Symmetric Asynchronous Ratcheted Communication with Associated Data

Abstract

Following up mass surveillance and privacy issues, modern secure communication protocols now seek strong security, such as forward secrecy and post-compromise security, in the face of state exposures. To address this problem, ratcheting was thereby introduced, widely used in real-world messaging protocols like Signal. However, ratcheting comes with a high cost. Recently, Caforio et al. proposed pragmatic constructions which compose a weakly secure “light” protocol and a strongly secure “heavy” protocol, in order to achieve the so-called ratcheting on demand. The light protocol they proposed has still a high complexity.

In this paper, we prove the security of the lightest possible protocol we could imagine, which essentially encrypts then hashes the secret key. We prove it without any random oracle by introducing a new security notion in the standard model. Our protocol composes well with the generic transformation techniques by Caforio et al. to offer high security and performance at the same time.

Appendices

A Used Definitions

Function Families. A function family H defines a key space \(H.\mathcal {K}(\lambda )\), a domain \(H.\mathcal {D}(\lambda )\), and a polynomially bounded deterministic algorithm \(H.\mathsf {Eval(hk,x)}\) which takes a key hk in \(H.\mathcal {K}(\lambda )\) and a message x in \(H.\mathcal {D}(\lambda )\) to produce a digest in \(H.\mathcal {D}(\lambda )\).

One-Time Authenticated Encryption (\(\mathsf {OTAE}\)). An \(\mathsf {OTAE}\) scheme defines a key space \(\mathsf {OTAE}.\mathcal {K}(\lambda )\) and two polynomially bounded deterministic algorithms \(\mathsf {OTAE.Enc}\) and \(\mathsf {OTAE.Dec}\), associated with a message domain \(\mathsf {OTAE}.\mathcal {D}(\lambda )\). \(\mathsf {OTAE.Enc}\) takes a key \(\mathsf {k}\) in \(\mathcal {K}(\lambda )\), an associated data \(\mathsf {ad}\) and a message \(\mathsf {pt}\) in \(\mathsf {OTAE}.\mathcal {D}(\lambda )\) and returns a string \(\mathsf {ct}=\mathsf {OTAE.Enc(k,ad,pt)}\). \(\mathsf {OTAE.Dec}\) takes \(\mathsf {k}\), \(\mathsf {ad}\) and \(\mathsf {ct}\) and returns a string in \(\mathsf {OTAE}.\mathcal {D}(\lambda )\) or else the distinguished symbol \(\perp \). It satisfies that

$$\begin{aligned} \mathsf {OTAE.Dec(k,ad,OTAE.Enc(k,ad,pt))=pt} \end{aligned}$$

for all \(\mathsf {k}\in \mathcal {K}(\lambda )\), and \(\mathsf {ad},\mathsf {pt}\in \mathsf {OTAE}.\mathcal {D}(\lambda )\). Moreover, we require that it satisfy the one-time IND-CCA security and SEF-CMA security.

Definition 6

(IND-OTCCA  [6]). An \(\mathsf {OTAE}\) scheme is \(\mathsf {IND}\)-\(\mathsf {OTCCA}\)-secure, if for any PPT adversary \(\mathcal {A}\) playing the following game, the advantage

$$\begin{aligned} \mathrm{Pr}\left[ \mathsf {IND\text {-}OTCCA}^{\mathcal {A}}_{0}\rightarrow 1]\right] -\mathrm{Pr}\left[ \mathsf {IND\text {-}OTCCA}^{\mathcal {A}}_{1}\rightarrow 1\right] \end{aligned}$$

is negligible.

Definition 7

(SEF-OTCMA  [6]). An \(\mathsf {OTAE}\) scheme resists to strong existential forgeries under one-time chosen message attacks (SEF-OTCMA), if for any PPT adversary \(\mathcal {A}\) playing the following game, the advantage \(\mathrm{Pr}\left[ \mathsf {SEF\text {-}OTCMA}^{\mathcal {A}}\rightarrow 1\right] \) is negligible.

We further append some necessary definitions in \(\mathsf {ARCAD}\)  [6] (adapted from Durak-Vaudenay protocol  [8]). For more details, please refer to  [6] and  [8].

Definition 8

(Matching status  [6]). We say that P is in a matching status at time t if

• at any moment of the game before time t for P, \(\mathsf {received}^P_{\mathsf {ct}}\) is a prefix of \(\mathsf {sent}^{\overline{P}}_{\mathsf {ct}}\) — this defines this defines the time \(\overline{t}\) for \(\overline{P}\) when \(\overline{P}\) sent the last message in \(\mathsf {received}^P_{\mathsf {ct}}(t)\).

• and at any moment of the game before time \(\overline{t}\) for \(\overline{P}\), \(\mathsf {received}^{\overline{P}}_{\mathsf {ct}}\) is a prefix of \(\mathsf {sent}^P_{\mathsf {ct}}\).

Definition 9

(Forgery  [6]). Given a participant P in a game, we say that \(\mathsf {(ad,ct)}\in \mathsf {received}^P_{\mathsf {ct}}\) is a forgery if at the moment of the game just before P received \(\mathsf {(ad,ct)}\), P was in a matching status, but no longer after receiving \(\mathsf {(ad,ct)}\).

B Correctness Game

We formally define the CORRECTNESS game in Fig. 5.

C Hybrids and Adversaries in Security Proof

We define hybrids \(\Gamma ^b_{Q,m,n}\) in Fig. 6, adversary \(\mathcal {B}\) in Fig. 7, adversary \(\mathcal {D}\) in Fig. 8, hybrids \(\Gamma _{Q,m,n}\) in Fig. 9 and adversary \(\mathcal {E}\) in Fig. 10.

Fig. 5.

The \(\mathsf {CORRECTNESS}\) Game of the \(\mathsf {SARCAD}\) Protocol

Fig. 6.

IND-CCA-Security: Hybrids \(\Gamma ^b_{Q,m,n}\)

Fig. 7.

Adversary \(\mathcal {B}\): Simulating \(\Gamma _{Q,m,n}\) and \(\Gamma _{Q,m+1,n}\)

Fig. 8.

Adversary \(\mathcal {D}\): Simulating \(\Gamma ^0_{Q,n+1,n}\) and \(\Gamma ^1_{Q,n+1,n}\)

Fig. 9.

FORGE-Security: Hybrids \(\Gamma _{Q,m,n}\)

Fig. 10.

Adversary \(\mathcal {E}\): Simulating \(\Gamma _{Q,n+1,n}\)