Paper 2020/752

Continuous Group Key Agreement with Active Security

Joël Alwen, Sandro Coretti, Daniel Jost, and Marta Mularczyk

Abstract

A continuous group key agreement (CGKA) protocol allows a long-lived group of parties to agree on a continuous stream of fresh secret key material. The protocol must support constantly changing group membership, make no assumptions about when, if, or for how long members come online, nor rely on any trusted group managers. Due to sessions' long lifetime, CGKA protocols must simultaneously ensure both post-compromise security and forward secrecy (PCFS). That is, current key material should be secure despite both past and future compromises. The work of Alwen et al. (CRYPTO'20) introduced the CGKA primitive and identified it as a crucial component for constructing end-to-end secure group messaging protocols (SGM) (though we believe there are certainly more applications given the fundamental nature of key agreement). The authors analyzed the TreeKEM CGKA, which lies at the heart of the SGM protocol under development by the IETF working group on Messaging Layer Security (MLS). In this work, we continue the study of CGKA as a stand-alone cryptographic primitive. We present 3 new security notions with increasingly powerful adversaries. Even the weakest of the 3 (passive security) already permits attacks to which all prior constructions (including all variants of TreeKEM) are vulnerable. Going further, the 2 stronger (active security) notions additionally allow the adversary to use parties' exposed states (and full network control) to mount attacks. These are closely related to so-called insider attacks, which involve malicious group members actively deviating from the protocol. Insider attacks present a significant challenge in the study of CGKA (and SGM). Indeed, we believe ours to be the first security notions (and constructions) to formulate meaningful guarantees (e.g. PCFS) against such powerful adversaries. They are also the first composable security notions for CGKA of any type at all.
In terms of constructions, for each of the 3 security notions we provide a new CGKA scheme enjoying sub-linear (potentially even logarithmic) communication complexity in the number of group members. We prove each scheme optimally secure, in the sense that the only security violations possible are those necessarily implied by correctness.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Keywords
Continuous Group Key Agreement, Secure Messaging, Messaging Layer Security, TreeKEM, Active Security
Contact author(s)
jalwen @ wickr com
sandro coretti @ iohk io
dajost @ inf ethz ch
mumarta @ inf ethz ch
History
2020-06-21: received
Short URL
https://ia.cr/2020/752
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2020/752,
      author = {Joël Alwen and Sandro Coretti and Daniel Jost and Marta Mularczyk},
      title = {Continuous Group Key Agreement with Active Security},
      howpublished = {Cryptology ePrint Archive, Paper 2020/752},
      year = {2020},
      note = {\url{https://eprint.iacr.org/2020/752}},
      url = {https://eprint.iacr.org/2020/752}
}