Cryptology ePrint Archive: Report 2021/1456

Server-Aided Continuous Group Key Agreement

Joël Alwen and Dominik Hartmann and Eike Kiltz and Marta Mularczyk

Abstract: Continuous Group Key Agreement (CGKA) -- or Group Ratcheting -- lies at the heart of a new generation of End-to-End (E2E) secure group messaging (SGM) and VoIP protocols supporting very large groups. Yet even for these E2E protocols the primary constraint limiting practical group sizes continues to be their communication complexity. To date, the most important (and only deployed) CGKA is ITK, which underpins the IETF's upcoming Messaging Layer Security SGM standard.

In this work, we introduce server-aided CGKA (saCGKA) to more precisely model how E2E protocols are usually deployed. saCGKA makes explicit the presence of an (untrusted) server mediating communication between honest parties (as opposed to mere insecure channels of some form or another). Next, we provide a simple and intuitive security model for saCGKA. We modify ITK accordingly to obtain SAIK, a practically efficient and easy-to-implement saCGKA designed to leverage the server to obtain greatly reduced communication and computational complexity (e.g. relative to ITK). Under the hood, SAIK uses a new type of signature called a Reducible Signature, which we construct from so-called Weighted Accumulators. SAIK obtains further advantages by using Multi-Recipient Multi-Message PKE. Finally, we provide empirical data comparing the communication complexity for senders, receivers and the server in ITK vs. three saCGKAs, including two instantiations of SAIK.

Category / Keywords: cryptographic protocols / group messaging, CGKA, end-to-end encryption

Date: received 29 Oct 2021

Contact author: alwenjo at amazon com, dominik hartmann at rub de, eike kiltz at rub de, mumarta at inf ethz ch

Version: 20211106:154059
