2025-10-25 03:54:21 -04:00
commit da9a2906c3
43 changed files with 19617 additions and 0 deletions

271
refs.bib Normal file

@@ -0,0 +1,271 @@
@misc{rfc8446,
series = {Request for Comments},
number = 8446,
howpublished = {RFC 8446},
publisher = {RFC Editor},
doi = {10.17487/RFC8446},
url = {https://www.rfc-editor.org/info/rfc8446},
author = {Eric Rescorla},
title = {{The Transport Layer Security (TLS) Protocol Version 1.3}},
pagetotal = 160,
year = 2018,
month = aug,
abstract = {This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.},
}
@article{auth, title={Authentication and authenticated key exchanges}, volume={2}, ISSN={1573-7586}, DOI={10.1007/BF00124891}, abstractNote={We discuss two-party mutual authentication protocols providing authenticated key exchange, focusing on those using asymmetric techniques. A simple, efficient protocol referred to as the station-to-station (STS) protocol is introduced, examined in detail, and considered in relation to existing protocols. The definition of a secure protocol is considered, and desirable characteristics of secure protocols are discussed.}, number={2}, journal={Designs, Codes and Cryptography}, author={Diffie, Whitfield and Van Oorschot, Paul C. and Wiener, Michael J.}, year={1992}, month=jun, pages={107125}, language={en} }
@misc{rfc9369,
series = {Request for Comments},
number = 9369,
howpublished = {RFC 9369},
publisher = {RFC Editor},
doi = {10.17487/RFC9369},
url = {https://www.rfc-editor.org/info/rfc9369},
author = {Martin Duke},
title = {{QUIC Version 2}},
pagetotal = 14,
year = 2023,
month = may,
abstract = {This document specifies QUIC version 2, which is identical to QUIC version 1 except for some trivial details. Its purpose is to combat various ossification vectors and exercise the version negotiation framework. It also serves as a template for the minimum changes in any future version of QUIC. Note that "version 2" is an informal name for this proposal that indicates it is the second version of QUIC to be published as a Standards Track document. The protocol specified here uses a version number other than 2 in the wire image, in order to minimize ossification risks.},
}
@inproceedings{Donenfeld_2017, address={San Diego, CA}, title={WireGuard: Next Generation Kernel Network Tunnel}, ISBN={978-1-891562-46-4}, url={https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/wireguard-next-generation-kernel-network-tunnel/}, DOI={10.14722/ndss.2017.23160}, abstractNote={WireGuard is a secure network tunnel, operating at layer 3, implemented as a kernel virtual network interface for Linux, which aims to replace both IPsec for most use cases, as well as popular user space and/or TLS-based solutions like OpenVPN, while being more secure, more performant, and easier to use. The virtual tunnel interface is based on a proposed fundamental principle of secure tunnels: an association between a peer public key and a tunnel source IP address. It uses a single round trip key exchange, based on NoiseIK, and handles all session creation transparently to the user using a novel timer state machine mechanism. Short pre-shared static keys—Curve25519 points—are used for mutual authentication in the style of OpenSSH. The protocol provides strong perfect forward secrecy in addition to a high degree of identity hiding. Transport speed is accomplished using ChaCha20Poly1305 authenticated-encryption for encapsulation of packets in UDP. An improved take on IP-binding cookies is used for mitigating denial of service attacks, improving greatly on IKEv2 and DTLSs cookie mechanisms to add encryption and authentication. The overall design allows for allocating no resources in response to received packets, and from a systems perspective, there are multiple interesting Linux implementation techniques for queues and parallelism. Finally, WireGuard can be simply implemented for Linux in less than 4,000 lines of code, making it easily audited and verified.}, booktitle={Proceedings 2017 Network and Distributed System Security Symposium}, publisher={Internet Society}, author={Donenfeld, Jason A.}, year={2017}, language={en} }
@manual{openvpn,
title = {OpenVPN: An Open Source VPN},
author = {James Yonan},
year = {2002},
url = {https://openvpn.net/},
note = {Version 2.6.0 and later. Accessed: 2025-08-08}
}
@article{Dingledine_Mathewson_Syverson_2004, address={Fort Belvoir, VA}, title={Tor: The Second-Generation Onion Router:}, url={https://apps.dtic.mil/sti/citations/tr/ADA465464}, DOI={10.21236/ADA465464}, abstractNote={We present Tor, a circuit-based low-latency anonymous communication service. This second-generation Onion Routing system addresses limitations in the original design by adding perfect forward secrecy, congestion control, directory servers, integrity checking, configurable exit policies, and a practical design for location-hidden services via rendezvous points. Tor works on the real-world Internet, requires no special privileges or kernel modifications, requires little synchronization or coordination between nodes, and provides a reasonable tradeoff between anonymity, usability, and efficiency. We briefly describe our experiences with an international network of more than 30 nodes. We close with a list of open problems in anonymous communication.}, institution={Defense Technical Information Center}, author={Dingledine, Roger and Mathewson, Nick and Syverson, Paul}, year={2004}, month=jan, language={en} }
@article{Marlinspike_Perrin_X3DH,
title={The X3DH Key Agreement Protocol},
author={Marlinspike, Moxie and Perrin, Trevor},
year = {2016},
language={en},
url = {https://signal.org/docs/specifications/x3dh/x3dh.pdf}
}
@article{Moxie_DoubleRatchet, title={The Double Ratchet Algorithm},
author={Perrin, Trevor and Moxie Marlinspike},
language={en},
year = {2016},
url = {https://signal.org/docs/specifications/doubleratchet/doubleratchet.pdf}}
@article{Moxie_Sesame, title={The Sesame Algorithm: Session Management for Asynchronous Message Encryption},
