
Rotatable Zero Knowledge Sets

Post Compromise Secure Auditable Dictionaries with Application to Key Transparency

  • Conference paper
  • Advances in Cryptology – ASIACRYPT 2022 (ASIACRYPT 2022)

Abstract

Key Transparency (KT) systems allow end-to-end encrypted service providers (messaging, calls, etc.) to maintain an auditable directory of their users’ public keys, producing proofs that all participants have a consistent view of those keys, and allowing each user to check updates to their own keys. KT has lately received a lot of attention, in particular its privacy preserving variants, which also ensure that users and auditors do not learn anything beyond what is necessary to use the service and keep the service provider accountable.

Abstractly, the problem of building such systems reduces to constructing so-called append-only Zero-Knowledge Sets (aZKS). Unfortunately, existing aZKS (and KT) solutions do not allow one to adequately restore the privacy guarantees after a server compromise, a form of Post-Compromise Security (PCS), while maintaining the auditability properties. In this work we address this concern through the formalization of an extension of aZKS called Rotatable ZKS (\({{\textsf{RZKS}}}\)). In addition to providing PCS, our notion of \({{\textsf{RZKS}}}\) has several other attractive features, such as a stronger (extractable) soundness notion, and the ability for a communicating party with out-of-date data to efficiently “catch up” to the current epoch while ensuring that the server did not erase any of the past data.

Of independent interest, we also introduce a new primitive called a Rotatable Verifiable Random Function (VRF), and show how to build \({{\textsf{RZKS}}}\) in a modular fashion from a rotatable VRF, ordered accumulator, and append-only vector commitment schemes.


Notes

  1. KT is known under various names in the literature, such as auditable registries, verifiable key directories, auditable directories, etc. For the purpose of this manuscript, we will stick to using KT.

  2. Additionally, if no \(({\textsf{label}},{\textsf{val}})\) pair exists for a given \({\textsf{label}} \), the proof \(\pi \) becomes an absence proof for this \({\textsf{label}} \).

  3. While Keybase posts its KT digests to a blockchain, official Keybase clients do not check them.

  4. Informally, a VRF [31] is similar to a standard pseudorandom function (PRF), except that the secret key owner is also committed to the entire function in advance, and can selectively open some of its outputs in a verifiable manner.

  5. Property (c) is why a VRF is needed, and regular commitments to \({\textsf{label}} \) do not work.

  6. The effect of compromise on authenticity/auditability is rather minimal anyway, as the key used to sign the commitments would typically be authenticated using the web PKI, and thus can be revoked upon compromise using existing techniques. Moreover, learning the secret server state doesn’t help break the binding of the commitment to the entire set of current records in the directory.

  7. According to a well-defined leakage profile. For [7], the only such leakage reveals if a \({\textsf{label}} \) known to be missing in D is later inserted in \(D'\), which seems acceptable for the main application to KT.

  8. For example, Keybase uses its KT dictionary to also store other statements signed by a user’s device, such as when a user wants to add another user to a group: knowing that the statement was signed before the key that signed it is revoked/rotated is important for the security of the system.

  9. Namely, so-called ordered accumulators, and append-only vector commitment schemes. See Sect. 5.1.

  10. Namely, to program the random oracle a posteriori, in a manner depending on the strings y, on appropriate inputs involving the secret key sk.

  11. For simplicity of exposition, we omit the salt from our description, but recommend that each application uses a fresh salt.

  12. Our final ZK proof will aggregate many such individual input rotation proofs into one compact proof.

  13. We stress that we only use the GGM for the ZK property of our construction. Our stronger extractability-based soundness is still proven in the random oracle model, and does not require the GGM.

  14. Given that the old key \({sk} \) and the new key are independent from one another, we could have equivalently defined \({{\textsf{Rotate}}} \) as taking any two secret keys as input.

  15. The Rotatable VRF presented in this work outputs group elements, while the ordered accumulator takes as input bit-strings, so we implicitly assume that these group elements have a unique bit-string representation.

