This is version 20190826:124134 of this paper.

Paper 2019/965

On-Demand Ratcheting with Security Awareness

Andrea Caforio and F Betül Durak and Serge Vaudenay

Abstract

Ratcheting communication strengthens privacy, specifically in the presence of internal state exposures or random coin corruptions. This is called post-compromise security. Several such secure protocols have been proposed in the last few years. The strongest level of security comes at a high cost, because of the need for HIBE or at least public-key cryptography. In this paper, we first design a lightweight protocol called liteARCAD which is based solely on symmetric cryptography, and is hence only forward secure. We then present a generic hybrid protocol that composes any two protocols so that the sender can select which of the two to use. When composing liteARCAD with a post-compromise secure protocol, the sender can decide whether or not to ratchet. For instance, the sender can ratchet once in a while, or after leaving his device unattended. When doing so with infrequent ratcheting, we obtain the strongest security at the price of efficient symmetric cryptography. We then propose the notion of security awareness. This lets a sender learn, after a while, whether his message was safely received (i.e. whether it was received and whether no adversary can decrypt it, except through trivial attacks) and that no finished active attack occurred (i.e. an active attack must either continue forever or be detected). We finally propose a generic strengthening that adds security awareness to any protocol.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Keywords
secure communication, post-compromise security, ratchet
Contact author(s)
serge vaudenay @ epfl ch
durakfbetul @ gmail com
andrea caforio @ epfl ch
History
2021-05-10: last of 3 revisions
2019-08-26: received
Short URL
https://ia.cr/2019/965
License
Creative Commons Attribution
CC BY