research-article

Open access

On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees

Authors:

Katriel Cohn-Gordon,

Kevin MilnerAuthors Info & Claims

CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

Pages 1802 - 1819

https://doi.org/10.1145/3243734.3243747

Published: 15 October 2018 Publication History

Abstract

In the past few years secure messaging has become mainstream, with over a billion active users of end-to-end encryption protocols such as Signal. The Signal Protocol provides a strong property called post-compromise security to its users. However, it turns out that many of its implementations provide, without notification, a weaker property for group messaging: an adversary who compromises a single group member can read and inject messages indefinitely. We show for the first time that post-compromise security can be achieved in realistic, asynchronous group messaging systems. We present a design called Asynchronous Ratcheting Trees (ART), which uses tree-based Diffie-Hellman key exchange to allow a group of users to derive a shared symmetric key even if no two are ever online at the same time. ART scales to groups containing thousands of members, while still providing provable security guarantees. It has seen significant interest from industry, and forms the basis for two draft IETF RFCs and a chartered working group. Our results show that strong security guarantees for group messaging are practically achievable in a modern setting.

Supplementary Material

MP4 File (p1802-cohn-gordon.mp4)

Download
319.11 MB

References

[1]

Michel Abdalla, Céline Chevalier, Mark Manulis, and David Pointcheval. 2010. Flexible group key exchange with on-demand computation of subgroup keys. In AFRICACRYPT 10 (LNCS). Daniel J. Bernstein and Tanja Lange, (Eds.) Vol. 6055. Springer, Heidelberg, (May 2010), 351--368.

Digital Library

[2]

Christoph Bader, Dennis Hofheinz, Tibor Jager, Eike Kiltz, and Yong Li. 2015. Tightly-secure authenticated key exchange. In TCC 2015, Part I (LNCS). Yevgeniy Dodis and Jesper Buus Nielsen, (Eds.) Vol. 9014. Springer, Heidelberg, (Mar. 2015), 629--658.

[3]

Daniel J. Bernstein. 2006. Curve25519: new Diffie-Hellman speed records. In PKC 2006 (LNCS). Moti Yung, Yevgeniy Dodis, Aggelos Kiayias, and Tal Malkin, (Eds.) Vol. 3958. Springer, Heidelberg, (Apr. 2006), 207--228.

Digital Library

[4]

Dan Boneh and Alice Silverberg. 2003. Applications of multilinear forms to cryptography. In Topics in Algebraic and Noncommutative Geometry: Proceedings in Memory of Ruth Michler. Contemporary Mathematics. Vol. 324. Caroline Grant Mellesand Jean-Paul Brasseletand Gary Kennedyand Kristin Lauter and Lee McEwan, (Eds.) American Mathematical Society.

[5]

Dan Boneh and Mark Zhandry. 2014. Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. In CRYPTO 2014, Part I (LNCS). Juan A. Garay and Rosario Gennaro, (Eds.) Vol. 8616. Springer, Heidelberg, (Aug. 2014), 480--499.

[6]

Nikita Borisov, Ian Goldberg, and Eric Brewer. 2004. Off-the-record communication, or, why not to use pgp. In Proceedings of the 2004 ACM Workshop on Privacy in the Electronic Society (WPES '04). ACM.

Digital Library

[7]

Timo Brecher, Emmanuel Bresson, and Mark Manulis. 2009. Fully robust tree-Diffie-Hellman group key exchange. In CANS 09 (LNCS). Juan A. Garay, Atsuko Miyaji, and Akira Otsuka, (Eds.) Vol. 5888. Springer, Heidelberg, (Dec. 2009), 478--497.

Digital Library

[8]

Jacqueline Brendel, Marc Fischlin, Felix Günther, and Christian Janson. 2017. Prf-odh: relations, instantiations, and impossibility results. Cryptology ePrint Archive, Report 2017/517. http://eprint.iacr.org/2017/517. (2017).

[9]

Emmanuel Bresson, Olivier Chevassut, David Pointcheval, and Jean-Jacques Quisquater. 2001. Provably authenticated group Diffie-Hellman key exchange. In ACM CCS 01. ACM Press, (Nov. 2001), 255--264.

