## Cryptology ePrint Archive: Report 2021/1407

A Concrete Treatment of Efficient Continuous Group Key Agreement via Multi-Recipient PKEs

Keitaro Hashimoto and Shuichi Katsumata and Eamonn Postlethwaite and Thomas Prest and Bas Westerbaan

Abstract: Continuous group key agreements (CGKAs) are a class of protocols that can provide strong security guarantees to secure group messaging protocols such as Signal and MLS. Protection against device compromise is provided by commit messages: at a regular rate, each group member may refresh their key material by uploading a commit message, which is then downloaded and processed by all the other members. In practice, propagating commit messages dominates the bandwidth consumption of existing CGKAs.

We propose Chained CmPKE, a CGKA with an asymmetric bandwidth cost: in a group of $N$ members, a commit message costs $O(N)$ to upload and $O(1)$ to download, for a total bandwidth cost of $O(N)$. In contrast, TreeKEM [19, 24, 76] costs $\Omega(\log N)$ in both directions, for a total cost $\Omega(N\log N)$. Our protocol relies on generic primitives, and is therefore readily post-quantum.

We go one step further and propose post-quantum primitives that are tailored to Chained CmPKE, which allows us to cut the growth rate of uploaded commit messages by two or three orders of magnitude compared to naive instantiations. Finally, we realize a software implementation of Chained CmPKE. Our experiments show that even for groups with a size as large as $N = 2^{10}$, commit messages can be computed and processed in less than 100 ms.

Category / Keywords: cryptographic protocols / secure messaging; continuous group key agreement; post-quantum assumptions; (committing) multi-recipient PKE

Original Publication (with major differences): ACM CCS 2021

Date: received 18 Oct 2021

Contact author: hashimoto k au at m titech ac jp, shuichi katsumata at aist go jp, ewp at cwi nl, thomas prest at pqshield com, bas at westerbaan name

Available format(s): PDF | BibTeX Citation

Short URL: ia.cr/2021/1407

[ Cryptology ePrint archive ]