Okay, thank you. So I'm Lior. This is joint work with Gil Segev, and I'm going to talk about out-of-band authentication in group messaging. So we heard in the last couple of talks about end-to-end encryption in messaging applications, and note that by now, once a pair of users has already established a shared secret key, then very roughly speaking, at least for the most part, end-to-end encryption is kind of figured out, at least in its most basic form. So a key challenge is that of detecting man-in-the-middle attacks when trying to set up secure end-to-end channels, right? What was referred to as the "initialization" part of the protocol in previous talks. So what do we mean by that? Let's consider a concrete example. Let's say Alice and Bob want to chat for the first time over WhatsApp in an encrypted manner. So what they first have to do is run some key exchange protocol; for example, they can run the Diffie-Hellman protocol. But unfortunately, it is very well known that the Diffie-Hellman protocol becomes completely insecure when facing man-in-the-middle attacks, where a man-in-the-middle attacker can simply replace the values sent by the users with values of her own choice. More generally speaking, it's not hard to see that it is impossible to detect such man-in-the-middle attacks in any key exchange protocol if we don't have any kind of setup, such as a trusted PKI. And as it turns out, it is impractical to assume a trusted PKI in messaging applications due to their very ad hoc nature: users have multiple devices, they replace their devices, update their contacts, etc. Fortunately, what is practical to assume, and what is indeed assumed by most messaging applications nowadays, is that the users have the ability to out-of-band authenticate one short value. So what do we mean by that?
This is again the Diffie-Hellman execution from before. After completing the execution, the users can compare one short value that is displayed on both of their devices. So for example, this can be done, if they're not physically together, by having Alice record a voice message of herself reading the value that she sees out loud, send it over to Bob, and then Bob can verify that the voice message that he received is indeed consistent with what he sees on his device. And assuming that Bob indeed recognizes Alice's voice, this forms a sort of low-bandwidth authenticated channel from Alice to Bob. So it is low-bandwidth because Alice would only read so many digits out loud, and it is authenticated based on the assumption that it is harder to forge Alice's voice than a text message, at least in an online setting. So indeed this kind of model, or physical assumption, or approach, is used today not only by WhatsApp but by most messaging applications that provide end-to-end encryption, and it was also considered for a while within the cryptographic community. So in '84, Rivest and Shamir introduced the interlock protocol, which also assumed that the users recognize each other's voice. So this already, back then, shed some important initial light on the potential benefit of such model or physical assumptions to tasks such as the one that we are considering. And indeed, some 20 years later, this model was formalized by Vaudenay in the computational setting and by Naor et al. in the statistical setting, considering bounded and unbounded adversaries respectively. So let's talk a bit about the user-to-user setting, and to formalize the setting it is helpful to think of an equivalent problem to that of detecting man-in-the-middle attacks in key exchange, which is detecting man-in-the-middle attacks in message authentication. So what is this problem again?
We have Alice, Bob, and the man in the middle. Now Alice wishes to send some message M over to Bob, who receives some possibly tampered-with message M hat, and Bob wishes to detect, with probability at least 1 minus epsilon, whenever M hat is not M. So why this equivalence to detecting man-in-the-middle attacks in key exchange? So in the one direction, if the users have already shared a secret key, then Alice can just go ahead and MAC the message. And in the other direction, it's not hard to see that if the users have some message authentication protocol which is resilient to man-in-the-middle attacks, then they can run any key exchange protocol and then just go ahead and apply the message authentication to the transcript of the protocol. So okay, what we did now was just rephrase the problem, but it is still the case that such a message authentication protocol cannot exist without any further assumptions. And this is where the users' ability to out-of-band authenticate one short value comes into the picture, and it is modeled as an out-of-band authenticated channel over which Alice can authenticate one short L-bit value to Bob. And now we require that Bob will detect, with probability at least 1 minus epsilon, whenever M hat is not M, and now this might be a possible thing to ask for. Okay, so this begs the question of how low-bandwidth this channel is, or how small L is. So in the case of WhatsApp or Signal it is 240 bits; in the case of Telegram it's 288 bits. And more generally speaking, Pasini and Vaudenay gave in '06 a lower bound showing that L has to be at least log 1 over epsilon. Right, so intuitively, if you want, say, 80 bits of security, Alice has to out-of-band authenticate at least 80 bits. Okay, so a major goal in this model, as we can see, is to get the best possible trade-off between L and epsilon, right? Because we want the best possible security, but we want to incur as little effort as possible on the side of the users. Okay, so in this user-to-user setting, previous works have established a complete characterization of this trade-off.
So we already mentioned the lower bound of Pasini and Vaudenay, and indeed, the year prior to that, Vaudenay gave a matching protocol. So in the computational setting, these two results taken together show that in order to get security epsilon, log 1 over epsilon out-of-band authenticated bits are both necessary and sufficient. And in the statistical setting, Naor et al. showed that you have to work twice as hard: they gave a protocol and the matching lower bound, showing that in order to get security epsilon against unbounded adversaries, one has to out-of-band authenticate 2 log 1 over epsilon bits, and this is also sufficient. Okay, so the focus of this work is the group setting. So whereas in the user-to-user setting we mentioned that there is a complete characterization of the trade-off, and we also saw that there are practical protocols in deployment by messaging applications nowadays, this is far from being the case in the group setting, and in particular the protocols enabled by today's messaging applications are far from being practical. Okay, so in this light our contributions are two-fold. First, we put forth a framework for modeling out-of-band authentication in the group setting. This includes both the model of communication and notions of security, and I'll give more details about them both later on, but just to give you a sense right now: let's suppose that this is our group, and assume for simplicity that it consists of a group administrator and K additional users. So the users communicate among themselves over some insecure channel over which the adversary has complete control, and in addition, the group administrator has the ability to out-of-band authenticate one short value, which is then visible to all other users. Based on our conversations with people in the industry, we gather that this is consistent with the current messaging platforms, for example by having the group administrator record a voice message of herself reading a short value that she sees out loud, send it over to the group, and then each group member can verify that indeed this voice message is consistent with what he sees on his device.
Okay, so within this framework we provide tight bounds for out-of-band authentication in the group setting. So let's consider groups of size K plus 1, right? We have K receivers, or additional users, and the group administrator, so we have a group of size K plus 1. So we show that in the computational setting you don't have to work quite as hard if you consider larger groups. So we give a protocol and the matching lower bound showing that in order to get security epsilon, log 1 over epsilon plus log K out-of-band authenticated bits are both necessary and sufficient. In the statistical setting, however, we show that you have to work much harder. So we give a lower bound showing that the number of out-of-band authenticated bits has to be linearly dependent on the size of the group, right? Namely, one has to out-of-band authenticate at least (K plus 1) times log 1 over epsilon, minus K, bits in order to get security epsilon. And we also provide the matching protocol, in which (K plus 1) times (log 1 over epsilon plus log K) bits are out-of-band authenticated, and note that these two terms indeed match up to an additive term which is something like K times log K. But whenever K is much smaller than 1 over epsilon, which is your typical case in messaging applications, this becomes a much lower order term. And it is worth mentioning that our computationally secure protocol is quite efficient and practically relevant. It substantially improves upon the currently deployed protocols. So just to give you a sense, if you consider a group of, say, size 33 and you want 80 bits of security, then using the currently enabled protocols you have to out-of-band authenticate over 2700 bits, whereas using our protocol you can do with just 85 bits.
Okay, so the talk outline will be the following. I'll give some more detail about the communication model and notions of security, I'll introduce the naive protocol currently enabled, and then I'll give some detail about our results. I won't have time to cover them all, so I'll talk about our computationally secure protocol and, as time permits, I will say a few words about our statistical lower bound. Okay, so the communication model: we already saw this picture. As we said before, we can talk about message authentication, so let's replace the devices with S for the sender and R1 to RK for the receivers. So as we said, all users communicate among themselves over an insecure channel, and the adversary is assumed to have complete control of this channel, so she can read messages, change them, delay them, insert new ones, etc. And in addition, S has the ability to out-of-band authenticate one short value over an out-of-band channel. So this channel is assumed to be authenticated but not secret. So the adversary can read messages, delete them, delay them, etc., but she cannot modify them or insert new ones in an undetectable manner. So within this model we can define correctness and security. So let's be a bit more formal now. Let's give S some input message M, which is the message to be authenticated, and at the end of the protocol each receiver outputs some message. Let's denote the output of R_i by M hat i. And the correctness requirement states that in an honest execution all receivers must output the correct message M, right, let's say with probability 1, so we have perfect correctness. As for security, or unforgeability, we require that the probability that there exists some receiver R_i that outputs a fraudulent message, right,
meaning M hat i which is neither M, the correct message, nor the unique bottom symbol implying rejection, is bounded by some predetermined parameter epsilon. And as in the user-to-user setting, we consider two flavors of security. So we have a computational flavor and a statistical flavor, considering bounded and unbounded adversaries respectively. And another technical difference is that in the computational setting we allow the forgery probability to be bounded by epsilon plus some negligible function of the security parameter. Okay, so let's talk about the protocol currently enabled. So, you know, the most naive thing you can do if you have a user-to-user protocol is to just have S independently invoke it with each receiver, right? So how does this look? We have S and R1 through RK again. First S invokes a user-to-user protocol pi with R1, then it does so with R2, and so forth, until it does so with RK. But the problem with this, of course, is that now S has to out-of-band authenticate quite a long value, right? Namely, S has to out-of-band authenticate at least K times log K over epsilon bits, where the K inside the log simply comes to enable a union bound over all receivers, so that the forgery probability may be bounded by epsilon. And just to give you a sense, so we talked about the 33-user example; if you consider an even larger group of, let's say, roughly a thousand users, now S has to out-of-band authenticate more than 90,000 bits in order to get 80 bits of security. Right.
So both of these examples seem rather impractical, but unfortunately this is what you can do with today's messaging platforms. Okay, so this leads us to our protocol. Our protocol is based on a generalization of Vaudenay's user-to-user protocol, while addressing some non-trivial technicalities and vulnerabilities that arise from trying to generalize it to the group setting. So I won't have the time to get into them, but I'll just go ahead and display our protocol. So let's consider just two receivers for simplicity of presentation here, and the protocol proceeds as follows. So the receivers first each sample an L-bit random string, and each of them sends a commitment to the string to all other users in the protocol. Now obviously a commitment scheme might be interactive, but I'll just refer to commitments as messages for now, and we'll bear in mind that everything I say readily extends to interactive commitments as well. In response, S sends M along with a commitment to M and a random L-bit string of his own, RS. At which point the receivers decommit to reveal the random values, S decommits to reveal RS, and finally S out-of-band authenticates the XOR of RS, R1 and R2, and each receiver accepts the message M that he received as the second message of the protocol if and only if this out-of-band value is indeed consistent with what he expects to see given the insecure communication. Okay, so here's a theorem: if the commitment scheme used in our protocol is statistically binding and concurrent non-malleable, then for any K and L it holds that the epsilon of this protocol is K times 2 to the minus L. Right, or in other words, for any efficient adversary the forgery probability is bounded by K times 2 to the minus L plus some negligible function of the security parameter. So how do we go about proving this theorem?
So we focus individually on each receiver, and we prove that the probability that this receiver outputs a fraudulent message is bounded by 2 to the minus L plus some negligible function of the security parameter, and then the theorem follows by taking a union bound over all receivers. And to prove that, we consider all possible synchronizations a man-in-the-middle attacker might impose on an execution of the protocol relative to R_i. And I'll talk about just one of them today, because I won't have time to talk about more, but this captures the gist of the proof. And then we reduce a successful attack in each of these synchronization schemes to a contradiction of one of the security properties of the underlying commitment scheme. Okay, so let's consider just one example. Let's say the adversary wants to make R1 output a fraudulent message, and it does so using the following timing. So first R1 commits to a random string, little r1. Then S receives commitments to r1 hat and r2 hat, which might be the same as the real r1 or r2, or they might be different. Then S sends M and the commitment to M and RS, followed by R1 receiving the commitment to r2 tilde along with the message M hat and the commitment to M hat and RS hat. Again, this r2 tilde and RS hat might be the same as or different from other values sent during the execution of the protocol. Okay, so for simplicity here we non-uniformly fix the worst-case r1, r1 hat and r2 hat, right, meaning the values that correspond to the maximal forgery probability by this adversary. And note that the attacker gets a commitment to M and some RS, and outputs commitments to r2 tilde and to M hat and RS hat. And in order to be a successful adversary, two conditions must hold. So first, this linear relation listed on the slide must hold, right, because in order for R1 to output something which is not bottom, the out-of-band value that S sends must be the same as the one that R1 is expecting to see. And in addition, M hat has to be different from M, right, because otherwise this won't be a forgery.
But the concurrent non-malleability of the underlying commitment scheme tells us that the probability that these two conditions indeed hold simultaneously is bounded by 2 to the minus L plus some negligible function of the security parameter. Right, so this concludes the reduction for this synchronization. And I won't have the time to give definitions of concurrent non-malleable commitments, but I will say that from a theoretical point of view, a long line of work has taught us that constant-round concurrent non-malleable commitment schemes exist based on the minimal assumption that one-way functions exist, and from a more practical point of view, just the folklore commitment of hashing the value and the randomness in the random oracle model gives us a non-interactive, simple scheme which is sufficient for our needs in our protocol. Okay, so I'll have the time to say a few words about our statistical lower bound. So we saw this picture before; this is an execution of some protocol that we want to attack, and let's denote by capital Sigma the random variable corresponding to the out-of-band value in a random execution of the protocol that we want to attack. Okay, so Sigma is a random variable and as such might have some initial entropy, but note that this entropy declines during the execution of the protocol, since at the end of the protocol this value is fixed and sent, so it has no entropy. And the intuition for a lower bound that can be found in the Naor et al. paper for the user-to-user setting tells us that in order for the forgery probability to be bounded by epsilon, this decline in entropy must adhere to a very specific structure, right? So namely, each party in the group, or in the protocol, must independently reduce, in some sense that will hopefully become clearer in a second, at least log 1 over epsilon bits of entropy from H of Sigma. If you believe this intuition, then the lower bound follows by summing over all the users in the group, right?
So we have that H of Sigma is at least K plus 1 times log 1 over epsilon, and this is obviously a lower bound to the average length of the out-of-band value as well. Okay, so to give some more details about the lower bound I need to introduce some notation. So let's assume that the protocol that we want to attack has t rounds of insecure communication, and it follows a very specific structure, and I'll describe this structure again just for two receivers, but it readily extends to any number of receivers. So let's say that the protocol proceeds as follows: S sends a message x0 to all other users, followed by R1 sending x1 to all other users, R2 sends x2 to all other users, and so forth, x3, x4 and x5, until x t minus 1. And given this notation we can start to understand H of Sigma. So we'll introduce a little bit more notation. Let's denote by capital M the random variable corresponding to the input message M to S, and by capital X0 through capital X t minus 1 the random variables corresponding to the messages sent by the parties during the execution of the protocol, and we already know capital Sigma. So the main observation is that we can split H of Sigma, in some sense, according to the marginal contribution of each round. So we can write H of Sigma as H of Sigma minus H of Sigma conditioned on M and X0, plus H of Sigma conditioned on M and X0, right? What we did now was just to subtract and add the conditional entropy of Sigma conditioned on the partial transcript up to and including the first round, and we can do that for each round of insecure communication. But this now can be rewritten as the sum over all rounds of the mutual information of Sigma and the current message in this round, conditioned on the partial transcript of the protocol up to and not including this round. Right, this is by definition. So now what's inside the red rectangles can be thought of as the entropy reduction caused by S to H of Sigma, right, because S is the one to send X0 and also the Xj's inside the sum, and flips whatever random coins it has to in order to determine Sigma when the insecure transcript is fixed.
And similarly, what's inside the blue rectangle for every i can be thought of as the entropy reduction by R_i. And now our lower bound is completed using two lemmas. So lemma 1 tells us that there exists an attack that succeeds with probability at least 2 to the minus the entropy reduction by S, and similarly, for any i, we have an attack that succeeds with probability 2 to the minus the entropy reduction by R_i. Right, and then the lower bound follows: the product of the success probabilities is at least 2 to the minus H of Sigma minus K, which I will disregard, and the lower bound simply follows by the epsilon-unforgeability of the protocol. All right. Thank you.
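The entropy decomposition and lower-bound argument that the speaker sketches at the end, written out for a t-round protocol with sender S and receivers R_1, ..., R_K in the round-robin order described above (this is an added worked version, not a slide from the talk; the names Red_S and Red_{R_i} for the "red" and "blue" sums are my labels):

$$
\begin{aligned}
H(\Sigma) &= \big[H(\Sigma) - H(\Sigma \mid M, X_0)\big] + \sum_{j=1}^{t-1} \big[H(\Sigma \mid M, X_{<j}) - H(\Sigma \mid M, X_{\le j})\big] + H(\Sigma \mid M, X_0, \dots, X_{t-1}) \\
&= I(\Sigma; M, X_0) + \sum_{j=1}^{t-1} I(\Sigma; X_j \mid M, X_{<j}) + H(\Sigma \mid M, X_0, \dots, X_{t-1}),
\qquad X_{<j} = (X_0, \dots, X_{j-1}).
\end{aligned}
$$

Round $j$ is sent by $S$ when $j \equiv 0 \pmod{K+1}$ and by $R_i$ when $j \equiv i \pmod{K+1}$, so the terms split by party as

$$
\mathrm{Red}_S = I(\Sigma; M, X_0) + \sum_{\substack{1 \le j < t \\ j \equiv 0 \ (\mathrm{mod}\ K+1)}} I(\Sigma; X_j \mid M, X_{<j}) + H(\Sigma \mid M, X_{<t}),
\qquad
\mathrm{Red}_{R_i} = \sum_{\substack{1 \le j < t \\ j \equiv i \ (\mathrm{mod}\ K+1)}} I(\Sigma; X_j \mid M, X_{<j}),
$$

with $H(\Sigma) = \mathrm{Red}_S + \sum_{i=1}^{K} \mathrm{Red}_{R_i}$ (the last term goes to $S$ because $S$ fixes $\Sigma$ with its remaining coins once the transcript is fixed). The two lemmas give attacks succeeding with probability roughly $2^{-\mathrm{Red}_S}$ and $2^{-\mathrm{Red}_{R_i}}$; each is at most $\varepsilon$ by unforgeability, and multiplying the $K+1$ bounds (including the additive $K$ the speaker mentions) yields

$$
\varepsilon^{K+1} \;\ge\; 2^{-H(\Sigma) - K}
\quad\Longrightarrow\quad
H(\Sigma) \;\ge\; (K+1)\log\frac{1}{\varepsilon} - K,
$$

and since the expected length of the out-of-band value is at least $H(\Sigma)$, this is the statistical lower bound stated earlier in the talk.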
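To make the computationally secure group protocol concrete, here is an added Python simulation (not the speaker's or the paper's code) of the protocol with K receivers, using the folklore hash commitment H(value || randomness) that the talk mentions in place of a concurrent non-malleable commitment; the per-receiver "view" model, the constructed substitution attacker and all function names are my assumptions. It also reproduces the 85-bit versus 2720-bit comparison for a group of 33 at 80 bits of security.

```python
import hashlib
import secrets

SEC_BITS = 80        # target forgery probability eps = 2^-80
DECOMMIT_BYTES = 16  # randomness appended inside the hash commitment


def oob_bits_ours(k: int, sec_bits: int = SEC_BITS) -> int:
    """Group protocol: eps = K * 2^-L, so L = log2(1/eps) + ceil(log2 K) out-of-band bits."""
    return sec_bits + (k - 1).bit_length()  # (k-1).bit_length() == ceil(log2 k) for k >= 1


def oob_bits_naive(k: int, sec_bits: int = SEC_BITS) -> int:
    """Naive protocol: K independent user-to-user runs, each at log2(K/eps) bits (union bound)."""
    return k * (sec_bits + (k - 1).bit_length())


def commit(value: bytes, rnd: bytes) -> bytes:
    """Folklore commitment Com(v; r) = H(v || r), modelled as a random oracle."""
    return hashlib.sha256(value + rnd).digest()


def enc(x: int) -> bytes:
    return x.to_bytes(16, "big")  # fixed-width encoding of an L-bit value, L <= 128


def run_group_auth(m: bytes, k: int, l: int, mitm=None):
    """S authenticates m to R_1..R_k; returns each receiver's output (m-hat, or None for reject)."""
    assert l <= 128
    # Round 1: each R_i samples r_i in {0,1}^l and sends Com(r_i) to everyone.
    r = [secrets.randbits(l) for _ in range(k)]
    d = [secrets.token_bytes(DECOMMIT_BYTES) for _ in range(k)]
    c = [commit(enc(r[i]), d[i]) for i in range(k)]
    # Round 2: S sends m together with a commitment to (m, r_S).
    r_s, d_s = secrets.randbits(l), secrets.token_bytes(DECOMMIT_BYTES)
    c_s = commit(m + enc(r_s), d_s)
    # Round 3: everyone decommits. The man in the middle may rewrite what R_i sees on the
    # insecure channel, but not R_i's own randomness, which never left its device.
    views = []
    for i in range(k):
        v = {"m": m, "c_s": c_s, "r_s": r_s, "d_s": d_s, "c": list(c), "r": list(r), "d": list(d)}
        if mitm is not None:
            v = mitm(v)
        v["c"][i], v["r"][i], v["d"][i] = c[i], r[i], d[i]
        views.append(v)
    # Out-of-band: S authenticates sigma = r_S xor r_1 xor ... xor r_k; this value cannot be altered.
    sigma = r_s
    for x in r:
        sigma ^= x
    outputs = []
    for v in views:  # each R_i checks all decommitments and that sigma matches its own view
        ok = commit(v["m"] + enc(v["r_s"]), v["d_s"]) == v["c_s"]
        expected = v["r_s"]
        for j in range(k):
            ok = ok and commit(enc(v["r"][j]), v["d"][j]) == v["c"][j]
            expected ^= v["r"][j]
        outputs.append(v["m"] if ok and expected == sigma else None)
    return outputs


def substitution_mitm(v: dict) -> dict:
    """Constructed attacker: swaps in her own message and a fresh r_S' with matching commitment.
    The receiver then expects sigma' = r_S' xor r_1 xor ..., which equals the real sigma only if
    r_S' == r_S; the hiding commitment keeps r_S secret, so this survives with probability 2^-l."""
    v = dict(v)
    v["m"] = b"constructed forged message"
    v["r_s"], v["d_s"] = secrets.randbits(128), secrets.token_bytes(DECOMMIT_BYTES)
    v["c_s"] = commit(v["m"] + enc(v["r_s"]), v["d_s"])
    return v
```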