Digital Library

[10]

Christina Brzuska, Marc Fischlin, Bogdan Warinschi, and Stephen C. Williams. 2011. Composability of Bellare-Rogaway key exchange protocols. In ACM CCS 11. Yan Chen, George Danezis, and Vitaly Shmatikov, (Eds.) ACM Press, (Oct. 2011), 51--62.

Digital Library

[11]

Christian Cachin and Reto Strobl. 2004. Asynchronous group key exchange with failures. In Proceedings of the Twenty-third Annual ACM Symposium on Principles of Distributed Computing (PODC '04). ACM, 357--366.

Digital Library

[12]

Yi-Ruei Chen and Wen-Guey Tzeng. 2017. Group key management with efficient rekey mechanism: a semi-stateful approach for out-of-synchronized members. Computer Communications, 98.

Digital Library

[13]

Katriel Cohn-Gordon, Cas Cremers, Benjamin Dowling, Luke Garratt, and Douglas Stebila. 2016. A formal security analysis of the signal messaging protocol. Cryptology ePrint Archive, Report 2016/1013. http://eprint.iacr.org/2016/1013. (2016).

[14]

Katriel Cohn-Gordon, Cas Cremers, and Luke Garratt. 2016. On post-compromise security. In Computer Security Foundations Symposium (CSF), 2016 IEEE 29th. IEEE, 164--178.

[15]

Cas J. F. Cremers and Michele Feltz. 2012. Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. In ESORICS 2012 (LNCS). Sara Foresti, Moti Yung, and Fabio Martinelli, (Eds.) Vol. 7459. Springer, Heidelberg, (Sept. 2012), 734--751.

[16]

Ivan Damgård. 2007. A "proof-reading" of some issues in cryptography (invited lecture). In ICALP 2007 (LNCS). Lars Arge, Christian Cachin, Tomasz Jurdzinski, and Andrzej Tarlecki, (Eds.) Vol. 4596. Springer, Heidelberg, (July 2007), 2--11.

Digital Library

[17]

Yvo Desmedt, Tanja Lange, and Mike Burmester. 2007. Scalable authenticated tree based group key exchange for ad-hoc groups. In FC 2007 (LNCS). Sven Dietrich and Rachna Dhamija, (Eds.) Vol. 4886. Springer, Heidelberg, (Feb. 2007), 104--118.

Digital Library

[18]

eQualit.ie. 2016. (N+1)sec. (2016). https://learn.equalit.ie/wiki/Np1sec.

[19]

Facebook. 2017. Messenger Secret Conversations (Technical Whitepaper Version 2.0). Tech. rep. Retrieved May 2017 from https://fbnewsroomus.files.wordpress.com/2016/07/messenger-secret-conversations-technical-whitepaper.pdf.

[20]

Michael Farb, Yue-Hsun Lin, Tiffany Hyun-Jin Kim, Jonathan McCune, and Adrian Perrig. 2013. Safeslinger: easy-to-use and secure public-key exchange. In Proceedings of the 19th Annual International Conference on Mobile Computing and Networking (MobiCom '13). ACM, 417--428.

Digital Library

[21]

Marc Fischlin and Felix Günther. 2014. Multi-stage key exchange and the case of Google's QUIC protocol. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM, 1193--1204.

Digital Library

[22]

Ian Goldberg, Berkant Ustaoglu, Matthew Van Gundy, and Hao Chen. 2009. Multi-party off-the-record messaging. In ACM CCS 09. Ehab Al-Shaer, Somesh Jha, and Angelos D. Keromytis, (Eds.) ACM Press, (Nov. 2009), 358--368.

Digital Library

[23]

Oded Goldreich. 1997. On the foundations of modern cryptography (invited lecture). In CRYPTO'97 (LNCS). Burton S. Kaliski Jr., (Ed.) Vol. 1294. Springer, Heidelberg, (Aug. 1997), 46--74.

Digital Library

[24]

Matthew D. Green and Ian Miers. 2015. Forward secure asynchronous messaging from puncturable encryption. In 2015 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, (May 2015), 305--320.

