From f36c601a82bccf9ea3288ad9e6bfc5537fd35ec3705cc21f44a9608b29f6743d Mon Sep 17 00:00:00 2001
From: Nadim Kobeissi
Date: Fri, 27 Jun 2025 17:09:10 +0200
Subject: [PATCH] Slides 2.3: Finish! + move the PQ stuff to Topic 2.7
---
 slides/2-3.tex | 140 +++++++++++++++++++++++------
 slides/2-7.tex | 17 ++++
 slides/images/pq3_apple.png | 3 +
 slides/images/treekem.pdf | 3 -
 slides/images/treekem_a.png | 3 +
 slides/images/treekem_b.png | 3 +
 slides/images/treekem_update_1.pdf | 3 -
 slides/images/treekem_update_2.pdf | 3 -
 slides/images/treekem_update_3.pdf | 3 -
 website/index.html | 10 ++-
 10 files changed, 147 insertions(+), 41 deletions(-)
 create mode 100644 slides/images/pq3_apple.png
 delete mode 100644 slides/images/treekem.pdf
 create mode 100644 slides/images/treekem_a.png
 create mode 100644 slides/images/treekem_b.png
 delete mode 100644 slides/images/treekem_update_1.pdf
 delete mode 100644 slides/images/treekem_update_2.pdf
 delete mode 100644 slides/images/treekem_update_3.pdf
diff --git a/slides/2-3.tex b/slides/2-3.tex
index d7bd530..ff8e9e9 100644
--- a/slides/2-3.tex
+++ b/slides/2-3.tex
@@ -16,12 +16,6 @@
 \titlepage
 \end{frame}
 
-\begin{frame}{Slides not complete and may contain errors}
- \begin{itemize}
- \item This slide deck is not finished, may contain errors, and is missing important material. Do not rely on it yet.
- \end{itemize}
-\end{frame}
-
 \section{The Dark Ages}
 
 \begin{frame}{The Dark Ages}
@@ -1797,7 +1791,7 @@
 \end{alertblock}
 \end{frame}
 
-\section{Group Secure Messaging (WORK IN PROGRESS)}
+\section{Group Secure Messaging}
 
 \begin{frame}{The Group Messaging Problem}
 \begin{columns}[c]
@@ -1929,33 +1923,127 @@
 \end{columns}
 \end{frame}
 
-\begin{frame}{TreeKEM}
- \bigimagewithcaption{treekem.pdf}{Source: Joy of Cryptography}
+\begin{frame}{Quick note: HPKE}
+ \begin{columns}[c]
+ \begin{column}{0.5\textwidth}
+ \textbf{Hybrid Public Key Encryption (RFC 9180)\footnote{\url{https://www.rfc-editor.org/rfc/rfc9180.html}}}
+ \begin{itemize}
+ \item Combines asymmetric + symmetric crypto
+ \item Encrypts to public key, no interaction needed
+ \item Used in TLS 1.3, MLS, and more
+ \end{itemize}
+ \textbf{Two-step process:}
+ \begin{enumerate}
+ \item \textbf{Encapsulation}: Generate shared secret
+ \item \textbf{Seal}: Encrypt data with that secret
+ \end{enumerate}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \textbf{Simple Example:}
+ \begin{exampleblock}{Sender (Alice)}
+ \ttfamily\scriptsize
+ // Bob's public key: pk\_bob\\
+ (enc, ctx) = HPKE.Setup(pk\_bob)\\
+ ciphertext = ctx.Seal("Hello Bob!")\\
+ // Send: (enc, ciphertext)
+ \end{exampleblock}
+ \begin{exampleblock}{Receiver (Bob)}
+ \ttfamily\scriptsize
+ // Bob's private key: sk\_bob\\
+ ctx = HPKE.Setup(enc, sk\_bob)\\
+ plaintext = ctx.Open(ciphertext)\\
+ // plaintext = "Hello Bob!"
+ \end{exampleblock}
+ \textbf{Key benefit:} One-shot encryption without prior key exchange!
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}{TreeKEM: use a tree to manage group AKE}
+ \begin{columns}[c]
+ \begin{column}{0.5\textwidth}
+ \textbf{Tree of Subgroups:}
+ \begin{itemize}
+ \item Each node = subgroup with secret (e.g., $s_{abc}$)
+ \item Corresponding public key (e.g., $\texttt{pk}_{abc}$)
+ \item Example: $s_{abcde}$ is the group key
+ \end{itemize}
+ \textbf{Member Knowledge:}
+ \begin{itemize}
+ \item Member $b$ knows: $s_{ab}$, $s_{abc}$, $s_{abcde}$
+ \item Only secrets on path to root
+ \item Cannot compute sibling secrets
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \textbf{Updating Keys (Commit):}
+ \begin{itemize}
+ \item Member $b$ updates its path:
+ \begin{itemize}
+ \item $s_{ab} \rightarrow s'_{ab}$
+ \item $s_{abc} \rightarrow s'_{abc}$
+ \item $s_{abcde} \rightarrow s'_{abcde}$
+ \end{itemize}
+ \item Encrypt to siblings:
+ \begin{itemize}
+ \item $\func{hpke}{\texttt{pk}_c, s'_{abc}}$
+ \item $\func{hpke}{\texttt{pk}_{de}, s'_{abcde}}$
+ \end{itemize}
+ \end{itemize}
+ \begin{alertblock}{Efficiency Win}
+ For $n$ members: Only $\log(n)$ encryptions!\\
+ Example: 8 members = 3 encryptions
+ \end{alertblock}
+ \end{column}
+ \end{columns}
 \end{frame}
 
 \begin{frame}{TreeKEM}
- \bigimagewithcaption{treekem_update_1.pdf}{Source: Joy of Cryptography}
+ \bigimagewithcaption{treekem_a.png}{Source: Théophile Wallez}
 \end{frame}
 
 \begin{frame}{TreeKEM}
- \bigimagewithcaption{treekem_update_2.pdf}{Source: Joy of Cryptography}
+ \bigimagewithcaption{treekem_b.png}{Source: Théophile Wallez}
 \end{frame}
 
-\begin{frame}{TreeKEM}
- \bigimagewithcaption{treekem_update_3.pdf}{Source: Joy of Cryptography}
-\end{frame}
-
-% MLS critique
-
-\section{Post-Quantum Secure Messaging}
-% PQ3
-% PQX3DH
-% https://github.com/signalapp/SparsePostQuantumRatchet/
-
-\begin{frame}{Slides not complete and may contain errors}
- \begin{itemize}
- \item This slide deck is not finished, may contain errors, and is missing important material. Do not rely on it yet.
- \end{itemize}
+\begin{frame}{MLS: reality check}
+ \begin{columns}[c]
+ \begin{column}{0.5\textwidth}
+ \textbf{The Complexity Problem:}
+ \begin{itemize}
+ \item \textbf{Massive specification}: RFC 9420 is 132 pages!
+ \item \textbf{Implementation nightmare}:
+ \begin{itemize}
+ \item Multiple tree operations
+ \item Complex state management
+ \item Intricate error handling
+ \end{itemize}
+ \item \textbf{Correctness is hard}:
+ \begin{itemize}
+ \item Easy to get wrong
+ \item Subtle security bugs
+ \item Few complete implementations
+ \end{itemize}
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \textbf{Developer Hostility:}
+ \begin{itemize}
+ \item \textbf{No standard API}:
+ \begin{itemize}
+ \item Each implementation different
+ \item No drop-in replacement
+ \item Steep learning curve
+ \end{itemize}
+ \item \textbf{Infrastructure requirements}:
+ \begin{itemize}
+ \item Need custom delivery service
+ \item Complex server-side logic
+ \item State synchronization issues
+ \end{itemize}
+ \end{itemize}
+ \end{column}
+ \end{columns}
 \end{frame}
 
 \begin{frame}[plain]
diff --git a/slides/2-7.tex b/slides/2-7.tex
index 6e82427..4aaff24 100644
--- a/slides/2-7.tex
+++ b/slides/2-7.tex
@@ -22,6 +22,23 @@
 \end{itemize}
 \end{frame}
 
+\section{Post-Quantum Secure Messaging}
+% PQ3
+\begin{frame}{Apple iMessage: PQ3}
+ \bigimagewithcaption{pq3_apple.png}{Source: Apple Security Engineering and Architecture (SEAR)}
+\end{frame}
+
+\begin{frame}{Signal: PQXDH}
+\end{frame}
+
+% https://github.com/signalapp/SparsePostQuantumRatchet/
+
+\begin{frame}{Slides not complete and may contain errors}
+ \begin{itemize}
+ \item This slide deck is not finished, may contain errors, and is missing important material. Do not rely on it yet.
+ \end{itemize}
+\end{frame}
+
 \begin{frame}[plain]
 \titlepage
 \end{frame}
diff --git a/slides/images/pq3_apple.png b/slides/images/pq3_apple.png
new file mode 100644
index 0000000..85dc039
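Review bot: The `Encrypt to siblings:` list on the new TreeKEM slide is missing one hop: member $b$ refreshes $s_{ab}$, so its leaf sibling $a$ must be given $s'_{ab}$ too, and the list should also contain `\item $\func{hpke}{\texttt{pk}_a, s'_{ab}}$`. With that third encryption the example matches the `Only $\log(n)$ encryptions!` alertblock (three siblings on $b$'s path: $a$, $c$ and $de$), whereas the two listed do not. On the HPKE slide, `\item Used in TLS 1.3, MLS, and more` is imprecise, since HPKE is used by the TLS Encrypted Client Hello extension rather than by TLS 1.3 itself; `\item Used in TLS Encrypted Client Hello, MLS, and more` would be accurate.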
--- /dev/null
+++ b/slides/images/pq3_apple.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:db1bc71b9dafa553bec53aea8d72f06c159aabbe6135a6f67ca0f378f1ebaaf0
+size 716910
diff --git a/slides/images/treekem.pdf b/slides/images/treekem.pdf
deleted file mode 100644
index 81f1483..0000000
--- a/slides/images/treekem.pdf
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a23f31abe32b4aba9440b8588d2ad32ad5e5aecd2b47eb266fd0cd2b43362cb2
-size 86531
diff --git a/slides/images/treekem_a.png b/slides/images/treekem_a.png
new file mode 100644
index 0000000..7c7e9b9
--- /dev/null
+++ b/slides/images/treekem_a.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:68f267ead8a3bcdce4120d9dae83905cd8c600ac2e008227457a54e862f3fa8e
+size 251279
diff --git a/slides/images/treekem_b.png b/slides/images/treekem_b.png
new file mode 100644
index 0000000..613c130
--- /dev/null
+++ b/slides/images/treekem_b.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a924b135c984113379d366135f990e5406c3a959b27288c202b55acee0efc824
+size 125545
diff --git a/slides/images/treekem_update_1.pdf b/slides/images/treekem_update_1.pdf
deleted file mode 100644
index bd2cc39..0000000
--- a/slides/images/treekem_update_1.pdf
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d9532422e9266c7b4f84d4070b1a262376f759e7020a93c2fbf8e70f74602283
-size 93454
diff --git a/slides/images/treekem_update_2.pdf b/slides/images/treekem_update_2.pdf
deleted file mode 100644
index e606613..0000000
--- a/slides/images/treekem_update_2.pdf
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7c677fc2e8fe2a46499a00cc4cdd9d2080af07a171ef3229077fc188cbbe08df
-size 87928
diff --git a/slides/images/treekem_update_3.pdf b/slides/images/treekem_update_3.pdf
deleted file mode 100644
index 9c42ba8..0000000
--- a/slides/images/treekem_update_3.pdf
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8cbafc8dbf677f1a52127c3160a2826dee8620351af299e179f9de807daceaee
-size 97185
diff --git a/website/index.html b/website/index.html
index 494d00a..44b57eb 100755
--- a/website/index.html
+++ b/website/index.html
@@ -210,6 +210,7 @@
  • Ange Albertini, Thai Duong, Shay Gueron, Stefan Kölbl, Atul Luykx, and Sophie Schmieg, How to Abuse and Fix Authenticated Encryption Without Key Commitment, USENIX Security Symposium, 2022.
  • Michael Luby and Charles Rackoff, How To Construct Pseudorandom Permutations From Pseudorandom Functions, Society for Industrial and Applied Mathematics, 1988.
  • Nick Sullivan, Killing RC4: The Long Goodbye, Cloudflare Blog, 2014.
  • +
  • Apple Security Engineering and Architecture (SEAR), iMessage with PQ3: The new state of the art in quantum-secure messaging at scale, Apple Security Research, 2024.
  • David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin and Paul Zimmermann, Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice, ACM CCS, 2015.
  • Cas Cremers, Niklas Medinger and Aurora Naska, Impossibility Results for Post-Compromise Security in Real-World Communication Systems, IEEE Symposium on Security and Privacy, 2025.
  • Chris Alexander and Ian Goldberg, Improved User Authentication in Off-The-Record Messaging, Workshop on Privacy in the Electronic Society, 2007.
  • @@ -225,6 +226,7 @@
  • Cas Cremers and Dennis Jackson, Prime, Order Please! Revisiting Small Subgroup and Invalid Curve Attacks on Protocols using Diffie-Hellman, IEEE CSF, 2019.
  • Project Everest Team, Project Everest: Perspectives from Developing Industrial-Grade High-Assurance Software, Microsoft Research, 2025.
  • Matthew McPherrin, Reflections on a Year of Sunlight, Let's Encrypt Blog, 2025.
  • +
  • Richard Barnes, Karthikeyan Bhargavan, Benjamin Lipp and Christopher Wood, RFC 9810: Hybrid Public Key Encryption, RFC Editor, 2022.
  • Daniel J. Bernstein and Tanja Lange, SafeCurves: choosing safe curves for elliptic-curve cryptography, SafeCurves, 2017.
  • Joël Alwen, Binyi Chen, Krzysztof Pietrzak, Leonid Reyzin and Stefano Tessaro, Scrypt Is Maximally Memory-Hard, IACR Eurocrypt, 2017.
  • Hugo Krawczyk, SIGMA: the 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and its Use in the IKE Protocols, IACR Crypto, 2003.
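Review bot: The entry added in this hunk, `Richard Barnes, Karthikeyan Bhargavan, Benjamin Lipp and Christopher Wood, RFC 9810: Hybrid Public Key Encryption, RFC Editor, 2022.`, carries a transposed RFC number: Hybrid Public Key Encryption is RFC 9180, which is also the number the HPKE slide footnote in slides/2-3.tex of this same commit cites, so the entry should read `RFC 9180: Hybrid Public Key Encryption`. The identical entry is added again in the `@@ -525,10 +527,8 @@` hunk and needs the same correction. The enclosing list element begins and ends outside this hunk.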
  • @@ -525,10 +527,8 @@
  • Martin R. Albrecht, Benjamin Dowling and Daniel Jones, Formal Analysis of Multi-Device Group Messaging in WhatsApp, IACR Eurocrypt, 2025.
  • Paul Rösler, Christian Mainka and Jörg Schwenk, More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema, IEEE European Symposium on Security and Privacy, 2018.
  • David Balbás, Daniel Collins and Phillip Gajland, WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs, IACR Asiacrypt, 2023.
  • -
  • Felix Linker, Ralf Sasse and David Basin, A Formal Analysis of Apple’s iMessage PQ3 Protocol, USENIX Security Symposium, 2025.
  • +
  • Richard Barnes, Karthikeyan Bhargavan, Benjamin Lipp and Christopher Wood, RFC 9810: Hybrid Public Key Encryption, RFC Editor, 2022.
  • Théophile Wallez, A Verification Framework for Secure Group Messaging, PSL Université Paris, 2025.
  • -
  • Karthikeyan Bhargavan, Charlie Jacomme, Franziskus Kiefer and Rolfe Schmidt, Formal Verification of the PQXDH Post-Quantum Key Agreement Protocol for End-to-End Secure Messaging, USENIX Security Symposium, 2024.
  • -
  • Yevgeniy Dodis, Daniel Jost, Shuichi Katsumata, Thomas Prest and Rolfe Schmidt, Triple Ratchet: A Bandwidth Efficient Hybrid-Secure Signal Protocol, IACR Eurocrypt, 2025.
  • @@ -594,6 +594,10 @@
    Optional Readings