author={Marlinspike, Moxie and Perrin, Trevor},
language={en},
year = {2016},
url = {https://signal.org/docs/specifications/sesame/sesame.pdf}
}
@article{Kret_Schmidt_PQXDH, title={The PQXDH Key Agreement Protocol},
author={Kret, Ehren and Schmidt, Rolfe},
language={en},
year = {2024},
url = {https://signal.org/docs/specifications/pqxdh/pqxdh.pdf}
}
@article{Bhargavan_PQXDH, title={Formal verification of the PQXDH Post-Quantum key agreement protocol for end-to-end secure messaging}, abstractNote={The Signal Messenger recently introduced a new asynchronous key agreement protocol called PQXDH (PostQuantum Extended Diffie-Hellman) that seeks to provide post-quantum forward secrecy, in addition to the authentication and confidentiality guarantees already provided by the previous X3DH (Extended Diffie-Hellman) protocol. More precisely, PQXDH seeks to protect the confidentiality of messages against harvest-now-decrypt-later attacks. In this work, we formally specify the PQXDH protocol and analyze its security using two formal verification tools, PROVERIF and CRYPTOVERIF. In particular, we ask whether PQXDH preserves the guarantees of X3DH, whether it provides post-quantum forward secrecy, and whether it can be securely deployed alongside X3DH. Our analysis identifies several flaws and potential vulnerabilities in the PQXDH specification, although these vulnerabilities are not exploitable in the Signal application, thanks to specific implementation choices which we describe in this paper. To prove the security of the current implementation, our analysis notably highlighted the need for an additional binding property of the KEM, which we formally define and prove for Kyber.}, author={Bhargavan, Karthikeyan and Jacomme, Charlie and Kiefer, Franziskus and Schmidt, Rolfe}, language={en} }
@article{Cremers_SIGNAL, title={A Formal Security Analysis of the Signal Messaging Protocol}, abstractNote={The Signal protocol is a cryptographic messaging protocol that provides end-to-end encryption for instant messaging in WhatsApp, Wire, and Facebook Messenger among many others, serving well over 1 billion active users. Signal includes several uncommon security properties (such as “future secrecy” or “post-compromise security”), enabled by a novel technique called ratcheting in which session keys are updated with every message sent.}, author={Cohn-Gordon, Katriel and Cremers, Cas and Dowling, Benjamin and Garratt, Luke and Stebila, Douglas}, language={en} }
@inbook{Alwen_DOUBLERATCHET, address={Cham}, series={Lecture Notes in Computer Science}, title={The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol}, volume={11476}, ISBN={978-3-030-17652-5}, DOI={10.1007/978-3-030-17653-2_5}, abstractNote={Signal is a famous secure messaging protocol used by billions of people, by virtue of many secure text messaging applications including Signal itself, WhatsApp, Facebook Messenger, Skype, and Google Allo. At its core it uses the concept of “double ratcheting,” where every message is encrypted and authenticated using a fresh symmetric key; it has many attractive properties, such as forward security, post-compromise security, and “immediate (no-delay) decryption,” which had never been achieved in combination by prior messaging protocols.}, booktitle={Advances in Cryptology EUROCRYPT 2019}, publisher={Springer International Publishing}, author={Alwen, Joël and Coretti, Sandro and Dodis, Yevgeniy}, editor={Ishai, Yuval and Rijmen, Vincent}, year={2019}, pages={129158}, collection={Lecture Notes in Computer Science}, language={en} }
@inbook{VatandasDeny, address={Cham}, series={Lecture Notes in Computer Science}, title={On the Cryptographic Deniability of the Signal Protocol}, volume={12147}, ISBN={978-3-030-57877-0}, DOI={10.1007/978-3-030-57878-7_10}, booktitle={Applied Cryptography and Network Security}, publisher={Springer International Publishing}, author={Vatandas, Nihal and Gennaro, Rosario and Ithurburn, Bertrand and Krawczyk, Hugo}, editor={Conti, Mauro and Zhou, Jianying and Casalicchio, Emiliano and Spognardi, Angelo}, year={2020}, pages={188209}, collection={Lecture Notes in Computer Science}, language={en} }
@article{Bhargavan_DY, title={DY*: A Modular Symbolic Verification Framework for Executable Cryptographic Protocol Code}, abstractNote={We present DY?, a new formal verification framework for the symbolic security analysis of cryptographic protocol code written in the F? programming language. Unlike automated symbolic provers, our framework accounts for advanced protocol features like unbounded loops and mutable recursive data structures, as well as low-level implementation details like protocol state machines and message formats, which are often at the root of real-world attacks. Our work extends a long line of research on using dependent type systems for this task, but takes a fundamentally new approach by explicitly modeling the global trace-based semantics within the framework, hence bridging the gap between trace-based and type-based protocol analyses. This approach enables us to uniformly, precisely, and soundly model, for the first time using dependent types, long-lived mutable protocol state, equational theories, fine-grained dynamic corruption, and trace-based security properties like forward secrecy and post-compromise security. DY? is built as a library of F? modules that includes a model of low-level protocol execution, a Dolev-Yao symbolic attacker, and generic security abstractions and lemmas, all verified using F?. The library exposes a high-level API that facilitates succinct security proofs for protocol code. We demonstrate the effectiveness of this approach through a detailed symbolic security analysis of the Signal protocol that is based on an interoperable implementation of the protocol from prior work, and is the first mechanized proof of Signal to account for forward and post-compromise security over an unbounded number of protocol rounds.}, author={Bhargavan, Karthikeyan and Bichhawat, Abhishek and Do, Quoc Huy and Hosseyni, Pedram and Küsters, Ralf and Schmitz, Guido and Würtele, Tim}, language={en} }
@article{Albrecht_2025, title={Formal Analysis of Multi-Device Group Messaging in WhatsApp}, abstractNote={WhatsApp provides end-to-end encrypted messaging to over two billion users. However, due to a lack of public documentation and source code, the specific security guarantees it provides are unclear. Seeking to rectify this situation, we combine the limited public documentation with information we gather through reverse-engineering its implementation to provide a formal description of the subset of WhatsApp that provides multi-device group messaging. We utilise this description to state and prove the security guarantees that this subset of WhatsApp provides. Our analysis is performed within a variant of the Device-Oriented Group Messaging model, which we extend to support device revocation. We discuss how to interpret these results, including the security WhatsApp provides as well as its limitations.}, author={Albrecht, Martin R and Dowling, Benjamin and Jones, Daniel}, language={en} }
@misc{rfc9420,
series = {Request for Comments},
number = 9420,
howpublished = {RFC 9420},
publisher = {RFC Editor},
doi = {10.17487/RFC9420},
url = {https://www.rfc-editor.org/info/rfc9420},
author = {Richard Barnes and Benjamin Beurdouche and Raphael Robert and Jon Millican and Emad Omara and Katriel Cohn-Gordon},
title = {{The Messaging Layer Security (MLS) Protocol}},
pagetotal = 132,
year = 2023,
month = jul,
abstract = {Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands.},
}
@article{Wallez_TreeSync, title={TreeSync: Authenticated Group Management for Messaging Layer Security}, abstractNote={Messaging Layer Security (MLS), currently undergoing standardization at the IETF, is an asynchronous group messaging protocol that aims to be efficient for large dynamic groups, while providing strong guarantees like forward secrecy (FS) and post-compromise security (PCS). While prior work on MLS has extensively studied its group key establishment component (called TreeKEM), many flaws in early designs of MLS have stemmed from its group integrity and authentication mechanisms that are not as well-understood. In this work, we identify and formalize TreeSync: a sub-protocol of MLS that specifies the shared group state, defines group management operations, and ensures consistency, integrity, and authentication for the group state across all members. We present a precise, executable, machine-checked formal specification of TreeSync, and show how it can be composed with other components to implement the full MLS protocol. Our specification is written in F and serves as a reference implementation of MLS; it passes the RFC test vectors and is interoperable with other MLS implementations. Using the DY symbolic protocol analysis framework, we formalize and prove the integrity and authentication guarantees of TreeSync, under minimal security assumptions on the rest of MLS. Our analysis identifies a new attack and we propose several changes that have been incorporated in the latest MLS draft. Ours is the first testable, machine-checked, formal specification for MLS, and should be of interest to both developers and researchers interested in this upcoming standard.}, author={Wallez, Théophile and Beurdouche, Benjamin and Bhargavan, Karthikeyan}, language={en} }
@article{Wallez_TreeKEM, title={TreeKEM: A Modular Machine-Checked Symbolic Security Analysis of Group Key Agreement in Messaging Layer Security}, abstractNote={The Messaging Layer Security (MLS) protocol standard proposes a novel tree-based protocol that enables efficient end-to-end encrypted messaging over large groups with thousands of members. Its functionality can be divided into three components: TreeSync for authenticating and synchronizing group state, TreeKEM for the core group key agreement, and TreeDEM for group message encryption. While previous works have analyzed the security of abstract models of TreeKEM, they do not account for the precise low-level details of the protocol standard. This work presents the first machine-checked security proof for TreeKEM. Our proof is in the symbolic Dolev-Yao model and applies to a bit-level precise, executable, interoperable specification of the protocol. Furthermore, our security theorem for TreeKEM composes naturally with a previous result for TreeSync to provide a strong modular security guarantee for the published MLS standard.}, author={Wallez, Theophile and Protzenko, Jonathan and Bhargavan, Karthikeyan}, language={en} }
@techreport{WhatsAppSecurity2024,
title = {WhatsApp Encryption Overview: Technical White Paper},
author = {WhatsApp},
institution = {Meta (WhatsApp)},
year = {2024},
month = aug,
day = {19},
number = {Version 8},
type = {Technical White Paper},
url = {https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf},
note = {Updated August 19, 2024}
}
@techreport{MetaMessengerE2EE2023,
title = {Messenger End-to-End Encryption Overview},
author = {Jon Millican and Reed Riley and Meta Platforms},
institution = {Meta Platforms (Facebook Engineering)},
year = {2023},
month = dec,
day = {6},
number = {Version 1M},
type = {Technical White Paper},
url = {https://engineering.fb.com/wp-content/uploads/2023/12/MessengerEnd-to-EndEncryptionOverview\_12-6-2023.pdf},
note = {Published December 6, 2023 — describes core Signal-Protocol-based E2EE implementation for Messenger and Instagram Direct}
}
@misc{SignalSenderKeysRust,
title = {sender\_keys.rs — Sender Keys Implementation (Rust)},
author = {{Signal Foundation}},
howpublished = {\url{https://github.com/signalapp/libsignal/blob/main/rust/protocol/src/sender\_keys.rs}},
year = {2025},
note = {Reference implementation of the Sender Keys protocol in libsignals Rust codebase}
}
@online{Jefferys2020SessionProtocol,
author = {Kee Jefferys},
title = {Session Protocol: Technical implementation details},
year = {2020},
month = dec,
day = {15},
url = {https://getsession.org/blog/session-protocol-technical-information},
note = {Accessed: 2025-08-08},
howpublished = {Blog post on getSession.org}
}
@article{Albrecht_Dowling_Jones, title={Device-Oriented Group Messaging: A Formal Cryptographic Analysis of Matrix Core}, abstractNote={Focusing on its cryptographic core, we provide the first formal description of the Matrix secure group messaging protocol. Observing that no existing secure messaging model in the literature captures the relationships (and shared state) between users, their devices and the groups they are a part of, we introduce the Device-Oriented Group Messaging model to capture these key characteristics of the Matrix protocol. Utilising our new formalism, we determine that Matrix achieves the basic security notions of confidentiality and authentication, provided it introduces authenticated group membership. On the other hand, while the state sharing functionality in Matrix conflicts with advanced security notions in the literature forward and post-compromise security it enables features such as history sharing and account recovery, provoking broader questions about how such security notions should be conceptualised.}, author={Albrecht, Martin R and Dowling, Benjamin and Jones, Daniel}, language={en} }
@inbook{Balbas_SK, address={Singapore}, series={Lecture Notes in Computer Science}, title={WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs}, volume={14442}, ISBN={978-981-99-8732-0}, url={https://link.springer.com/10.1007/978-981-99-8733-7_10}, DOI={10.1007/978-981-99-8733-7_10}, abstractNote={In addressing these questions, we first introduce a novel security model to suit protocols like Sender Keys, deviating from conventional group key agreement-based abstractions. Our framework allows for a natural integration of two-party messaging within group messaging sessions that may be of independent interest. Leveraging this framework, we conduct the first formal analysis of the Sender Keys protocol, and prove it satisfies a weak notion of security. Towards improving security, we propose a series of efficient modifications to Sender Keys without imposing significant performance overhead. We combine these refinements into a new protocol that we call Sender Keys+, which may be of interest both in theory and practice.}, booktitle={Advances in Cryptology ASIACRYPT 2023}, publisher={Springer Nature Singapore}, author={Balbás, David and Collins, Daniel and Gajland, Phillip}, editor={Guo, Jian and Steinfeld, Ron}, year={2023}, pages={307341}, collection={Lecture Notes in Computer Science}, language={en} }
@misc{matrixorg_megolm_doc,
author = {{matrix-org}},
title = {docs/megolm.md},
howpublished = {\url{https://gitlab.matrix.org/matrix-org/olm/-/blob/master/docs/megolm.md}},
note = {Markdown file in \emph{Olm} repository},
year = {2022},
month = sep,
urldate = {2025-08-08}
}
@misc{matrixorg_olm_repo,
author = {{matrix-org}},
title = {Olm},
howpublished = {\url{https://gitlab.matrix.org/matrix-org/olm}},
note = {GitLab repository implementing Olm and Megolm cryptographic ratchets},
year = {2019},
month = apr,
urldate = {2025-08-08}
}
@article{FiedlerPQXDHdeny, title={A Deniability Analysis of Signals Initial Handshake PQXDH}, volume={2024}, rights={https://creativecommons.org/licenses/by/4.0/}, ISSN={2299-0984}, DOI={10.56553/popets-2024-0148}, abstractNote={Many use messaging apps such as Signal to exercise their right to private communication. To cope with the advent of quantum computing, Signal employs a new initial handshake protocol called PQXDH for post-quantum confidentiality, yet keeps guarantees of authenticity and deniability classical. Compared to its predecessor X3DH, PQXDH includes a KEM encapsulation and a signature on the ephemeral key. In this work we show that PQXDH does not meet the same deniability guarantees as X3DH due to the signature on the ephemeral key. Our analysis relies on plaintext awareness of the KEM, which Signals implementation of PQXDH does not provide. As for X3DH, both parties (initiator and responder) obtain different deniability guarantees due to the asymmetry of the protocol.}, number={4}, journal={Proceedings on Privacy Enhancing Technologies}, author={Fiedler, Rune and Janson, Christian}, year={2024}, month=oct, pages={907928}, language={en} }
@inproceedings{SoK_CAC, title={SoK: Computer-Aided Cryptography}, ISSN={2375-1207}, url={https://ieeexplore.ieee.org/document/9519449/?arnumber=9519449}, DOI={10.1109/SP40001.2021.00008}, abstractNote={Computer-aided cryptography is an active area of research that develops and applies formal, machine-checkable approaches to the design, analysis, and implementation of cryptography. We present a cross-cutting systematization of the computer-aided cryptography literature, focusing on three main areas: (i) design-level security (both symbolic security and computational security), (ii) functional correctness and efficiency, and (iii) implementation-level security (with a focus on digital side-channel resistance). In each area, we first clarify the role of computer-aided cryptography—how it can help and what the caveats are—in addressing current challenges. We next present a taxonomy of state-of-the-art tools, comparing their accuracy, scope, trustworthiness, and usability. Then, we highlight their main achievements, trade-offs, and research challenges. After covering the three main areas, we present two case studies. First, we study efforts in combining tools focused on different areas to consolidate the guarantees they can provide. Second, we distill the lessons learned from the computer-aided cryptography communitys involvement in the TLS 1.3 standardization effort. Finally, we conclude with recommendations to paper authors, tool developers, and standardization bodies moving forward.}, booktitle={2021 IEEE Symposium on Security and Privacy (SP)}, author={Barbosa, Manuel and Barthe, Gilles and Bhargavan, Karthik and Blanchet, Bruno and Cremers, Cas and Liao, Kevin and Parno, Bryan}, year={2021}, month=may, pages={777795} }
@article{ProverifManual, title={ProVerif 2.05: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial}, author={Blanchet, Bruno and Smyth, Ben and Cheval, Vincent and Sylvestre, Marc}, language={en} }
@inbook{Blanchet_2012, address={Berlin, Heidelberg}, series={Lecture Notes in Computer Science}, title={Security Protocol Verification: Symbolic and Computational Models}, volume={7215}, ISBN={978-3-642-28640-7}, url={http://link.springer.com/10.1007/978-3-642-28641-4_2}, DOI={10.1007/978-3-642-28641-4_2}, abstractNote={Security protocol verification has been a very active research area since the 1990s. This paper surveys various approaches in this area, considering the verification in the symbolic model, as well as the more recent approaches that rely on the computational model or that verify protocol implementations rather than specifications. Additionally, we briefly describe our symbolic security protocol verifier ProVerif and situate it among these approaches.}, booktitle={Principles of Security and Trust}, publisher={Springer Berlin Heidelberg}, author={Blanchet, Bruno}, editor={Degano, Pierpaolo and Guttman, Joshua D.}, year={2012}, pages={329}, collection={Lecture Notes in Computer Science}, language={en} }
@article{Blanchet_2016, title={Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif}, volume={1}, ISSN={2474-1558, 2474-1566}, DOI={10.1561/3300000004}, abstractNote={ProVerif is an automatic symbolic protocol verifier. It supports a wide range of cryptographic primitives, defined by rewrite rules or by equations. It can prove various security properties: secrecy, authentication, and process equivalences, for an unbounded message space and an unbounded number of sessions. It takes as input a description of the protocol to verify in a dialect of the applied pi calculus, an extension of the pi calculus with cryptography. It automatically translates this protocol description into Horn clauses and determines whether the desired security properties hold by resolution on these clauses. This survey presents an overview of the research on ProVerif.}, number={12}, journal={Foundations and Trends® in Privacy and Security}, author={Blanchet, Bruno}, year={2016}, pages={1135}, language={en} }
@article{Dolev_1983, title={On the Security of Public Key Protocols}, abstractNote={Recently the use of public key encryption to provide secure network communication has received considerable attention. Such public key systems are usually effective against passive eavesdroppers, who merely tap the lines and try to decipher the message. It has been pointed out, however, that an improperly designed protocol could be vulnerable to an active saboteur, one who may impersonate another user or alter the message being transmitted. Several models are formulated in which the security of protocols can be discussed precisely. Algorithms and characterizations that can be used to determine protocol security in these models are given.}, number={2}, journal={IEEE TRANSACTIONS ON INFORMATION THEORY}, author={Dolev, Danny}, year={1983}, language={en} }
@inbook{Celi_Hoyland_Stebila_Wiggers_2022, address={Cham}, series={Lecture Notes in Computer Science}, title={A Tale of Two Models: Formal Verification of KEMTLS via Tamarin}, volume={13556}, ISBN={978-3-031-17142-0}, url={https://link.springer.com/10.1007/978-3-031-17143-7_4}, DOI={10.1007/978-3-031-17143-7_4}, booktitle={Computer Security ESORICS 2022}, publisher={Springer Nature Switzerland}, author={Celi, Sofía and Hoyland, Jonathan and Stebila, Douglas and Wiggers, Thom}, editor={Atluri, Vijayalakshmi and Di Pietro, Roberto and Jensen, Christian D. and Meng, Weizhi}, year={2022}, pages={6383}, collection={Lecture Notes in Computer Science}, language={en} }
@article{Lafourcade_Mahmoud_Ruhault_Taleb, title={A Tale of Two Worlds, a Formal Story of WireGuard Hybridization}, abstractNote={PQ-WireGuard is a post-quantum variant of WireGuard Virtual Private Network (VPN), where Diffie-Hellman-based key exchange is replaced by post-quantum Key Encapsulation Mechanisms-based key exchange. In this paper, we first conduct a thorough formal analysis of PQ-WireGuards original design, in which we point out and fix a number of weaknesses. This leads us to an improved construction PQWireGuard⋆. Secondly, we propose and formally analyze a new protocol, based on both WireGuard and PQ-WireGuard⋆, named Hybrid-WireGuard, compliant with current best practices for post-quantum transition about hybridization techniques. For our analysis, we use the Sapic+ framework that enables the generation of three state-of-the-art protocol models for the verification tools ProVerif, DeepSec and Tamarin from a single specification, leveraging the strengths of each tool. We formally prove that HybridWireGuard is secure. Eventually, we propose a generic, efficient and usable Rust implementation of our new protocol.}, author={Lafourcade, Pascal and Mahmoud, Dhekra and Ruhault, Sylvain and Taleb, Abdul Rahman}, language={en} }
@article{Unger_Goldberg_2018, title={Improved Strongly Deniable Authenticated Key Exchanges for Secure Messaging}, volume={2018}, rights={http://creativecommons.org/licenses/by-nc-nd/3.0}, ISSN={2299-0984}, DOI={10.1515/popets-2018-0003}, abstractNote={A deniable authenticated key exchange (DAKE) protocol establishes a secure channel without producing cryptographic evidence of communication. A DAKE offers strong deniability if transcripts provide no evidence even if long-term key material is compromised (offline deniability) and no outsider can obtain evidence even when interactively colluding with an insider (online deniability). Unfortunately, existing strongly deniable DAKEs have not been adopted by secure messaging tools due to security and deployability weaknesses.}, number={1}, journal={Proceedings on Privacy Enhancing Technologies}, author={Unger, Nik and Goldberg, Ian}, year={2018}, month=jan, pages={2166}, language={en} }
@article{Collins_Colombo_Huguenin-Dumittan_2025, title={Real-World Deniability in Messaging}, volume={2025}, rights={https://creativecommons.org/licenses/by/4.0/}, ISSN={2299-0984}, DOI={10.56553/popets-2025-0018}, abstractNote={This work explores real-world deniability in messaging. We propose a formal model that considers the entire messaging system to analyze deniability in practice. Applying this model to the Signal application and DKIM-protected email, we demonstrate that these systems do not offer practical deniability guarantees. Additionally, we analyze 140 court cases in Switzerland that use conversations on messaging applications as evidence and find that none consider deniability, providing evidence that this property does not have an impact in the legal setting. Based on these technical and legal findings, we assess whether deniability is a desirable property and the challenges and shortcomings of designing a system that is deniable in practice. We posit that systems should either offer real-world deniability or refrain from claiming to achieve it. We discuss how to choose an appropriate threat model for deniability in a given context and how to design communication systems that are deniable in practice. For Signal, we propose and discuss a simple yet effective solution: the application should enable direct modification of locally stored messages in the user interface. This position paper raises several unanswered questions, aiming to further stimulate discussion and research on real-world deniability in messaging.}, number={1}, journal={Proceedings on Privacy Enhancing Technologies}, author={Collins, Daniel and Colombo, Simone and Huguenin-Dumittan, Loïs}, year={2025}, month=jan, pages={320340}, language={en} }
@article{DY, title={DY*: A Modular Symbolic Verification Framework for Executable Cryptographic Protocol Code}, abstractNote={We present DY?, a new formal verification framework for the symbolic security analysis of cryptographic protocol code written in the F? programming language. Unlike automated symbolic provers, our framework accounts for advanced protocol features like unbounded loops and mutable recursive data structures, as well as low-level implementation details like protocol state machines and message formats, which are often at the root of real-world attacks. Our work extends a long line of research on using dependent type systems for this task, but takes a fundamentally new approach by explicitly modeling the global trace-based semantics within the framework, hence bridging the gap between trace-based and type-based protocol analyses. This approach enables us to uniformly, precisely, and soundly model, for the first time using dependent types, long-lived mutable protocol state, equational theories, fine-grained dynamic corruption, and trace-based security properties like forward secrecy and post-compromise security. DY? is built as a library of F? modules that includes a model of low-level protocol execution, a Dolev-Yao symbolic attacker, and generic security abstractions and lemmas, all verified using F?. The library exposes a high-level API that facilitates succinct security proofs for protocol code. We demonstrate the effectiveness of this approach through a detailed symbolic security analysis of the Signal protocol that is based on an interoperable implementation of the protocol from prior work, and is the first mechanized proof of Signal to account for forward and post-compromise security over an unbounded number of protocol rounds.}, author={Bhargavan, Karthikeyan and Bichhawat, Abhishek and Do, Quoc Huy and Hosseyni, Pedram and Küsters, Ralf and Schmitz, Guido and Würtele, Tim}, language={en} }
@inproceedings{Gancher_2023, address={San Francisco, CA, USA}, title={Owl: Compositional Verification of Security Protocols via an Information-Flow Type System}, rights={https://doi.org/10.15223/policy-009}, ISBN={978-1-6654-9336-9}, url={https://ieeexplore.ieee.org/document/10179477/}, DOI={10.1109/SP46215.2023.10179477}, abstractNote={Computationally sound protocol verification tools promise to deliver full-strength cryptographic proofs for security protocols. Unfortunately, current tools lack either modularity or automation. We propose a new approach based on a novel use of information flow and refinement types for sound cryptographic proofs. Our framework, OWL, allows type-based modular descriptions of security protocols, wherein disjoint subprotocols can be programmed and automatically proved secure separately. We give a formal security proof for OWL via a core language which supports symmetric and asymmetric primitives, DiffieHellman operations, and hashing via random oracles. We also implement a type checker for OWL and a prototype extraction mechanism to Rust, and evaluate both on 14 case studies, including (simplified forms of) SSH key exchange and Kerberos.}, booktitle={2023 IEEE Symposium on Security and Privacy (SP)}, publisher={IEEE}, author={Gancher, Joshua and Gibson, Sydney and Singh, Pratap and Dharanikota, Samvid and Parno, Bryan}, year={2023}, month=may, pages={11301147}, language={en} }
@inproceedings{Kobeissi_Bhargavan_Blanchet_2017, address={Paris}, title={Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach}, ISBN={978-1-5090-5762-7}, url={https://ieeexplore.ieee.org/document/7961995/}, DOI={10.1109/EuroSP.2017.38}, abstractNote={Many popular web applications incorporate end-toend secure messaging protocols, which seek to ensure that messages sent between users are kept confidential and authenticated, even if the web applications servers are broken into or otherwise compelled into releasing all their data. Protocols that promise such strong security guarantees should be held up to rigorous analysis, since protocol flaws and implementations bugs can easily lead to real-world attacks.}, booktitle={2017 IEEE European Symposium on Security and Privacy}, publisher={IEEE}, author={Kobeissi, Nadim and Bhargavan, Karthikeyan and Blanchet, Bruno}, year={2017}, month=apr, pages={435450}, language={en} }
@article{Blanchet_Jacomme, title={CryptoVerif: a Computationally-Sound Security Protocol Verifier}, abstractNote={This document presents the security protocol verifier CryptoVerif. CryptoVerif does not rely on the symbolic, Dolev-Yao model, but on the computational model. It can verify secrecy, correspondence properties (which include authentication), and indistinguishability properties. It produces proofs presented as sequences of games, like those manually written by cryptographers; these games are formalized in a probabilistic process calculus. CryptoVerif provides a generic method for specifying security properties of the cryptographic primitives. It produces proofs valid for any number of sessions of the protocol, and provides an upper bound on the probability of success of an attack against the protocol as a function of the probability of breaking each primitive and of the number of sessions. CryptoVerif is post-quantum sound: when the used cryptographic assumptions are valid for quantum adversaries, the proofs hold for quantum adversaries. It can work automatically, or the user can guide it with manual proof indications.}, author={Blanchet, Bruno and Jacomme, Charlie}, language={en} }
@inproceedings{pqwg, address={San Francisco, CA, USA}, title={Post-quantum WireGuard}, rights={https://doi.org/10.15223/policy-009}, ISBN={978-1-7281-8934-5}, url={https://ieeexplore.ieee.org/document/9519445/}, DOI={10.1109/SP40001.2021.00030}, abstractNote={In this paper we present PQ-WireGuard, a postquantum variant of the handshake in the WireGuard VPN protocol (NDSS 2017). Unlike most previous work on postquantum security for real-world protocols, this variant does not only consider post-quantum confidentiality (or forward secrecy) but also post-quantum authentication. To achieve this, we replace the Diffie-Hellman-based handshake by a more generic approach only using key-encapsulation mechanisms (KEMs). We establish security of PQ-WireGuard, adapting the security proofs for WireGuard in the symbolic model and in the standard model to our construction. We then instantiate this generic construction with concrete post-quantum secure KEMs, which we carefully select to achieve high security and speed. We demonstrate competitiveness of PQ-WireGuard presenting extensive benchmarking results comparing to widely deployed VPN solutions.}, booktitle={2021 IEEE Symposium on Security and Privacy (SP)}, publisher={IEEE}, author={Hülsing, Andreas and Ning, Kai-Chun and Schwabe, Peter and Weber, Fiona Johanna and Zimmermann, Philip R.}, year={2021}, month=may, pages={304321}, language={en} }
@misc{rfc9180,
series = {Request for Comments},
number = 9180,
howpublished = {RFC 9180},
publisher = {RFC Editor},
doi = {10.17487/RFC9180},
url = {https://www.rfc-editor.org/info/rfc9180},
author = {Richard Barnes and Karthikeyan Bhargavan and Benjamin Lipp and Christopher A. Wood},
title = {{Hybrid Public Key Encryption}},
pagetotal = 107,
year = 2022,
month = feb,
abstract = {This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.},
}
@inproceedings{Schwabe_Stebila_Wiggers_2020, address={Virtual Event USA}, title={Post-Quantum TLS Without Handshake Signatures}, ISBN={978-1-4503-7089-9}, url={https://dl.acm.org/doi/10.1145/3372297.3423350}, DOI={10.1145/3372297.3423350}, abstractNote={We present KEMTLS, an alternative to the TLS 1.3 handshake that uses key-encapsulation mechanisms (KEMs) instead of signatures for server authentication. Among existing post-quantum candidates, signature schemes generally have larger public key/signature sizes compared to the public key/ciphertext sizes of KEMs: by using an IND-CCA-secure KEM for server authentication in post-quantum TLS, we obtain multiple benefits. A size-optimized post-quantum instantiation of KEMTLS requires less than half the bandwidth of a size-optimized post-quantum instantiation of TLS 1.3. In a speedoptimized instantiation, KEMTLS reduces the amount of server CPU cycles by almost 90% compared to TLS 1.3, while at the same time reducing communication size, reducing the time until the client can start sending encrypted application data, and eliminating code for signatures from the servers trusted code base.}, booktitle={Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security}, publisher={ACM}, author={Schwabe, Peter and Stebila, Douglas and Wiggers, Thom}, year={2020}, month=oct, pages={14611480}, language={en} }
@inbook{Itkis_Reyzin_2001, address={Berlin, Heidelberg}, series={Lecture Notes in Computer Science}, title={Forward-Secure Signatures with Optimal Signing and Verifying}, volume={2139}, ISBN={978-3-540-42456-7}, url={http://link.springer.com/10.1007/3-540-44647-8_20}, DOI={10.1007/3-540-44647-8_20}, abstractNote={We propose the first forward-secure signature scheme for which both signing and verifying are as efficient as for one of the most efficient ordinary signature schemes (Guillou-Quisquater [GQ88]), each requiring just two modular exponentiations with a short exponent. All previously proposed forward-secure signature schemes took significantly longer to sign and verify than ordinary signature schemes.}, booktitle={Advances in Cryptology — CRYPTO 2001}, publisher={Springer Berlin Heidelberg}, author={Itkis, Gene and Reyzin, Leonid}, editor={Kilian, Joe}, year={2001}, pages={332354}, collection={Lecture Notes in Computer Science}, language={en} }
@inproceedings{Chase_Perrin_Zaverucha_2020, address={Virtual Event USA}, title={The Signal Private Group System and Anonymous Credentials Supporting Efficient Verifiable Encryption}, ISBN={978-1-4503-7089-9}, url={https://dl.acm.org/doi/10.1145/3372297.3417887}, DOI={10.1145/3372297.3417887}, abstractNote={In this paper we present a system for maintaining a membership list of users in a group, designed for use in the Signal Messenger secure messaging app. The goal is to support private groups where membership information is readily available to all group members but hidden from the service provider or anyone outside the group. In the proposed solution, a central server stores the group membership in the form of encrypted entries. Members of the group authenticate to the server in a way that reveals only that they correspond to some encrypted entry, then read and write the encrypted entries.}, booktitle={Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security}, publisher={ACM}, author={Chase, Melissa and Perrin, Trevor and Zaverucha, Greg}, year={2020}, month=oct, pages={14451459}, language={en} }
@misc{mcmillion2025keytransparencyarchitecture,
author = {McMillion, Brendan},
title = {Key Transparency Architecture},
howpublished = {Internet-Draft, IETF},
month = jul,
year = 2025,
note = {draft-ietf-keytrans-architecture-04, Intended status: Informational},
month = jul,
year = 2025,
}
@inbook{Alwen_Coretti_Jost_Mularczyk_2020, address={Cham}, series={Lecture Notes in Computer Science}, title={Continuous Group Key Agreement with Active Security}, volume={12551}, ISBN={978-3-030-64377-5}, url={https://link.springer.com/10.1007/978-3-030-64378-2_10}, DOI={10.1007/978-3-030-64378-2_10}, abstractNote={A continuous group key agreement (CGKA) protocol allows a long-lived group of parties to agree on a continuous stream of fresh secret key material. The protocol must support constantly changing group membership, make no assumptions about when, if, or for how long members come online, nor rely on any trusted group managers. Due to sessions long life-time, CGKA protocols must simultaneously ensure both post-compromise security and forward secrecy (PCFS). That is, current key material should be secure despite both past and future compromises.}, booktitle={Theory of Cryptography}, publisher={Springer International Publishing}, author={Alwen, Joël and Coretti, Sandro and Jost, Daniel and Mularczyk, Marta}, editor={Pass, Rafael and Pietrzak, Krzysztof}, year={2020}, pages={261290}, collection={Lecture Notes in Computer Science}, language={en} }
@inproceedings{Ruhault_Lafourcade_Mahmoud_2024, address={San Diego, CA, USA}, title={A Unified Symbolic Analysis of WireGuard}, ISBN={978-1-891562-93-8}, url={https://www.ndss-symposium.org/wp-content/uploads/2024-364-paper.pdf}, DOI={10.14722/ndss.2024.24364}, abstractNote={WireGuard [22], [21] is a Virtual Private Network (VPN), presented at NDSS 2017, recently integrated into the Linux Kernel [57] and paid commercial VPNs such as NordVPN, Mullvad and ProtonVPN [56]. It proposes a different approach from other classical VPN such as IPsec [29] or OpenVPN [48] because it does not let users configure cryptographic algorithms. The protocol inside WireGuard is a dedicated extension of IKpsk2 protocol from Noise Framework [49]. Different analyses of WireGuard and IKpsk2 protocols have been proposed, in both the symbolic and the computational model, with or without computer-aided proof assistants. These analyses however consider different adversarial models or refer to incomplete versions of the protocols. In this work, we propose a unified formal model of WireGuard protocol in the symbolic model. Our model uses the automatic cryptographic protocol verifiers SAPIC+, PROVERIF and TAMARIN. We consider a complete protocol execution, including cookie messages used for resistance against denial of service attacks. We model a precise adversary that can read or set static, ephemeral or pre-shared keys, read or set ecdh pre-computations, control key distribution. Eventually, we present our results in a unified and interpretable way, allowing comparisons with previous analyses. Finally thanks to our models, we give necessary and sufficient conditions for security properties to be compromised, we confirm a flaw on the anonymity of the communications and point an implementation choice which considerably weakens its security. 
We propose a remediation that we prove secure using our models.}, booktitle={Proceedings 2024 Network and Distributed System Security Symposium}, publisher={Internet Society}, author={Ruhault, Sylvain and Lafourcade, Pascal and Mahmoud, Dhekra}, year={2024}, language={en} }
@article{Basin_Cremers_Dreier_Sasse_2022, title={Tamarin: Verification of Large-Scale, Real-World, Cryptographic Protocols}, volume={20}, rights={https://ieeexplore.ieee.org/Xplorehelp/downloads/license-information/IEEE.html}, ISSN={1540-7993, 1558-4046}, DOI={10.1109/MSEC.2022.3154689}, abstractNote={Tamarin is a mature, state-of-the-art tool for cryptographic protocol verification. We introduce Tamarin and survey some of the larger, tour-de-force results achieved with it. We also show how Tamarin can formalize a wide range of protocols, adversary models, and properties, and scale to substantial, real-world, verification problems.}, number={3}, journal={IEEE Security \& Privacy}, author={Basin, David and Cremers, Cas and Dreier, Jannik and Sasse, Ralf}, year={2022}, month=may, pages={2432}, language={en} }
@misc{rfc5869,
series = {Request for Comments},
number = 5869,
howpublished = {RFC 5869},
publisher = {RFC Editor},
doi = {10.17487/RFC5869},
url = {https://www.rfc-editor.org/info/rfc5869},
author = {Hugo Krawczyk and Pasi Eronen},
title = {{HMAC-based Extract-and-Expand Key Derivation Function (HKDF)}},
pagetotal = 14,
year = 2010,
month = may,
abstract = {This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.},
}
@techreport{mcMillion2025keytrans,
author = {McMillion, Brendan},
title = {{Key Transparency Architecture}},
institution = {IETF Internet-Draft},
type = {Internet-Draft},
number = {draft-ietf-keytrans-architecture-04},
year = {2025},
month = jul,
day = {7},
note = {Intended status: Informational; Expires 8 January 2026},
url = {https://datatracker.ietf.org/doc/draft-ietf-keytrans-architecture/}
}