CryptoDB
Yiannis Tselekounis
Affiliation: National and Kapodistrian University of Athens
Publications
Year
Venue
Title
2020
CRYPTO
Security Analysis and Improvements for the IETF MLS Standard for Group Messaging
📺
Abstract
Secure messaging (SM) protocols allow users to communicate securely
over untrusted infrastructure. In contrast to most other secure
communication protocols (such as TLS, SSH, or Wireguard), SM
sessions may be long-lived (e.g., years) and highly asynchronous.
In order to deal with likely state compromises of users during the
lifetime of a session, SM protocols do not only protect authenticity
and privacy, but they also guarantee forward secrecy (FS) and
post-compromise security (PCS). The former ensures that
messages sent and received before a state compromise remain secure,
while the latter ensures that users can recover from state
compromise as a consequence of normal protocol usage.
SM has received considerable attention in the two-party
case, where prior work has studied the well-known double-ratchet
paradigm, in particular, and SM as a cryptographic primitive, in
general. Unfortunately, this paradigm does not scale well to the
problem of secure group messaging (SGM). In order to address
the lack of satisfactory SGM protocols, the IETF has launched the
message-layer security (MLS) working group, which aims to
standardize an eponymous SGM protocol.
In this work we analyze the TreeKEM protocol, which is at the
core of the SGM protocol proposed by the MLS working group.
On a positive note, we show that TreeKEM achieves PCS in isolation
(and slightly more). However, we observe that the current version
of TreeKEM does not provide an adequate form of FS. More precisely,
our work proceeds by formally capturing the exact security of
TreeKEM as a so-called continuous group key agreement (CGKA)
protocol, which we believe to be a primitive of independent
interest. To address the insecurity of TreeKEM, we propose a simple
modification to TreeKEM inspired by recent work of Jost et al.
(EUROCRYPT '19) and an idea due to Kohbrok (MLS Mailing List). We
then show that the modified version of TreeKEM comes with almost no
efficiency degradation but achieves optimal (according to MLS
specification) CGKA security, including FS and PCS. Our work also
lays out how a CGKA protocol can be used to design a full SGM
protocol.
2018
CRYPTO
Non-Malleable Codes for Partial Functions with Manipulation Detection
📺
Abstract
Non-malleable codes were introduced by Dziembowski, Pietrzak and Wichs (ICS ’10) and its main application is the protection of cryptographic devices against tampering attacks on memory. In this work, we initiate a comprehensive study on non-malleable codes for the class of partial functions, that read/write on an arbitrary subset of codeword bits with specific cardinality. Our constructions are efficient in terms of information rate, while allowing the attacker to access asymptotically almost the entire codeword. In addition, they satisfy a notion which is stronger than non-malleability, that we call non-malleability with manipulation detection, guaranteeing that any modified codeword decodes to either the original message or to $$\bot $$⊥. Finally, our primitive implies All-Or-Nothing Transforms (AONTs) and as a result our constructions yield efficient AONTs under standard assumptions (only one-way functions), which, to the best of our knowledge, was an open question until now. In addition to this, we present a number of additional applications of our primitive in tamper resilience.
Coauthors
- Joël Alwen (1)
- Sandro Coretti (1)
- Yevgeniy Dodis (1)
- Aggelos Kiayias (2)
- Feng-Hao Liu (1)