Digital Library

[25]

Antoine Joux. 2004. A one round protocol for tripartite Diffie-Hellman. Journal of Cryptology, 17, 4, (Sept. 2004), 263--276.

Digital Library

[26]

2001. Communication-efficient group key agreement. Trusted Information: The New Decade Challenge. Springer US.

[27]

Yongdae Kim, Adrian Perrig, and Gene Tsudik. 2001. Communication-efficient group key agreement. In International Federation for Information Processing (IFIP SEC). Paris, France, (June 2001).

Digital Library

[28]

Yongdae Kim, Adrian Perrig, and Gene Tsudik. 2000. Simple and fault-tolerant key agreement for dynamic collaborative groups. In Proceedings of the 7th ACM Conference on Computer and Communications Security (CCS '00). ACM.

Digital Library

[29]

Yongdae Kim, Adrian Perrig, and Gene Tsudik. 2000. Simple and fault-tolerant key agreement for dynamic collaborative groups. In Proceedings of ACM Conference on Computer and Communications Security (CCS), 235--244.

Digital Library

[30]

Yongdae Kim, Adrian Perrig, and Gene Tsudik. 2004. Tree-based group key agreement. ACM Trans. Inf. Syst. Secur., (Feb. 2004).

Digital Library

[31]

N. Kobeissi, K. Bhargavan, and B. Blanchet. 2017. Automated verification for secure messaging protocols and their implementations: a symbolic and computational approach. In IEEE European Symposium on Security and Privacy (EuroS&P).

[32]

Brian A. LaMacchia, Kristin Lauter, and Anton Mityagin. 2007. Stronger security of authenticated key exchange. In ProvSec 2007 (LNCS). Willy Susilo, Joseph K. Liu, and Yi Mu, (Eds.) Vol. 4784. Springer, Heidelberg, (Nov. 2007), 1--16.

Digital Library

[33]

Sangwon Lee, Yongdae Kim, Kwangjo Kim, and Dae-Hyun Ryu. 2003. An efficient tree-based group key agreement using bilinear map. In ACNS 03 (LNCS). Jianying Zhou, Moti Yung, and Yongfei Han, (Eds.) Vol. 2846. Springer, Heidelberg, (Oct. 2003), 357--371.

[34]

Fermi Ma and Mark Zhandry. 2017. Encryptor combiners: a unified approach to multiparty nike, (h)ibe, and broadcast encryption. Cryptology ePrint Archive, Report 2017/152. http://eprint.iacr.org/2017/152. (2017).

[35]

Moxie Marlinspike. 2013. Forward secrecy for asynchronous messages. Blog. (Aug. 22, 2013). Retrieved May 2017 from https://whispersystems.org/blog/asynchronous-security/.

[36]

Moxie Marlinspike. 2016. Signal protocol documentation. (2016). Retrieved May 2017 from https://whispersystems.org/docs/.

[37]

Moxie Marlinspike. 2016. The x3dh key agreement protocol. Trevor Perrin, (Ed.) (Nov. 2016). Retrieved Nov. 2017 from https://signal.org/docs/specifications/x3dh/x3dh.pdf .

[38]

Ghita Mezzour, Ahren Studer, Michael Farb, Jason Lee, Jonathan McCune, Hsu-Chun Hsiao, and Adrian Perrig. 2010. Ho-Po Key: Leveraging Physical Constraints on Human Motion to Authentically Exchange Information in a Group. Tech. rep. Carnegie Mellon University, (Dec. 2010).

[39]

Jon Millican. 2018. ART prototype implementation. (2018). https://github.com/facebookresearch/asynchronousratchetingtree.

[40]

MLS Working Group Chairs. 2018. Messaging layer security working group. https://mlswg.github.io.

[41]

Open Whisper Systems. 2014. Libsignal-service-java. (2014). https://github.com/signalapp/libsignal-service-java/blob/c8d7c3c00445a81b81e0a7305151cda4534ba299/java/src/main/java/org/whispersystems/signalservice/api/SignalServiceMessageSender.java#L497.

[42]

Adrian Perrig. 1999. Efficient collaborative key management protocols for secure autonomous group communication. In Proceedings of International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC). (July 1999), 192--202.

