Abstract
Following the mass surveillance and privacy revelations, modern secure communication protocols seek strong security, such as forward secrecy and post-compromise security, in the face of state exposure. To address this, ratcheting was introduced, and it is now widely used in real-world messaging protocols such as Signal. However, ratcheting comes at a high cost. Recently, Caforio et al. proposed pragmatic constructions that compose a weakly secure "light" protocol with a strongly secure "heavy" protocol in order to achieve so-called ratcheting on demand. The light protocol they proposed still has high complexity.
In this paper, we prove the security of the lightest protocol we could imagine, which essentially encrypts and then hashes the secret key. We prove it without any random oracle, by introducing a new security notion in the standard model. Our protocol composes well with the generic transformation techniques of Caforio et al. to offer high security and performance at the same time.
Notes
- 1. Scheduling communication is under the control of the adversary except in the \(\mathsf {CORRECTNESS}\) game, in which there is no adversary.
- 2. By saying that \(\mathsf {received}_{\mathsf {pt}}^P\) is a prefix of \(\mathsf {sent}_{\mathsf {pt}}^{\overline{P}}\), we mean that \(\mathsf {sent}_{\mathsf {pt}}^{\overline{P}}\) is the concatenation of \(\mathsf {received}_{\mathsf {pt}}^P\) with a (possibly empty) list of \(\mathsf {(ad, pt)}\) pairs.
References
Alwen, J., Coretti, S., Dodis, Y.: The double ratchet: security notions, proofs, and modularization for the signal protocol. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 129–158. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_5
Balli, F., Rösler, P., Vaudenay, S.: Determining the core primitive for optimally secure ratcheting. IACR Cryptology ePrint Archive 2020/148 (2020)
Bellare, M., Singh, A.C., Jaeger, J., Nyayapati, M., Stepanovs, I.: Ratcheted encryption and key exchange: the security of messaging. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 619–650. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_21
Blazy, O., Bossuat, A., Bultel, X., Fouque, P., Onete, C., Pagnin, E.: SAID: reshaping signal into an identity-based asynchronous messaging protocol with authenticated ratcheting. In: EuroS&P, pp. 294–309. IEEE (2019)
Borisov, N., Goldberg, I., Brewer, E.A.: Off-the-record communication, or, why not to use PGP. In: WPES, pp. 77–84. ACM (2004)
Caforio, A., Durak, F.B., Vaudenay, S.: On-demand ratcheting with security awareness. IACR Cryptology ePrint Archive 2019/965 (2019). https://eprint.iacr.org/2019/965
Cohn-Gordon, K., Cremers, C.J.F., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the signal messaging protocol. In: EuroS&P, pp. 451–466. IEEE (2017)
Durak, F.B., Vaudenay, S.: Bidirectional asynchronous ratcheted key agreement with linear complexity. In: Attrapadung, N., Yagi, T. (eds.) IWSEC 2019. LNCS, vol. 11689, pp. 343–362. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26834-3_20
Jaeger, J., Stepanovs, I.: Optimal channel security against fine-grained state compromise: the safety of messaging. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 33–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_2
Jost, D., Maurer, U., Mularczyk, M.: Efficient ratcheting: almost-optimal guarantees for secure messaging. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 159–188. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_6
Jost, D., Maurer, U., Mularczyk, M.: A unified and composable take on ratcheting. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 180–210. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_7
Perrin, T., Marlinspike, M.: The double ratchet algorithm. GitHub wiki (2016)
Poettering, B., Rösler, P.: Towards bidirectional ratcheted key exchange. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 3–32. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_1
Open Whisper Systems: Signal protocol library for Java/Android. GitHub repository (2017). https://github.com/WhisperSystems/libsignal-protocol-java
Appendices
A Used Definitions
Function Families. A function family H defines a key space \(H.\mathcal {K}(\lambda )\), a domain \(H.\mathcal {D}(\lambda )\), and a polynomially bounded deterministic algorithm \(H.\mathsf {Eval(hk,x)}\) which takes a key hk in \(H.\mathcal {K}(\lambda )\) and a message x in \(H.\mathcal {D}(\lambda )\) to produce a digest in \(H.\mathcal {D}(\lambda )\).
One-Time Authenticated Encryption (\(\mathsf {OTAE}\)). An \(\mathsf {OTAE}\) scheme defines a key space \(\mathsf {OTAE}.\mathcal {K}(\lambda )\) and two polynomially bounded deterministic algorithms \(\mathsf {OTAE.Enc}\) and \(\mathsf {OTAE.Dec}\), associated with a message domain \(\mathsf {OTAE}.\mathcal {D}(\lambda )\). \(\mathsf {OTAE.Enc}\) takes a key \(\mathsf {k}\) in \(\mathsf {OTAE}.\mathcal {K}(\lambda )\), associated data \(\mathsf {ad}\) and a message \(\mathsf {pt}\) in \(\mathsf {OTAE}.\mathcal {D}(\lambda )\) and returns a string \(\mathsf {ct}=\mathsf {OTAE.Enc(k,ad,pt)}\). \(\mathsf {OTAE.Dec}\) takes \(\mathsf {k}\), \(\mathsf {ad}\) and \(\mathsf {ct}\) and returns a string in \(\mathsf {OTAE}.\mathcal {D}(\lambda )\) or else the distinguished symbol \(\perp \). It satisfies the correctness condition
\(\mathsf {OTAE.Dec}(\mathsf {k},\mathsf {ad},\mathsf {OTAE.Enc}(\mathsf {k},\mathsf {ad},\mathsf {pt}))=\mathsf {pt}\)
for all \(\mathsf {k}\in \mathsf {OTAE}.\mathcal {K}(\lambda )\) and \(\mathsf {ad},\mathsf {pt}\in \mathsf {OTAE}.\mathcal {D}(\lambda )\). Moreover, we require that it satisfy one-time IND-CCA security (\(\mathsf {IND}\)-\(\mathsf {OTCCA}\)) and SEF-OTCMA security, defined below.
Definition 6
(IND-OTCCA [6]). An \(\mathsf {OTAE}\) scheme is \(\mathsf {IND}\)-\(\mathsf {OTCCA}\)-secure, if for any PPT adversary \(\mathcal {A}\) playing the following game, the advantage
is negligible.
Definition 7
(SEF-OTCMA [6]). An \(\mathsf {OTAE}\) scheme resists strong existential forgeries under one-time chosen message attacks (SEF-OTCMA) if, for any PPT adversary \(\mathcal {A}\) playing the following game, the advantage \(\mathrm{Pr}\left[ \mathsf {SEF\text {-}OTCMA}^{\mathcal {A}}\rightarrow 1\right] \) is negligible.
We further recall some necessary definitions from \(\mathsf {ARCAD}\) [6] (adapted from the Durak-Vaudenay protocol [8]). For more details, please refer to [6] and [8].
Definition 8
(Matching status [6]). We say that P is in a matching status at time t if
- at any moment of the game before time t for P, \(\mathsf {received}^P_{\mathsf {ct}}\) is a prefix of \(\mathsf {sent}^{\overline{P}}_{\mathsf {ct}}\); this defines the time \(\overline{t}\) for \(\overline{P}\) at which \(\overline{P}\) sent the last message in \(\mathsf {received}^P_{\mathsf {ct}}(t)\);
- and at any moment of the game before time \(\overline{t}\) for \(\overline{P}\), \(\mathsf {received}^{\overline{P}}_{\mathsf {ct}}\) is a prefix of \(\mathsf {sent}^P_{\mathsf {ct}}\).
Definition 9
(Forgery [6]). Given a participant P in a game, we say that \(\mathsf {(ad,ct)}\in \mathsf {received}^P_{\mathsf {ct}}\) is a forgery if at the moment of the game just before P received \(\mathsf {(ad,ct)}\), P was in a matching status, but no longer after receiving \(\mathsf {(ad,ct)}\).
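As an added example (this editor's code, not the paper's construction: the paper's actual state, key schedule and composition with the heavy protocol are not reproduced on this page), the following Python sketch instantiates the two Appendix A primitives with the standard library and shows the encrypt-then-hash-the-key idea from the abstract in one direction. HMAC-SHA256 plays the function family H; the \(\mathsf {OTAE}\) is an illustrative encrypt-then-MAC built from SHA-256 in counter mode plus an HMAC tag, chosen only so the example runs without third-party packages and relying on each key being used for exactly one message. The initial shared state, the message contents and the exposure point are constructed for the example.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


# Function family H of Appendix A, instantiated as HMAC-SHA256: hk is the
# family key, x the input; inputs and digests are 32-byte strings here.
def h_eval(hk: bytes, x: bytes) -> bytes:
    return hmac.new(hk, x, hashlib.sha256).digest()


# Illustrative OTAE (encrypt-then-MAC) built from hashlib only.  The key k
# must be used for ONE message: that is the one-time contract the ratchet
# below honours, and reusing k would leak the XOR of two plaintexts.
def _subkeys(k: bytes) -> tuple:
    return h_eval(k, b"enc"), h_eval(k, b"mac")


def _keystream(ke: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:  # SHA-256 in counter mode
        out += hashlib.sha256(ke + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def _tag(km: bytes, ad: bytes, body: bytes) -> bytes:
    # Length-prefix ad so the (ad, body) boundary cannot be shifted.
    return hmac.new(km, len(ad).to_bytes(8, "big") + ad + body, hashlib.sha256).digest()


def otae_enc(k: bytes, ad: bytes, pt: bytes) -> bytes:
    ke, km = _subkeys(k)
    body = bytes(a ^ b for a, b in zip(pt, _keystream(ke, len(pt))))
    return body + _tag(km, ad, body)


def otae_dec(k: bytes, ad: bytes, ct: bytes):
    """Return pt, or None (the paper's bottom symbol) if the tag fails."""
    if len(ct) < TAG_LEN:
        return None
    body, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
    ke, km = _subkeys(k)
    if not hmac.compare_digest(_tag(km, ad, body), tag):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(ke, len(body))))


class RatchetState:
    """One direction of encrypt-then-hash-the-key: each message is encrypted
    under the current key, then the key is replaced by H(hk, key) and the
    old key is dropped from state (an assumption of this sketch)."""

    def __init__(self, hk: bytes, k: bytes):
        self.hk, self.k = hk, k

    def send(self, ad: bytes, pt: bytes) -> bytes:
        ct = otae_enc(self.k, ad, pt)
        self.k = h_eval(self.hk, self.k)  # ratchet step; old key is gone
        return ct

    def receive(self, ad: bytes, ct: bytes):
        pt = otae_dec(self.k, ad, ct)
        if pt is None:
            return None  # reject; this sketch does not advance on a forgery
        self.k = h_eval(self.hk, self.k)
        return pt


def run_exchange() -> dict:
    """Alice sends two messages to Bob.  An adversary exposing Alice's state
    right after the first send learns hk and k1 = H(hk, k0) but not k0."""
    hk, k0 = os.urandom(32), os.urandom(32)  # constructed shared initial state
    alice, bob = RatchetState(hk, k0), RatchetState(hk, k0)
    ct1 = alice.send(b"ad-1", b"first message")
    exposed_key = alice.k                    # state exposure happens here
    ct2 = alice.send(b"ad-2", b"second message")
    pt1 = bob.receive(b"ad-1", ct1)
    pt2 = bob.receive(b"ad-2", ct2)
    # A tampered copy of ct2 (last tag byte flipped) is a forgery for Bob.
    forged = ct2[:-1] + bytes([ct2[-1] ^ 0x01])
    return {
        "bob_pt1": pt1,
        "bob_pt2": pt2,
        "exposure_breaks_ct1": otae_dec(exposed_key, b"ad-1", ct1) is not None,
        "exposure_breaks_ct2": otae_dec(exposed_key, b"ad-2", ct2) is not None,
        "forgery_rejected": bob.receive(b"ad-2", forged) is None,
    }


if __name__ == "__main__":
    print(run_exchange())
```

Running `run_exchange()` exhibits both sides of the light protocol's guarantee: the exposed key k1 cannot recover k0 (H is one-way and the sketch erases the old key), so ct1 stays private, but k1 is exactly the key of the next message, so ct2 is lost. Protection of later messages after an exposure is what the strongly secure heavy protocol adds in the on-demand composition described in the abstract. The receiver in this sketch does not advance its key on a rejected ciphertext, so a forgery in the sense of Definition 9 does not desynchronize the honest parties; the tag check is where the SEF-OTCMA requirement of Definition 7 matters.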
B Correctness Game
We formally define the CORRECTNESS game in Fig. 5.
C Hybrids and Adversaries in Security Proof
We define hybrids \(\Gamma ^b_{Q,m,n}\) in Fig. 6, adversary \(\mathcal {B}\) in Fig. 7, adversary \(\mathcal {D}\) in Fig. 8, hybrids \(\Gamma _{Q,m,n}\) in Fig. 9 and adversary \(\mathcal {E}\) in Fig. 10.
© 2020 Springer Nature Switzerland AG
Yan, H., Vaudenay, S. (2020). Symmetric Asynchronous Ratcheted Communication with Associated Data. In: Aoki, K., Kanaoka, A. (eds) Advances in Information and Computer Security. IWSEC 2020. Lecture Notes in Computer Science, vol 12231. Springer, Cham. https://doi.org/10.1007/978-3-030-58208-1_11
DOI: https://doi.org/10.1007/978-3-030-58208-1_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-58207-4
Online ISBN: 978-3-030-58208-1