Towards Bidirectional Ratcheted Key Exchange. / Poettering, Bertram; Rösler, Paul.

2018. 3-32 Paper presented at 38th International Cryptology Conference, CRYPTO 2018, Santa Barbara, United States.

Research output: Contribution to conference › Paper

Published

Harvard

Poettering, B & Rösler, P 2018, 'Towards Bidirectional Ratcheted Key Exchange' Paper presented at 38th International Cryptology Conference, CRYPTO 2018, Santa Barbara, United States, 19/08/18 - 23/08/18, pp. 3-32. https://doi.org/10.1007/978-3-319-96884-1_1

APA

Poettering, B., & Rösler, P. (2018). Towards Bidirectional Ratcheted Key Exchange. 3-32. Paper presented at 38th International Cryptology Conference, CRYPTO 2018, Santa Barbara, United States. https://doi.org/10.1007/978-3-319-96884-1_1

Vancouver

Poettering B, Rösler P. Towards Bidirectional Ratcheted Key Exchange. 2018. Paper presented at 38th International Cryptology Conference, CRYPTO 2018, Santa Barbara, United States. https://doi.org/10.1007/978-3-319-96884-1_1

Author

Poettering, Bertram; Rösler, Paul. / Towards Bidirectional Ratcheted Key Exchange. Paper presented at 38th International Cryptology Conference, CRYPTO 2018, Santa Barbara, United States. 30 p.

BibTeX

@conference{128aae433f624fd8bc2f16685055ccf2,
title = "Towards Bidirectional Ratcheted Key Exchange",
abstract = "Ratcheted key exchange (RKE) is a cryptographic technique used in instant messaging systems like Signal and the WhatsApp messenger for attaining strong security in the face of state exposure attacks. RKE received academic attention in the recent works of Cohn-Gordon et al. (EuroS&P 2017) and Bellare et al. (CRYPTO 2017). While the former is analytical in the sense that it aims primarily at assessing the security that one particular protocol does achieve (which might be weaker than the notion that it should achieve), the authors of the latter develop and instantiate a notion of security from scratch, independently of existing implementations. Unfortunately, however, their model is quite restricted, e.g. for considering only unidirectional communication and the exposure of only one of the two parties. In this article we resolve the limitations of prior work by developing alternative security definitions, for unidirectional RKE as well as for RKE where both parties contribute. We follow a purist approach, aiming at finding strong yet convincing notions that cover a realistic communication model with fully concurrent operation of both participants. We further propose secure instantiations (as the protocols analyzed or proposed by Cohn-Gordon et al. and Bellare et al. turn out to be weak in our models). While our scheme for the unidirectional case builds on a generic KEM as the main building block (differently to prior work that requires explicitly Diffie–Hellman), our schemes for bidirectional RKE require a stronger, HIBE-like component.",
author = "Bertram Poettering and Paul R{\"o}sler",
year = "2018",
doi = "10.1007/978-3-319-96884-1_1",
language = "English",
pages = "3--32",
note = "38th International Cryptology Conference, CRYPTO 2018 ; Conference date: 19-08-2018 Through 23-08-2018",
url = "https://crypto.iacr.org/2018/",

}

RIS

TY - CONF

T1 - Towards Bidirectional Ratcheted Key Exchange

AU - Poettering, Bertram

AU - Rösler, Paul

PY - 2018

Y1 - 2018

N2 - Ratcheted key exchange (RKE) is a cryptographic technique used in instant messaging systems like Signal and the WhatsApp messenger for attaining strong security in the face of state exposure attacks. RKE received academic attention in the recent works of Cohn-Gordon et al. (EuroS&P 2017) and Bellare et al. (CRYPTO 2017). While the former is analytical in the sense that it aims primarily at assessing the security that one particular protocol does achieve (which might be weaker than the notion that it should achieve), the authors of the latter develop and instantiate a notion of security from scratch, independently of existing implementations. Unfortunately, however, their model is quite restricted, e.g. for considering only unidirectional communication and the exposure of only one of the two parties. In this article we resolve the limitations of prior work by developing alternative security definitions, for unidirectional RKE as well as for RKE where both parties contribute. We follow a purist approach, aiming at finding strong yet convincing notions that cover a realistic communication model with fully concurrent operation of both participants. We further propose secure instantiations (as the protocols analyzed or proposed by Cohn-Gordon et al. and Bellare et al. turn out to be weak in our models). While our scheme for the unidirectional case builds on a generic KEM as the main building block (differently to prior work that requires explicitly Diffie–Hellman), our schemes for bidirectional RKE require a stronger, HIBE-like component.

AB - Ratcheted key exchange (RKE) is a cryptographic technique used in instant messaging systems like Signal and the WhatsApp messenger for attaining strong security in the face of state exposure attacks. RKE received academic attention in the recent works of Cohn-Gordon et al. (EuroS&P 2017) and Bellare et al. (CRYPTO 2017). While the former is analytical in the sense that it aims primarily at assessing the security that one particular protocol does achieve (which might be weaker than the notion that it should achieve), the authors of the latter develop and instantiate a notion of security from scratch, independently of existing implementations. Unfortunately, however, their model is quite restricted, e.g. for considering only unidirectional communication and the exposure of only one of the two parties. In this article we resolve the limitations of prior work by developing alternative security definitions, for unidirectional RKE as well as for RKE where both parties contribute. We follow a purist approach, aiming at finding strong yet convincing notions that cover a realistic communication model with fully concurrent operation of both participants. We further propose secure instantiations (as the protocols analyzed or proposed by Cohn-Gordon et al. and Bellare et al. turn out to be weak in our models). While our scheme for the unidirectional case builds on a generic KEM as the main building block (differently to prior work that requires explicitly Diffie–Hellman), our schemes for bidirectional RKE require a stronger, HIBE-like component.

U2 - 10.1007/978-3-319-96884-1_1

DO - 10.1007/978-3-319-96884-1_1

M3 - Paper

SP - 3

EP - 32

ER -