[43]

Adrian Perrig, Dawn Song, and Doug Tygar. 2001. ELK, a new protocol for efficient large-group key distribution. In Proceedings of IEEE Symposium on Security and Privacy. (May 2001).

Digital Library

[44]

Paul Rösler, Christian Mainka, and Jörg Schwenk. 2018. More is less: on the end-to-end security of group chats in signal, whatsapp, and threema. In 2018 IEEE European Symposium on Security and Privacy, EuroS&P 2018, 415--429.

[45]

Benedikt Schmidt, Simon Meier, Cas Cremers, and David A. Basin. 2012. Automated analysis of diffie-hellman protocols and advanced security properties. In 25th IEEE Computer Security Foundations Symposium, CSF 2012, Cambridge, MA, USA, June 25--27, 2012, 78--94.

Digital Library

[46]

Victor Shoup. 2004. Sequences of games: a tool for taming complexity in security proofs. IACR Cryptology EPrint Archive, 2004, 332.

[47]

Dmitry Skiba. 2008. Trevorbernard/curve25519-java. GitHub repository. (Feb. 23, 2008). Retrieved May 2017 from https://github.com/trevorbernard/curve25519-java.

[48]

Mark Slee, Aditya Agarwal, and Marc Kwiatkowski. 2007. Thrift: Scalable Cross-Language Services Implementation. Tech. rep. Retrieved Nov. 2017 from https://thrift.apache.org/static/files/thrift-20070401.pdf .

[49]

1990. A secure audio teleconference system. Advances in Cryptology - CRYPTO'88: Proceedings. Springer New York.

[50]

Michael Steiner, Gene Tsudik, and Michael Waidner. 2000. Key agreement in dynamic peer groups. IEEE Transactions on Parallel and Distributed Systems, 11, 8, (Aug. 2000), 769--780.

Digital Library

[51]

The Guardian. 2017. Contact the guardian securely. (2017). Retrieved June 2017 from https://gu.com/tip-us-off.

[52]

D. Wallner, E. Harder, and R. Agee. 1999. Key management for multicast: issues and architectures. RFC. United States, (1999).

Digital Library

[53]

WhatsApp. 2016. WhatsApp Encryption Overview. Tech. rep. Retrieved July 2016 from https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf.

[54]

Chung Kei Wong, Mohamed Gouda, and Simon S. Lam. 2000. Secure group communications using key graphs. IEEE/ACM Transactions on Networking, 8, 1, (Feb. 2000), 16--30.

Digital Library

[55]

Zheng Yang, Chao Liu, Wanping Liu, Daigu Zhang, and Song Luo. 2017. A new strong security model for stateful authenticated group key exchange. International Journal of Information Security, 1--18.

Digital Library

Cited By

Yu FMeng LLi XJiang DZhu WZeng Z(2024)An Attribute-Based End-to-End Policy-Controlled Signcryption Scheme for Secure Group Chat CommunicationMathematics10.3390/math1218290612:18(2906)Online publication date: 18-Sep-2024
https://doi.org/10.3390/math12182906
Scheffler SMayer J(2024)Group Moderation Under End-to-End EncryptionProceedings of the Symposium on Computer Science and Law10.1145/3614407.3643704(36-47)Online publication date: 12-Mar-2024
https://dl.acm.org/doi/10.1145/3614407.3643704
Namavari AWang BMenda SNassi BTyagi NGrimmelmann JZhang ARistenpart T(2024)Private Hierarchical Governance for Encrypted Messaging2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00235(2610-2629)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00235
Show More Cited By

Index Terms

On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees

Recommendations

Public-Key encryption from ID-Based encryption without one-time signature
OTM'06: Proceedings of the 2006 international conference on On the Move to Meaningful Internet Systems: AWeSOMe, CAMS, COMINF, IS, KSinBIT, MIOS-CIAO, MONET - Volume Part I

Design a secure public key encryption scheme and its security proof are one of the main interests in cryptography In 2004, Canetti, Halevi and Katz [8] constructed a public key encryption (PKE) from a selective identity-based encryption scheme with a ...
Multi-use unidirectional identity-based proxy re-encryption from hierarchical identity-based encryption