References

  1. Abe, M., Groth, J., Haralambiev, K., Ohkubo, M.: Optimal structure-preserving signatures in asymmetric bilinear groups. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 649–666. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_37

  2. apple.com: Apple privacy. https://www.apple.com/privacy/features. Accessed 03 Aug 2022

  3. Assal, H., Hurtado, S., Imran, A., Chiasson, S.: What’s the deal with privacy apps? A comprehensive exploration of user perception and usability. In: Proceedings of the 14th International Conference on Mobile and Ubiquitous Multimedia, MUM 2015, pp. 25–36. Association for Computing Machinery, New York (2015)

  4. Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis of the block-cipher-based hash-function constructions from PGV. Cryptology ePrint Archive, Report 2002/066 (2002). https://eprint.iacr.org/2002/066

  5. Black, J., Rogaway, P., Shrimpton, T.: Encryption-scheme security in the presence of key-dependent messages. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 62–75. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36492-7_6

  6. Blum, J., et al.: E2E encryption for Zoom meetings. White paper (2021). https://github.com/zoom/zoom-e2e-whitepaper/blob/master/zoom_e2e.pdf

  7. Chase, M., Deshpande, A., Ghosh, E., Malvai, H.: SEEMless: secure end-to-end encrypted messaging with less trust. In: Cavallaro, L., Kinder, J., Wang, X.F., Katz, J. (eds.) ACM CCS 2019, pp. 1639–1656. ACM Press, November 2019

  8. Chase, M., Healy, A., Lysyanskaya, A., Malkin, T., Reyzin, L.: Mercurial commitments with applications to zero-knowledge sets. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 422–439. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_25

  9. Chase, M., Lysyanskaya, A.: Simulatable VRFs with applications to multi-theorem NIZK. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 303–322. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_17

  10. Chase, M., Meiklejohn, S.: Transparency overlays and applications. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 168–179. ACM Press, October 2016

  11. Chase, M., Perrin, T., Zaverucha, G.: The Signal private group system and anonymous credentials supporting efficient verifiable encryption. In: ACM CCS 2020, pp. 1445–1459. ACM Press (2020)

  12. Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_7

  13. Novi Financial: Auditable key directory (2021). https://github.com/novifinancial/akd/. Accessed 26 May 2022

  14. Gasser, O., Hof, B., Helm, M., Korczynski, M., Holz, R., Carle, G.: In log we trust: revealing poor security practices with certificate transparency logs and internet measurements. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds.) PAM 2018. LNCS, vol. 10771, pp. 173–185. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76481-8_13

  15. Ghoshal, A., Tessaro, S.: Tight state-restoration soundness in the algebraic group model. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12827, pp. 64–93. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_3

  16. Goldberg, S., Reyzin, L., Papadopoulos, D., Včelák, J.: Verifiable random functions (VRFs). Internet-Draft draft-irtf-cfrg-vrf-12, Internet Engineering Task Force, May 2022. Work in Progress

  17. Google: Key transparency overview. https://github.com/google/keytransparency/blob/master/docs/overview.md. Accessed 31 Aug 2022

  18. Herzberg, A., Leibowitz, H.: Can Johnny finally encrypt? Evaluating E2E-encryption in popular IM applications. In: Proceedings of the 6th Workshop on Socio-technical Aspects in Security and Trust, STAST 2016, pp. 17–28. Association for Computing Machinery, New York (2016)

  19. Herzberg, A., Leibowitz, H., Seamons, K., Vaziripour, E., Justin, W., Zappala, D.: Secure messaging authentication ceremonies are broken. IEEE Secur. Privacy 19(2), 29–37 (2021)

  20. Hu, Y., Hooshmand, K., Kalidhindi, H., Yang, S.J., Popa, R.A.: Merkle2: a low-latency transparency log system. In: 2021 IEEE Symposium on Security and Privacy (SP), pp. 285–303 (2021)

  21. Keybase.io: Keybase chat. https://book.keybase.io/docs/chat. Accessed 03 Aug 2022

  22. Keybase.io: Keybase is now writing to the Stellar blockchain. https://book.keybase.io/docs/server/stellar. Accessed 29 July 2022

  23. Keybase.io: Meet your sigchain (and everyone else’s). https://book.keybase.io/docs/server#meet-your-sigchain-and-everyone-elses. Accessed 29 July 2022

  24. Keybase.io: Keybase first commitment (2014). https://keybase.io/_/api/1.0/merkle/root.json?seqno=1. Accessed 26 May 2022

  25. Keybase.io: Keybase is not softer than TOFU (2019). https://keybase.io/blog/chat-apps-softer-than-tofu. Accessed 05 May 2019

