Affiliation:
1. University of Chinese Academy of Sciences , Beijing 100049 , China
2. École Polytechnique Fédérale de Lausanne (EPFL) , Lausanne 1015 , Switzerland
Abstract
Abstract
To mitigate state exposure threats to long-lived instant messaging sessions, ratcheting was introduced, which is used in practice in protocols like Signal. However, existing ratcheting protocols generally come with a high cost. Recently, Caforio et al. proposed pragmatic constructions, which compose a weakly secure ‘light’ protocol and a strongly secure ‘heavy’ protocol, in order to achieve so-called ratcheting on-demand. The light protocol they proposed has still a high complexity.
In this paper, we propose the lightest possible protocol we could imagine, which essentially encrypts and then hashes the secret key. We prove it secure in the standard model by introducing a new security notion, which relates symmetric encryption with key updates by hashing. Our protocol composes well with the generic transformation techniques by Caforio et al. to offer high security and performance at the same time. In a second step, we propose another protocol based on a newly defined integrated primitive, extending standard one-time authenticated encryption with an additional output block used as a secret key for the next message. We instantiate this primitive firstly from any authenticated encryption with associated data, and then we propose an efficient instantiation using advanced encryption standard (AES) encryption to update the key and AES-Galois/Counter mode of operation to encrypt and decrypt messages.
Funder
National Natural Science Foundation of China
Publisher
Oxford University Press (OUP)
Reference29 articles.
1. Signal protocol library for java/android;Systems,2017
2. Signal partners with Microsoft to bring end-to-end encryption to skype;Lund,2018
3. Open whisper systems partners with google on end-to-end encryption for Allo;Marlinspike,2016
Cited by
1 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献