primitives, where the update information is allowed to be public. We consider secret update information instead. Since a state exposure temporally breaks confidentiality, we carefully design such secretly-updatable primitives whose security degrades gracefully if the supposedly secret update information leaks.
Anzeige
Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.
Looking ahead, it turns out that in order to prove the security of this construction, we need circular-secure encryption. We achieve this in the random oracle model.
We can assume that Alice sends this value confidentially. It makes no sense to consider Bob’s state being exposed, as this would mean that both parties are exposed at the same time, in which case, clearly, we cannot guarantee any security.
The adversary knows which states are exposed, and hence can check himself before submitting a forgery attempt, whether this will make him lose the game.
In fact, the counter is not necessary to prove security of the construction, since every message is signed with a different key. However, we find it cleaner to include it.
For example, in our construction the public part of the update is a fresh verification key, and the secret part is the corresponding signing key. This would not satisfy the requirements of [11], since there is no way to update the signing key using only the fresh verification key.
Roughly, the additional data is needed to provide post-hijack security of the final construction: changing the additional data means that the adversary decided to hijack the channel, hence, the decryption key should be updated.