Hi everyone! My name is Paul Rösler, and the paper I present today is joint work with Alexander Bienstock and Yevgeniy Dodis. The title of our paper is "On the Price of Concurrency in Group Ratcheting Protocols". Before I turn to concurrency and explain what the price in this setting means, I will first give you an idea of what group ratcheting is. Group ratcheting protocols have the following core functionality: they enable the members of a group to jointly establish group keys. With these group keys, the users can then, for example, protect their conversations in group chats in instant messaging. Since instant messaging is the core deployment scenario for group ratcheting protocols, we consider the following threat: adversaries are able to expose the local secrets that users use to compute and establish their group keys. Thereby these adversaries of course also obtain the group keys, at least until the affected group members recover from these exposures. Exposures are realistic mainly because, on the one hand, group chats in instant messaging often last a very long time and, on the other hand, users communicate in such chats from their mobile devices, which increases the adversary's potential access to these secrets. Group members can recover from such exposures, as soon as the adversary no longer has access to their secrets, in the following way: they sample new secrets, derive public values from these new secrets, and share these public values in the group. As soon as every group member who has been exposed has recovered by sharing such new public values, the group should be able to compute a secure group key again. Now, as you can see here, if these users recover in a sequential schedule, this takes a very long time, potentially even linear in the number of group members.
On the one hand, it is very realistic that, absent a scheduling algorithm, users in a group initiate their recoveries concurrently. On the other hand, if they can do so, and if the protocol is able to process such simultaneously initiated recoveries, then the time needed for effective recovery decreases significantly. So we think the main targets of group ratcheting protocols should be: reaching post-compromise security, meaning recovery from such exposures, ideally very quickly; keeping the shares that users distribute in order to recover from these exposures minimal, so that the communication overhead stays small; and finally, as I already mentioned, handling these recoveries concurrently. I already mentioned the problems when protocols do not achieve these goals: on the one hand, recovery takes a very long time; on the other hand, if only recoveries in a sequential schedule can be processed, then some coordination mechanism is needed, and this often requires consensus protocols, which are either inapplicable or very inefficient in decentralized networks. Okay, after sketching the ideas and goals of our work, I will next give you an idea of why previous protocols were not able to achieve both post-compromise security and concurrently initiated recoveries. After this overview of previous work, I will look at our lower bound result. This result tells you that there is a minimal communication overhead that is necessary for users to concurrently recover from exposures. After looking at this lower bound, I will introduce our construction of group ratcheting, which achieves a communication overhead very close to our lower bound and thereby provides an almost optimal upper bound.
I will close the talk with questions that we leave open for future work. Okay, so let's look at what previous constructions for group ratcheting did. Their main approach is based on dynamic group key exchange protocols, which have a long history in the literature, mainly from the 1980s to the early 2000s. The main idea is that users who have been exposed can be treated as unwanted identities in the group. So in order to recover, I, as an exposed user with an unwanted identity, would remove my current identity, and then, after the adversary loses access to my device, generate a fresh identity and add it to the group. It turns out that tree-based dynamic group key exchange protocols fit especially well in the instant messaging setting, where communication is asynchronous and we want to reduce the communication overhead: due to the tree structure, recovering induces essentially logarithmic overhead in the number of group members. What is also very helpful is that these removals and additions of users in tree-based protocols can be conducted non-interactively. The main idea is that all members of a group are represented by the leaves of a tree. Each node is associated with secrets and public values, and every member stores the secrets and public values at their own leaf and on the path from that leaf to the common root. The secret at the root, which is thereby contained in the local state of every member, essentially serves as the joint group key. Now, as you see here, I store all the secrets on the path from my own leaf to the root. The main contribution of early works on group ratcheting is the observation that this merging of removing and re-adding one's own identity can be used to realize group ratcheting.
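To make the logarithmic overhead concrete, here is a toy calculation; `path_length` is an illustrative helper of mine, not a function from the paper:

```python
import math

def path_length(n: int) -> int:
    """Nodes on a leaf-to-root path in a balanced binary tree over n
    leaves: a recovery refreshes exactly these nodes, which is why
    tree-based group key exchange has logarithmic recovery overhead."""
    return math.ceil(math.log2(n)) + 1

# A group of 1024 members needs only 11 nodes refreshed per recovery.
assert path_length(8) == 4       # leaf, two inner nodes, root
assert path_length(1024) == 11
```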
Another main contribution of these works, specifically by Karthikeyan Bhargavan, Richard Barnes, and Eric Rescorla, is the observation that the idea of Diffie-Hellman trees can be generalized to key encapsulation mechanism trees, moving from the Diffie-Hellman-specific construction to an abstract public-key encryption idea. Now I will give you an idea of how these constructions work. If, for example, Charlie wants to recover from an exposure, Charlie simply samples a new value x'_C and from it generates a new key pair for his own leaf. Charlie then deterministically derives another secret x'_CD as a seed for the parent of this leaf node, generates a key pair for this parent node from it, and continues like this for all remaining parents on the path from the leaf to the root. In order to let the other users learn the seeds of the nodes on their own paths, Charlie encrypts to the respective siblings along that path, that is, to the public keys of these siblings. So, to let Dave learn the seed of their common parent, the seed that is used both to generate the new key pair of the parent of Charlie and Dave and, in turn, the root key pair, Charlie simply encrypts this x'_CD to the public key of Dave. After this recovery, all the secrets that Charlie previously knew are updated, so an adversary who only exposed Charlie's secrets no longer knows any current secrets in the tree. Many further works enhanced these ideas of updating the secrets in these trees, for example by strengthening the forward secrecy guarantees, keeping the tree balanced, or even providing security against active adversaries. The main problem of all these ideas and strategies is that they do not achieve the goal we are looking for, namely concurrency of recoveries.
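A minimal sketch of Charlie's path update, with SHA-256 standing in as a toy for real key derivation and KEM key generation; the labels and the `keygen` shape are my illustrative assumptions, not the paper's scheme:

```python
import hashlib

def kdf(seed: bytes, label: bytes) -> bytes:
    # Toy key derivation; a real protocol would use e.g. HKDF.
    return hashlib.sha256(label + seed).digest()

def keygen(seed: bytes):
    # Toy stand-in for deterministic KEM key generation from a seed.
    sk = kdf(seed, b"sk")
    pk = kdf(sk, b"pk")
    return sk, pk

def update_path(leaf_seed: bytes, depth: int):
    """Derive fresh key pairs for every node from a leaf to the root:
    Charlie samples x'_C, generates a leaf key pair, deterministically
    derives the parent seed x'_CD, and repeats this up to the root."""
    seeds, keypairs = [], []
    seed = leaf_seed
    for _ in range(depth + 1):        # leaf, parent(s), root
        seeds.append(seed)
        keypairs.append(keygen(seed))
        seed = kdf(seed, b"parent")   # seed for the next node on the path
    return seeds, keypairs

seeds, keypairs = update_path(b"x'_C", depth=2)
# Dave receives seeds[1] (x'_CD) encrypted under his public key and can
# recompute keypairs[1] and keypairs[2] from it locally.
```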
The main problem that I want to mention here is that if Charlie and Dave try to recover from exposures of their old secrets at the same time, they would encrypt their newly generated secrets to public keys from an old state. These public keys belong to old secret keys, exactly the potentially exposed secret keys these users want to recover from, but since neither knows the new public keys of the respective partner yet, each would still encrypt the new secrets to the old keys, and thereby they would not effectively recover from these exposures. What you would essentially need is multi-party non-interactive key exchange, for which we have no efficient constructions yet. Okay, so what you see here is that all of these protocols indeed achieve post-compromise security with very little overhead, namely logarithmic in the number of group members, but none of them really achieves concurrency. There are some ways to circumvent the problems of concurrency, but essentially all of these circumventions give up either the small overhead or post-compromise security. For example, the MLS draft, in its current version 9, achieves concurrency and post-compromise security, but in this case the tree degrades to an essentially linear structure, and thereby a linear overhead in the number of group members is reached, which is not desirable. Another approach to handling concurrency keeps the tree structure, but then post-compromise security fails, much as I just sketched. Okay, there are other attempts and ways to achieve messaging and group ratcheting for the purpose of establishing group conversations.
For group conversations, WhatsApp, for example, simply uses forward-secure deterministic hash chains to update the secrets in a group. Thereby they achieve a minimal overhead, only constant in the number of group members, and they can also handle concurrency, but what they cannot achieve is post-compromise security. Another approach, by Signal, has very recently been analyzed formally: it simply uses the pairwise channels between each pair of group members, thereby achieving post-compromise security, as these pairwise channels are post-compromise secure, and also concurrency, as the pairwise channels are independent of each other. But since every group message then has to be encrypted for n different pairwise channels, the overhead is of course linear, which we don't want. So the question that we ask in this work is: is there a better way to achieve both post-compromise security and concurrency with an overhead significantly better than linear in the number of group members? Okay, I will answer this question first with our lower bound on the overhead. For analyzing the communication overhead, we introduce and develop a symbolic model. A symbolic model means that all entities in this model use variables that are just abstract symbols: these symbols have neither a bit representation nor an algebraic structure, so all that algorithms can do with these variables is follow fixed transition rules. In our model we define these transition rules, and I will give you some examples in a second. We also model that group ratcheting protocols can only communicate in a round-based fashion; within each round they can of course be invoked concurrently, so what we analyze is essentially concurrency in this round-based execution model.
Okay, so group ratcheting constructions can use the following fixed set of building blocks. By fixing this set, we reduce our consideration to the relevant building blocks and exclude exotic ones such as multilinear maps, multi-party non-interactive key exchange, or obfuscation, which are neither efficient nor really realistic. These building blocks are: dual pseudo-random functions, with which you can, for example, derive further random coins from random coins, or further symmetric keys from a symmetric key; key-updatable public-key encryption; and broadcast encryption. Our modeling of key-updatable public-key encryption is essentially strong enough to capture hierarchical identity-based encryption. This is relevant because a very recent work on very strong group ratcheting also uses HIBE. We also show that key-updatable public-key encryption is necessary to realize two-party ratcheting, in a work that I will present at Asiacrypt this year. What you see here are the different transition rules that we use: for example, from a message and a public key you can derive a ciphertext; from a ciphertext and the fitting secret key you can derive the message; from a secret key you can derive the fitting public key; and with key-updatable public-key encryption you can update a public key to a new public key, or a secret key to a new secret key. This is the way these algorithms are restricted to compute only what we explicitly allow them to compute. There are many more rules; you can find the full details in our paper. What we want to emphasize here is that these rules, and thereby these building blocks, model everything that previous group ratcheting constructions already used.
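The flavor of such symbolic derivation can be sketched as a closure computation over a couple of the rules just mentioned; the tuple encoding and rule names here are my simplification, not the paper's formal syntax:

```python
def derive_closure(known: set) -> set:
    """Repeatedly apply two symbolic transition rules until no new
    symbols appear: (sk -> matching pk) and (ciphertext + matching
    sk -> plaintext). Symbols are abstract tuples, not bit strings."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        new = set()
        for s in known:
            if s[0] == "sk":                          # sk -> fitting pk
                new.add(("pk", s[1]))
        for c in known:                               # ct + fitting sk -> m
            if c[0] == "enc" and ("sk", c[1]) in known:
                new.add(c[2])
        if not new <= known:
            known |= new
            changed = True
    return known

# An adversary who exposed Charlie's secret key and saw a ciphertext to
# Charlie can derive the encrypted seed; without the key, it cannot.
adv = derive_closure({("sk", "C"), ("enc", "C", ("m", "seed_CD"))})
assert ("m", "seed_CD") in adv
assert ("m", "seed_CD") not in derive_closure({("enc", "C", ("m", "seed_CD"))})
```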
So we do not restrict these constructions further than necessary, and not even further than what previous constructions essentially used. Our approach is partially inspired by the, from my perspective, very important work by Micciancio and Panjwani from Eurocrypt 2004, in which they prove a lower bound on the communication complexity of forward-secure multicast encryption. Their result shows that requiring forward secrecy from something similar to dynamic group key exchange requires sending a number of symbols to the group that is logarithmic in the number of group members. Since we consider post-compromise security and they consider forward secrecy, our two results may potentially apply additively to group ratcheting. Okay, so let's look at our proof idea. It starts with what I just mentioned: group ratcheting protocols are restricted to only using the symbolic building blocks and to following our transition rules. These constructions are required to compute secure group keys whenever our definition requires it, and I will give you an idea of this definition in a second. First of all, group keys are secure by definition if they cannot be derived by adversaries who also only follow the transition rules of our symbolic model. This means the adversary can only use the symbols obtained by exposing the local states of users, derive other values from them via the transition rules, and observe all symbols communicated over the public channel, the same channel over which the users recover. The requirement is that, as soon as every user who has been exposed has shared new information once, and afterwards one further user has also shared some information, the next group key that is computed must be secure again.
In this case, the group ratcheting protocol has to compute a key that is not derivable by an adversary via the transition rules that we define. Okay, so these are the requirements, and our proof statement is as follows. We prove that when establishing such secure group keys under t-concurrency, meaning that t members simultaneously try to recover from their exposures, every message that these recovering members send contains at least t-1 symbols. Symbols in this case means distinct secrets or distinct public values that these users share for recovering. Now I will give you some further details on our proof idea; for the full details I again refer you to our full paper. Our proof looks at three different rounds, beginning with an exposure of group members, in this case four members. In this round i-1, these four members are exposed, and you can observe that none of these exposed members has any secure, underivable secrets in their state anymore: the adversary can derive all the secrets that these users know. The second round now allows these previously exposed members to recover from the exposure. Since they still have no secure secrets in their state, they sample and generate new secrets, and from these secrets they can derive further values via the transition rules; specifically, they can derive new public values, which they then share with the entire group. Essentially, all four users sample distinct own secret values and derive from them distinct own public values, which they all share. Observe, and I will come back to this in a second, that these public values cannot somehow be merged.
Even if we would allow non-interactive key exchange, an outsider could not merge these public values, and this is a key observation here. Now, as I mentioned, in the final round the users who send in round i help the previous users, who want to recover, to effectively recover, so that afterwards all users can compute a secure joint group key again. What senders in this last round can do is respond to the public values that were shared in the previous round, and essentially a sender has to respond to each public value proposed in the previous round individually. Since we may have multiple senders in this last round, and they cannot coordinate because they act simultaneously and essentially concurrently, each user who sends in round i has to send the same amount of information. As we have two senders in this example, each of them has to send up to four values, one to each public key from the last round. This is only a very high-level sketch; the full details are a bit more complex, so please have a look at our paper. Of course, a sender who is recovering himself also sends in the last round: if a sender sends in both rounds i-1 and i, the sender does not need to send to him- or herself in round i again, but only to all remaining members. So what we see here is, as I already mentioned, that a user cannot merge the public values from the last round, and therefore every sending member has to send t messages to the t recoverers from the last round. As we potentially have t-concurrency, so t senders in every round, we get t squared messages per round, which is an overhead of t per round per sender.
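The counting behind this argument is simple enough to write down; `round_messages` is my illustrative helper for the back-of-the-envelope count, not a function from the paper:

```python
def round_messages(recoverers: int, senders: int) -> int:
    """Messages in the final round of the lower-bound argument.

    The recoverers' fresh public values cannot be merged, and the
    senders act concurrently and cannot coordinate, so every sender
    must address every recoverer's public value individually."""
    return senders * recoverers

# The talk's example: four recovering members, two concurrent helpers.
assert round_messages(4, 2) == 8
# With t-concurrency in every round (t senders, t recoverers):
t = 4
assert round_messages(t, t) == t * t    # t^2 messages per round,
assert round_messages(t, t) // t == t   # i.e. an overhead of t per sender
```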
Okay, so this was a very high-level idea of our lower bound; let's now look at our construction for the upper bound. Our construction is based on the tree structure from the beginning of this talk that other group ratcheting protocols also use. So let's look at these four users. If, for example, Charlie and Dave are exposed, then of course their paths are known: all the secrets linked to the nodes on the paths from their leaves to the root are known to the adversary, so these two users would need to update all the secrets on these paths. What these users effectively do, however, is only update their own leaves: in round i-1, if they know they have been exposed, or if they want to recover because they think they could have been exposed, they simply generate a new key pair, and this is everything they do in this round. Now, in the final round, the senders, in this case Alice and Dave, first repeat the step from round i-1, namely they generate new key pairs, but then they also help the senders from the previous round to update the nodes on their paths from leaf to root; that is, they generate key pairs for the joint parent of Charlie and Dave and for the root, whose secret is the joint group key. This works as follows. As I mentioned, they sample a secret value x'_CD and derive from it both a secret key for the parent of Charlie and Dave and, again from this value, a seed with which the root key pair is generated. In order to distribute all relevant information to Charlie and Dave, Alice and Dave encrypt this newly generated seed x'_CD to the new public keys from the round-i-1 key pairs of Charlie and Dave, with which both of them can derive all the secrets on their paths from their leaves to the root. This has a size of t_{i-1}, which in our example here is two.
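The key point, that one seed suffices for each recovering member to rebuild the whole shared path, can be sketched as follows; as before, SHA-256 with labels is a toy stand-in of mine for the real key derivation and key generation:

```python
import hashlib

def kdf(seed: bytes, label: bytes) -> bytes:
    # Toy derivation; a real protocol would use e.g. HKDF.
    return hashlib.sha256(label + seed).digest()

# Round i-1: each recovering member only refreshes its own leaf key pair.
charlie_leaf_sk = kdf(b"fresh randomness C", b"sk")
dave_leaf_sk = kdf(b"fresh randomness D", b"sk")

# Round i: a helper samples one seed x'_CD and rebuilds the shared path.
seed_CD = kdf(b"fresh randomness A", b"seed")
parent_sk = kdf(seed_CD, b"sk")        # key pair for Charlie/Dave's parent
root_seed = kdf(seed_CD, b"parent")
root_sk = kdf(root_seed, b"sk")        # key pair for the root

# The helper encrypts seed_CD under Charlie's and Dave's *new* leaf public
# keys: t_{i-1} = 2 ciphertexts. From seed_CD alone, each recoverer can
# recompute every secret on the path, so no further ciphertexts are needed.
recomputed_root_sk = kdf(kdf(seed_CD, b"parent"), b"sk")
assert recomputed_root_sk == root_sk
```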
Now all remaining users also need to learn the secrets required to derive the secrets and public values of the siblings along the updated paths of Charlie and Dave. In this case, the common parent of Alice and Bob needs to obtain the information necessary to derive the joint group key, and this can be reduced to the degree-one nodes in Steiner trees; you can look at the details in our paper. Essentially, the communication overhead induced by encrypting and distributing information to all siblings along the paths of the members who updated in round i-1 is t_{i-1} times log of n over t_{i-1}. Summing these two parts up gives the following communication complexity for t-concurrency: t plus t times log of n over t. This specializes to log n in the 1-concurrency case, and to O(n) in the n-concurrency case, which can also be handled, for example, by the Signal approach that I mentioned at the beginning of this talk. Again, this has only been a very high-level sketch of our idea; please look at our paper for the full details. We can now observe the following. We identified the problem that no previous protocol achieved post-compromise security, concurrency, and a small overhead at the same time. With our lower bound we prove that there is a minimal communication complexity, namely an overhead of t for t-concurrency, and with our upper bound we almost match it with t times 1 plus log of n over t. So this upper bound has only an additional logarithmic factor. An open question that remains after our work is how to close this gap, the logarithmic factor between our upper bound and our lower bound.
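Summing the two cost components from the talk gives the stated complexity; the function below just evaluates that formula to check the two extreme cases (the exact constants are simplified here):

```python
import math

def upper_bound(n: int, t: int) -> float:
    """Communication cost of the construction under t-concurrency in a
    group of n members: t ciphertexts to the recovering members' fresh
    leaf keys, plus about t*log2(n/t) ciphertexts covering the degree-one
    nodes of the Steiner tree spanned by the t updated paths."""
    return t + t * math.log2(n / t)

# The two extremes mentioned in the talk, up to constants:
assert upper_bound(1024, 1) == 11.0       # t = 1: the classic log(n) overhead
assert upper_bound(1024, 1024) == 1024.0  # t = n: linear, like pairwise channels
```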
Also, we only consider a round-based execution schedule, so we do not really consider full asynchrony, which future work could address. Another question that we do not entirely solve is which role non-interactive key exchange, not multi-party but two-party non-interactive key exchange, plays in this scenario. We assume that it does not really play a role, and we give some arguments for this, but it remains an open question for future work. One can also consider allowing a delay for achieving post-compromise security, which can potentially reduce the necessary overhead. Furthermore, we do not consider forward secrecy in our lower bound, so the lower bound is potentially even higher if both forward secrecy and post-compromise security are required. And finally, our results are of course applicable to the MLS draft, as we solve this concurrency issue much more efficiently than the current version, although our construction has some drawbacks compared to the current idea of the MLS draft. Okay, the full details and formal proofs of our work are available on ePrint, and you can always contact me via email or via Twitter. Thank you very much for your attention.