Fast Message Franking: From Invisible Salamanders to Encryptment

  • Yevgeniy Dodis
  • Paul Grubbs
  • Thomas Ristenpart
  • Joanne Woodage
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10991)

Abstract

Message franking enables cryptographically verifiable reporting of abusive messages in end-to-end encrypted messaging. Grubbs, Lu, and Ristenpart recently formalized the needed underlying primitive, which they call compactly committing authenticated encryption (AE), and analyzed the security of a number of approaches. But all known secure schemes are still slow compared to the fastest standard AE schemes. For this reason Facebook Messenger uses AES-GCM for franking of attachments such as images or videos.

We show how to break Facebook’s attachment franking scheme: a malicious user can send an objectionable image to a recipient but that recipient cannot report it as abuse. The core problem stems from use of fast but non-committing AE, and so we build the fastest compactly committing AE schemes to date. To do so we introduce a new primitive, called encryptment, which captures the essential properties needed. We prove that, unfortunately, schemes with a performance profile similar to AES-GCM won’t work. Instead, we show how to efficiently transform Merkle-Damgård-style hash functions into secure encryptments, and how to efficiently build compactly committing AE from encryptment. Ultimately our main construction allows franking using just a single computation of SHA-256 or SHA-3. Encryptment proves useful for a variety of other applications, such as remotely keyed AE and concealments, and our results imply the first single-pass schemes in these settings as well.
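The abstract describes the problem (a report that the platform cannot verify because the AE scheme does not commit to the message) and the property a franking scheme needs (a compact commitment that the recipient can open and the server can check). The following is an added, self-contained Python example that is not code from the paper and not Facebook's scheme: it implements the earlier commit-then-encrypt style of compactly committing AE from standard-library HMAC-SHA256 (an illustrative encrypt-then-MAC AE, not AES-GCM and not the paper's hash-function encryptment), and walks the three-party franking flow: the sender commits to (header, message) under a fresh opening key, the server stamps the commitment without seeing the plaintext, the recipient decrypts and checks the opening, and a later abuse report is verified by the server. All keys, nonces and messages are constructed for the example.

```python
import hashlib
import hmac
import os

OPENING_LEN = 32  # bytes of per-message commitment key carried inside the ciphertext


def _encode(header: bytes, msg: bytes) -> bytes:
    """Unambiguous encoding of (header, msg): length-prefix the header so no two
    distinct pairs can produce the same byte string."""
    return len(header).to_bytes(4, "big") + header + msg


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF (illustrative stand-in
    for a block cipher; fine for a demo, not a recommendation for production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def ae_encrypt(key: bytes, nonce: bytes, header: bytes, msg: bytes) -> bytes:
    """Plain (non-committing) encrypt-then-MAC AE. Returns ciphertext || 32-byte tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(m ^ k for m, k in zip(msg, _keystream(enc_key, nonce, len(msg))))
    tag = hmac.new(mac_key, nonce + _encode(header, ct), hashlib.sha256).digest()
    return ct + tag


def ae_decrypt(key: bytes, nonce: bytes, header: bytes, ct_tag: bytes):
    """Verify the tag, then decrypt. Returns the plaintext or None on failure."""
    if len(ct_tag) < 32:
        return None
    ct, tag = ct_tag[:-32], ct_tag[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + _encode(header, ct), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def cae_encrypt(key: bytes, nonce: bytes, header: bytes, msg: bytes, opening: bytes = None):
    """Commit-then-encrypt: commit to (header, msg) under a fresh opening key, then
    encrypt opening || msg under the shared key. Returns (ciphertext, commitment).
    The commitment is what the server stamps; it reveals nothing about msg
    without the opening, which travels only inside the ciphertext."""
    if opening is None:
        opening = os.urandom(OPENING_LEN)
    commitment = hmac.new(opening, _encode(header, msg), hashlib.sha256).digest()
    return ae_encrypt(key, nonce, header, opening + msg), commitment


def verify_opening(header: bytes, msg: bytes, opening: bytes, commitment: bytes) -> bool:
    """Binding check: does (header, msg, opening) open this commitment?"""
    recomputed = hmac.new(opening, _encode(header, msg), hashlib.sha256).digest()
    return hmac.compare_digest(commitment, recomputed)


def cae_decrypt(key: bytes, nonce: bytes, header: bytes, ct_tag: bytes, commitment: bytes):
    """Decrypt and reject unless the recovered opening matches the stamped commitment.
    Returns (msg, opening) so the recipient can later report, or None."""
    pt = ae_decrypt(key, nonce, header, ct_tag)
    if pt is None or len(pt) < OPENING_LEN:
        return None
    opening, msg = pt[:OPENING_LEN], pt[OPENING_LEN:]
    if not verify_opening(header, msg, opening, commitment):
        return None
    return msg, opening


def server_stamp(server_key: bytes, commitment: bytes) -> bytes:
    """Server-side reporting tag over the commitment only (no plaintext access)."""
    return hmac.new(server_key, commitment, hashlib.sha256).digest()


def server_verify_report(server_key: bytes, header: bytes, msg: bytes, opening: bytes,
                         commitment: bytes, stamp: bytes) -> bool:
    """Abuse report check: the stamp must be the server's own, and the reported
    (header, msg, opening) must open the stamped commitment."""
    return (hmac.compare_digest(stamp, server_stamp(server_key, commitment))
            and verify_opening(header, msg, opening, commitment))


def franking_demo():
    """Sender -> server (stamp) -> recipient -> report. Returns
    (decrypted_ok, honest_report_accepted, altered_report_accepted)."""
    shared_key = hashlib.sha256(b"constructed sender/recipient key").digest()
    server_key = hashlib.sha256(b"constructed server key").digest()
    nonce, header = b"\x00" * 12, b"from:alice;to:bob"  # constructed values
    msg = b"constructed message to be reported"
    ct_tag, commitment = cae_encrypt(shared_key, nonce, header, msg)
    stamp = server_stamp(server_key, commitment)
    msg_out, opening = cae_decrypt(shared_key, nonce, header, ct_tag, commitment)
    honest = server_verify_report(server_key, header, msg_out, opening, commitment, stamp)
    altered = server_verify_report(server_key, header, b"some other text", opening, commitment, stamp)
    return msg_out == msg, honest, altered


if __name__ == "__main__":
    print(franking_demo())
```

The point the code makes is where the commitment lives: `ae_encrypt` alone gives the server nothing it can later check against a plaintext, while `cae_encrypt` produces a commitment the server can stamp blind and the recipient can open. This two-pass layout (one MAC for the commitment, one AE pass for the ciphertext) is exactly the cost the paper's encryptment constructions aim to collapse into a single hash computation.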

Notes

Acknowledgments

The authors thank Jon Millican for his help on understanding Facebook’s message franking systems. Dodis is partially supported by gifts from VMware Labs and Google, and NSF grants 1619158, 1319051, 1314568. Grubbs is supported by an NSF Graduate Research Fellowship. A portion of this work was completed while Grubbs visited Royal Holloway University, and he thanks Kenny Paterson for generously hosting him. Ristenpart is supported in part by NSF grants 1704527 and 1514163, as well as a gift from Microsoft. Woodage is supported by the EPSRC and the UK government as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/K035584/1).

References

  1. Abdalla, M., Bellare, M., Neven, G.: Robust encryption. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 480–497. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_28
  2. Bellare, M., Jaeger, J., Len, J.: Better than advertised: improved collision-resistance guarantees for MD-based hash functions. In: ACM CCS (2017)
  3. Bellare, M., Kohno, T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_31
  4. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41
  5. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak sponge function family main document. Submission to NIST SHA3 (2009)
  6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_19
  7. Biryukov, A., Khovratovich, D.: Related-key cryptanalysis of the full AES-192 and AES-256. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 1–18. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_1
  8. Biryukov, A., Khovratovich, D., Nikolić, I.: Distinguisher and related-key attack on the full AES-256. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 231–249. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_14
  9. Black, J., Cochran, M., Shrimpton, T.: On the impossibility of highly-efficient blockcipher-based hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 526–541. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_31
  10. Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. JCSS 37, 156–189 (1988)
  11. Advanced Micro Devices: The ZEN microarchitecture (2016). https://www.amd.com/en/technologies/zen-core
  12. Dodis, Y., An, J.H.: Concealment and its applications to authenticated encryption. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 312–329. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_19
  13. Facebook: Facebook Messenger app (2016). https://www.messenger.com/
  14. Facebook: Messenger Secret Conversations Technical Whitepaper (2016)
  15. Farshim, P., Libert, B., Paterson, K.G., Quaglia, E.A.: Robust encryption, revisited. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 352–368. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_22
  16. Farshim, P., Orlandi, C., Rosie, R.: Security of symmetric primitives under incorrect usage of keys. In: FSE (2017)
  17. Grubbs, P., Lu, J., Ristenpart, T.: Message franking via committing authenticated encryption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 66–97. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_3
  18. Gulley, S., Gopal, V., Yap, K., Feghali, W., Guilford, J.: Intel SHA extensions (2013). https://software.intel.com/en-us/articles/intel-sha-extensions
  19. Guo, J., Ling, S., Rechberger, C., Wang, H.: Advanced meet-in-the-middle preimage attacks: first results on full Tiger, and improved results on MD4 and SHA-2. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 56–75. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_4
  20. Halevi, S., Krawczyk, H.: Strengthening digital signatures via randomized hashing. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 41–59. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_3
  21. Hong, S., Kim, J., Lee, S., Preneel, B.: Related-key rectangle attacks on reduced versions of SHACAL-1 and AES-192. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 368–383. Springer, Heidelberg (2005). https://doi.org/10.1007/11502760_25
  22. Jutla, C.S.: Encryption modes with almost free message integrity. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 529–544. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_32
  23. Khovratovich, D., Rechberger, C., Savelieva, A.: Bicliques for preimages: attacks on Skein-512 and the SHA-2 family. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 244–263. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_15
  24. Kim, J., Kim, G., Hong, S., Lee, S., Hong, D.: The related-key rectangle attack – application to SHACAL-1. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 123–136. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_11
  25. Kim, J., Kim, G., Lee, S., Lim, J., Song, J.: Related-key attacks on reduced rounds of SHACAL-2. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 175–190. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30556-9_15
  26. Lamberger, M., Mendel, F.: Higher-order differential attack on reduced SHA-256. IACR ePrint, Report 2011/037 (2011)
  27. Lu, J., Kim, J., Keller, N., Dunkelman, O.: Related-key rectangle attack on 42-round SHACAL-2. In: Katsikas, S.K., López, J., Backes, M., Gritzalis, S., Preneel, B. (eds.) ISC 2006. LNCS, vol. 4176, pp. 85–100. Springer, Heidelberg (2006). https://doi.org/10.1007/11836810_7
  28. McGrew, D., Viega, J.: The Galois/counter mode of operation (GCM). In: NIST Modes of Operation (2004)
  29. Millican, J.: Personal communication, Feb 2018
  30. Millican, J.: Challenges of E2E Encryption in Facebook Messenger. RWC (2017)
  31. Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: a synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_31
  32. Rogaway, P., Bellare, M., Black, J.: OCB: a block-cipher mode of operation for efficient authenticated encryption. ACM TISSEC 6, 365–403 (2003)
  33. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_23
  34. Rogaway, P., Steinberger, J.: Constructing cryptographic hash functions from fixed-key blockciphers. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 433–450. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_24
  35. Rogaway, P., Steinberger, J.: Security/efficiency tradeoffs for permutation-based hashing. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 220–236. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_13
  36. Sanadhya, S.K., Sarkar, P.: New collision attacks against up to 24-step SHA-2. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 91–103. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89754-5_8
  37. Shrimpton, T., Stam, M.: Building a collision-resistant compression function from non-compressing primitives. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 643–654. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70583-3_52
  38. Open Whisper Systems: Signal (2016). https://signal.org/
  39. van der Linde, W.: Parallel SHA-256 in NEON for use in hash-based signatures. BSc thesis, Radboud University (2016)
  40. WhatsApp: WhatsApp (2016). https://www.whatsapp.com/

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Yevgeniy Dodis (1)
  • Paul Grubbs (2)
  • Thomas Ristenpart (2)
  • Joanne Woodage (3)
  1. New York University, New York, USA
  2. Cornell Tech, New York, USA
  3. Royal Holloway, University of London, Egham, UK