Cryptology ePrint Archive: Report 2019/477

Revisiting Post-Compromise Security Guarantees in Group Messaging

Cas Cremers and Britta Hale and Konrad Kohbrok

Abstract: Modern secure messaging protocols such as Signal can offer strong security guarantees, in particular Post-Compromise Security (PCS). The core PCS mechanism in these protocols is inherently pairwise, which causes bad scaling behaviour and makes PCS inefficient for large groups. To address this, two recently proposed designs for secure group messaging, ART and MLS Draft-04, use group keys derived from tree structures to efficiently enable PCS mechanisms in large groups.

In this work we highlight a previously unexplored difference between the pairwise and group-key based approaches. We show that without additional mechanisms, both ART and MLS Draft-04 offer significantly lower PCS guarantees than those offered by groups based on pairwise PCS channels. In particular, for MLS Draft-04, it seems that the protocol does not yet meet the informal PCS security guarantees described in the draft.

We explore the causes of this problem and lay out the design space to identify solutions. Optimizing security and minimizing overhead leads us to a promising solution based on (i) global updates and (ii) post-compromise secure signatures. While rotating signatures had been discussed before as an option for both MLS and ART, our work indicates that combining specific update patterns for all groups with a post-compromise secure signature scheme may be strictly necessary to achieve any reasonable PCS guarantee.

Category / Keywords: cryptographic protocols / post-compromise security, forward secrecy, group messaging protocols, message-layer security

Date: received 10 May 2019

Contact author: cas cremers at gmail com

Available format(s): PDF, BibTeX Citation

Version: 20190510:124547

Short URL: ia.cr/2019/477
