
    A Concrete Treatment of Efficient Continuous Group Key Agreement via Multi-Recipient PKEs

    Continuous group key agreements (CGKAs) are a class of protocols that can provide strong security guarantees to secure group messaging protocols such as Signal and MLS. Protection against device compromise is provided by commit messages: at a regular rate, each group member may refresh their key material by uploading a commit message, which is then downloaded and processed by all the other members. In practice, propagating commit messages dominates the bandwidth consumption of existing CGKAs. We propose Chained CmPKE, a CGKA with an asymmetric bandwidth cost: in a group of N members, a commit message costs O(N) to upload and O(1) to download, for a total bandwidth cost of O(N). In contrast, TreeKEM costs O(log N) in both directions, for a total cost of O(N log N). Our protocol relies on generic primitives, and is therefore readily post-quantum. We go one step further and propose post-quantum primitives that are tailored to Chained CmPKE, which allows us to cut the growth rate of uploaded commit messages by two or three orders of magnitude compared to naive instantiations. Finally, we realize a software implementation of Chained CmPKE. Our experiments show that even for groups with a size as large as N = 2^10, commit messages can be computed and processed in less than 100 ms.

    How to Hide MetaData in MLS-Like Secure Group Messaging: Simple, Modular, and Post-Quantum

    Secure group messaging (SGM) protocols allow large groups of users to communicate in a secure and asynchronous manner. In recent years, continuous group key agreements (CGKAs) have provided a powerful abstraction to reason on the security properties we expect from SGM protocols. While robust techniques have been developed to protect the contents of conversations in this context, it is in general more challenging to protect metadata (e.g. the identity and social relationships of group members), since their knowledge is often needed by the server in order to ensure the proper function of the SGM protocol. In this work, we provide a simple and generic wrapper protocol that upgrades non-metadata-hiding CGKAs into metadata-hiding CGKAs. Our key insight is to leverage the existence of a unique continuously evolving group secret key shared among the group members. We use this key to perform a group membership authentication protocol that convinces the server in an anonymous manner that a user is a legitimate group member. Our technique only uses a standard signature scheme, and thus, the wrapper protocol can be instantiated from a wide range of assumptions, including post-quantum ones. It is also very efficient, as it increases the bandwidth cost of the underlying CGKA operations by at most a factor of two. To formally prove the security of our protocol, we use the universal composability (UC) framework and model a new ideal functionality $\mathcal{F}_{\text{CGKA}}^{\mathsf{mh}}$ capturing the correctness and security guarantee of metadata-hiding CGKA. To capture the above intuition of a "wrapper" protocol, we also define a restricted ideal functionality $\mathcal{F}_{\text{CGKA}}^{\mathsf{ctxt}}$, which roughly captures a non-metadata-hiding CGKA. We then show that our wrapper protocol UC-realizes $\mathcal{F}_{\text{CGKA}}^{\mathsf{mh}}$ in the $\mathcal{F}_{\text{CGKA}}^{\mathsf{ctxt}}$-hybrid model, which in particular formalizes the intuition that any non-metadata-hiding CGKA can be modularly bootstrapped into a metadata-hiding CGKA.

    Tight reduction for generic construction of certificateless signature and its instantiation from DDH assumption

    Certificateless signature was proposed by Al-Riyami and Paterson to eliminate certificate management in public-key infrastructures and to solve the key escrow problem of identity-based signature. In 2007, Hu et al. proposed a generic construction of certificateless signature. They construct a certificateless signature scheme from any standard identity-based signature scheme and signature scheme. However, their security reduction is loose: the security of the constructed scheme depends on the number of users. In this paper, we give a tight reduction for their construction and instantiate a tightly-secure certificateless signature scheme without pairing from the DDH assumption. To the best of our knowledge, this scheme is the first tightly-secure certificateless signature scheme.

    An Efficient and Generic Construction for Signal's Handshake (X3DH): Post-Quantum, State Leakage Secure, and Deniable

    The Signal protocol is a secure instant messaging protocol that underlies the security of numerous applications such as WhatsApp, Skype, Facebook Messenger among many others. The Signal protocol consists of two sub-protocols known as the X3DH protocol and the double ratchet protocol, where the latter has recently gained much attention. For instance, Alwen, Coretti, and Dodis (Eurocrypt'19) provided a concrete security model along with a generic construction based on simple building blocks that are instantiable from versatile assumptions, including post-quantum ones. In contrast, as far as we are aware, works focusing on the X3DH protocol seem limited. In this work, we cast the X3DH protocol as a specific type of authenticated key exchange (AKE) protocol, which we call a Signal-conforming AKE protocol, and formally define its security model based on the vast prior works on AKE protocols. We then provide the first efficient generic construction of a Signal-conforming AKE protocol based on standard cryptographic primitives such as key encapsulation mechanisms (KEM) and signature schemes. Specifically, this results in the first post-quantum secure replacement of the X3DH protocol on well-established assumptions. Similar to the X3DH protocol, our Signal-conforming AKE protocol offers a strong (or stronger) flavor of security, where the exchanged key remains secure even when all the non-trivial combinations of the long-term secrets and session-specific secrets are compromised. Moreover, our protocol has a weak flavor of deniability and we further show how to progressively strengthen it using ring signatures and/or non-interactive zero-knowledge proof systems. Finally, we provide a full-fledged, generic C implementation of our (weakly deniable) protocol. We instantiate it with several Round 3 candidates (finalists and alternates) to the NIST post-quantum standardization process and compare the resulting bandwidth and computation performances. Our implementation is publicly available.

