Skip to main content
SpringerLink
Log in
Book cover

Theory of Cryptography Conference

TCC 2022: Theory of Cryptography pp 213–243Cite as

On the Worst-Case Inefficiency of CGKA

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13748))

Abstract

Continuous Group Key Agreement (CGKA) is the basis of modern Secure Group Messaging (SGM) protocols. At a high level, a CGKA protocol enables a group of users to continuously compute a shared (evolving) secret while members of the group add new members, remove other existing members, and perform state updates. The state updates allow CGKA to offer desirable security features such as forward secrecy and post-compromise security.

CGKA is regarded as a practical primitive in the real-world. Indeed, there is an IETF Messaging Layer Security (MLS) working group devoted to developing a standard for SGM protocols, including the CGKA protocol at their core. Though known CGKA protocols seem to perform relatively well when considering natural sequences of performed group operations, there are no formal guarantees on their efficiency, other than the O(n) bound which can be achieved by trivial protocols, where n is the number of group numbers. In this context, we ask the following questions and provide negative answers.

  1. 1.

    Can we have CGKA protocols that are efficient in the worst case? We start by answering this basic question in the negative. First, we show that a natural primitive that we call Compact Key Exchange (CKE) is at the core of CGKA, and thus tightly captures CGKA’s worst-case communication cost. Intuitively, CKE requires that: first, n users non-interactively generate key pairs and broadcast their public keys, then, some other special user securely communicates to these n users a shared key. Next, we show that CKE with communication cost o(n) by the special user cannot be realized in a black-box manner from public-key encryption, thus implying the same for CGKA, where n is the corresponding number of group members.

  2. 2.

    Can we realize one CGKA protocol that works as well as possible in all cases? Here again, we present negative evidence showing that no such protocol based on black-box use of public-key encryption exists. Specifically, we show two distributions over sequences of group operations such that no CGKA protocol obtains optimal communication costs on both sequences.

The full version [10] of this article is available in the IACR eprint archive as article 2022/1237.

Y. Dodis—Partially supported by gifts from VMware Labs and Algorand Foundation, and NSF grants 1815546 and 2055578.

S. Garg—This research is supported in part by DARPA under Agreement No. HR00112020026, AFOSR Award FA9550-19-1-0200, NSF CNS Award 1936826, and research grants by the Sloan Foundation, and Visa Inc. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA.

M. Hajiabadi—Work supported by an NSERC Discovery Grant RGPIN/03270-2022.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   149.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   199.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    First proposal of the TreeKEM design with a discussion about the double-join problem: https://mailarchive.ietf.org/arch/msg/mls/e3ZKNzPC7Gxrm3Wf0q96dsLZoD8/.

  2. 2.

    Proposal to prevent double-joins in TreeKEM, resulting in linear complexity in the worst-case: https://mailarchive.ietf.org/arch/msg/mls/Zzw2tqZC1FCbVZA9LKERsMIQXik/.

  3. 3.

    Note: for any CGKA protocol, it could be that each of the added k users may share secrets with all of the current group members, derived from non-interactive key exchange using key-bundles stored on a server. However, these shared secrets are only between pairs of users, and thus do not seem useful for establishing the group secret (since secure communication between pairs of users can already be achieved via PKE).

  4. 4.

    Unlike in [1] who circumvent the [11] lower bound by allowing for slower PCS recovery.

  5. 5.

    If neither administrator is removed, of course \(O(\log n)\) communication can be retained if they share a multicast tree.

  6. 6.

    For the sake of comprehensible communication analysis, we do not provide an explicit \(\textrm{Create}(\textsf{ST},\textsf{PK}_1,\dots ,\textsf{PK}_n)\) algorithm (for which in practice, \(\varOmega (n)\) ciphertext size could be tolerated). Instead, we require the group creator to one-by-one add \(\textsf{PK}_1,\dots \textsf{PK}_n\), which allows us to prove a more meaningful lower bound on just \(\textrm{Add}\), \(\textrm{Rem}\), and \(\textrm{Up}\) operations.

  7. 7.

    Analyzing the effect of required authenticity under weak randomness [7] on (communication) complexity in the group setting [27], as well as of extended security goals such as anonymity [23] remains an interesting open question.

  8. 8.

    We strike out “collective” because each update assistance is conducted by a single active user in this execution schedule.

  9. 9.

    This can happen because of the presence of forbidding queries in \(\textsf{Forbid}\).

References

  1. Alwen, J., et al.: CoCoA: concurrent continuous group key agreement. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13276, pp. 815–844. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07085-3_28

    Chapter  Google Scholar 

  2. Alwen, J., Coretti, S., Dodis, Y.: The double ratchet: security notions, proofs, and modularization for the signal protocol. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 129–158. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_5

    Chapter  Google Scholar 

  3. Alwen, J., Coretti, S., Dodis, Y., Tselekounis, Y.: Security analysis and improvements for the IETF MLS standard for group messaging. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part I. LNCS, vol. 12170, pp. 248–277. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_9

    Chapter  Google Scholar 

  4. Alwen, J., Coretti, S., Jost, D., Mularczyk, M.: Continuous group key agreement with active security. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part II. LNCS, vol. 12551, pp. 261–290. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_10

    Chapter  Google Scholar 

  5. Alwen, J., Jost, D., Mularczyk, M.: On the insider security of MLS. Cryptology ePrint Archive, Report 2020/1327 (2020). https://eprint.iacr.org/2020/1327

  6. Alwen, J., et al.: Keep the dirt: tainted treekem, adaptively and actively secure continuous group key agreement. In: 2021 IEEE Symposium on Security and Privacy (SP). IEEE (2021)

    Google Scholar 

  7. Balli, F., Rösler, P., Vaudenay, S.: Determining the core primitive for optimally secure ratcheting. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part III. LNCS, vol. 12493, pp. 621–650. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_21

    Chapter  Google Scholar 

  8. Barnes, R., Beurdouche, B., Robert, R., Millican, J., Omara, E., Cohn-Gordon, K.: The Messaging Layer Security (MLS) Protocol. Internet-Draft draft-ietf-mls-protocol-14, Internet Engineering Task Force (2022). https://datatracker.ietf.org/doc/html/draft-ietf-mls-protocol-14. Work in Progress

  9. Bhargavan, K., Barnes, R., Rescorla, E.: TreeKEM: Asynchronous Decentralized Key Management for Large Dynamic Groups (2018). pubs/treekem.pdf https://mailarchive.ietf.org/arch/msg/mls/e3ZKNzPC7Gxrm3Wf0q96dsLZoD8

  10. Bienstock, A., Dodis, Y., Garg, S., Grogan, G., Hajiabadi, M., Rösler, P.: On the worst-case inefficiency of CGKA. Cryptology ePrint Archive (2022)

    Google Scholar 

  11. Bienstock, A., Dodis, Y., Rösler, P.: On the price of concurrency in group ratcheting protocols. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part II. LNCS, vol. 12551, pp. 198–228. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_8

    Chapter  MATH  Google Scholar 

  12. Bienstock, A., Dodis, Y., Tang, Y.: Multicast key agreement, revisited. In: Galbraith, S.D. (ed.) CT-RSA 2022. LNCS, vol. 13161, pp. 1–25. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-95312-6_1

    Chapter  Google Scholar 

  13. Bienstock, A., Dodis, Y., Yeo, K.: Forward secret encrypted RAM: lower bounds and applications. In: Nissim, K., Waters, B. (eds.) TCC 2021. LNCS, vol. 13044, pp. 62–93. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90456-2_3

    Chapter  Google Scholar 

  14. Bienstock, A., Fairoze, J., Garg, S., Mukherjee, P., Raghuraman, S.: A more complete analysis of the signal double ratchet algorithm. Cryptology ePrint Archive, Report 2022/355 (2022). https://ia.cr/2022/355

  15. Boneh, D., Papakonstantinou, P.A., Rackoff, C., Vahlis, Y., Waters, B.: On the impossibility of basing identity based encryption on trapdoor permutations. In: 49th FOCS, pp. 283–292. IEEE Computer Society Press (2008)

    Google Scholar 

  16. Boneh, D., Zhandry, M.: Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 480–499. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_27

    Chapter  Google Scholar 

  17. Canetti, R., Garay, J., Itkis, G., Micciancio, D., Naor, M., Pinkas, B.: Multicast security: a taxonomy and some efficient constructions. In: IEEE INFOCOM 1999. Conference on Computer Communications. Proceedings. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. The Future is Now (Cat. No.99CH36320), vol. 2, pp. 708–716 (1999)

    Google Scholar 

  18. Canetti, R., Jain, P., Swanberg, M., Varia, M.: Universally composable end-to-end secure messaging. Cryptology ePrint Archive, Report 2022/376 (2022). https://ia.cr/2022/376

  19. Chung, K.M., Lin, H., Mahmoody, M., Pass, R.: On the power of nonuniformity in proofs of security. In: Kleinberg, R.D. (ed.) ITCS 2013, pp. 389–400. ACM (2013)

