BEGIN:VCALENDAR
VERSION:2.0
PRODID:icalendar-ruby
CALSCALE:GREGORIAN
METHOD:PUBLISH
BEGIN:VTIMEZONE
TZID:Europe/Vienna
BEGIN:DAYLIGHT
DTSTART:20260329T030000
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
END:DAYLIGHT
BEGIN:STANDARD
DTSTART:20261025T020000
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
DTSTAMP:20260703T151145Z
UID:1785229200@ist.ac.at
DTSTART:20260728T110000
DTEND:20260728T120000
DESCRIPTION:Speaker: Miguel Cueto Noval\nhosted by Carrie Bernecky\nAbstrac
 t: The widespread adoption of apps like Whatsapp and Signal has translated
  into billions of people all around the world communicating on a regular b
 asis by making use of services that offer end-to-end encryption and even p
 rovide security guarantees when a user's device is compromised. This was
  ma
 de possible by the introduction of the Double Ratchet Algorithm\, which wa
 s designed for a setting where communication takes place between two parti
 es. However\, in practice\, many apps offer the possibility of creating gr
 oups. The protocols they use to secure communication are inefficient for l
 arge groups\, which has the undesirable consequence that the
  aforementioned a
 pps have established limits on the group size of roughly 1000 users. This 
 has motivated the introduction of the Messaging Layer Security (MLS) stand
 ard by the IETF which is based on a primitive called Continuous Group Key 
 Agreement (CGKA). This primitive allows a group of users to maintain a
  shar
 ed secret key that is frequently rotated by the group members in order to 
 change group membership\, achieve forward secrecy (FS) and post-compromise
  security (PCS). Most protocols are based on binary trees where the nodes 
 are associated to a pair formed by a public key and a secret key. Each
  leaf corresponds to one of the group members and a user knows the secret
  keys a
 ssociated to nodes along the path from their leaf to the root. When a user
  wants to update their key material they have to change $ \\log(N) $ many 
 keys. This requires uploading $ \\log(N) $ many ciphertexts to communicate
  the new keys to the rest of the group members in a way that respects the 
 tree structure. In this thesis we study how much communication between
  grou
 p members is required in order to add and remove users from a group as wel
 l as in order to provide PCS when we consider CGKAs built using standard c
 ryptographic primitives like pseudo-random functions and public-key encryp
 tion. Furthermore\, we also consider the case of MLS and provide the first
  lower bound showing that its communication complexity is much worse than 
 previously believed\, i.e.\, it is very far from $ \\log(N) $. Finally\, w
 e also propose a variant of MLS which provably achieves the same security 
 properties with a much lower communication cost.
LOCATION:Moonstone Bldg / Ground floor / Seminar Room C (I24.EG.030c ) and 
 Zoom\, ISTA
ORGANIZER:
SUMMARY:Miguel Cueto Noval: Thesis Defense: Towards Efficient Secure Group 
 Messaging
URL:https://talks-calendar.ista.ac.at/events/6544
END:VEVENT
END:VCALENDAR