    Identity-Based Matchmaking Encryption, Revisited: Strong Security and Practical Constructions from Standard Classical and Post-Quantum Assumptions

    Identity-based matchmaking encryption (IB-ME) [Ateniese et al. Crypto 2019] allows users to communicate privately in an anonymous and authenticated manner. After the seminal paper by Ateniese et al., a lot of work has been done on the security and construction of IB-ME. In this work, we revisit the security definitions and construction of IB-ME and provide the following three contributions. First, we embark on the task of classifying the existing security notions of IB-ME. We systematically categorize privacy into three core categories (CPA, CCA, and privacy in the case of mismatch) and authenticity into four categories (NMA and CMA both against insiders and outsiders). In particular, we reconsider privacy when the sender's identity is mismatched during decryption, considered as "enhanced privacy" [Francati et al., INDOCRYPT 2021], and provide a new simple security game, called mismatch security, that captures the essence of it. This structured framework not only facilitates more precise comparisons between different IB-ME schemes, but also serves as a valuable tool for evaluating the security of newly proposed schemes. Second, we propose a highly efficient and strongly secure IB-ME scheme from the bilinear Diffie-Hellman assumption in the random oracle model. The scheme is based on the Ateniese et al. scheme, but we introduce several techniques to improve its security and efficiency. Especially, we found that the Fujisaki-Okamoto transformation enhances not only privacy but also authenticity. As a result, we obtain a scheme that offers a more compact decryption key and ciphertext than the Ateniese et al. scheme, while achieving CCA, CMA, and mismatch security. Third, we propose a new generic construction of IB-ME from anonymous identity-based encryption, identity-based signature, and reusable extractors. Our construction not only achieves CCA, CMA, and mismatch security, but is also the most efficient among existing generic constructions. Through this construction, we obtain various IB-ME schemes from both classical and post-quantum assumptions. For example, we obtain a more efficient scheme from the symmetric external Diffie-Hellman assumption in the standard model, and a practical scheme from lattices in the quantum random oracle model whose secret keys and ciphertexts are less than 5 kilobytes. Moreover, our generic construction produces the first pairing-free IB-ME scheme in the standard model and the first tightly secure lattice-based IB-ME scheme in the quantum random oracle model.

    The draft genome of Kipferlia bialata reveals reductive genome evolution in fornicate parasites

    The Fornicata (fornicates) is a eukaryotic group known to consist of free-living and parasitic organisms. So far, genome datasets of two model fornicate parasites, Giardia intestinalis and Spironucleus salmonicida, have been well annotated. The nuclear genomes of G. intestinalis assemblages and S. salmonicida are small in terms of genome size and simple in genome structure. However, the ancestral genomic structure and gene content from which the genomes of the fornicate parasites have evolved remain to be clarified. In order to understand genome evolution in fornicates, here we present the draft genome sequence of a free-living fornicate, Kipferlia bialata, whose divergence is earlier than those of the fornicate parasites, and compare it to the genomes of G. intestinalis and S. salmonicida. Our data show that the numbers of protein genes and introns in the K. bialata genome are the most abundant among the genomes of the three fornicates, reflecting an ancestral state of fornicate genome evolution. Evasion mechanisms of host immunity found in G. intestinalis and S. salmonicida are absent in the K. bialata genome, suggesting that the two parasites acquired the complex membrane surface proteins on the line leading to the common ancestor of G. intestinalis and S. salmonicida after the divergence from K. bialata. Furthermore, the mitochondrion-related organelles (MROs) of K. bialata possess more complex suites of metabolic pathways than those in Giardia and in Spironucleus. In sum, our results unveil the process of reductive evolution that shaped the current genomes of the two model fornicate parasites G. intestinalis and S. salmonicida.

    Research and development of a laparoscopic surgical device for ligating endless organs based on a flexible structure

    While laparoscopic surgery has become increasingly widely used, many laparoscopic procedures are time-consuming and difficult to accomplish compared to open surgery. One such procedure is the ligation of endless organs. In this paper, the development and prototyping of a laparoscopic instrument that could significantly increase the efficiency of laparoscopic ligation is outlined. The mechanism is based on a snake-like flexible structure which is actuated by control wires. A simple simulation was carried out by both experienced surgical staff as well as non-surgical persons to confirm the effectiveness of the proposed mechanism.

    Apicoplast phylogeny reveals the position of Plasmodium vivax basal to the Asian primate malaria parasite clade

    The malaria parasite species Plasmodium vivax infects not only humans, but also African apes. Human-specific P. vivax has evolved from a single ancestor that originated from a parasite of African apes. Although previous studies have proposed phylogenetic trees positioning P. vivax (the common ancestor of human and African ape P. vivax) within the assemblages of Asian primate parasites, its position has not yet been robustly confirmed. We determined nearly complete apicoplast genome sequences from seven Asian primate parasites, Plasmodium cynomolgi (strains Ceylonensis and Berok), P. knowlesi, P. fragile, P. fieldi, P. simiovale, P. hylobati, P. inui, and an African primate parasite, P. gonderi, that infects African guenons. Phylogenetic relationships of the Plasmodium species were analyzed using newly and previously determined apicoplast genome sequences. Multigene maximum likelihood analysis of 30 protein-coding genes did not position P. vivax within the Asian primate parasite clade but positioned it basal to the clade, after the branching of an African guenon parasite, P. gonderi. The result does not contradict the emerging notion that P. vivax phylogenetically originated from Africa. The result is also supported by phylogenetic analyses performed using massive nuclear genome data of seven primate Plasmodium species.