An Efficient and Generic Construction for Signal’s Handshake (X3DH): Post-quantum, State Leakage Secure, and Deniable

Hashimoto, Keitaro; Katsumata, Shuichi; Kwiatkowski, Kris; Prest, Thomas

doi:10.1007/s00145-022-09427-1

Cited by 6 publications

(7 citation statements)

References 69 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…KEMs abstract mechanisms that generate and send fresh key material encrypted to another party, from which both parties derive a fresh shared key. Some generic constructions of KEM based key exchanges have been proposed in [21,38], and have for instance been expanded into a full alternative to TLS in [57] or as post-quantum sound variants of the Signal X3DH handshake [41]. These key exchanges were specifically designed to not rely on any DH-like operations, and their security instead relies on assumptions on the corresponding KEM constructions, i.e., IND-CCA.…”

Section: Kem Based Key Exchangesmentioning

confidence: 99%

See 1 more Smart Citation

A Logic and an Interactive Prover for the Computational Post-Quantum Security of Protocols

Cremers

Fontaine

Jacomme

2022

2022 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

We provide the first mechanized post-quantum sound security protocol proofs. We achieve this by developing PQ-BC, a computational first-order logic that is sound with respect to quantum attackers, and corresponding mechanization support in the form of the PQ-Squirrel prover.Our work builds on the classical BC logic [7] and its mechanization in the Squirrel [5] prover. Our development of PQ-BC requires making the BC logic sound for a single interactive quantum attacker. We implement the PQ-Squirrel prover by modifying Squirrel, relying on the soundness results of PQ-BC and enforcing a set of syntactic conditions; additionally, we provide new tactics for the logic that extend the tool's scope.Using PQ-Squirrel, we perform several case studies, thereby giving the first mechanical proofs of their computational post-quantum security. These include two generic constructions of KEM based key exchange, two sub-protocols from IKEv1 and IKEv2, and a proposed post-quantum variant of Signal's X3DH protocol. Additionally, we use PQ-Squirrel to prove that several classical Squirrel case studies are already post-quantum sound.

show abstract

Section: Kem Based Key Exchangesmentioning

confidence: 99%

“…• Third, we use our tool to provide the first mechanized proofs of the post-quantum computational security of 11 security protocols as case studies. These include two KEM-based key exchanges [21,38], a post-quantum variant of Signal's X3DH [41], and two protocols from the IKE standards [23,44] confirming claims in [37].…”

Section: Introductionmentioning

confidence: 99%

A Logic and an Interactive Prover for the Computational Post-Quantum Security of Protocols

Cremers

Fontaine

Jacomme

2022

2022 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…In this work, 2 we introduce membership privacy, which hides the participants and also the participant who sends a message, and add membership privacy to the Asynchronous Ratcheting Trees (ART) protocol proposed by Cohn-Gordon et al [7]. 3 Basically, the original key update procedure is not mod- 1 As a remark, although basically group-size hiding is not considered in [18], they insisted that it can be hidden by adding dummy group members. 2 Martiny et al [20] analyzed the sealed sender functionality (See Section 2.2) and showed that it can be broken by identifying the sender.…”

Section: Our Contributionmentioning

confidence: 99%

“…In our work, such a deanonymization attack due to quick responses and due to communication-related value such as IP address are out of the scope, and it is not considered. 3 Cohn-Gordon et al [7] introduced an initiator who setups a group and generates initial secret keys of group members. We remark that the initiator does not know secret keys of group members after key updating.…”

Section: Our Contributionmentioning

confidence: 99%

“…Basically, a key update procedure is crucial for providing FS and PCS. The Signal protocol consists of two subprotocols, X3DH (Extended Triple Diffie-Hellman) and double ratcheting, and Hashimoto et al [3] and Alwen et al [4] proposed a generic construction, respectively. Analyzing the Signal protocol is still an ongoing research area, e.g., [5,6].…”

Section: Introduction 1backgroundmentioning

confidence: 99%

See 1 more Smart Citation

Providing Membership Privacy to the Asynchronous Ratcheting Trees Protocol without losing Scalability

Emura¹,

Kajita²,

Nojima³

et al. 2022

JOWUA

View full text Add to dashboard Cite

A secure messaging protocol, such as the Signal protocol, provides end-to-end encrypted asynchronous communication. This paper focuses on a secure group messaging (SGM) protocol, and proposes a method capable of hiding membership information from the viewpoint of non group members, which we call “membership privacy”. In this work, we add membership privacy to the Asynchronous Ratcheting Trees (ART) protocol (proposed by Cohn-Gordon et al., (ACM CCS 2018)). For hiding membership-related values in the setup phase, we employ a key-private and robust publickey encryption (Abdalla et al., TCC2010/JoC2018). Moreover, we introduce a group common key to encrypt membership information in the key update phase. Our modification achieves asymptotically the same efficiency of the ART protocol in the setup phase. Any additional cost for key update does not depend on the number of group members. Therefore, the proposed protocol can add membership privacy to the ART protocol with a quite small overhead. Specifically, one encryption and decryption of a symmetric-key encryption scheme and one execution of a key-derivation function for each key update are employed. Finally, we discuss how to extend our protocol to provide sender-specific authentication, dynamic groups, group-size hiding, and how to adopt our technique to the Messaging Layer Security (MLS) protocol. We note that, although Chase et al. (ACM CCS 2020) have considered the same notion, their proposal is an extension of Signal so called “Pairwise Signal” where a group message is repeatedly sent over individual Signal channels. Thus their protocol is not scalable.

show abstract

Privacy-Enhanced Anonymous and Deniable Post-quantum X3DH

Chen,

Miyaji,

Wang

2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

An Efficient and Generic Construction for Signal’s Handshake (X3DH): Post-quantum, State Leakage Secure, and Deniable

Cited by 6 publications

References 69 publications

A Logic and an Interactive Prover for the Computational Post-Quantum Security of Protocols

A Logic and an Interactive Prover for the Computational Post-Quantum Security of Protocols

Providing Membership Privacy to the Asynchronous Ratcheting Trees Protocol without losing Scalability

Privacy-Enhanced Anonymous and Deniable Post-quantum X3DH

Contact Info

Product

Resources

About