Hello everyone, my name is Keitaro. We will tell you about an efficient and generic construction for Signal's handshake: post-quantum, state leakage secure, and deniable. This is joint work with Shuichi Katsumata, Kris Kwiatkowski, and Thomas Prest. In this work, we realize the first practical and post-quantum Signal protocol.

This is an outline of our talk.
1. Background
2. Signal-conforming AKE protocol
3. Post-quantum SC-AKE protocol
4. Implementation results

I'd like to start by talking about the background: instant messaging and Signal. Recently, a lot of people use instant messaging to communicate with each other. In instant messaging, users send and receive messages asynchronously through the server. For example, when Alice wants to send a message to Bob, she sends the message to the server, and the server stores it. When Bob comes online, he accesses the server and receives the message addressed to him. In this way, we can send and receive messages even when the communication partner is offline. However, there is a risk that a malicious server may read or reveal messages. In fact, it was revealed that a server helped an intelligence agency with collecting messages, as in this figure. Therefore, to ensure the security and privacy of messages, secure instant messaging is widely used. In secure instant messaging, messages are encrypted with a pre-shared secret key. Hence, the server cannot access the encrypted contents.

In this work, we focus on Signal. Signal is a widespread secure instant messaging application. To encrypt messages, Signal uses the Signal protocol, which is based on the Diffie-Hellman assumption. The Signal protocol is deployed in a lot of messaging applications, such as Signal, WhatsApp, and Facebook Messenger. Hence, billions of users in the world use the Signal protocol.

Let's see how the Signal protocol works. The Signal protocol consists of two phases. First, Alice and Bob establish a shared secret key via the X3DH protocol. Then, they start the actual encrypted communication via the double-ratchet protocol. When Alice sends the messages, she chooses a new secret key, shown in red, and encrypts the messages and the key in this way. She sends them to the server. When Bob comes online, he receives the message from the server and decrypts it with the gray key. Then, he obtains the new red key. When Bob sends a message to Alice, he chooses a new secret key and encrypts them. Thereafter, they follow the same procedure.

The double-ratchet protocol and the X3DH protocol were proposed in 2016. Afterward, Cohn-Gordon et al. analyzed the security of the Signal protocol. In 2019, Alwen et al. formalized the security models of the double-ratchet protocol, and they proposed a generic construction of the double-ratchet protocol. It can be instantiated from post-quantum assumptions. Thus, we already have a post-quantum double-ratchet protocol. On the other hand, as for the X3DH protocol, the security model has not been formalized. In addition, there are no known constructions from assumptions other than the Diffie-Hellman assumption, nor any generic construction. Thus, a post-quantum X3DH is lacking.

The purpose of this study is two-fold. First, we formalize the security model of the X3DH protocol. Second, we design a generic construction of the X3DH protocol that can be instantiated from post-quantum assumptions. Our main contribution is the design and implementation of a generic construction as an alternative to the X3DH protocol. We have contributions in two aspects, the theoretical side and the practical side. We first formalize the X3DH protocol as a specific type of authenticated key exchange protocol. We call it the signal-conforming AKE protocol. Then, we define the functionality and security for SC-AKE. Then, we propose a generic construction of a post-quantum SC-AKE protocol that satisfies the required properties. It is based on key encapsulation mechanisms and signature schemes. Finally, we implement our SC-AKE protocol using NIST PQC candidates. Then, we evaluate the computation cost and the communication cost. As a result, we realize the first practical and post-quantum Signal protocol.

I will get into the details. We first talk about the first contribution, the formalization of the SC-AKE protocol. I would like to begin with the X3DH protocol. The X3DH protocol is an asynchronous key exchange protocol with the help of the server. We explain the protocol flow. First, Alice generates her long-term key pair, a and g^a, and the first message, g^x. She stores the key pair and x. Then, Alice sends the public key and the first message to the server. We note that in the initialization phase, Alice does not know who will communicate with her in the future. Assume one of the users, Bob, wants to exchange a session key with Alice. He first downloads Alice's first message from the server. Then, Bob generates the second message, g^y, and computes the session key in this way. Since the parties compute three Diffie-Hellman values, this protocol is called the X3DH protocol. Afterward, Bob sends his public key and the second message to the server. Finally, Alice downloads the message addressed to her from the server and computes the session key. This figure shows the entire protocol flow of the X3DH protocol.

On a closer look, by viewing the intermediate server as the person in the middle, the X3DH protocol looks like a general authenticated key exchange protocol. Therefore, in this work, we consider the X3DH protocol as a specific type of authenticated key exchange protocol. We call it the signal-conforming AKE protocol. This figure shows the communication model of the X3DH protocol and that of an AKE protocol. By viewing the server as an AKE adversary controlling the channels, we can consider the X3DH protocol as an AKE protocol.

This brings up a question. What functionality and security are required for SC-AKE? We first consider functionality. We found that the X3DH protocol has an important functionality: the first messages are independent from the communication partners. This is because, in the initialization phase, Alice does not know who will use her first message in the future. This functionality is needed to realize asynchronous communication. We define this functionality as receiver obliviousness. We second consider the security. The double-ratchet protocol considers stronger security, such that it is secure against state leakage. So, the SC-AKE protocol also needs the same level of security. The state is the ephemeral information that Alice stores until she receives the second message. Even if the state is exposed to the adversary, we want the session key to be secure. We call this property state leakage security. We have prepared the required functionality and security for SC-AKE.

Next, we will talk about our generic construction of the post-quantum SC-AKE protocol. We first turn our eye to the existing post-quantum AKE protocols. There are three types of constructions, but all are insufficient for the SC-AKE protocol. The first construction is based on an isogeny-type assumption. It is receiver oblivious, but it relies on the gap-CSIDH assumption, and its security level is unclear. Also, it is not secure against state leakage. The second construction is based on signatures and key encapsulation. It can be instantiated from well-established post-quantum assumptions, and it is receiver oblivious, but it is not secure against state leakage. The third construction is based only on key encapsulation. This is not receiver oblivious. In this work, we propose a new generic construction that satisfies all necessary requirements.

We will explain the technical overview of our generic construction. To construct the proposed protocol, we rely on two existing generic constructions. In the SIG-KEM construction, the session key is exchanged by an ephemeral KEM, and the parties are authenticated by signatures. Hence, it is called the SIG-KEM construction. In the KEM-KEM-KEM construction, the parties are authenticated by KEMs instead of signatures. Hence, it is called the KEM-KEM-KEM construction. Both constructions have their drawbacks. The SIG-KEM construction is not secure against state leakage, because an adversary can compute the session key from the exposed state. It includes the ephemeral KEM decapsulation key. The KEM-KEM-KEM construction is not receiver oblivious, because the first message depends on Bob's public key. On the other hand, both constructions have an advantage. The SIG-KEM construction is receiver oblivious, because the first message is independent of the peer. The KEM-KEM-KEM construction is state leakage secure, because an adversary cannot decrypt the ciphertexts from the exposed state only. This brings up the next question. Can we make the best of both worlds?

Again, let's look at the two constructions. In the SIG-KEM construction, the signature is used to explicitly authenticate the signer itself. Therefore, no information about the peer is required. The KEM key is independent of each party. This implies receiver obliviousness. In the KEM-KEM-KEM construction, the KEM is used to authenticate the receiver. Therefore, Alice needs to know Bob's public key. On the other hand, the session key is derived from multiple KEM session keys. This leads to state leakage security.

Now, we explain our construction. As in both constructions, we adopt an intermediate KEM. To authenticate Alice, Bob uses a KEM. This leads to state leakage security, as in KEM-KEM-KEM. To authenticate Bob, Bob generates his signature. This leads to receiver obliviousness, as in the SIG-KEM construction. This slide shows the protocol flow of our construction in detail. Our construction can be seen as combining the SIG-KEM and KEM-KEM-KEM constructions. We can check that our protocol satisfies both required properties. First, because the first message is independent from the receiver's public key, our protocol has receiver obliviousness. Second, our protocol is state leakage secure. This is because the adversary cannot decrypt the ciphertext from the exposed state dk_T. In this way, we can make the best of both worlds.

In summary, we propose a generic construction of the signal-conforming AKE protocol based on KEMs and signatures. It satisfies the required properties, receiver obliviousness and state leakage security. In addition, it can be instantiated from well-established post-quantum assumptions. We won't go into details, but we also propose a deniable SC-AKE protocol using ring signatures and NIKEs. In this work, we focus on the initial key exchange protocol of the Signal protocol and propose a post-quantum one. Combining it with the post-quantum double-ratchet protocol proposed by Alwen et al., we obtain the first post-quantum Signal protocol.

Finally, we will report the implementation results. This is the third contribution. To instantiate our SC-AKE protocol, we use post-quantum KEMs and signature schemes submitted to the NIST PQC standardization. We pair KEMs and signature schemes corresponding to the same security level. As a result, we obtain 128 different instantiations of post-quantum SC-AKE. We evaluate the computation cost and communication cost for all of them. This slide shows the results. The upper figure shows the communication cost and the lower one shows the computation cost. We confirm that all instantiations work in practice. What we found is that schemes such as GDCM plus favor light provide a good balance between communication and computation cost. Also, we observe that we can realize SC-AKE with various characteristics by changing the underlying assumption. For example, Rainbow-based SC-AKE provides a smaller message size.

In conclusion, we showed the design and implementation of a generic construction of the signal-conforming AKE protocol. Our contribution is three-fold. First, we formalize the X3DH protocol as a specific type of AKE called the SC-AKE protocol and provide a formal security model. Second, we propose a generic construction of post-quantum SC-AKE from KEM and signature schemes. Finally, we implement our SC-AKE protocol with NIST PQC candidates and evaluate the computation and communication cost. As a result, we realize the first practical and post-quantum Signal protocol. Thank you for your kind attention.
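The following is an added toy illustration of the construction described in the talk (KEM to Alice's long-term key, ephemeral KEM, Bob's signature over the transcript). It is not code from the talk, the paper, or the authors' implementation. The KEM and signature are stand-ins I constructed from a hashed Diffie-Hellman KEM and a Schnorr signature over a tiny group, so the example is not secure and not post-quantum; a deployment would plug in IND-CCA post-quantum KEMs and EUF-CMA signatures behind the same four functions. Function names, the transcript hashing and the key derivation are my assumptions, chosen only to show two properties from the talk: Alice's first message is built without any peer information (receiver obliviousness), and leaking her stored state dk_T yields K2 but not K1, so the session key stays hidden (state leakage security).

```python
"""Toy SC-AKE flow, constructed for illustration only (NOT secure, NOT post-quantum)."""
import hashlib
import secrets

# Toy group: Mersenne prime 2^127 - 1 with exponents reduced mod P - 1.
# Constructed parameters; real code would use post-quantum primitives instead.
P = (1 << 127) - 1
G = 5
Q = P - 1


def _i2b(x: int) -> bytes:
    return x.to_bytes(16, "big")


def _hash(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 over all parts (used as KDF, transcript hash and challenge)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


# ---- toy KEM (hashed Diffie-Hellman): stand-in for a post-quantum KEM ----
def kem_keygen():
    dk = secrets.randbelow(Q - 1) + 1
    return dk, pow(G, dk, P)  # (decapsulation key, encapsulation key)


def kem_encap(ek: int):
    r = secrets.randbelow(Q - 1) + 1
    c = pow(G, r, P)
    return _hash(_i2b(pow(ek, r, P)), _i2b(c)), c  # (shared key, ciphertext)


def kem_decap(dk: int, c: int) -> bytes:
    return _hash(_i2b(pow(c, dk, P)), _i2b(c))


# ---- toy signature (Schnorr): stand-in for a post-quantum signature ----
def sig_keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)  # (signing key, verification key)


def sig_sign(sk: int, vk: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    e = int.from_bytes(_hash(_i2b(R), _i2b(vk), msg), "big") % Q
    return R, (k + e * sk) % Q


def sig_verify(vk: int, msg: bytes, sig) -> bool:
    R, s = sig
    e = int.from_bytes(_hash(_i2b(R), _i2b(vk), msg), "big") % Q
    return pow(G, s, P) == (R * pow(vk, e, P)) % P


# ---- SC-AKE flow as described in the talk ----
def alice_first_message():
    """Receiver-oblivious: takes no information about who will answer."""
    dk_T, ek_T = kem_keygen()
    return dk_T, ek_T  # dk_T is Alice's stored state; ek_T is uploaded to the server


def transcript(ek_A, ek_T, vk_B, c1, c2) -> bytes:
    return _hash(_i2b(ek_A), _i2b(ek_T), _i2b(vk_B), _i2b(c1), _i2b(c2))


def bob_respond(ek_A, ek_T, sk_B, vk_B):
    K1, c1 = kem_encap(ek_A)  # only Alice's long-term dk_A opens c1: authenticates Alice
    K2, c2 = kem_encap(ek_T)  # fresh per-session secret under Alice's ephemeral key
    tr = transcript(ek_A, ek_T, vk_B, c1, c2)
    sig = sig_sign(sk_B, vk_B, tr)  # Bob's signature authenticates Bob
    return _hash(K1, K2, tr), (c1, c2, sig)  # session key derived from both KEM keys


def alice_finish(dk_A, ek_A, dk_T, ek_T, vk_B, msg):
    """Returns the session key, or None if Bob's signature does not verify."""
    c1, c2, sig = msg
    tr = transcript(ek_A, ek_T, vk_B, c1, c2)
    if not sig_verify(vk_B, tr, sig):
        return None
    return _hash(kem_decap(dk_A, c1), kem_decap(dk_T, c2), tr)


def key_from_exposed_state_only(dk_T, ek_A, ek_T, vk_B, msg):
    """What leaking Alice's state dk_T gives: K2 is recoverable, K1 is not, so the
    best derivation from the state alone differs from the real session key."""
    c1, c2, sig = msg
    tr = transcript(ek_A, ek_T, vk_B, c1, c2)
    return _hash(b"", kem_decap(dk_T, c2), tr)  # K1 slot left empty


if __name__ == "__main__":
    dk_A, ek_A = kem_keygen()
    sk_B, vk_B = sig_keygen()
    dk_T, ek_T = alice_first_message()
    key_bob, msg = bob_respond(ek_A, ek_T, sk_B, vk_B)
    key_alice = alice_finish(dk_A, ek_A, dk_T, ek_T, vk_B, msg)
    print("keys agree:", key_alice == key_bob)
    print("state leak recovers key:", key_from_exposed_state_only(dk_T, ek_A, ek_T, vk_B, msg) == key_bob)
```

The check in `alice_finish` rejects any message whose signature does not cover the exact transcript, so a server that swaps `c1` or `c2` between sessions makes Alice abort rather than derive a mismatched key; the signature binds Bob's verification key into the transcript for the same reason.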