Abstrakt: |
To mitigate state exposure threats to long-lived instant messaging sessions, ratcheting was introduced, which is used in practice in protocols like Signal. However, existing ratcheting protocols generally come with a high cost. Recently, Caforio et al. proposed pragmatic constructions, which compose a weakly secure 'light' protocol and a strongly secure 'heavy' protocol, in order to achieve so-called ratcheting on-demand. The light protocol they proposed has still a high complexity. In this paper, we propose the lightest possible protocol we could imagine, which essentially encrypts and then hashes the secret key. We prove it secure in the standard model by introducing a new security notion, which relates symmetric encryption with key updates by hashing. Our protocol composes well with the generic transformation techniques by Caforio et al. to offer high security and performance at the same time. In a second step, we propose another protocol based on a newly defined integrated primitive, extending standard one-time authenticated encryption with an additional output block used as a secret key for the next message. We instantiate this primitive firstly from any authenticated encryption with associated data, and then we propose an efficient instantiation using advanced encryption standard (AES) encryption to update the key and AES-Galois/Counter mode of operation to encrypt and decrypt messages. [ABSTRACT FROM AUTHOR] |