DeCAF: Decentralizable Continuous Group Key Agreement with Fast Healing

Joël Alwen; Benedikt Auerbach; Miguel Cueto Noval; Karen Klein; Guillermo Pascual-Perez; Krzysztof Pietrzak

Paper 2022/559

DeCAF: Decentralizable Continuous Group Key Agreement with Fast Healing

Joël Alwen, AWS Wickr

Benedikt Auerbach, ISTA

Miguel Cueto Noval, ISTA

Karen Klein, ETH Zurich

Guillermo Pascual-Perez, ISTA

Krzysztof Pietrzak, ISTA

Abstract

Continuous group key agreement (CGKA) allows a group of users to maintain a continuously updated shared key in an asynchronous setting where parties only come online sporadically and their messages are relayed by an untrusted server. CGKA captures the basic primitive underlying group messaging schemes. Current solutions including TreeKEM ("Messaging Layer Security'' (MLS) IETF RFC 9420) cannot handle concurrent requests while retaining low communication complexity. The exception being CoCoA, which is concurrent while having extremely low communication complexity (in groups of size $n$ and for $m$ concurrent updates the communication per user is $\log(n)$, i.e., independent of $m$). The main downside of CoCoA is that in groups of size $n$, users might have to do up to $\log(n)$ update requests to the server to ensure their (potentially corrupted) key material has been refreshed. In this work we present a "fast healing'' concurrent CGKA protocol, named DeCAF, where users will heal after at most $\log(t)$ requests, with $t$ being the number of corrupted users. While also suitable for the standard central-server setting, our protocol is particularly interesting for realizing decentralized group messaging, where protocol messages (add, remove, update) are being posted on some append-only data structure rather than sent to a server. In this setting, concurrency is crucial once the rate of requests exceeds, say, the rate at which new blocks are added to a blockchain. In the central-server setting, CoCoA (the only alternative with concurrency, sub-linear communication and basic post-compromise security) enjoys much lower download communication. However, in the decentralized setting - where there is no server which can craft specific messages for different users to reduce their download communication - our protocol significantly outperforms CoCoA. DeCAF heals in fewer rounds ($\log(t)$ vs. $\log(n)$) while incurring a similar per round per user communication cost.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Published elsewhere. Major revision. International Conference on Security and Cryptography for Networks (SCN) 2024
Keywords: group messaging CGKA MLS
Contact author(s): alwenjo @ amazon com
bauerbac @ ista ac at
mcuetono @ ista ac at
karen klein @ inf ethz ch
gpasper @ pm me
pietrzak @ ista ac at
History: 2024-07-10: last of 2 revisions; 2022-05-10: received; See all versions
Short URL: https://ia.cr/2022/559
License: CC BY

BibTeX

@misc{cryptoeprint:2022/559,
      author = {Joël Alwen and Benedikt Auerbach and Miguel Cueto Noval and Karen Klein and Guillermo Pascual-Perez and Krzysztof Pietrzak},
      title = {{DeCAF}: Decentralizable Continuous Group Key Agreement with Fast Healing},
      howpublished = {Cryptology ePrint Archive, Paper 2022/559},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/559}},
      url = {https://eprint.iacr.org/2022/559}
}