Abstract
Extensive efforts are currently put into securing messaging platforms, where a key challenge is that of protecting against man-in-the-middle attacks when setting up secure end-to-end channels. The vast majority of these efforts, however, have so far focused on securing user-to-user messaging, and recent attacks indicate that the security of group messaging is still quite fragile. We initiate the study of out-of-band authentication in the group setting, extending the user-to-user setting where messaging platforms (e.g., Telegram and WhatsApp) protect against man-in-the-middle attacks by assuming that users have access to an external channel for authenticating one short value (e.g., two users who recognize each other’s voice can compare a short value). Inspired by the frameworks of Vaudenay (CRYPTO ’05) and Naor et al. (CRYPTO ’06) in the user-to-user setting, we assume that users communicate over a completely-insecure channel, and that a group administrator can out-of-band authenticate one short message to all users. An adversary may read, remove, or delay this message (for all or for some of the users), but cannot undetectably modify it. Within our framework we establish tight bounds on the tradeoff between the adversary’s success probability and the length of the out-of-band authenticated message (which is a crucial bottleneck given that the out-of-band channel is of low bandwidth). We consider both computationally-secure and statistically-secure protocols, and for each flavor of security we construct an authentication protocol and prove a lower bound showing that our protocol achieves essentially the best possible tradeoff. In particular, considering groups that consist of an administrator and k additional users, for statistically-secure protocols we show that at least (formula presented) bits must be out-of-band authenticated, whereas for computationally-secure ones log (formula presented) bits suffice, where ϵ is the adversary’s success probability. Moreover, instantiating our computationally-secure protocol in the random-oracle model yields an efficient and practically-relevant protocol (which, alternatively, can also be based on any one-way function in the standard model).
Original language | English |
---|---|
Title of host publication | Advances in Cryptology – CRYPTO 2018 - 38th Annual International Cryptology Conference, 2018, Proceedings |
Editors | Alexandra Boldyreva, Hovav Shacham |
Publisher | Springer Verlag |
Pages | 63-89 |
Number of pages | 27 |
ISBN (Print) | 9783319968834 |
DOIs | |
State | Published - 2018 |
Event | 38th Annual International Cryptology Conference, CRYPTO 2018 - Santa Barbara, United States Duration: 19 Aug 2018 → 23 Aug 2018 |
Publication series
Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|
Volume | 10991 LNCS |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |
Conference
Conference | 38th Annual International Cryptology Conference, CRYPTO 2018 |
---|---|
Country/Territory | United States |
City | Santa Barbara |
Period | 19/08/18 → 23/08/18 |
Bibliographical note
Publisher Copyright:© International Association for Cryptologic Research 2018.