You are looking at a specific version 20191002:125211 of this paper. See the latest version.

Paper 2019/965

On-Demand Ratcheting with Security Awareness

Andrea Caforio and F Betül Durak and Serge Vaudenay

Abstract

Ratcheting communication strengthens privacy, specifically in the presence of internal state exposures or random coin corruptions. This is called post-compromise security. Several such secure protocols have been proposed in the last few years. The strongest level of security comes at a high cost, because it requires hierarchical identity-based encryption (HIBE) or at least public-key cryptography. In this paper, we propose two generic constructions with favorable properties. We start by formally and explicitly defining the notion of security awareness. Concretely, we, as protocol designers, want users to clearly see which of their messages are safe during the communication and to be able to detect active attacks. Ideally, the communication between honest participants should abort in the case of an active attack, because an active attack indicates that the adversary has synchronized with one of the honest participants. This type of attack is captured by RECOVER security. Aborted sessions can be resumed with our second construction, in which we define a hybrid system formed by combining two protocols: typically, a weakly secure "light" protocol and a strongly secure "heavy" protocol. The design goals of our hybrid construction are, first, to let the sender decide which of the two to use in order to obtain an efficient protocol with ratchet on demand; and second, to restore the communication between honest participants in the case of a message loss or an active attack initiated after a state exposure. We can build our hybrid system with any existing protocol. For this work, we chose to hybridize BARK with liteARCAD, a light design of ours that uses only symmetric-key primitives. Hence, there is no post-compromise security until a sender demands to ratchet.
Last but not least, we find it quite appealing and intuitive to use the security-aware and ratchet-on-demand protocols together, so that they strengthen each other by building one design on top of the other.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Keywords
secure communication, post-compromise security, ratchet
Contact author(s)
serge vaudenay @ epfl ch
durakfbetul @ gmail com
andrea caforio @ epfl ch
History
2021-05-10: last of 3 revisions
2019-08-26: received
Short URL
https://ia.cr/2019/965
License
Creative Commons Attribution
CC BY