  26. Laurie, B., Langley, A., Kasper, E., Messeri, E., Stradling, R.: Certificate Transparency Version 2.0. RFC 9162, December 2021

  27. Lerner, A., Zeng, E., Roesner, F.: Confidante: usable encrypted email: a case study with lawyers and journalists. In: 2017 IEEE European Symposium on Security and Privacy, EuroS&P 2017, Paris, France, 26–28 April 2017, pp. 385–400. IEEE (2017)

  28. Meiklejohn, S., et al.: Think global, act local: gossip and client audits in verifiable data structures (2020)

  29. Melara, M.S., Blankstein, A., Bonneau, J., Felten, E.W., Freedman, M.J.: CONIKS: bringing key transparency to end users. In: USENIX Security, pp. 383–398 (2015)

  30. Micali, S., Rabin, M., Kilian, J.: Zero-knowledge sets. In: Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2003, p. 80. IEEE Computer Society, USA (2003)

  31. Micali, S., Rabin, M.O., Vadhan, S.P.: Verifiable random functions. In: 40th FOCS, pp. 120–130. IEEE Computer Society Press, October 1999

  32. microsoft.com: Teams end-to-end encryption (2022). https://docs.microsoft.com/en-us/microsoftteams/teams-end-to-end-encryption. Accessed 26 May 2022

  33. Muthukrishnan, S., Rajaraman, R., Shaheen, A., Gehrke, J.: Online scheduling to minimize average stretch. In: 40th FOCS, pp. 433–442. IEEE Computer Society Press, October 1999

  34. Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_8

  35. Barker, E. (NIST): NIST SP 800-57 Part 1 Rev. 5, Recommendation for key management: Part 1 - General (2022). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf. Accessed 10 Aug 2022

  36. PCI Security Standards Council, LLC: Payment card industry data security standard: Requirements and testing procedures, v4.0 (2022). https://listings.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf. Accessed 10 Aug 2022

  37. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18

  38. signal.org: Technical information (2016). https://www.signal.org/docs. Accessed 03 Aug 2022

  39. signal.org: Technology preview: Signal private group system (2019). https://signal.org/blog/signal-private-group-system/. Accessed 22 Aug 2022

  40. Tomescu, A., Bhupatiraju, V., Papadopoulos, D., Papamanthou, C., Triandopoulos, N., Devadas, S.: Transparency logs via append-only authenticated dictionaries. In: Cavallaro, L., Kinder, J., Wang, X.F., Katz, J. (eds.) ACM CCS 2019, pp. 1299–1316. ACM Press, November 2019

  41. Tyagi, N., Fisch, B., Bonneau, J., Tessaro, S.: Client-auditable verifiable registries. Cryptology ePrint Archive, Paper 2021/627 (2021). https://eprint.iacr.org/2021/627

  42. Tzialla, I., Kothapalli, A., Parno, B., Setty, S.: Transparency dictionaries with succinct proofs of correct operation. Cryptology ePrint Archive, Paper 2021/1263 (2021). https://eprint.iacr.org/2021/1263

  43. Vaziripour, E., et al.: Is that you, Alice? A usability study of the authentication ceremony of secure messaging applications. In: Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017), pp. 29–47. USENIX Association, Santa Clara, July 2017

  44. webex.com: Webex end-to-end encryption (2022). https://help.webex.com/en-us/article/WBX44739/What-Does-End-to-End-Encryption-Do?. Accessed 26 May 2022

  45. whatsapp.com: WhatsApp encryption overview. White paper (2021). Accessed 03 Aug 2022


Acknowledgements

At the commencement of the work leading to this paper, the authors had discussions with Melissa Chase (of Microsoft), and Julia Len (an intern at Zoom). The authors are appreciative of their contributions.

Corresponding author

Correspondence to Brian Chen.

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Cite this paper

Chen, B. et al. (2022). Rotatable Zero Knowledge Sets. In: Agrawal, S., Lin, D. (eds) Advances in Cryptology – ASIACRYPT 2022. ASIACRYPT 2022. Lecture Notes in Computer Science, vol 13793. Springer, Cham. https://doi.org/10.1007/978-3-031-22969-5_19

  • DOI: https://doi.org/10.1007/978-3-031-22969-5_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22968-8

  • Online ISBN: 978-3-031-22969-5

  • eBook Packages: Computer Science (R0)
