Paper 2023/394

Fork-Resilient Continuous Group Key Agreement

Joël Alwen, AWS-Wickr
Marta Mularczyk, AWS-Wickr
Yiannis Tselekounis, Carnegie Mellon University
Abstract

Continuous Group Key Agreement (CGKA) lets a evolving group of clients agree on a sequence of group keys. An important application of CGKA is scalable asynchronous end-to-end (E2E) encrypted group messaging. A major problem preventing the use of CGKA over unreliable infrastructure are so-called forks. A fork occurs when group members have diverging views of the group's history (and thus its current state); e.g. due to network or server failures. Once communication channels are restored, members resolve a fork by agreeing on the state of the group again. Today's CGKA protocols make fork resolution challenging, as natural resolution strategies seem to conflict with the way the protocols enforce group state agreement and forward secrecy. Meanwhile, secure group messaging protocols which do support fork resolution do not scale nearly as well as CGKA does. In this work, we pave the way to practical scalable E2E messaging over unreliable infrastructure. To that end, we generalize CGKA to Fork Resilient-CGKA which allows clients to process significantly more types of out-of-order network traffic. This is important for many natural fork resolution procedures as they are based, in part, on replaying missed traffic. Next, we give two FR-CGKA constructions: a practical one based on the CGKA underlying the MLS messaging standard and an optimally secure one (albeit with only theoretical efficiency). To further assist with fork resolution, we introduce a simple new abstraction to describe a client's local protocol state. The abstraction describes all and only the information relevant to natural fork resolution, making it easier for higher-level fork resolution procedures to work with and reason about. We define a black-box extension of an FR-CGKA which maintains such a description of a client's internal state. Finally, as a proof of concept, we give a basic fork resolution protocol.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
A major revision of an IACR publication in CRYPTO 2023
DOI
10.1007/978-3-031-38551-3_13
Keywords
key agreementsecure messagingmessaging layer security
Contact author(s)
jalwen @ amazon com
mulmarta @ amazon com
itseleko @ cs cmu edu
History
2024-02-22: revised
2023-03-19: received
See all versions
Short URL
https://ia.cr/2023/394
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/394,
      author = {Joël Alwen and Marta Mularczyk and Yiannis Tselekounis},
      title = {Fork-Resilient Continuous Group Key Agreement},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/394},
      year = {2023},
      doi = {10.1007/978-3-031-38551-3_13},
      url = {https://eprint.iacr.org/2023/394}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.