A Unified and Composable Take on Ratcheting

  • Daniel Jost
  • Ueli Maurer
  • Marta Mularczyk
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11892)

Abstract

Ratcheting, an umbrella term for certain techniques for achieving secure messaging with strong guarantees, has spurred much interest in the cryptographic community, with several novel protocols proposed recently. Most of them are composed from several sub-protocols, often sharing similar ideas across different protocols. Thus, one could hope to reuse the sub-protocols to build new protocols achieving different security, efficiency, and usability trade-offs. This is especially desirable in view of the community’s current aim for group messaging, which has a significantly larger design space. However, the underlying ideas are usually not made explicit, but rather implicitly encoded in a (fairly complex) security game, primarily targeted at the overall security proof. This not only hinders modular protocol design, but also makes the suitability of a protocol for a particular application difficult to assess.

In this work we demonstrate that ratcheting components can be modeled in a composable framework, allowing for their reuse in a modular fashion. To this end, we first propose an extension of the Constructive Cryptography framework by so-called global event histories, to allow for a clean modularization even if the component modules are not fully independent but actually subtly intertwined, as in most ratcheting protocols. Second, we model a unified, flexibly instantiable type of strong security statement for secure messaging within that framework. Third, we show that one can phrase strong guarantees for a number of sub-protocols from the existing literature in this model with only minor modifications, slightly stronger assumptions, and reasonably intuitive formalizations.

When expressing existing protocols’ guarantees in a simulation-based framework, one has to address the so-called commitment problem. We do so by reflecting the removal of access to certain oracles under specific conditions, appearing in game-based security definitions, in the real world of our composable statements. We also propose a novel non-committing protocol for settings where the number of messages a party can send before receiving a reply is bounded.

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. Department of Computer Science, ETH Zurich, Zurich, Switzerland