Collins D, Rösler P (2025)
Publication Type: Conference contribution
Publication year: 2025
Publisher: Springer Science and Business Media Deutschland GmbH
Book Volume: 16007 LNCS
Pages Range: 75-108
Conference Proceedings Title: Lecture Notes in Computer Science
Event location: Santa Barbara, CA
ISBN: 9783032019127
DOI: 10.1007/978-3-032-01913-4_3
Continuous Group Key Agreement (CGKA) is a primitive with which members of a group can continuously establish shared keys. With every interaction, these members also update their individual, local secrets such that temporary corruptions of these secrets only affect the security of shared keys established shortly before (Forward Security; FS) and after the corruption (Post-Compromise Security; PCS). Due to these interactive updates—possibly enriched by dynamic group membership changes—CGKA is a very powerful but also very complex primitive. In this work, we limit the power of CGKA to identify and analyze its core components. More concretely, we consider the case that all members of a group are always either senders or receivers. Thus, the interaction is strictly unidirectional from the former to the latter: a group of senders Alice establishes shared keys with a group of receivers Bob. With every shared key, Alice updates her local state to achieve FS and PCS; when receiving an established key, each Bob also updates their local state to achieve FS. This notion naturally lifts the so-called Unidirectional Ratcheted Key Exchange concept (Bellare et al., Crypto 2017; Poettering and Rösler, Crypto 2018) to the group setting and, thereby, captures and generalizes Signal’s Sender Key Mechanism, which is the core of WhatsApp and Signal’s group chat protocols. We modularize this concept of Group Unidirectional RKE (GURKE) by considering either single or multiple senders, single or multiple receivers, and static or dynamic membership on each of both sides of the group. To instantiate these new primitives, we develop a building block called Updatable Broadcast KEM (UB-KEM). Using UB-KEM, our GURKE constructions for static groups only use standard Key Encapsulation Mechanisms (KEMs) and induce only a constant communication overhead.
Our GURKE constructions for dynamic groups are based on general Non-Interactive Key Exchange (NIKE) and offer a constant communication overhead as long as the set of members is unchanged; only for adding and removing users, a communication overhead logarithmic in the group size is induced. We discuss the benefits of replacing the Sender Key Mechanism in Signal and WhatsApp with our constructions, and demonstrate their practicality with a performance evaluation of our proof-of-concept UB-KEM implementation.
APA:
Collins, D., & Rösler, P. (2025). GURKE: Group Unidirectional Ratcheted Key Exchange. In Yael Tauman Kalai, Seny F. Kamara (Eds.), Lecture Notes in Computer Science (pp. 75-108). Santa Barbara, CA, US: Springer Science and Business Media Deutschland GmbH.
MLA:
Collins, Daniel, and Paul Rösler. "GURKE: Group Unidirectional Ratcheted Key Exchange." Proceedings of the 45th Annual International Cryptology Conference, CRYPTO 2025, Santa Barbara, CA. Ed. Yael Tauman Kalai, Seny F. Kamara, Springer Science and Business Media Deutschland GmbH, 2025. 75-108.