
2021 | OriginalPaper | Chapter

Beyond Security and Efficiency: On-Demand Ratcheting with Security Awareness

Authors : Andrea Caforio, F. Betül Durak, Serge Vaudenay

Published in: Public-Key Cryptography – PKC 2021

Publisher: Springer International Publishing


Abstract

Secure asynchronous two-party communication applies ratcheting to strengthen privacy in the presence of internal state exposures. Security with ratcheting is provided in two forms: forward security and post-compromise security. Several such secure protocols have been proposed in the last few years. However, they come with a high cost.
In this paper, we propose two generic constructions with favorable properties. Concretely, our first construction achieves security awareness. It allows users to detect non-persistent active attacks, to determine which messages are not safe given a potential leakage pattern, and to acknowledge deliveries.
In our second construction, we define a hybrid system formed by combining two protocols: typically, a weakly secure “light” protocol and a strongly secure “heavy” protocol. The design goals of our hybrid construction are, first, to let the sender decide which one to use in order to obtain an efficient protocol with ratcheting on demand; and second, to restore the communication between honest participants in the case of a message loss or an active attack.
We can apply our generic constructions to any existing protocol.

Footnotes
1
More precisely, the security is called “sub-optimal” [7].
 
2
They call this security level “near-optimal” [9].
 
3
Proceedings version.
 
4
In our work, we assume that \(\mathsf {acc}=\mathsf {false}\) implies that \(\mathsf {st}'_P = \mathsf {st}_P\) and \(\mathsf {pt}= \bot \), i.e. the state is not updated when the reception fails. Other authors assume that \(\mathsf {st}'_{P} = \mathsf {pt}= \bot \), i.e. no further reception can be done.
 
5
We use the programming technique of “function overloading” to define the \(\mathsf {RATCH}\) oracle: there are two definitions depending on whether the second input is \(``\mathsf {rec}"\) or \(``\mathsf {send}"\).
 
6
By saying that \(\mathsf {received}_\mathsf {pt}^{P}\) is a prefix of \(\mathsf {sent}_\mathsf {pt}^{\overline{P}}\), we mean that \(\mathsf {sent}_\mathsf {pt}^{\overline{P}}\) is the concatenation of \(\mathsf {received}_\mathsf {pt}^P\) with a (possibly empty) list of \((\mathsf {ad},\mathsf {pt})\) pairs.
 
7
It is called \(\mathsf {RECOVER}\)-security in \(\mathsf {DV}\) [7]. We call it \(\mathsf {r\text {-}RECOVER}\) because we will enrich it with an \(\mathsf {s\text {-}RECOVER}\) notion in Sect. 3.1.
 
8
The notion of epoch appeared in Poettering-Rösler [10] before.
 
9
The proof is provided in the full version [4].
 
10
More precisely, in \(\mathsf {PR}\), if A is exposed and then issues a message \(\mathsf {ct}\), the adversary can actually forge a ciphertext \(\mathsf {ct}'\) transporting the same \(\mathsf {pk}\) and \(\mathsf {vfk}\) and deliver it to B in a way which makes B accept. If A then issues a new message \(\mathsf {ct}''\), delivering \(\mathsf {ct}''\) to B will pass the signature verification. The follow-up decryption may fail, except if the kuKEM encryption scheme taking care of encryption does not check consistency, which is the case in the proposed one [10, Fig. 3, eprint version]. Therefore, \(\mathsf {ct}''\) may be accepted by B, so \(\mathsf {PR}\) is not \(\mathsf {r\text {-}RECOVER}\) secure. The same holds for \(\mathsf {s\text {-}RECOVER}\) security.
 
11
We want it to be able to apply Lemma 12 and be aware of matching status.
 
12
The proof is given in the full version [4].
 
13
More details are provided in the full version [4].
 
14
More details are provided in the full version [4].
 
18
H uses a common key \(\mathsf {hk}\) generated by \(H.\mathsf {Gen}\) and an algorithm \(H.\mathsf {Eval}\).
 
19
\(\mathsf {Sym}\) uses a key of length \(\mathsf {Sym}.\mathsf {kl}\), encrypts over the domain \(\mathsf {Sym}.\mathcal {D}\) with algorithm \(\mathsf {Sym}.\mathsf {Enc}\) and decrypts with \(\mathsf {Sym}.\mathsf {Dec}\).
 
20
\(\mathsf {DSS}\) uses a key generation \(\mathsf {DSS}.\mathsf {Gen}\), a signing algorithm \(\mathsf {DSS}.\mathsf {Sign}\), and a verification algorithm \(\mathsf {DSS}.\mathsf {Verify}\).
 
21
\(\mathsf {PKC}\) uses a key generation \(\mathsf {PKC}.\mathsf {Gen}\), an encryption algorithm \(\mathsf {PKC}.\mathsf {Enc}\), and a decryption algorithm \(\mathsf {PKC}.\mathsf {Dec}\).
 
22
\(\mathsf {SEF\text {-}OTCMA}\) is the strong existential one-time chosen message attack. \(\mathsf {IND\text {-}OTCCA}\) is the real-or-random indistinguishability under one-time chosen plaintext and chosen ciphertext attack. Their definitions are given in [7].
 
23
Following Durak-Vaudenay [7], for a \(C_\mathsf {trivial}\)-\(\mathsf {FORGE}\)-secure scheme, \((C_\mathsf {leak}\wedge C^{A,B}_\mathsf {forge})\)-\(\mathsf {IND\text {-}CCA}\) security is equivalent to \((C_\mathsf {leak}\wedge C^{A,B}_\mathsf {trivial\ forge})\)-\(\mathsf {IND\text {-}CCA}\) security, which corresponds to the “sub-optimal” security in Table 1.
 
Literature
3.
Borisov, N., Goldberg, I., Brewer, E.: Off-the-record communication, or, why not to use PGP. In: Proceedings of the 2004 ACM Workshop on Privacy in the Electronic Society, WPES 2004, New York, NY, USA, pp. 77–84. ACM (2004)
5.
Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the Signal messaging protocol. In: 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 451–466, April 2017
6.
Cohn-Gordon, K., Cremers, C., Garratt, L.: On post-compromise security. In: 2016 IEEE 29th Computer Security Foundations Symposium (CSF), pp. 164–178, June 2016
12.
Unger, N., et al.: SoK: secure messaging. In: 2015 IEEE Symposium on Security and Privacy, pp. 232–249, May 2015
Metadata
Title
Beyond Security and Efficiency: On-Demand Ratcheting with Security Awareness
Authors
Andrea Caforio
F. Betül Durak
Serge Vaudenay
Copyright Year
2021
DOI
https://doi.org/10.1007/978-3-030-75248-4_23
