Research article (Open Access). DOI: 10.1145/3243734.3243747

On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees

Published: 15 October 2018

ABSTRACT

In the past few years secure messaging has become mainstream, with over a billion active users of end-to-end encryption protocols such as Signal. The Signal Protocol provides a strong property called post-compromise security to its users. However, it turns out that many of its implementations provide, without notification, a weaker property for group messaging: an adversary who compromises a single group member can read and inject messages indefinitely. We show for the first time that post-compromise security can be achieved in realistic, asynchronous group messaging systems. We present a design called Asynchronous Ratcheting Trees (ART), which uses tree-based Diffie-Hellman key exchange to allow a group of users to derive a shared symmetric key even if no two are ever online at the same time. ART scales to groups containing thousands of members, while still providing provable security guarantees. It has seen significant interest from industry, and forms the basis for two draft IETF RFCs and a chartered working group. Our results show that strong security guarantees for group messaging are practically achievable in a modern setting.
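The tree-based Diffie-Hellman idea in the abstract, as an added Python example that is not the paper's or the ART prototype's code: each member derives the root secret from its own leaf secret plus the public keys on its copath, and a member that refreshes its own leaf pushes a new root that a leaked copy of its old leaf secret can no longer compute. The group is a toy modular-exponentiation group and the node-secret map `iota` is a SHA-256 reduction, both assumptions chosen for readability; ART itself uses X25519 and its own key derivation.

```python
import hashlib

P, G = 2**127 - 1, 3  # toy DH group, constructed for readability only; ART uses X25519

def pub(sk: int) -> int:
    return pow(G, sk, P)

def iota(shared: int) -> int:
    """Map a DH output to a scalar that becomes the parent node's secret key."""
    h = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    return int.from_bytes(h, "big") % (P - 2) + 1

def path_secrets(leaf_secret: int, copath_pubs: list[int]) -> list[int]:
    """Secrets from a leaf to the root, computed by one member from only its own
    leaf secret and its copath's public keys (bottom-up). Last entry = root."""
    secrets = [leaf_secret]
    for sibling_pub in copath_pubs:
        secrets.append(iota(pow(sibling_pub, secrets[-1], P)))
    return secrets

class ArtTree:
    """Complete binary DH tree in heap layout (node i has children 2i+1, 2i+2)."""
    def __init__(self, leaf_secrets: list[int]):
        n = len(leaf_secrets)
        assert n >= 2 and n & (n - 1) == 0, "toy version: power-of-two group size"
        self.n, self.secret = n, [0] * (2 * n - 1)
        self.secret[n - 1:] = leaf_secrets
        for i in range(n - 2, -1, -1):  # internal nodes, bottom-up
            self.secret[i] = iota(pow(pub(self.secret[2 * i + 2]), self.secret[2 * i + 1], P))
        self.public = [pub(s) for s in self.secret]

    def copath(self, leaf: int) -> list[int]:
        """Public keys of the siblings on the path from `leaf` to the root."""
        idx, out = self.n - 1 + leaf, []
        while idx > 0:
            out.append(self.public[idx + 1 if idx % 2 else idx - 1])
            idx = (idx - 1) // 2
        return out

    def update(self, leaf: int, new_leaf_secret: int) -> None:
        """Member `leaf` ratchets: fresh leaf secret, recomputed path, new public keys."""
        idx = self.n - 1 + leaf
        for s in path_secrets(new_leaf_secret, self.copath(leaf)):
            self.secret[idx], self.public[idx] = s, pub(s)
            idx = (idx - 1) // 2

def pcs_demo() -> dict:
    """Constructed scenario: member 1's leaf secret leaks, then member 1 updates."""
    leaf = [1111, 2222, 3333, 4444]  # constructed toy secrets; use os.urandom in practice
    tree = ArtTree(leaf)
    old_root = tree.secret[0]
    tree.update(1, 5555)  # only the compromised member's own update heals the group
    return {"root_changed": tree.secret[0] != old_root,
            "healed": path_secrets(leaf[1], tree.copath(1))[-1] != tree.secret[0],
            "others_ok": path_secrets(leaf[2], tree.copath(2))[-1] == tree.secret[0]}
```

Members who never go online at the same time still converge: each only needs the published public keys on its copath, which is why the leaked old leaf secret stops working as soon as its owner refreshes it, while a leaf secret that is never refreshed keeps deriving the root.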

Supplemental Material: p1802-cohn-gordon.mp4 (319.1 MB)


Published in: CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, October 2018, 2359 pages. ISBN: 9781450356930. DOI: 10.1145/3243734

Copyright © 2018 Owner/Author

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance rates: CCS '18 paper acceptance rate 134 of 809 submissions (17%); overall acceptance rate 1,261 of 6,999 submissions (18%).