Abstract
Grubbs et al. [11] initiated the formal study of message franking protocols. This new type of service, launched by Facebook, allows the receiver in a secure messaging application to verifiably report to a third party an abusive message some sender has sent. A novel cryptographic primitive, committing AEAD, has been introduced, whose functionality, apart from confidentiality and authenticity, asks for a compact commitment to the message, which is delivered to the receiver as part of the ciphertext. A new construction \(\textsf{CEP}\) (Committing Encrypt and \(\textsf{PRF}\)) was then proposed, which is multi-opening secure and reduces the computational costs for the sender and the receiver. In this paper we provide a formal treatment of message franking protocols with minimum leakage, whereby only the abusive blocks are opened while the remaining non-abusive blocks of the message stay private.
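The following Python program is an added illustration of the blockwise franking flow the abstract describes; it is not the paper's construction, not its \(\textsf{CEP}\) scheme, and makes no claim to meet the paper's security definitions. The scheme, the key-derivation labels, the block size and the sample keys, header and nonce are this example's own assumptions: HMAC-SHA256 stands in for the committing PRF \(\textsf{F}\), and a counter-mode PRF stands in for the generator \(\textsf{G}\). The sender commits to every block inside the ciphertext, the receiver reports only the abusive block by releasing that block and its commitment key, and the router verifies the opened block without learning the others.

```python
import hashlib
import hmac

BLOCK = 16      # plaintext block size b_i (assumption: any fixed size works)
KEY_LEN = 32    # fixed length of every commitment key P_i (sidesteps HMAC key-length ambiguity)


def _prf(key, data):
    """F: HMAC-SHA256, used as the committing PRF over blocks and for tags (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def _expand(key, nonce, i):
    """G: derive for block i a keystream share S_i and a commitment key P_i (assumption)."""
    ctr = i.to_bytes(4, "big")
    return _prf(key, b"stream" + nonce + ctr)[:BLOCK], _prf(key, b"commit" + nonce + ctr)[:KEY_LEN]


def _chunks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def enc(key, header, nonce, message):
    """Sender: C1 = blockwise XOR with the stream, C2 = one commitment per block plus a tag."""
    c1, c2 = b"", []
    for i, m_i in enumerate(_chunks(message)):
        s_i, p_i = _expand(key, nonce, i)
        c1 += _xor(m_i, s_i)
        c2.append(_prf(p_i, header + i.to_bytes(4, "big") + m_i))
    tag = _prf(_prf(key, b"tag" + nonce), header + c1 + b"".join(c2))
    return c1, (c2, tag)


def dec(key, header, nonce, c1, c2_tag):
    """Receiver: return (M, openings) or None (the bottom symbol of the text) on any error."""
    c2, tag = c2_tag
    if not hmac.compare_digest(tag, _prf(_prf(key, b"tag" + nonce), header + c1 + b"".join(c2))):
        return None
    cipher_blocks = _chunks(c1)
    if len(cipher_blocks) != len(c2):
        return None
    blocks, openings = [], []
    for i, chunk in enumerate(cipher_blocks):
        s_i, p_i = _expand(key, nonce, i)
        m_i = _xor(chunk, s_i)
        if not hmac.compare_digest(c2[i], _prf(p_i, header + i.to_bytes(4, "big") + m_i)):
            return None
        blocks.append(m_i)
        openings.append(p_i)
    return b"".join(blocks), openings


def router_stamp(router_key, header, nonce, c2):
    """Router (third party) at delivery: it sees only (H, N, C2), never M or the session key."""
    return _prf(router_key, header + nonce + b"".join(c2))


def report(message, openings, abusive):
    """Receiver opens only the abusive block indices; every other block stays unopened."""
    blocks = _chunks(message)
    return {i: (blocks[i], openings[i]) for i in abusive}


def verify(router_key, header, nonce, c2, stamp, opened):
    """Router: check its own stamp, then each opened block against the commitment it stamped."""
    if not hmac.compare_digest(stamp, router_stamp(router_key, header, nonce, c2)):
        return False
    for i, (m_i, p_i) in opened.items():
        if i >= len(c2) or len(p_i) != KEY_LEN:
            return False
        if not hmac.compare_digest(c2[i], _prf(p_i, header + i.to_bytes(4, "big") + m_i)):
            return False
    return True


def demo():
    """Constructed sample run: a 3-block message of which only block 1 is reported."""
    key, router_key = b"K" * 32, b"R" * 32                     # constructed keys
    header, nonce = b"alice->bob", b"N" * 12                    # constructed header and nonce
    message = b"hi bob, block 0.|abusive block 1|fine block 2"  # constructed message
    c1, (c2, tag) = enc(key, header, nonce, message)
    stamp = router_stamp(router_key, header, nonce, c2)         # router keeps only this
    m, openings = dec(key, header, nonce, c1, (c2, tag))
    opened = report(m, openings, abusive=[1])
    forged = {1: (b"innocent block 1", openings[1])}            # receiver lies about block 1
    tampered = bytes([c1[0] ^ 1]) + c1[1:]                      # in-transit modification
    return {
        "decrypts": m == message,
        "report_verifies": verify(router_key, header, nonce, c2, stamp, opened),
        "forged_block_rejected": not verify(router_key, header, nonce, c2, stamp, forged),
        "tampered_is_bot": dec(key, header, nonce, tampered, (c2, tag)) is None,
        "blocks_opened": sorted(opened),
    }
```

Two properties from the text are visible in `demo()`: sender binding rests on `dec` returning the error symbol (here `None`) for a modified ciphertext, so an honest router never stamps a commitment the receiver cannot open, and receiver binding rests on the router rejecting an opening whose block does not match the stamped commitment, while blocks 0 and 2 are never revealed to it.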
I. Leontiadis: Work has been conducted while the author was affiliated with EPFL.
References
Albertini, A., Duong, T., Gueron, S., Kölbl, S., Luykx, A., Schmieg, S.: How to abuse and fix authenticated encryption without key commitment. In: Butler, K.R.B., Thomas, K. (eds.) 31st USENIX Security Symposium, USENIX Security 2022, Boston, MA, USA, 10–12 August 2022, pp. 3291–3308. USENIX Association (2022)
Barak, B., Halevi, S.: A model and architecture for pseudo-random generation with applications to /dev/random. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS '05, New York, NY, USA, pp. 203–212. ACM (2005)
Bellare, M., Hoang, V.T.: Efficient schemes for committing authenticated encryption. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13276, pp. 845–875. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07085-3_29
Bellare, M., Rogaway, P.: Encode-then-encipher encryption: how to exploit nonces or redundancy in plaintexts for efficient cryptography. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 317–330. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_24
Chan, J., Rogaway, P.: On committing authenticated-encryption. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds.) Computer Security – ESORICS 2022. LNCS, vol. 13555, pp. 275–294. Springer, Cham (2022)
Chen, L., Tang, Q.: People who live in glass houses should not throw stones: targeted opening message franking schemes. IACR Cryptol. ePrint Arch., 994 (2018)
Dodis, Y., Grubbs, P., Ristenpart, T., Woodage, J.: Fast message franking: from invisible salamanders to encryptment. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 155–186. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_6
Dodis, Y., Pointcheval, D., Ruhault, S., Vergnaud, D., Wichs, D.: Security analysis of pseudo-random number generators with input: /dev/random is not robust. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS '13, New York, NY, USA, pp. 647–658. ACM (2013)
Facebook: Facebook Messenger. https://www.messenger.com/
Facebook: Messenger secret conversations technical whitepaper (2016). https://fbnewsroomus.files.wordpress.com/2016/07/secret_conversations_whitepaper-1.pdf
Grubbs, P., Lu, J., Ristenpart, T.: Message franking via committing authenticated encryption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 66–97. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_3
Hirose, S., Minematsu, K.: Compactly committing authenticated encryption using encryptment and tweakable block cipher. IACR Cryptol. ePrint Arch., 1670 (2022)
Len, J., Grubbs, P., Ristenpart, T.: Partitioning oracle attacks. In: Bailey, M., Greenstadt, R. (eds.) 30th USENIX Security Symposium, USENIX Security 2021, 11–13 August 2021, pp. 195–212. USENIX Association (2021)
Tyagi, N., Grubbs, P., Len, J., Miers, I., Ristenpart, T.: Asymmetric message franking: content moderation for metadata-private end-to-end encryption. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 222–250. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_8
Yamamuro, H., Hara, K., Tezuka, M., Yoshida, Y., Tanaka, K.: Forward secure message franking. In: Park, J.H., Seo, S.H. (eds.) Information Security and Cryptology – ICISC 2021. LNCS, vol. 13218, pp. 339–358. Springer, Cham (2021). https://doi.org/10.1007/978-3-031-08896-4_18
A Proofs
Proof
(Theorem 1) As in the integrity proof for the \(\textsf{CEP}2\) protocol, we assume without loss of generality that all queries \((H,N,C_1,C_2)\) to the \(\textsf{Dec}\) oracle are in the y list or that \(N\in l\); otherwise we can use the \(\textsf{Challenge}\) oracle. The game also halts as soon as \(\textsf{win}=\textsf{true}\). Let \(G_0\) be the original game and let \(G_1\) be identical to \(G_0\) except that calls to G are replaced with strings of the same size 2nm drawn from a random function R. Then it holds:
where is the advantage of an adversary \(\mathcal {B}\) in distinguishing truly random strings from R from pseudorandom strings from G, making \(q_{\textsf{PRG}}=q_{\textsf{Enc}}+q_{\textsf{Dec}}+q_{\textsf{Challenge}}\) queries in time complexity t.
We enumerate the pairwise distinct nonces \(N_j, j=1\ldots q\cdot m\) in the order they appear in the oracle queries. Let J be the index of the nonce that appeared in the \(\textsf{Challenge}\) query and made \(\textsf{win}\) switch to true. Notice that, compared with \(\textsf{CEP}2\), the enumeration of nonces runs over each distinct key stream \(P_i, i=1\ldots m\), that is, over each block \(b_i\); we allow q queries for each key stream. Then we have:
\(\mathcal {A}\) wins the game only if it manages to present a tuple \((H,N,C_1,C_2)\) to the \(\textsf{Challenge}\) oracle without having queried it to the \(\textsf{Dec}\) oracle, which rules out the trivial attack given by [11]. For each \(N_j, j\in [1,\ldots q]\), we define an adversary \(\mathcal {C}_j\) against the universal unforgeability under chosen-message attack of the collision-resistant pseudorandom function \(\textsf{F}^{cr}\) keyed by \(P_j,j\in [1\ldots m]\). We make \(\mathcal {C}_j\) abort if \(N_j\) is queried to the \(\textsf{Dec}\) oracle. Thus:
Finally, from (4), (5) and (6), and accumulating the distinguishing probabilities of \(\mathcal {A}\) against the game, we have:
\(\square \)
Sender binding is guaranteed as long as the decryption algorithm \(\textsf{Dec}\) decrypts correctly, that is, it outputs the correct message \(M\), or \(\perp \) when there is an error, and \(\textsf{Verify}\) is run by an honest router.
Proof
(Theorem 2) Let \(G_0\) be the game. We change \(G_0\) into \(G_1\) as in the confidentiality proof for \(\textsf{CEP}2\): we introduce the lists y, l and the variable \(\textsf{win}\) as in the game and make \(G_1\) abort if \(\textsf{win}=\textsf{true}\). Then it holds that:
In \(G_1\) we are ensured that the nonce N submitted to the \(\textsf{Challenge}\) oracle is never submitted to the \(\textsf{Dec}\) oracle other than with the answer \(\perp \). Then we can reduce to the \(\textsf{PRF}\) game such that .
Finally it holds that:
\(\square \)
Proof
(Theorem 3) Let game \(G_0\) be identical to the game.
In game \(G_1\) we substitute y with \(y_0\) and introduce \(y_1\), similarly to the confidentiality game . Whenever halts, \(G_0\) also halts. In the \(\textsf{Challenge}\) oracle \(\mathcal {A}\) submits messages \(M_0\) and \(M_1\) such that \((N\not \in y_0)\wedge (|M_0| =|M_1|)\wedge (\textsf{chall}=\perp )\wedge (R(M_0)=1)\wedge (R(M_1)=1)\). When \(b=0\), the \(\textsf{Challenge}\) oracle of \(G_1\) returns to \(\mathcal {A}\) \((C_1,C_2)\leftarrow \textsf{Enc}_{\textsf{k}}(H,N,M_0)\). When \(b=1\), \(G_1\) runs \((C_1,C_2)\leftarrow \textsf{Enc}_{\textsf{k}}(H,N,\{0,1\}^{|M|})\). Thus:
\(\mathcal {A}\) can also win the game if she manages to forge \(C_2\) in order to issue a \(\textsf{chal}=(H,N,C_1,C_2')\) tuple to the \(\textsf{Dec}\) oracle, bypass the check, decrypt the \(\textsf{chal}\) query and distinguish with non-negligible probability.
Finally it holds:
\(\square \)
Proof
(Theorem 4) [Sketch] \(\mathcal {B}\) runs \(\mathcal {A}\) until the latter outputs a tuple , whereby the \(\mathrm {r\hbox {-}BIND}\) game outputs 1. That is, for some indices \(i\in B\), thus a valid collision of \(\textsf{F}^{cr}\). The maximum value of B equals the number of blocks m, thus
\(\square \)
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this paper
Leontiadis, I., Vaudenay, S. (2023). Private Message Franking with After Opening Privacy. In: Wang, D., Yung, M., Liu, Z., Chen, X. (eds) Information and Communications Security. ICICS 2023. Lecture Notes in Computer Science, vol 14252. Springer, Singapore. https://doi.org/10.1007/978-981-99-7356-9_12
DOI: https://doi.org/10.1007/978-981-99-7356-9_12
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-7355-2
Online ISBN: 978-981-99-7356-9
eBook Packages: Computer Science, Computer Science (R0)