Efficient Post-Compromise Security Beyond One Group

Abstract

Version 2.0, December 2019

Modern secure messaging protocols such as Signal [1] can offer strong security guarantees, in particular Post-Compromise Security (PCS) [2]. The core PCS mechanism in these protocols is designed for pairwise communication, making it inefficient for large groups. To address this, recently proposed designs for secure group messaging, ART [3] and IETF's MLS Draft-07 [4]/TreeKEM [5], use group keys derived from tree structures to achieve PCS efficiently in large groups. In this work we explore the healing behaviours of the pairwise and group-key based approaches. We show that both approaches have inherent limitations on what they can heal, and that without additional mechanisms both ART and TreeKEM/MLS Draft-07 offer significantly weaker PCS guarantees than groups built on pairwise PCS channels: for example, we show that if new users can be created dynamically, ART, TreeKEM, and MLS Draft-07 never fully heal authentication. The core underlying problem is that the scope of healing in ART and MLS is limited to a single group. We lay out the design space of this complex healing problem to identify mechanisms that narrow the gap between the pairwise and group-key approaches and provide stronger healing for both. Optimising security while minimising overhead leads us to a promising solution based on (i) global updates and (ii) post-compromise secure signatures. We provide a security definition for post-compromise secure signatures and an instantiation. Notably, our solution can also be used to improve the healing properties of pairwise protocols such as Signal towards new users who did not previously receive a message from a compromised user.

This work was supported by Microsoft Research through its PhD Scholarship Programme.
