On the Worst-Case Inefficiency of CGKA

Alexander Bienstock; Yevgeniy Dodis; Sanjam Garg; Garrison Grogan; Mohammad Hajiabadi; Paul Rösler

doi:10.1007/978-3-031-22365-5_8

On the Worst-Case Inefficiency of CGKA

Alexander Bienstock, Yevgeniy Dodis, Sanjam Garg, Garrison Grogan, Mohammad Hajiabadi, Paul Rösler

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Scopus citations

Abstract

Continuous Group Key Agreement (CGKA) is the basis of modern Secure Group Messaging (SGM) protocols. At a high level, a CGKA protocol enables a group of users to continuously compute a shared (evolving) secret while members of the group add new members, remove other existing members, and perform state updates. The state updates allow CGKA to offer desirable security features such as forward secrecy and post-compromise security. CGKA is regarded as a practical primitive in the real-world. Indeed, there is an IETF Messaging Layer Security (MLS) working group devoted to developing a standard for SGM protocols, including the CGKA protocol at their core. Though known CGKA protocols seem to perform relatively well when considering natural sequences of performed group operations, there are no formal guarantees on their efficiency, other than the O(n) bound which can be achieved by trivial protocols, where n is the number of group numbers. In this context, we ask the following questions and provide negative answers. 1.Can we have CGKA protocols that are efficient in the worst case? We start by answering this basic question in the negative. First, we show that a natural primitive that we call Compact Key Exchange (CKE) is at the core of CGKA, and thus tightly captures CGKA’s worst-case communication cost. Intuitively, CKE requires that: first, n users non-interactively generate key pairs and broadcast their public keys, then, some other special user securely communicates to these n users a shared key. Next, we show that CKE with communication cost o(n) by the special user cannot be realized in a black-box manner from public-key encryption, thus implying the same for CGKA, where n is the corresponding number of group members.2.Can we realize one CGKA protocol that works as well as possible in all cases? Here again, we present negative evidence showing that no such protocol based on black-box use of public-key encryption exists. Specifically, we show two distributions over sequences of group operations such that no CGKA protocol obtains optimal communication costs on both sequences.

Original language	English (US)
Title of host publication	Theory of Cryptography - 20th International Conference, TCC 2022, Proceedings
Editors	Eike Kiltz, Vinod Vaikuntanathan
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	213-243
Number of pages	31
ISBN (Print)	9783031223648
DOIs	https://doi.org/10.1007/978-3-031-22365-5_8
State	Published - 2022
Event	20th Theory of Cryptography Conference, TCC 2022 - Chicago, United States Duration: Nov 7 2022 → Nov 10 2022

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13748 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	20th Theory of Cryptography Conference, TCC 2022
Country/Territory	United States
City	Chicago
Period	11/7/22 → 11/10/22

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-031-22365-5_8

Cite this

Bienstock, A., Dodis, Y., Garg, S., Grogan, G., Hajiabadi, M., & Rösler, P. (2022). On the Worst-Case Inefficiency of CGKA. In E. Kiltz, & V. Vaikuntanathan (Eds.), Theory of Cryptography - 20th International Conference, TCC 2022, Proceedings (pp. 213-243). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13748 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-22365-5_8

Bienstock, Alexander ; Dodis, Yevgeniy ; Garg, Sanjam et al. / On the Worst-Case Inefficiency of CGKA. Theory of Cryptography - 20th International Conference, TCC 2022, Proceedings. editor / Eike Kiltz ; Vinod Vaikuntanathan. Springer Science and Business Media Deutschland GmbH, 2022. pp. 213-243 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{9a950d6da1fd47b4b5f2f2a0060e591c,

title = "On the Worst-Case Inefficiency of CGKA",

abstract = "Continuous Group Key Agreement (CGKA) is the basis of modern Secure Group Messaging (SGM) protocols. At a high level, a CGKA protocol enables a group of users to continuously compute a shared (evolving) secret while members of the group add new members, remove other existing members, and perform state updates. The state updates allow CGKA to offer desirable security features such as forward secrecy and post-compromise security. CGKA is regarded as a practical primitive in the real-world. Indeed, there is an IETF Messaging Layer Security (MLS) working group devoted to developing a standard for SGM protocols, including the CGKA protocol at their core. Though known CGKA protocols seem to perform relatively well when considering natural sequences of performed group operations, there are no formal guarantees on their efficiency, other than the O(n) bound which can be achieved by trivial protocols, where n is the number of group numbers. In this context, we ask the following questions and provide negative answers. 1.Can we have CGKA protocols that are efficient in the worst case? We start by answering this basic question in the negative. First, we show that a natural primitive that we call Compact Key Exchange (CKE) is at the core of CGKA, and thus tightly captures CGKA{\textquoteright}s worst-case communication cost. Intuitively, CKE requires that: first, n users non-interactively generate key pairs and broadcast their public keys, then, some other special user securely communicates to these n users a shared key. Next, we show that CKE with communication cost o(n) by the special user cannot be realized in a black-box manner from public-key encryption, thus implying the same for CGKA, where n is the corresponding number of group members.2.Can we realize one CGKA protocol that works as well as possible in all cases? Here again, we present negative evidence showing that no such protocol based on black-box use of public-key encryption exists. Specifically, we show two distributions over sequences of group operations such that no CGKA protocol obtains optimal communication costs on both sequences.",

author = "Alexander Bienstock and Yevgeniy Dodis and Sanjam Garg and Garrison Grogan and Mohammad Hajiabadi and Paul R{\"o}sler",

note = "Funding Information: CGKA is regarded as a practical primitive in the real-world. Indeed, there is an IETF Messaging Layer Security (MLS) working group devoted to developing a standard for SGM protocols, including the CGKA protocol at their core. Though known CGKA protocols seem to perform relatively well when considering natural sequences of performed group operations, there are no formal guarantees on their efficiency, other than the O(n) bound which can be achieved by trivial protocols, where n is the number of group numbers. In this context, we ask the following questions and provide negative answers. 1. Can we have CGKA protocols that are efficient in the worst case? We start by answering this basic question in the negative. First, we show that a natural primitive that we call Compact Key Exchange (CKE) is at the core of CGKA, and thus tightly captures CGKA{\textquoteright}s worst-case communication cost. Intuitively, CKE requires that: first, n users non-interactively generate key pairs and broadcast their public keys, The full version [10] of this article is available in the IACR eprint archive as article 2022/1237. Y. Dodis—Partially supported by gifts from VMware Labs and Algorand Foundation, and NSF grants 1815546 and 2055578. S. Garg—This research is supported in part by DARPA under Agreement No. HR00112020026, AFOSR Award FA9550-19-1-0200, NSF CNS Award 1936826, and research grants by the Sloan Foundation, and Visa Inc. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA. M. Hajiabadi—Work supported by an NSERC Discovery Grant RGPIN/03270-2022. Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 20th Theory of Cryptography Conference, TCC 2022 ; Conference date: 07-11-2022 Through 10-11-2022",

year = "2022",

doi = "10.1007/978-3-031-22365-5_8",

language = "English (US)",

isbn = "9783031223648",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "213--243",

editor = "Eike Kiltz and Vinod Vaikuntanathan",

booktitle = "Theory of Cryptography - 20th International Conference, TCC 2022, Proceedings",

address = "Germany",

}

Bienstock, A, Dodis, Y, Garg, S, Grogan, G, Hajiabadi, M & Rösler, P 2022, On the Worst-Case Inefficiency of CGKA. in E Kiltz & V Vaikuntanathan (eds), Theory of Cryptography - 20th International Conference, TCC 2022, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13748 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 213-243, 20th Theory of Cryptography Conference, TCC 2022, Chicago, United States, 11/7/22. https://doi.org/10.1007/978-3-031-22365-5_8

On the Worst-Case Inefficiency of CGKA. / Bienstock, Alexander; Dodis, Yevgeniy; Garg, Sanjam et al.
Theory of Cryptography - 20th International Conference, TCC 2022, Proceedings. ed. / Eike Kiltz; Vinod Vaikuntanathan. Springer Science and Business Media Deutschland GmbH, 2022. p. 213-243 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13748 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - On the Worst-Case Inefficiency of CGKA

AU - Bienstock, Alexander

AU - Dodis, Yevgeniy

AU - Garg, Sanjam

AU - Grogan, Garrison

AU - Hajiabadi, Mohammad

AU - Rösler, Paul

N1 - Funding Information: CGKA is regarded as a practical primitive in the real-world. Indeed, there is an IETF Messaging Layer Security (MLS) working group devoted to developing a standard for SGM protocols, including the CGKA protocol at their core. Though known CGKA protocols seem to perform relatively well when considering natural sequences of performed group operations, there are no formal guarantees on their efficiency, other than the O(n) bound which can be achieved by trivial protocols, where n is the number of group numbers. In this context, we ask the following questions and provide negative answers. 1. Can we have CGKA protocols that are efficient in the worst case? We start by answering this basic question in the negative. First, we show that a natural primitive that we call Compact Key Exchange (CKE) is at the core of CGKA, and thus tightly captures CGKA’s worst-case communication cost. Intuitively, CKE requires that: first, n users non-interactively generate key pairs and broadcast their public keys, The full version [10] of this article is available in the IACR eprint archive as article 2022/1237. Y. Dodis—Partially supported by gifts from VMware Labs and Algorand Foundation, and NSF grants 1815546 and 2055578. S. Garg—This research is supported in part by DARPA under Agreement No. HR00112020026, AFOSR Award FA9550-19-1-0200, NSF CNS Award 1936826, and research grants by the Sloan Foundation, and Visa Inc. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA. M. Hajiabadi—Work supported by an NSERC Discovery Grant RGPIN/03270-2022. Publisher Copyright: © 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.

PY - 2022

Y1 - 2022

N2 - Continuous Group Key Agreement (CGKA) is the basis of modern Secure Group Messaging (SGM) protocols. At a high level, a CGKA protocol enables a group of users to continuously compute a shared (evolving) secret while members of the group add new members, remove other existing members, and perform state updates. The state updates allow CGKA to offer desirable security features such as forward secrecy and post-compromise security. CGKA is regarded as a practical primitive in the real-world. Indeed, there is an IETF Messaging Layer Security (MLS) working group devoted to developing a standard for SGM protocols, including the CGKA protocol at their core. Though known CGKA protocols seem to perform relatively well when considering natural sequences of performed group operations, there are no formal guarantees on their efficiency, other than the O(n) bound which can be achieved by trivial protocols, where n is the number of group numbers. In this context, we ask the following questions and provide negative answers. 1.Can we have CGKA protocols that are efficient in the worst case? We start by answering this basic question in the negative. First, we show that a natural primitive that we call Compact Key Exchange (CKE) is at the core of CGKA, and thus tightly captures CGKA’s worst-case communication cost. Intuitively, CKE requires that: first, n users non-interactively generate key pairs and broadcast their public keys, then, some other special user securely communicates to these n users a shared key. Next, we show that CKE with communication cost o(n) by the special user cannot be realized in a black-box manner from public-key encryption, thus implying the same for CGKA, where n is the corresponding number of group members.2.Can we realize one CGKA protocol that works as well as possible in all cases? Here again, we present negative evidence showing that no such protocol based on black-box use of public-key encryption exists. Specifically, we show two distributions over sequences of group operations such that no CGKA protocol obtains optimal communication costs on both sequences.

AB - Continuous Group Key Agreement (CGKA) is the basis of modern Secure Group Messaging (SGM) protocols. At a high level, a CGKA protocol enables a group of users to continuously compute a shared (evolving) secret while members of the group add new members, remove other existing members, and perform state updates. The state updates allow CGKA to offer desirable security features such as forward secrecy and post-compromise security. CGKA is regarded as a practical primitive in the real-world. Indeed, there is an IETF Messaging Layer Security (MLS) working group devoted to developing a standard for SGM protocols, including the CGKA protocol at their core. Though known CGKA protocols seem to perform relatively well when considering natural sequences of performed group operations, there are no formal guarantees on their efficiency, other than the O(n) bound which can be achieved by trivial protocols, where n is the number of group numbers. In this context, we ask the following questions and provide negative answers. 1.Can we have CGKA protocols that are efficient in the worst case? We start by answering this basic question in the negative. First, we show that a natural primitive that we call Compact Key Exchange (CKE) is at the core of CGKA, and thus tightly captures CGKA’s worst-case communication cost. Intuitively, CKE requires that: first, n users non-interactively generate key pairs and broadcast their public keys, then, some other special user securely communicates to these n users a shared key. Next, we show that CKE with communication cost o(n) by the special user cannot be realized in a black-box manner from public-key encryption, thus implying the same for CGKA, where n is the corresponding number of group members.2.Can we realize one CGKA protocol that works as well as possible in all cases? Here again, we present negative evidence showing that no such protocol based on black-box use of public-key encryption exists. Specifically, we show two distributions over sequences of group operations such that no CGKA protocol obtains optimal communication costs on both sequences.

UR - http://www.scopus.com/inward/record.url?scp=85146679227&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85146679227&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-22365-5_8

DO - 10.1007/978-3-031-22365-5_8

M3 - Conference contribution

AN - SCOPUS:85146679227

SN - 9783031223648

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 213

EP - 243

BT - Theory of Cryptography - 20th International Conference, TCC 2022, Proceedings

A2 - Kiltz, Eike

A2 - Vaikuntanathan, Vinod

PB - Springer Science and Business Media Deutschland GmbH

T2 - 20th Theory of Cryptography Conference, TCC 2022

Y2 - 7 November 2022 through 10 November 2022

ER -

Bienstock A, Dodis Y, Garg S, Grogan G, Hajiabadi M, Rösler P. On the Worst-Case Inefficiency of CGKA. In Kiltz E, Vaikuntanathan V, editors, Theory of Cryptography - 20th International Conference, TCC 2022, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. p. 213-243. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-22365-5_8