At ACNS 2007, Ateniese and Green proposed the concept of ID-based proxy re-encryption (IBPRE), where a semi-trusted proxy with some information (a.k.a. re-encryption key), can transform a ciphertext under an identity to another ciphertext under another ...
Safely composing security protocols

Security protocols are small programs that are executed in hostile environments. Many results and tools have been developed to formally analyze the security of a protocol in the presence of an active attacker that may block, intercept and send new ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

October 2018

2359 pages

ISBN:9781450356930

DOI:10.1145/3243734

General Chairs:
David Lie
University of Toronto
,
Mohammad Mannan
Concordia University
,
Program Chairs:
Michael Backes
CISPA Helmholtz Center i.G.
,
XiaoFeng Wang
Indiana University

Copyright © 2018 Owner/Author.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 15 October 2018

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

CCS '18

Sponsor:

SIGSAC

CCS '18: 2018 ACM SIGSAC Conference on Computer and Communications Security

October 15 - 19, 2018

Toronto, Canada

Acceptance Rates

CCS '18 Paper Acceptance Rate 134 of 809 submissions, 17%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '24

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

70
Total Citations
View Citations
3,115
Total Downloads

Downloads (Last 12 months)565
Downloads (Last 6 weeks)75

Reflects downloads up to 24 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Yu FMeng LLi XJiang DZhu WZeng Z(2024)An Attribute-Based End-to-End Policy-Controlled Signcryption Scheme for Secure Group Chat CommunicationMathematics10.3390/math1218290612:18(2906)Online publication date: 18-Sep-2024
https://doi.org/10.3390/math12182906
Scheffler SMayer J(2024)Group Moderation Under End-to-End EncryptionProceedings of the Symposium on Computer Science and Law10.1145/3614407.3643704(36-47)Online publication date: 12-Mar-2024
https://dl.acm.org/doi/10.1145/3614407.3643704
Namavari AWang BMenda SNassi BTyagi NGrimmelmann JZhang ARistenpart T(2024)Private Hierarchical Governance for Encrypted Messaging2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00235(2610-2629)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00235
Schadt DCoijanovic CWeis CStrufe T(2024)PolySphinx: Extending the Sphinx Mix Format With Better Multicast Support2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00044(4386-4404)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00044
Cremers CRonen EZhao M(2024)Multi-Stage Group Key Distribution and PAKEs: Securing Zoom Groups against Malicious Servers without New Security Elements2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00037(2686-2704)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00037
Li ZXiao MXu R(2024)Formal analysis of signal protocol based on logic of events theoryScientific Reports10.1038/s41598-024-71666-y14:1Online publication date: 4-Sep-2024
https://doi.org/10.1038/s41598-024-71666-y
Abdmeziem MAhmed Nacer ADeroues N(2024)Group key management in the Internet of Things: Handling asynchronicityFuture Generation Computer Systems10.1016/j.future.2023.10.023152(273-287)Online publication date: Mar-2024
https://doi.org/10.1016/j.future.2023.10.023
Paillat LIgnat CFrey DTuruani MIsmail A(2024)Discreet: distributed delivery service with context-aware cooperationAnnals of Telecommunications10.1007/s12243-024-01053-1Online publication date: 11-Jul-2024
https://doi.org/10.1007/s12243-024-01053-1
Erbatur SMarshall ANarendran PRingeissen C(2024)Deciding Knowledge Problems Modulo Classes of Permutative TheoriesLogic-Based Program Synthesis and Transformation10.1007/978-3-031-71294-4_3(47-63)Online publication date: 7-Sep-2024
https://doi.org/10.1007/978-3-031-71294-4_3
Alwen JAuerbach BCueto Noval MKlein KPascual-Perez GPietrzak K(2024)DeCAF: Decentralizable CGKA with Fast HealingSecurity and Cryptography for Networks10.1007/978-3-031-71073-5_14(294-313)Online publication date: 10-Sep-2024
https://doi.org/10.1007/978-3-031-71073-5_14
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents