How to Hide MetaData in Secure Group Messaging

Undescribed Horrific Abuse, One Victim & Survivor of Many gmkarl at gmail.com
Mon Nov 21 06:27:41 PST 2022


I thought I’d post something that wasn’t spam and went off to look for
recent papers. Maybe I’ll do this again or something.

https://dl.acm.org/doi/10.1145/3548606.3560679
https://dl.acm.org/doi/pdf/10.1145/3548606.3560679

How to Hide MetaData in MLS-Like Secure Group Messaging: Simple,
Modular, and Post-Quantum

Secure group messaging (SGM) protocols allow large groups of users to
communicate in a secure and asynchronous manner. In recent years,
continuous group key agreements (CGKAs) have provided a powerful
abstraction to reason on the security properties we expect from SGM
protocols. While robust techniques have been developed to protect the
contents of conversations in this context, it is in general more
challenging to protect metadata (e.g. the identity and social
relationships of group members), since their knowledge is often needed
by the server in order to ensure the proper function of the SGM
protocol.

In this work, we provide a simple and generic wrapper protocol that
upgrades non-metadata-hiding CGKAs into metadata-hiding CGKAs. Our key
insight is to leverage the existence of a unique continuously evolving
group secret key shared among the group members. We use this key to
perform a group membership authentication protocol that convinces the
server in an anonymous manner that a user is a legitimate group
member. Our technique only uses a standard signature scheme, and thus,
the wrapper protocol can be instantiated from a wide range of
assumptions, including post-quantum ones. It is also very efficient,
as it increases the bandwidth cost of the underlying CGKA operations
by at most a factor of two.

To formally prove the security of our protocol, we use the universal
composability (UC) framework and model a new ideal functionality
ℱ_mhCGKA capturing the correctness and security guarantee of
metadata-hiding CGKA. To capture the above intuition of a "wrapper"
protocol, we also define a restricted ideal functionality ℱ^ctxt_CGKA,
which roughly captures a non-metadata-hiding CGKA. We then show that
our wrapper protocol UC-realizes ℱ_mhCGKA in the ℱ^ctxt_CGKA-hybrid
model, which in particular formalizes the intuition that any
non-metadata-hiding CGKA can be modularly bootstrapped into
metadata-hiding CGKA.
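
A sketch of the membership-authentication idea in the abstract, added here as an example and not taken from the paper or the post: every member derives the same signing key from the epoch's group secret, and the server verifies a signed challenge without learning who signed. The HMAC-based derivation, its label, the `Server` type and the use of Ed25519 as the "standard signature scheme" are assumptions; how the server learns each epoch's verification key is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DeriveAuthKey gives every member of an epoch the same signing key, derived
// from that epoch's group secret (label and derivation are assumptions).
func DeriveAuthKey(groupSecret []byte, epoch uint64) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, groupSecret)
	fmt.Fprintf(mac, "mh-auth-example/epoch/%d", epoch)
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// Server holds one group's current verification key and no member identities.
type Server struct {
	key    ed25519.PublicKey
	nonces map[string]bool
}

// Challenge issues a fresh single-use nonce.
func (s *Server) Challenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	s.nonces[string(n)] = true
	return n
}

// Authenticate learns only that some current member signed the nonce.
func (s *Server) Authenticate(nonce, sig []byte) bool {
	fresh := s.nonces[string(nonce)]
	delete(s.nonces, string(nonce))
	return fresh && ed25519.Verify(s.key, nonce, sig)
}

func main() {
	secret := []byte("constructed epoch-1 group secret")
	alice, bob := DeriveAuthKey(secret, 1), DeriveAuthKey(secret, 1)
	srv := &Server{key: alice.Public().(ed25519.PublicKey), nonces: map[string]bool{}}
	n := srv.Challenge()
	fmt.Println("bob accepted:", srv.Authenticate(n, ed25519.Sign(bob, n)))
}
```

Because all members hold the same key and Ed25519 signing is deterministic, two members answering the same challenge produce identical signatures; a key derived from an earlier epoch's secret stops verifying once the server holds the next epoch's key.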