    Google Scholar 

  20. Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the signal messaging protocol. In: 2017 IEEE European Symposium on Security and Privacy (EuroS P), pp. 451–466 (2017)

    Google Scholar 

  21. Cohn-Gordon, K., Cremers, C., Garratt, L., Millican, J., Milner, K.: On ends-to-ends encryption: asynchronous group messaging with strong security guarantees. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 1802–1819. ACM Press (2018)

    Google Scholar 

  22. Coretti, S., Dodis, Y., Guo, S., Steinberger, J.: Random oracles and non-uniformity. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part I. LNCS, vol. 10820, pp. 227–258. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_9

    Chapter  Google Scholar 

  23. Dowling, B., Hauck, E., Riepel, D., Rösler, P.: Strongly anonymous ratcheted key exchange. In: ASIACRYPT 2022. LNCS (2022)

    Google Scholar 

  24. Harney, H., Muckenhirn, C.: RFC2093: Group key management protocol (GKMP) specification (1997)

    Google Scholar 

  25. Mittra, S.: Iolus: a framework for scalable secure multicasting. In: Proceedings of the ACM SIGCOMM 1997 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, SIGCOMM 1997, pp. 277–288. Association for Computing Machinery, New York (1997). https://doi.org/10.1145/263105.263179

  26. Perrin, T., Marlinspike, M.: The double ratchet algorithm (2016). https://signal.org/docs/specifications/doubleratchet/

  27. Poettering, B., Rösler, P., Schwenk, J., Stebila, D.: SoK: game-based security models for group key exchange. In: Paterson, K.G. (ed.) CT-RSA 2021. LNCS, vol. 12704, pp. 148–176. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75539-3_7

    Chapter  Google Scholar 

  28. Rösler, P., Mainka, C., Schwenk, J.: More is less: on the end-to-end security of group chats in signal, Whatsapp, and Threema. In: 2018 IEEE European Symposium on Security and Privacy, EuroS &P 2018 (2018)

    Google Scholar 

  29. Sherman, A.T., McGrew, D.A.: Key establishment in large dynamic groups using one-way function trees. IEEE Trans. Softw. Eng. 29(5), 444–458 (2003)

    Article  Google Scholar 

  30. Smart, N.P.: Efficient key encapsulation to multiple parties. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 208–219. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30598-9_15

    Chapter  Google Scholar 

  31. Wallner, D., Harder, E., Agee, R.: RFC2627: key management for multicast: issues and architectures (1999)

    Google Scholar 

  32. Weidner, M., Kleppmann, M., Hugenroth, D., Beresford, A.R.: Key agreement for decentralized secure group messaging with strong security guarantees. In: Vigna, G., Shi, E. (eds.) ACM CCS 2021, pp. 2024–2045. ACM Press (2021)

    Google Scholar 

  33. Wong, C.K., Gouda, M., Lam, S.S.: Secure group communications using key graphs. In: Proceedings of the ACM SIGCOMM 1998 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, SIGCOMM 1998, pp. 68–79. Association for Computing Machinery, New York (1998). https://doi.org/10.1145/285237.285260

Download references

Author information

Authors and Affiliations

  1. New York University, New York, USA

    Alexander Bienstock, Yevgeniy Dodis & Paul Rösler

  2. UC Berkeley, Berkeley, USA

    Sanjam Garg

  3. NTT Research, East Palo Alto, USA

    Sanjam Garg

  4. University of Waterloo, Waterloo, Canada

    Mohammad Hajiabadi

  5. Berkeley, USA

    Garrison Grogan

Authors
  1. Alexander Bienstock
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yevgeniy Dodis
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Sanjam Garg
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Garrison Grogan
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Mohammad Hajiabadi
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Paul Rösler
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Alexander Bienstock .

Editor information

Editors and Affiliations

  1. Ruhr University Bochum, Bochum, Germany

    Eike Kiltz

  2. Massachusetts Institute of Technology, Cambridge, MA, USA

    Vinod Vaikuntanathan

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Bienstock, A., Dodis, Y., Garg, S., Grogan, G., Hajiabadi, M., Rösler, P. (2022). On the Worst-Case Inefficiency of CGKA. In: Kiltz, E., Vaikuntanathan, V. (eds) Theory of Cryptography. TCC 2022. Lecture Notes in Computer Science, vol 13748. Springer, Cham. https://doi.org/10.1007/978-3-031-22365-5_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-22365-5_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22364-8

  • Online ISBN: 978-3-031-22365-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation