Paper 2023/1903

Quarantined-TreeKEM: a Continuous Group Key Agreement for MLS, Secure in Presence of Inactive Users

Céline Chevalier, École Normale Supérieure - PSL, Université Paris Panthéon-Assas
Guirec Lebrun, École Normale Supérieure - PSL, ANSSI
Ange Martinelli, ANSSI
Abdul Rahman Taleb, ANSSI
Abstract

The recently standardized secure group messaging protocol Messaging Layer Security (MLS) is designed to ensure asynchronous communications within large groups, with an almost-optimal communication cost and the same security level as point-to-point secure messaging protocols such as Signal. In particular, the core sub-protocol of MLS, a Continuous Group Key Agreement (CGKA) called TreeKEM, must generate a common group key that respects the fundamental security properties of post-compromise security and forward secrecy, which mitigate the effects of user corruption over time. Most research on CGKAs has focused on how to improve these two security properties. However, post-compromise security and forward secrecy require the active participation of, respectively, all compromised users and all users within the group. Inactive users – who remain offline for long periods – no longer update their encryption keys and therefore represent a vulnerability for the entire group. This issue has already been identified in the MLS standard, but no solution, other than expelling these inactive users after some disconnection time, has been found. We propose here a CGKA protocol based on TreeKEM and fully compatible with the MLS standard that implements a quarantine mechanism for the inactive users in order to mitigate the risk induced by these users during their inactivity period and before they are removed from the group. That mechanism updates the inactive users’ encryption keys on their behalf and secures these keys with a secret sharing scheme. If some of the inactive users eventually reconnect, their quarantine stops and they are able to recover all the messages that were exchanged during their offline period. Our Quarantined-TreeKEM protocol thus increases the security of the original TreeKEM, with a very limited – and sometimes negative – communication overhead.

Note: This is the full version of the extended abstract published in the proceedings of ACM CCS'24.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Major revision. ACM CCS'24
DOI
10.1145/3658644.3690265
Keywords
MLS, TreeKEM, CGKA, Quarantine, Forward Secrecy, Post-Compromise Security
Contact author(s)
celine chevalier @ ens fr
guirec lebrun @ ens fr
ange martinelli @ ssi gouv fr
abdulrahman taleb @ ssi gouv fr
History
2024-09-23: last of 3 revisions
2023-12-11: received
Short URL
https://ia.cr/2023/1903
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1903,
      author = {Céline Chevalier and Guirec Lebrun and Ange Martinelli and Abdul Rahman Taleb},
      title = {Quarantined-{TreeKEM}: a Continuous Group Key Agreement for {MLS}, Secure in Presence of Inactive Users},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1903},
      year = {2023},
      doi = {10.1145/3658644.3690265},
      url = {https://eprint.iacr.org/2023/1903}
}