[Resource Topic] 2018/493: Out-of-Band Authentication in Group Messaging: Computational, Statistical, Optimal

Welcome to the resource topic for 2018/493

Title:
Out-of-Band Authentication in Group Messaging: Computational, Statistical, Optimal

Authors: Lior Rotem, Gil Segev

Abstract:

Extensive efforts are currently put into securing messaging platforms, where a key challenge is that of protecting against man-in-the-middle attacks when setting up secure end-to-end channels. The vast majority of these efforts, however, have so far focused on securing user-to-user messaging, and recent attacks indicate that the security of group messaging is still quite fragile. We initiate the study of out-of-band authentication in the group setting, extending the user-to-user setting where messaging platforms (e.g., Telegram and WhatsApp) protect against man-in-the-middle attacks by assuming that users have access to an external channel for authenticating one short value (e.g., two users who recognize each other’s voice can compare a short value). Inspired by the frameworks of Vaudenay (CRYPTO '05) and Naor et al. (CRYPTO '06) in the user-to-user setting, we assume that users communicate over a completely-insecure channel, and that a group administrator can out-of-band authenticate one short message to all users. An adversary may read, remove, or delay this message (for all or for some of the users), but cannot undetectably modify it. Within our framework we establish tight bounds on the tradeoff between the adversary’s success probability and the length of the out-of-band authenticated message (which is a crucial bottleneck given that the out-of-band channel is of low bandwidth). We consider both computationally-secure and statistically-secure protocols, and for each flavor of security we construct an authentication protocol and prove a lower bound showing that our protocol achieves essentially the best possible tradeoff. In particular, considering groups that consist of an administrator and k additional users, for statistically-secure protocols we show that at least (k+1)\cdot (\log(1/\epsilon) - \Theta(1)) bits must be out-of-band authenticated, whereas for computationally-secure ones \log(1/\epsilon) + \log k bits suffice, where \epsilon is the adversary’s success probability. Moreover, instantiating our computationally-secure protocol in the random-oracle model yields an efficient and practically-relevant protocol (which, alternatively, can also be based on any one-way function in the standard model).

ePrint: https://eprint.iacr.org/2018/493

Talk: https://www.youtube.com/watch?v=SZyja7UUEZY

Slides: https://crypto.iacr.org/2018/slides/28860.pdf

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .