You are looking at a specific version 20170820:215037 of this paper.

Paper 2017/786

With one it is easy, with many it gets complicated: Understanding Channel Security for Groups

Giorgia Azzurra Marson and Bertram Poettering

Abstract

Secure messaging systems such as TextSecure and Signal aim, among others, at providing authenticated and confidential channels between two or more communicating users. The general understanding seems to be that providing security in the sense of authenticated encryption (AE) for every point-to-point link suffices to make the constructed messaging systems secure, i.e., authentic and confidential. However, as recently shown (in FSE17/ToSC17), in the bidirectional (two-party) case, just requiring the two unidirectional links to provide security independently of each other does not lead to a secure communication channel in general. Briefly, the reason for this is that security notions need to take into account the increased level of interaction between users. This also applies, a fortiori, in a multi-user setting where many parties communicate concurrently and in multiple directions.

We observe that in the current academic literature there is no rigorous definition of security for (broadcast) group communication. Applying the method of provable security, we fill this gap by defining security goals and showing how to provably achieve them. Concretely, the contributions of this paper are as follows:

We develop a set of formal definitions of security goals for broadcast communication, capturing targets like confidentiality and authenticity. Our notions in particular take into account the causal dependencies that exchanged messages might have. (Note that these have no counterpart in the much simpler unidirectional case.)

We then switch to the constructive side, designing an efficient protocol that requires only reliable point-to-point links between users and a standard cryptographic building block (AEAD), achieving all security goals defined in this paper.

Our work thus paves the ground towards understanding the exact level of security that current secure messaging systems achieve.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Keywords
secure messaging, group communication, confidentiality, integrity, causality preservation
Contact author(s)
bertram poettering @ rub de
History
2018-07-07: revised
2017-08-20: received
Short URL
https://ia.cr/2017/786
License
Creative Commons Attribution
CC BY