---
res:
  bibo_abstract:
  - "Messaging platforms like Signal are widely deployed and provide strong security
    in an asynchronous setting. It is a challenging problem to construct a protocol
    with similar security guarantees that can efficiently scale to large groups. A
    major bottleneck is the frequent key rotations users need to perform to achieve
    post compromise forward security.\r\n\r\nIn current proposals – most notably in
    TreeKEM (which is part of the IETF’s Messaging Layer Security (MLS) protocol draft)
    – for users in a group of size n to rotate their keys, they must each craft a
    message of size log(n) to be broadcast to the group using an (untrusted) delivery
    server.\r\n\r\nIn larger groups, having users sequentially rotate their keys requires
    too much bandwidth (or takes too long), so variants allowing any T≤n users to
    simultaneously rotate their keys in just 2 communication rounds have been suggested
    (e.g. “Propose and Commit” by MLS). Unfortunately, 2-round concurrent updates
    are either damaging or expensive (or both); i.e. they either result in future
    operations being more costly (e.g. via “blanking” or “tainting”) or are costly
    themselves requiring Ω(T) communication for each user [Bienstock et al., TCC’20].\r\n\r\nIn
    this paper we propose CoCoA; a new scheme that allows for T concurrent updates
    that are neither damaging nor costly. That is, they add no cost to future operations
    yet they only require Ω(log^2(n)) communication per user. To circumvent the [Bienstock
    et al.] lower bound, CoCoA increases the number of rounds needed to complete all
    updates from 2 up to (at most) log(n); though typically fewer rounds are needed.\r\n\r\nThe
    key insight of our protocol is the following: in the (non-concurrent version of)
    TreeKEM, a delivery server which gets T concurrent update requests will approve
    one and reject the remaining T−1. In contrast, our server attempts to apply all
    of them. If more than one user requests to rotate the same key during a round,
    the server arbitrarily picks a winner. Surprisingly, we prove that regardless
    of how the server chooses the winners, all previously compromised users will recover
    after at most log(n) such update rounds.\r\n\r\nTo keep the communication complexity
    low, CoCoA is a server-aided CGKA. That is, the delivery server no longer blindly
    forwards packets, but instead actively computes individualized packets tailored
    to each user. As the server is untrusted, this change requires us to develop new
    mechanisms ensuring robustness of the protocol.@eng"
  bibo_authorlist:
  - foaf_Person:
      foaf_givenName: Joël
      foaf_name: Alwen, Joël
      foaf_surname: Alwen
  - foaf_Person:
      foaf_givenName: Benedikt
      foaf_name: Auerbach, Benedikt
      foaf_surname: Auerbach
      foaf_workInfoHomepage: http://www.librecat.org/personId=D33D2B18-E445-11E9-ABB7-15F4E5697425
    orcid: 0000-0002-7553-6606
  - foaf_Person:
      foaf_givenName: Miguel
      foaf_name: Cueto Noval, Miguel
      foaf_surname: Cueto Noval
      foaf_workInfoHomepage: http://www.librecat.org/personId=ffc563a3-f6e0-11ea-865d-e3cce03d17cc
    orcid: 0000-0002-2505-4246
  - foaf_Person:
      foaf_givenName: Karen
      foaf_name: Klein, Karen
      foaf_surname: Klein
      foaf_workInfoHomepage: http://www.librecat.org/personId=3E83A2F8-F248-11E8-B48F-1D18A9856A87
  - foaf_Person:
      foaf_givenName: Guillermo
      foaf_name: Pascual Perez, Guillermo
      foaf_surname: Pascual Perez
      foaf_workInfoHomepage: http://www.librecat.org/personId=2D7ABD02-F248-11E8-B48F-1D18A9856A87
    orcid: 0000-0001-8630-415X
  - foaf_Person:
      foaf_givenName: Krzysztof Z
      foaf_name: Pietrzak, Krzysztof Z
      foaf_surname: Pietrzak
      foaf_workInfoHomepage: http://www.librecat.org/personId=3E04A7AA-F248-11E8-B48F-1D18A9856A87
    orcid: 0000-0002-9139-1654
  - foaf_Person:
      foaf_givenName: Michael
      foaf_name: Walter, Michael
      foaf_surname: Walter
  bibo_doi: 10.1007/978-3-031-07085-3_28
  bibo_volume: 13276
  dct_date: 2022^xs_gYear
  dct_identifier:
  - UT:000832305300028
  dct_isPartOf:
  - http://id.crossref.org/issn/0302-9743
  - http://id.crossref.org/issn/1611-3349
  - http://id.crossref.org/issn/9783031070846
  dct_language: eng
  dct_publisher: Springer Nature@
  dct_title: 'CoCoA: Concurrent continuous group key agreement@'
...
