Private Message Franking with After Opening Privacy

Abstract

Grubbs et al. [11] initiated the formal study of message franking protocols. This new type of service launched by Facebook, allows the receiver in a secure messaging application to verifiably report to a third party an abusive message some sender has sent. A novel cryptographic primitive: committing AEAD has been initiated, whose functionality apart from confidentiality and authenticity asks for a compact commitment over the message, which is delivered to the receiver as part of the ciphertext. A new construction \(\textsf{CEP}\) (Committing Encrypt and \(\textsf{PRF}\)) has then been proposed, which is multi-opening secure and reduces the computational costs for the sender and the receiver. In this paper we provide a formal treatment of message franking protocols with minimum leakage whereby only the abusive blocks are opened, while the rest non-abusive blocks of the message remain private.

I. Leontiadis—Work has been conducted while the author was affiliated with EPFL.

A Proofs

Proof

(Theorem 1) Similarly with the integrity proof for the \(\textsf{CEP}2\) protocol we assume without loss of generality that all queries \((H,N,C_1,C_2)\) to the \(\textsf{Dec}\) oracle are in the y list or that \(N\in l\). Otherwise we can use the \(\textsf{Challenge}\) oracle. The game halts also as soons as \(\textsf{win}=\textsf{true}\). Let \(G_0\) be the original game and \(G_1\) is equivalent with \(G_0\) except that calls to G are replaced with strings of the same size 2nm from a random function R. Then, it holds:

(4)

where is the advantage of an adversary \(\mathcal {B}\) to distinguish truly random string from R from pseudorandom strings from G making \(q_{\textsf{PRG}}=q_{\textsf{Enc}}+q_{\textsf{Dec}}+q_{\textsf{Challenge}}\) queries in time complexity t.

We enumerate the pairwise different nonces \(N_j, j=1\ldots q\cdot m\) as they appear in the oracle queries. We let J be the index of the nonces appeared in \(\textsf{Challenge}\) query and made \(\textsf{win}\) switch to true. Notice that compared with \(\textsf{CEP}2\), enumeration of nonces goes for each different key stream \(P_i, i=1\ldots m\), for each block \(b_i\). We let q queries for each different key stream. Then we have that:

$$\begin{aligned} \Pr [G_1\Rightarrow 1]=\sum _{j=1}^{q\cdot m}{\Pr [G_{1}\Rightarrow 1{\;:\;\;}J=j]} \end{aligned}$$

(5)

\(\mathcal {A}\) wins the game only if it manages to present a tuple \((H,N,C_1,C_2)\) to the \(\textsf{Challenge}\) oracle without having queried the \(\textsf{Dec}\) oracle to avoid the trivial attack given by [11]. For each \(N_j, j\in [1,\ldots q]\), we define adversaries \(\mathcal {C}_j\) against the universal unforgeability on chosen messages against the collision resistance pseudorandom function \(\textsf{F}^{cr}\) keyed by \(P_j,j\in [1\ldots m]\). We make \(\mathcal {C}_j\) abort if \(N_j\) is queried to the \(\textsf{Dec}\) oracle. Thus:

(6)

Finally from (4), (5), (6) and accumulating the distinguishing probabilities of \(\mathcal {A}\) against the game we have:

\(\square \)

Sender binding is guaranteed as long as decryption algorithm \(\textsf{Dec}\) decrypts correctly: it outputs the correct message \(M\) or \(\perp \) when there is an error, and \(\textsf{Verify}\) run by an honest router.

Proof

(Theorem 2) Let \(G_0\) be the game. We change \(G_0\) in \(G_1\) as with the confidentiality proof for \(\textsf{CEP}2\). We introduce y, l lists and \(\textsf{win}\) variable as in the game and make \(G_1\) abort if \(\textsf{win}=\textsf{true}\). Then it holds that:

In \(G_1\) we are ensured that the nonce N submitted to the \(\textsf{Challenge}\) oracle is never submitted to the \(\textsf{Dec}\) oracle but to return \(\perp \). Then we can reduce to the \(\textsf{PRF}\) game such that .

Finally it holds that:

\(\square \)

Proof

(Theorem 3) Let game \(G_0\) be identical with the game.

In game \(G_1\) we substitute y with \(y_0\) and we introduce \(y_1\) similarly with the confidentiality game . Whenever halts \(G_0\) also halts. In the \(\textsf{Challenge}\) oracle \(\mathcal {A}\) submits messages \(M_0\) and \(M_1\) such that \((N\not \in y_0)\wedge (|M_0| =|M_1|)\wedge (\textsf{chall}=\perp )\wedge (R(M_0)=1)\wedge (R(M_1)=1)\). Whenever \(b=0\) in the \(\textsf{Challenge}\) of \(G_1\) the game returns to \(\mathcal {A}\) \((C_1,C_2)\leftarrow \textsf{Enc}_{\textsf{k}}(H,N,M_0)\). When \(b=1\) \(G_1\) runs \((C_1,C_2)\leftarrow \textsf{Enc}_{\textsf{k}}(H,N,\{0,1\}^{|M|})\). Thus:

\(\mathcal {A}\) can also win the game if she manages to forge \(C_2\) in order to issue a \(\textsf{chal}=(H,N,C_1,C_2')\) tuple in the \(\textsf{Dec}\) oracle, bypasses the check, decrypts the \(\textsf{chal}\) query and distinguishes with non negligible probability.

Finally it holds:

\(\square \)

Proof

(Theorem 4)[Sketch] \(\mathcal {B}\) runs \(\mathcal {A}\) until the latter outputs a tuple , whereby the \(\mathrm {r\hbox {-}BIND}\) game outputs 1. That is, for some \(i's\in B\), thus a valid collision of \(\textsf{F}^{cr}\). The maximum value of B equals the number of blocks m, thus

\(\square \)