Towards Bi­di­rec­tio­nal Rat­che­ted Key Ex­chan­ge

Ber­tram Poet­te­ring, Paul Rös­ler

In Ad­van­ces in Cryp­to­lo­gy, IACR CRYP­TO 2018

Ab­stract

Rat­che­ted key ex­chan­ge (RKE) is a cryp­to­gra­phic tech­ni­que used in in­stant mes­sa­ging sys­tems like Si­gnal and the Whats­App mes­sen­ger for at­tai­ning strong se­cu­ri­ty in the face of state ex­po­su­re at­tacks. RKE re­cei­ved aca­de­mic at­ten­ti­on in the re­cent works of Cohn-Gor­don et al. (EuroS&P 2017) and Bel­la­re et al. (CRYP­TO 2017). While the for­mer is ana­ly­ti­cal in the sense that it aims pri­ma­ri­ly at as­ses­sing the se­cu­ri­ty that one par­ti­cu­lar pro­to­col does achie­ve (which might be wea­ker than the no­ti­on that it should achie­ve), the aut­hors of the lat­ter de­ve­lop and in­stan­tia­te a no­ti­on of se­cu­ri­ty from scratch, in­de­pen­dent­ly of exis­ting im­ple­men­ta­ti­ons. Un­for­t­u­n­a­te­ly, howe­ver, their model is quite re­stric­ted, e.g. for con­s­i­de­ring only uni­di­rec­tio­nal com­mu­ni­ca­ti­on and the ex­po­su­re of only one of the two par­ties.

In this ar­ti­cle we re­sol­ve the li­mi­ta­ti­ons of prior work by de­ve­lo­ping al­ter­na­ti­ve se­cu­ri­ty de­fi­ni­ti­ons, for uni­di­rec­tio­nal RKE as well as for RKE where both par­ties cont­ri­bu­te. We fol­low a pu­rist ap­proach, ai­ming at fin­ding strong yet con­vin­cing no­ti­ons that cover a rea­lis­tic com­mu­ni­ca­ti­on model with fully con­cur­rent ope­ra­ti­on of both par­ti­ci­pants. We fur­ther pro­po­se se­cu­re in­stan­tia­ti­ons (as the pro­to­cols ana­ly­zed or pro­po­sed by Cohn-Gor­don et al. and Bel­la­re et al. turn out to be weak in our mo­dels). While our sche­me for the uni­di­rec­tio­nal case builds on a ge­ne­ric KEM as the main buil­ding block (dif­fer­ent­ly to prior work that re­qui­res ex­pli­cit­ly Dif­fie-Hell­man), our sche­mes for bi­di­rec­tio­nal RKE re­qui­re a stron­ger, HI­BE-li­ke com­po­nent.

Tags: For­ward Secrecy, Post-Com­pro­mi­se Se­cu­ri­ty, Rat­che­ted Key Ex­chan­ge, Rat­che­ting