2025-10-25 03:54:21 -04:00
commit da9a2906c3
43 changed files with 19617 additions and 0 deletions

120
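--- a/diagrams/ake-server.tex
+++ b/diagrams/ake-server.tex
@@ -0,0 +1,120 @@
+\begin{figure}[h!]
+\centering
+%\footnotesize % Apply footnotesize to all text
+\setmsckeyword{}
+\drawframe{no} % uncomment to not draw a frame
+\begin{msc}[
+/msc/title top distance=0cm,
+/msc/first level height=.1cm,
+/msc/last level height=0.7cm, % Slightly reduced
+/msc/head height=0cm,
+/msc/instance width=0cm,
+/msc/head top distance=0.5cm,
+/msc/foot distance=-0.0cm,
+/msc/instance width=0cm,
+/msc/every label/.append style = { % extra style for all labels
+/tikz/fill = white, % paint a white rectangle
+/tikz/draw = none, % no border
+/tikz/inner sep = 1pt % a little padding
+},
+/msc/condition height=0.1cm, % Reduced condition height
+]{}
+%%%%%%%%%%%%%%%%%% CONFIG %%%%%%%%%%%%%%%%%%%%%%%%%
+\setlength{\instwidth}{0\mscunit} % to remove default box below agents
+\setlength{\instdist}{2.21cm} % default value between agents
+%%%%%%%%%%%%%%%%%% AGENTS %%%%%%%%%%%%%%%%%%%%%%%%%
+\declinst{A}{ % Alice
+\begin{tabular}[c]{c}
+Alice (Initiator) \\
+\end{tabular}
+}{}
+\declinst{Server}{ % Alice
+\begin{tabular}[c]{c}
+Server \\
+\end{tabular}
+}{}
+\declinst{B}{ % Bob
+\begin{tabular}[c]{c}
+Bob (Responder)
+\end{tabular}
+}{}
+\nextlevel[0.25]
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\textsf{(pk\textsubscript{A}, sk\textsubscript{A}) = DH\_Gen()} \\
+\textsf{(spk\textsubscript{A}, ssk\textsubscript{A}) = SignGen()} \\
+\textsf{sig\_pk\textsubscript{A} = Sign(spk\textsubscript{A}, pk\textsubscript{A})}
+\end{tabular}
+}{A}
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\textsf{(pk\textsubscript{B}, sk\textsubscript{B}) = DH\_Gen()} \\
+\textsf{(spk\textsubscript{B}, ssk\textsubscript{B}) = SignGen()} \\
+\textsf{sig\_pk\textsubscript{B} = Sign(spk\textsubscript{B}, pk\textsubscript{B})}
+\end{tabular}
+}{B}
+\nextlevel[3]
+\condition{{{\footnotesize out-of-band verification of \textsf{spk\textsubscript{A}, spk\textsubscript{B}}}}}{B,A,Server}
+%\nextlevel[2.5]
+%\mess{\footnotesize\textsf{spk\textsubscript{A}, sig\_pk\textsubscript{A}, pk\textsubscript{A}}}{A}{B}
+\nextlevel[2.5]
+\mess{\footnotesize\textsf{spk\textsubscript{B}, sig\_pk\textsubscript{B}, pk\textsubscript{B}}}{B}{Server}
+\nextlevel[1.25]
+\mess{\footnotesize Request pre-keys}{A}{Server}
+\nextlevel[1.25]
+\mess{\footnotesize\textsf{spk\textsubscript{B}, sig\_pk\textsubscript{B}, pk\textsubscript{B}}}{Server}{A}
+\nextlevel[0.75]
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\textsf{if CheckSign(spk\textsubscript{B}, pk\textsubscript{B}, sig\_pk\textsubscript{B})} \\
+\textsf{key = DH(sk\textsubscript{A}, pk\textsubscript{B})}
+\end{tabular}
+}{A}
+\nextlevel[3.15]
+% \mess{\footnotesize\textsf{spk\textsubscript{A}, sig\_pk\textsubscript{A}, pk\textsubscript{A}}}{A}{B}
+% \mess{\footnotesize\raisebox{-0.5ex}\colorbox{white}{\textsf{spk\textsubscript{A}, sig\_pk\textsubscript{A}, pk\textsubscript{A}}}}{A}{B}
+\mess{%
+\smash{\raisebox{-0.05ex}{\makebox[0pt]{%
+\colorbox{white}{\footnotesize\textsf{spk\textsubscript{A}, sig\_pk\textsubscript{A}, pk\textsubscript{A}}}%
+}}}
+}{A}{B}
+\nextlevel[0.5]
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\textsf{if CheckSign(spk\textsubscript{A}, pk\textsubscript{A}, sig\_pk\textsubscript{A})} \\
+\textsf{key = DH(sk\textsubscript{B}, pk\textsubscript{A})}
+\end{tabular}
+}{B}
+\nextlevel[1]
+\end{msc}
+\caption{An example workflow of asynchronous authenticated key exchange. Bob, the responder, uploads his pre-key material ({\footnotesize\textsf{spk\textsubscript{B}, sig\_pk\textsubscript{B}, pk\textsubscript{B}}}) to the server. Alice, the initiator, fetches Bob's key material from the central server at her leasure, and initiates the authenticated key exchange and \textsf{DH} key agreement}
+\end{figure}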
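Review bot: In both key-generation actions, `Sign(spk\textsubscript{A}, pk\textsubscript{A})` and its B counterpart pass the public signing key to `Sign`, although `SignGen()` yields `(spk, ssk)` and the later `CheckSign` verifies under `spk`. A signature that anyone can produce from public material authenticates nothing, so the lines should read `\textsf{sig\_pk\textsubscript{A} = Sign(ssk\textsubscript{A}, pk\textsubscript{A})}` and likewise for B. The same slip appears in diagrams/ake.tex, in diagrams/megolm.tex (`Sign(opk\ts{A}, eph\_pk\ts{A})`) and in diagrams/session-trans.tex (`Sign(pk\textsubscript{A}, x1)`). Separately, the caption spells "leisure" as "leasure" and ends without a period, the figure has no `\label`, and the `% Alice` comment on the Server instance is a copy-paste leftover.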

85
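--- a/diagrams/ake.tex
+++ b/diagrams/ake.tex
@@ -0,0 +1,85 @@
+\begin{figure}[h!]
+\centering
+%\footnotesize % Apply footnotesize to all text
+\setmsckeyword{}
+\drawframe{no} % uncomment to not draw a frame
+\begin{msc}[
+/msc/title top distance=0cm,
+/msc/first level height=.1cm,
+/msc/last level height=0.7cm, % Slightly reduced
+/msc/head height=0cm,
+/msc/instance width=0cm,
+/msc/head top distance=0.5cm,
+/msc/foot distance=-0.0cm,
+/msc/instance width=0cm,
+/msc/condition height=0.1cm % Reduced condition height
+]{}
+%%%%%%%%%%%%%%%%%% CONFIG %%%%%%%%%%%%%%%%%%%%%%%%%
+\setlength{\instwidth}{0\mscunit} % to remove default box below agents
+\setlength{\instdist}{4.5cm} % default value between agents
+%%%%%%%%%%%%%%%%%% AGENTS %%%%%%%%%%%%%%%%%%%%%%%%%
+\declinst{A}{ % Alice
+\begin{tabular}[c]{c}
+Alice \\
+\end{tabular}
+}{}
+\declinst{B}{ % Bob
+\begin{tabular}[c]{c}
+Bob
+\end{tabular}
+}{}
+\nextlevel[0.25]
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\textsf{(pk\textsubscript{A}, sk\textsubscript{A}) = DH\_Gen()} \\
+\textsf{(spk\textsubscript{A}, ssk\textsubscript{A}) = SignGen()} \\
+\textsf{sig\_pk\textsubscript{A} = Sign(spk\textsubscript{A}, pk\textsubscript{A})}
+\end{tabular}
+}{A}
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\textsf{(pk\textsubscript{B}, sk\textsubscript{B}) = DH\_Gen()} \\
+\textsf{(spk\textsubscript{B}, ssk\textsubscript{B}) = SignGen()} \\
+\textsf{sig\_pk\textsubscript{B} = Sign(spk\textsubscript{B}, pk\textsubscript{B})}
+\end{tabular}
+}{B}
+\nextlevel[3]
+\condition{{{\footnotesize out-of-band verification of \textsf{spk\textsubscript{A}, spk\textsubscript{B}}}}}{B,A}
+\nextlevel[2.5]
+\mess{\footnotesize\textsf{spk\textsubscript{A}, sig\_pk\textsubscript{A}, pk\textsubscript{A}}}{A}{B}
+\nextlevel[1.25]
+\mess{\footnotesize\textsf{spk\textsubscript{B}, sig\_pk\textsubscript{B}, pk\textsubscript{B}}}{B}{A}
+\nextlevel[0.75]
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\textsf{if CheckSign(spk\textsubscript{B}, pk\textsubscript{B}, sig\_pk\textsubscript{B})} \\
+\textsf{key = DH(sk\textsubscript{A}, pk\textsubscript{B})}
+\end{tabular}
+}{A}
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\textsf{if CheckSign(spk\textsubscript{A}, pk\textsubscript{A}, sig\_pk\textsubscript{A})} \\
+\textsf{key = DH(sk\textsubscript{B}, pk\textsubscript{A})}
+\end{tabular}
+}{B}
+\nextlevel[1]
+\end{msc}
+\end{figure}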
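Review bot: The two `CheckSign(spk, pk, sig\_pk)` guards do not say which copy of `spk` they verify under, yet both `\mess` lines carry `spk` in-band right next to the signature it is supposed to validate. If the receiver used the received `spk` rather than the one fixed by the out-of-band verification condition, the check would be self-certifying and a relay could substitute its own key pair. I would make the binding explicit in the diagram, for example with a first row `\textsf{if spk\textsubscript{B} equals the out-of-band verified value} \\` in each final action, or by dropping `spk` from the messages. The figure also has neither `\caption` nor `\label`, so it cannot be cross-referenced from the text.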

30
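--- a/diagrams/fail-cases.tex
+++ b/diagrams/fail-cases.tex
@@ -0,0 +1,30 @@
+\begin{table}[h]
+\footnotesize
+\centering
+\begin{tabularx}{\columnwidth}{l!{\color{black!70}\vrule width 0.4pt\hspace{0.5em}}cccccc}
+\toprule
+\textbf{Compromise Scenario} & \textbf{P2} & \textbf{P3} & \textbf{P4} & \textbf{P5} & \textbf{P6} & \textbf{P7} \\
+& \textit{Secr.} & \textit{Auth.} & \textit{Deni.} & \textit{PFS} & \textit{PCS} & \textit{S-Deni.} \\
+\midrule
+\multicolumn{7}{l}{\textit{Megolm}} \\
+C1: Fan-out ratchet key & \ding{55} & \ding{51} & \ding{51} & \ding{51} & \ding{51} & \ding{51} \\
+C2: Fan-out public signing key & \ding{51} & \ding{51} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+C3: Fan-out private signing key & \ding{51} & \ding{51}$^*$ & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+C4: Complete fan-out session & \ding{55} & \ding{55} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+C5: P2P identity keys (mutual) & \ding{51} & \ding{51} & \ding{51} & \ding{51} & \ding{51} & \ding{51} \\
+C6: P2P chain key & \ding{55} & \ding{55} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+C7: P2P pre-key + identity & \ding{55} & \ding{55} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+\midrule
+\multicolumn{7}{l}{\textit{Sender Keys}} \\
+C1: Fan-out ratchet key & \ding{55} & \ding{51} & \ding{51} & \ding{51} & \ding{51} & \ding{51} \\
+C2: Fan-out public signing key & \ding{51} & \ding{51} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+C3: Fan-out private signing key & \ding{51} & \ding{55} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+C4: Complete fan-out session & \ding{55} & \ding{55} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+C5: P2P identity keys (mutual) & \ding{51} & \ding{51} & \ding{51} & \ding{51} & \ding{51} & \ding{51} \\
+C6: P2P chain key & \ding{55} & \ding{55} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+C7: P2P pre-key + identity & \ding{55} & \ding{55} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+\bottomrule
+\end{tabularx}
+\caption{Security property preservation under compromise scenarios. \ding{51} = property maintained, \ding{55} = property violated. $^*$Megolm maintains authentication in C3 due to MAC verification, unlike Sender Keys which relies solely on signatures. P2: Message Secrecy, P3: Authentication, P4: Deniability, P5: Perfect Forward Secrecy, P6: Post-Compromise Security, P7: Strong Deniability. ``P1: Reachability'' remains all true for all cases, and ``P2: Mutual Deniability'' remains false for all cases, thus both properties are not included in the table.}
+\label{tab:failure-comparison}
+\end{table}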
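Review bot: The caption assigns the label P2 to two different properties, `P2: Message Secrecy` and ``P2: Mutual Deniability'', and then says the latter is omitted from the table even though a P2 column is present. A reader therefore cannot tell which property the secrecy column reports. The omitted property presumably carries a different number in the paper's property list, which is not visible here. The `tabularx` column spec `l!{...}cccccc` also contains no `X` column, so the environment cannot stretch to `\columnwidth`; either make the first column `X` or use plain `tabular`. Finally, every row marks P5 and P6 as maintained, so a caption sentence on why no listed compromise affects PFS or PCS would help.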

331
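--- a/diagrams/megolm.tex
+++ b/diagrams/megolm.tex
@@ -0,0 +1,331 @@
+\newcommand{\ts}[1]{\textsubscript{#1}}
+% \newcommand{\sf}[1]{\textsf{#1}}
+\begin{figure*}[h!]
+\centering
+%\footnotesize % Apply footnotesize to all text
+\setmsckeyword{}
+\drawframe{no} % uncomment to not draw a frame
+\begin{msc}[
+/msc/title top distance=0cm,
+/msc/first level height=.1cm,
+/msc/last level height=0.7cm, % Slightly reduced
+/msc/head height=0cm,
+/msc/instance width=0cm,
+/msc/head top distance=0.5cm,
+/msc/foot distance=-0.0cm,
+/msc/instance width=0cm,
+/msc/every label/.append style = { % extra style for all labels
+/tikz/fill = white, % paint a white rectangle
+/tikz/draw = none, % no border
+/tikz/inner sep = 1pt % a little padding
+},
+/msc/condition height=0.1cm, % Reduced condition height
+]{}
+%%%%%%%%%%%%%%%%%% CONFIG %%%%%%%%%%%%%%%%%%%%%%%%%
+\setlength{\instwidth}{0\mscunit} % to remove default box below agents
+\setlength{\instdist}{6cm} % default value between agents
+%%%%%%%%%%%%%%%%%% AGENTS %%%%%%%%%%%%%%%%%%%%%%%%%
+\declinst{A}{ % Alice
+\begin{tabular}[c]{c}
+Alice (Initiator) \\
+\end{tabular}
+}{}
+\declinst{Server}{ % Alice
+\begin{tabular}[c]{c}
+Server \\
+\end{tabular}
+}{}
+\declinst{B}{ % Bob
+\begin{tabular}[c]{c}
+Bob (Responder)
+\end{tabular}
+}{}
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\text{// Begin P2P-layer operations} \\
+\textsf{(opk\ts{A}, osk\ts{A}) = X25519\_Gen()} \\
+\textsf{eph\_pk\ts{A}, eph\_sk\ts{A} = X25519\_Gen()} \\
+\textsf{sig\_eph\_pk\ts{A} = Sign(opk\ts{A}, eph\_pk\ts{A})} \\
+\end{tabular}
+}{A}
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\textsf{(opk\ts{B}, osk\ts{B}) = X25519\_Gen()} \\
+\textsf{eph\_pk\ts{B}, eph\_sk\ts{B} = X25519\_Gen()} \\
+\textsf{sig\_eph\_pk\ts{B} = Sign(opk\ts{B}, eph\_pk\ts{B})} \\
+\end{tabular}
+}{B}
+% \action*{
+% \footnotesize
+% \begin{tabular}{@{}l@{}}
+% \textsf{(opk\textsubscript{A}, osk\textsubscript{A}) = X25519\_Gen()} \\
+% \end{tabular}
+% }{B}
+\nextlevel[4.4]
+\condition{{{\footnotesize out-of-band mutual verification of \textsf{opk\textsubscript{A}, opk\textsubscript{B}}}}}{B,A,Server}
+\nextlevel[2.3]
+\mess{
+\footnotesize
+\textsf{
+opk\ts{B}, sig\_eph\_pk\ts{B}
+}
+}{B}{Server}
+\nextlevel[1]
+\mess{
+\footnotesize
+Alice requests Bob's pre-keys
+}{A}{Server}
+\nextlevel[1.5]
+\mess{
+\footnotesize
+\textsf{
+opk\ts{B}, eph\_pk\ts{B}, sig\_eph\_pk\ts{B}
+}
+}{Server}{A}
+\nextlevel[1]
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\textsf{If CheckSign(opk\ts{B}, eph\_pk\ts{B}, sig\_eph\_pk\ts{B}):} \\
+\textsf{key1 = DH(osk\ts{A}, opk\ts{B})} \\
+\textsf{key2 = DH(eph\_sk\ts{A}, eph\_pk\ts{B})} \\
+\textsf{key3 = DH(eph\_sk\ts{A}, opk\ts{B})} \\
+\textsf{master\ts{A} = Concat(key1, key2, key3)} \\
+\textsf{r1\ts{A}, c1\ts{A} = HKDF(master\ts{A})} \\
+\textsf{(t1\_pk\ts{A}, t1\_sk\ts{A}) = DH\_Gen()} \\
+\end{tabular}
+}{A}
+\nextlevel[6.5]
+\mess{
+\footnotesize
+\textsf{
+opk\ts{A}, eph\_pk\ts{A}, sig\_eph\_pk\ts{A}
+}
+}{A}{Server}
+\mess{
+\footnotesize
+\textsf{
+opk\ts{A}, eph\_pk\ts{A}, sig\_eph\_pk\ts{A}
+}
+}{Server}{B}
+\nextlevel[1]
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\text{// Begin fan-out layer operations} \\
+% \textit{generates} \textsf{m1}, \textsf{symkey\ts{A0}} \\
+\textit{generates} \textsf{symkey\ts{A0}} \\
+\textsf{ssk\_pk\ts{A}, ssk\_sk\ts{A} = SignGen()} \\
+\textsf{session\ts{A} = Encrypt(r1\ts{A}, Concat(ssk\_pk\ts{A}, symkey\ts{A0}))} \\
+\textsf{session\_mac\ts{A} = MAC(r1\ts{A}, session\ts{A}) } \\
+% \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{
+% Hash(symkey\textsubscript{A0})
+% }\\
+% \textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
+% \textsf{x1\_sig = Sign(pk\textsubscript{A}, x1)}
+\end{tabular}
+}{A}
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\textsf{If CheckSign(opk\ts{A}, eph\_pk\ts{A}, sig\_eph\_pk\ts{A}):} \\
+\textsf{key1 = DH(osk\ts{B}, opk\ts{A})} \\
+\textsf{key2 = DH(eph\_sk\ts{B}, eph\_pk\ts{A})} \\
+\textsf{key3 = DH(eph\_sk\ts{B}, opk\ts{A})} \\
+\textsf{master\ts{B} = Concat(key1, key2, key3)} \\
+\textsf{r1\ts{B}, c1\ts{B} = HKDF(master\ts{B})} \\
+\textsf{(t1\_pk\ts{B}, t1\_sk\ts{B}) = DH\_Gen()} \\
+\end{tabular}
+}{B}
+\nextlevel[6.5]
+\mess{
+\footnotesize
+\textsf{
+session\ts{A}, session\_mac\ts{A}
+}
+}{A}{Server}
+\mess{
+\footnotesize
+\textsf{
+session\ts{A}, session\_mac\ts{A}
+}
+}{Server}{B}
+\nextlevel[1]
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\textsf{if CheckMac(r1\ts{B}, session\ts{A}, session\_mac\ts{A}):} \\
+\textsf{ssk\_pk\ts{A}, symkey\ts{A0} = Decrypt(r1\ts{A}, session\ts{A})} \\
+% \textsf{session\_mac\ts{A} = MAC(r1\ts{A}, session\ts{A}) } \\
+% \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{
+% Hash(symkey\textsubscript{A0})
+% }\\
+% \textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
+% \textsf{x1\_sig = Sign(pk\textsubscript{A}, x1)}
+\end{tabular}
+}{B}
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\textit{generates} \textsf{m1} \\
+% \textit{generates} \textsf{symkey\ts{A0}} \\
+% \textsf{ssk\_pk\ts{A}, ssk\_sk\ts{A} = SignGen()} \\
+% \textsf{session\ts{A} = Encrypt(r1\ts{A}, Concat(ssk\_pk\ts{A}, symkey\ts{A0}))} \\
+% \textsf{session\_mac\ts{A} = MAC(r1\ts{A}, session\ts{A}) } \\
+\textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{
+Hash(symkey\textsubscript{A0})
+}\\
+\textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
+\textsf{x1\_sig = Sign(ssk\_sk\ts{A}, x1)}
+\end{tabular}
+}{A}
+\nextlevel[4]
+\mess{
+\footnotesize
+\textsf{
+x1, x1\_sig
+}
+}{A}{Server}
+\mess{
+\footnotesize
+server-side fan-out:
+\textsf{
+x1, x1\_sig
+}
+}{Server}{B}
+\nextlevel[1]
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\textsf{if CheckSign(ssk\_pk\ts{A}, x1, x1\_sig):} \\
+\textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{
+Hash(symkey\textsubscript{A0})
+}\\
+\textsf{m1 = Decrypt(symkey\textsubscript{A1}, x1)} \\
+\end{tabular}
+}{B}
+\nextlevel[2]
+% \condition{{\footnotesize Secure channel establishment via AKE}}{B,A}
+% \nextlevel[2.25]
+% \mess{
+% \footnotesize
+% \textsf{
+% pk\textsubscript{A}, symkey\textsubscript{A0}
+% }
+% }{A}{B}
+% \nextlevel[0.6]
+% \action*{
+% \footnotesize
+% \begin{tabular}{@{}l@{}}
+% \textit{generates} \textsf{m1} \\
+% \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{
+% Hash(symkey\textsubscript{A0})
+% }\\
+% % \textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
+% % \textsf{x1\_sig = Sign(pk\textsubscript{A}, x1)}
+% \end{tabular}
+% }{A}
+% \nextlevel[4.4]
+% \mess{
+% \footnotesize
+% (server-side fan-out)
+% \textsf{
+% x1, x1\_sig
+% }
+% }{A}{B}
+% \nextlevel[0.6]
+% \action*{
+% \footnotesize
+% \begin{tabular}{@{}l@{}}
+% \textsf{if CheckSign(sk\textsubscript{A}, x1\_sig))} \\
+% \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{Hash(symkey\textsubscript{A0})} \\
+% \textsf{m1 = Decrypt(symkey\textsubscript{A1}, x1)}
+% % \textit{generates} \textsf{m1} \\
+% % \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{
+% % Hash(symkey\textsubscript{A0})
+% % }\\
+% % \textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
+% % \textsf{x1\_sig = Sign(pk\textsubscript{A}, x1)}
+% \end{tabular}
+% }{B}
+% \action*{
+% \footnotesize
+% \begin{tabular}{@{}l@{}}
+% \textsf{if CheckSign(sk\textsubscript{A}, x1\_sig))} \\
+% \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{Hash(symkey\textsubscript{A0})} \\
+% \textsf{m1 = Decrypt(symkey\textsubscript{A1}, x1)} \\
+% % \textsf{(pk\textsubscript{B}, sk\textsubscript{B}) = DH\_Gen()} \\
+% % \textsf{(spk\textsubscript{B}, ssk\textsubscript{B}) = SignGen()} \\
+% % \textsf{sig\_pk\textsubscript{B} = Sign(spk\textsubscript{B}, pk\textsubscript{B})}
+% \end{tabular}
+% }{B}
+\end{msc}
+\caption{
+An example instantiation of the nested ratchet protocol using 3DH as the pairwise ratcheting channel. In this example, Alice, the initiator, asynchronously establishes a shared secret with Bob, the responder, via 3DH. Alice then transmits her fan-out layer session, including her ratchet key \textsf{symkey\ts{A0}} and session public key \textsf{ssk\_pk\ts{A}}, using the established secure 3DH channel. Alice follows this by sending Bob her first message, encrypted and signed using her session, and fanned out by the server to all receivers, including Bob. We note the above handshake may be equivalently condensed into just a 3-way handshake; however, for the sake of example, we make explicit the transmission of the 3DH material, session material, and message material. Specified notation for cryptographic primitives, as well as their respective descriptions, are elaborated upon in Table \ref{tab:symbols}.
+}
+\label{fig:megolm}
+\end{figure*}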
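Review bot: The two sides of the 3DH step do not derive the same master secret as drawn. Alice's `key3 = DH(eph\_sk\ts{A}, opk\ts{B})` pairs her ephemeral key with Bob's long-term key, while Bob's `key3 = DH(eph\_sk\ts{B}, opk\ts{A})` pairs his ephemeral key with Alice's long-term key, so `master\ts{A}` and `master\ts{B}` differ. Bob's row should mirror Alice's, `\textsf{key3 = DH(osk\ts{B}, eph\_pk\ts{A})} \\`, or both parties should include both cross terms if the usual 3DH combination is intended. Bob's session action then checks the MAC under `r1\ts{B}` but decrypts with `Decrypt(r1\ts{A}, session\ts{A})`, which should use `r1\ts{B}`. Bob's upload to the server also omits `eph\_pk\ts{B}`, which the server nevertheless forwards to Alice, and `r1\ts{A}` keys both `Encrypt` and `MAC`, so separate derived keys or a note that `Encrypt` is an AEAD would remove the ambiguity.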

25
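--- a/diagrams/related.tex
+++ b/diagrams/related.tex
@@ -0,0 +1,25 @@
+\newcommand{\extindent}{~\extension}
+\begin{table*}[ht!]
+\scriptsize
+\centering
+\rowcolors{2}{gray!10}{white}
+\setlength{\tabcolsep}{1pt}
+\begin{tabular}{L{2.0cm} X{0.4cm} | C{1.5cm} C{1.5cm} C{1.5cm} C{1.5cm} C{1.5cm} C{1.5cm} C{1.5cm} C{1.5cm} C{1.5cm} C{1.5cm}}
+\multicolumn{2}{c|}{Work} & Megolm & Sender Keys & Secrecy & Auth & PCS & PFS & Deniability & Symbolic & Computational & Mechanized
+\\
+\hline
+%\hhline{==|======}
+$\text{Balbas et al.}$ & \cite{Balbas_SK} & \emptyc & \fullc & \fullc & \fullc & \fullc & \fullc & \emptyc & \emptyc & \fullc & \emptyc \\
+%
+$\text{Albrecht et al. 2023}$ & \cite{Albrecht_Dowling_Jones} & \emptyc & \fullc & \fullc & \fullc & \fullc & \fullc & \emptyc & \emptyc & \fullc & \emptyc \\
+%
+$\text{Albrecht et al. 2025}$ & \cite{Albrecht_2025} & \emptyc & \fullc & \fullc & \fullc & \fullc & \fullc & \emptyc & \emptyc & \fullc & \emptyc \\
+%
+$\text{Ours}$ & & \fullc & \fullc & \fullc & \fullc & \fullc & \fullc & \fullc & \fullc & \emptyc & \fullc \\
+\end{tabular}\smallskip
+\caption{Overview of related works that study nested ratchet protocols,
+including Megolm (underpinning Matrix) and Sender Keys (underpinning WhatsApp). We include a comparison with our own work.}
+\label{tab:symbolic-tools}
+\end{table*}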
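Review bot: The first-column entries are wrapped as `$\text{Balbas et al.}$`, which enters math mode only to leave it again; plain `Balbas et al.` typesets the same and avoids the math-mode round trip. The label `tab:symbolic-tools` does not match the caption's subject (related work on nested ratchet protocols) and looks carried over from another table, so something like `\label{tab:related-work}` would be easier to reference. `\extindent` is defined on the first line but not used anywhere in this file. The `|` rule and `\hline` also differ from the booktabs rules used in diagrams/fail-cases.tex.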

126
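--- a/diagrams/session-trans.tex
+++ b/diagrams/session-trans.tex
@@ -0,0 +1,126 @@
+\begin{figure}[h!]
+\centering
+%\footnotesize % Apply footnotesize to all text
+\setmsckeyword{}
+\drawframe{no} % uncomment to not draw a frame
+\begin{msc}[
+/msc/title top distance=0cm,
+/msc/first level height=.1cm,
+/msc/last level height=0.7cm, % Slightly reduced
+/msc/head height=0cm,
+/msc/instance width=0cm,
+/msc/head top distance=0.5cm,
+/msc/foot distance=-0.0cm,
+/msc/instance width=0cm,
+/msc/every label/.append style = { % extra style for all labels
+/tikz/fill = white, % paint a white rectangle
+/tikz/draw = none, % no border
+/tikz/inner sep = 1pt % a little padding
+},
+/msc/condition height=0.1cm, % Reduced condition height
+]{}
+%%%%%%%%%%%%%%%%%% CONFIG %%%%%%%%%%%%%%%%%%%%%%%%%
+\setlength{\instwidth}{0\mscunit} % to remove default box below agents
+\setlength{\instdist}{4cm} % default value between agents
+%%%%%%%%%%%%%%%%%% AGENTS %%%%%%%%%%%%%%%%%%%%%%%%%
+\declinst{A}{ % Alice
+\begin{tabular}[c]{c}
+Alice \\
+\end{tabular}
+}{}
+% \declinst{Server}{ % Alice
+% \begin{tabular}[c]{c}
+% Server \\
+% \end{tabular}
+% }{}
+\declinst{B}{ % Bob
+\begin{tabular}[c]{c}
+Bob
+\end{tabular}
+}{}
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\textit{generates} \textsf{symkey\textsubscript{A0}} \\
+\textsf{(pk\textsubscript{A}, sk\textsubscript{A}) = DH\_Gen()}
+\end{tabular}
+}{A}
+\nextlevel[2.3]
+\condition{{\footnotesize Secure channel establishment via AKE}}{B,A}
+\nextlevel[2.25]
+\mess{
+\footnotesize
+\textsf{
+pk\textsubscript{A}, symkey\textsubscript{A0}
+}
+}{A}{B}
+\nextlevel[0.6]
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\textit{generates} \textsf{m1} \\
+\textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{
+Hash(symkey\textsubscript{A0})
+}\\
+\textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
+\textsf{x1\_sig = Sign(pk\textsubscript{A}, x1)}
+\end{tabular}
+}{A}
+\nextlevel[4.4]
+\mess{
+\footnotesize
+(server-side fan-out)
+\textsf{
+x1, x1\_sig
+}
+}{A}{B}
+\nextlevel[0.6]
+\action*{
+\footnotesize
+\begin{tabular}{@{}l@{}}
+\textsf{if CheckSign(sk\textsubscript{A}, x1\_sig))} \\
+\textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{Hash(symkey\textsubscript{A0})} \\
+\textsf{m1 = Decrypt(symkey\textsubscript{A1}, x1)}
+% \textit{generates} \textsf{m1} \\
+% \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{
+% Hash(symkey\textsubscript{A0})
+% }\\
+% \textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
+% \textsf{x1\_sig = Sign(pk\textsubscript{A}, x1)}
+\end{tabular}
+}{B}
+% \action*{
+% \footnotesize
+% \begin{tabular}{@{}l@{}}
+% \textsf{if CheckSign(sk\textsubscript{A}, x1\_sig))} \\
+% \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{Hash(symkey\textsubscript{A0})} \\
+% \textsf{m1 = Decrypt(symkey\textsubscript{A1}, x1)} \\
+% % \textsf{(pk\textsubscript{B}, sk\textsubscript{B}) = DH\_Gen()} \\
+% % \textsf{(spk\textsubscript{B}, ssk\textsubscript{B}) = SignGen()} \\
+% % \textsf{sig\_pk\textsubscript{B} = Sign(spk\textsubscript{B}, pk\textsubscript{B})}
+% \end{tabular}
+% }{B}
+\end{msc}
+\caption{An example workflow of session transmission from Alice to Bob. Alice transmits her session information, including her session's symmetric key {\footnotesize\textsf{symkey\textsubscript{A0}}} and public signing key {\footnotesize\textsf{pk\textsubscript{A}}}. Alice generates a new message {\footnotesize\textsf{m1}}, hashes her session's symmetric key and uses it to encrypt {\footnotesize\textsf{m1}}, signs the ciphertext with {\footnotesize\textsf{sk\textsubscript{A}}}, then sends the ciphertext and signature to the server for server-side fan-out. The recipient, Bob, checks the signature, hashes his copy of the symmetric key, and decrypts.
+}
+\end{figure}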
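Review bot: Bob's verification row `CheckSign(sk\textsubscript{A}, x1\_sig))` verifies under Alice's secret key, which Bob never receives (only `pk\textsubscript{A}` is sent), omits the signed ciphertext `x1`, and has an unbalanced closing parenthesis. Matching the three-argument form used in the other diagrams, it should read `\textsf{if CheckSign(pk\textsubscript{A}, x1, x1\_sig)} \\`. Alice's signing row should use `sk\textsubscript{A}`, as the caption already states. The key pair is also drawn from `DH\_Gen()` although the caption calls `pk\textsubscript{A}` a public signing key, so `SignGen()` would be the consistent generator. The figure has no `\label`.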