On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees (CCS 2018, Secure Messaging)
    Katriel Cohn-Gordon, Cas Cremers, Luke Garratt, Jon Millican, and Kevin Milner
    [View PDF on people.cispa.io]

    author = {Cohn-Gordon, Katriel and Cremers, Cas and Garratt, Luke and Millican, Jon and Milner, Kevin},
    title = {On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees},
    booktitle = {Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security},
    series = {CCS '18},
    year = {2018},
    isbn = {978-1-4503-5693-0},
    location = {Toronto, Canada},
    pages = {1802--1819},
    numpages = {18},
    url = {http://doi.acm.org/10.1145/3243734.3243747},
    doi = {10.1145/3243734.3243747},
    acmid = {3243747},
    publisher = {ACM},
    address = {New York, NY, USA},
    keywords = {art, computational proof, end-to-end encryption, group messaging, security protocols, tree diffie-hellman, verification},

In the past few years, secure messaging has become mainstream, with over a billion active users of end-to-end encryption protocols such as Signal. The Signal Protocol provides a strong property called post-compromise security to its users. However, it turns out that many of its implementations provide, without notification, a weaker property for group messaging: an adversary who compromises a single group member can read and inject messages indefinitely. We show for the first time that post-compromise security can be achieved in realistic, asynchronous group messaging systems. We present a design called Asynchronous Ratcheting Trees (ART), which uses tree-based Diffie-Hellman key exchange to allow a group of users to derive a shared symmetric key even if no two are ever online at the same time. ART scales to groups containing thousands of members, while still providing provable security guarantees. It has seen significant interest from industry, and forms the basis for two draft IETF RFCs and a chartered working group. Our results show that strong security guarantees for group messaging are practically achievable in a modern setting.