Common use of Security Model and Safe Predicate Clause in Contracts

Security Model and Safe Predicate. To analyze the security of CoCoA, we essentially use the security model from [23], which allows the adversary to act partially actively and fully adaptively: in this model, the adversary can adaptively decide which users perform which operations and can actively control the delivery server; however, it cannot issue messages on behalf of the users. In [23] this is enforced by assuming authenticated channels. In CoCoA, the signing of protocol messages is more involved, parent hash also plays an important role for security against partially active adversaries, and the server no longer just relays messages; we therefore make the use of signatures explicit in this work. As we restrict our analysis to partially active adversaries, the adversary does not get access to signing keys via corruptions. While this might look artificial, it has importance in practice, as discussed in the introduction, and we still obtain meaningful results in the vein of [23]. Nevertheless, we consider the analysis of CoCoA’s security against fully active adversaries an important question for future work. Except for explicit signatures, the setting of concurrent CGKA differs from the one of [23] in that 1) users process concurrent messages, 2) no messages are ever rejected by the server, and 3) the server is allowed to send arbitrary (potentially malformed) messages. Regarding 2), it is, however, possible that messages get lost and even that a user does not process an update they generated. Whether a user IDi’s update message (and which one) is contained in a round message Mi is represented by a counter ci.
Finally, regarding 3), while our security notion is strictly stronger than the one from [23] (where the server could only forward existing messages), the security of protocols such as TreeKEM and TTKEM can trivially be upgraded to our notion: this is true since round messages in these protocols only consist of signed messages and the adversary does not learn any party’s signing key. In our protocols, in contrast, the server is assumed to perform some computation on users’ messages; hence it makes sense to consider a stronger model where this computation is not trusted.

Appears in 1 contract

Sources: Concurrent Continuous Group Key Agreement
