Natural sd-RCCA secure public-key encryptions from hybrid paradigms

The existence of natural public-key encryption (PKE) schemes satisfying secretly detectable replayable CCA (sd-RCCA) security is left as open. By introducing probabilistic message authentication codes (MACs) into popular KEM plus DEM paradigms, several instances of such schemes are presented in this paper. It is known that the encrypt-then-authenticate paradigm gives an RCCA secure DEM when the underlying MAC is regular (but not strong) secure, where forgeries for old messages might be possible. By further requiring that the validity of such forgeries can be verified only secretly, sd-RCCA secure DEMs is obtained. Combining such DEMs with CCA secure KEMs gives sd-RCCA secure hybrid PKEs. We first formalize the related notions and this paradigm, and also other variants of KEM plus DEM hybrid paradigm since MACs are commonly used in them. Then we show natural examples of desired probabilistic MACs under the standard DDH assumption, and find appropriate KEMs to match the message space for those MACs and then obtain natural instances of sd-RCCA secure hybrid PKEs

Natural sd-RCCA Secure Public-key Encryptions from Hybrid Paradigms

The existence of natural public-key encryption (PKE) schemes satisfying secretly detectable replayable CCA (sd-RCCA) security is left as open. By introducing probabilistic message authentication codes (MACs) into popular KEM plus DEM paradigms, several instances of such schemes are presented in this paper. It is known that the encrypt-then-authenticate paradigm gives an RCCA secure DEM when the underlying MAC is regular (but not strong) secure, where forgeries for old messages might be possible. By further requiring that the validity of such forgeries can be verified only secretly, sd-RCCA secure DEMs is obtained. Combining such DEMs with CCA secure KEMs gives sd-RCCA secure hybrid PKEs. We first formalize the related notions and this paradigm, and also other variants of KEM plus DEM hybrid paradigm since MACs are commonly used in them. Then we show natural examples of desired probabilistic MACs under the standard DDH assumption, and find appropriate KEMs to match the message space for those MACs and then obtain natural instances of sd-RCCA secure hybrid PKEs

Server-Aided Continuous Group Key Agreement

Continuous Group Key Agreement (CGKA) -- or Group Ratcheting -- lies at the heart of a new generation of scalable End-to-End secure (E2E) cryptographic multi-party applications. One of the most important (and first deployed) CGKAs is ITK which underpins the IETF\u27s upcoming Messaging Layer Security E2E secure group messaging standard. To scale beyond the group sizes possible with earlier E2E protocols, a central focus of CGKA protocol design is to minimize bandwidth requirements (i.e. communication complexity). In this work, we advance both the theory and design of CGKA culminating in an extremely bandwidth efficient CGKA. To that end, we first generalize the standard CGKA communication model by introducing server-aided CGKA (saCGKA) which generalizes CGKA and more accurately models how most E2E protocols are deployed in the wild. Next, we introduce the SAIK protocol; a modification of ITK, designed for real-world use, that leverages the new capabilities available to an saCGKA to greatly reduce its communication (and computational) complexity in practical concrete terms. Further, we introduce an intuitive, yet precise, security model for saCGKA. It improves upon existing security models for CGKA in several ways. It more directly captures the intuitive security goals of CGKA. Yet, formally it also relaxes certain requirements allowing us to take advantage of the saCGKA communication model. Finally, it is significantly simpler making it more tractable to work with and easier to build intuition for. As a result, the security proof of SAIK is also simpler and more modular. Finally, we provide empirical data comparing the (at times, quite dramatically improved) complexity profile of SAIK to state-of-the art CGKAs. For example, in a newly created group with 10K members, to change the group state (e.g. add/remove parties) ITK requires each group member download 1.38MB. However, with SAIK, members download no more than 2.7KB