## Cryptology ePrint Archive: Report 2019/1489

Keep the Dirt: Tainted TreeKEM, Adaptively and Actively Secure Continuous Group Key Agreement

Joël Alwen and Margarita Capretto and Miguel Cueto and Chethan Kamath and Karen Klein and Ilia Markov and Guillermo Pascual-Perez and Krzysztof Pietrzak and Michael Walter and Michelle Yeo

Abstract: While messaging systems with strong security guarantees are widely used in practice, designing a protocol that scales efficiently to large groups and enjoys similar security guarantees remains largely open. The two existing proposals to date are ART (Cohn-Gordon et al., CCS18) and TreeKEM (IETF, The Messaging Layer Security Protocol, draft). TreeKEM is the currently considered candidate by the IETF MLS working group, but dynamic group operations (i.e. adding and removing users) can cause efficiency issues. In this paper we formalize and analyze a variant of TreeKEM which we term Tainted TreeKEM (TTKEM for short). The basic idea underlying TTKEM was suggested by Millican (MLS mailing list, February 2018). This version is more efficient than TreeKEM for some natural distributions of group operations, we quantify this through simulations.

Our second contribution is two security proofs for TTKEM which establish post compromise and forward secrecy even against adaptive attackers. If $n$ is the group size and $Q$ the number of operations, the security loss (to the underlying PKE) in the Random Oracle Model is a polynomial factor $(Qn)^2$, and in the Standard Model a quasipolynomial $Q^{\log(n)}$. Our proofs can be adapted to TreeKEM as well. Before our work no security proof for any TreeKEM-like protocol establishing tight security against an adversary who can adaptively choose the sequence of operations was known. We also are the first to prove (or even formalize) active security where the server can arbitrarily deviate from the protocol specification. Proving fully active security - where also the users can arbitrarily deviate - remains open.

Category / Keywords: cryptographic protocols / Messaging Layer Security, Group Key-Agreement Protocols, TreeKEM, Adaptive Security

Original Publication (with major differences): IEEE Symposium on Security and Privacy 2021

Date: received 27 Dec 2019, last revised 20 Oct 2020

Contact author: guillermo pascualperez at ist ac at, michael walter at ist ac at, krzpie at gmail com, jalwen at wickr com, karen klein at ist ac at

Available format(s): PDF | BibTeX Citation

Short URL: ia.cr/2019/1489

[ Cryptology ePrint archive ]