International Association
for Cryptologic Research

Message franking is an indispensable abuse mitigation tool for end-to-end encrypted (E2EE) messaging platforms. With it, users who receive harmful content can securely report that content to platform moderators. However, while real-world deployments of reporting require the disclosure of multiple messages, existing treatments of message franking only consider the report of a single message. As a result, there is a gap between the security goals achieved by constructions and those needed in practice. Our work introduces transcript franking, a new type of protocol that allows reporting subsets of conversations such that moderators can cryptographically verify message causality and contents. We define syntax, semantics, and security for transcript franking in two-party and group messaging. We then present efficient constructions for transcript franking and prove their security. Looking toward deployment considerations, we provide detailed discussion of how real-world messaging systems can incorporate our protocols.

The increasing harms caused by hate, harassment, and other forms of abuse online have motivated major platforms to explore hierarchical governance. The idea is to allow communities to have designated members take on moderation and leadership duties; meanwhile, members can still escalate issues to the platform. But these promising approaches have only been explored in plaintext settings where community content is public to the platform. It is unclear how one can realize hierarchical governance in the huge and increasing number of online communities that utilize end-to-end encrypted (E2EE) messaging for privacy. This talk will argue for the importance of adapting hierarchical governance to E2EE platforms, share some of our recent work towards privacy-preserving hierarchical governance, and discuss ongoing challenges in this space.

Deployment of end-to-end encryption (E2EE) has improved the confidentiality and the integrity of data in various contexts, including messaging, cloud storage, and other web applications. E2EE protocols, such as messaging and file storage, have been studied extensively, instilling confidence in their security. Consequently, there has been a meteoric rise in the adoption of these tools, and E2EE is now a core component of complex systems that impact billions of users. As these applications evolve into intricate, feature-rich ecosystems, our understanding of their security becomes increasingly opaque, and whether the strong security guarantees of the underlying E2EE protocols extend to the broader systems is unclear. As such, a new line of work has analyzed the security of various deployed E2EE applications, finding numerous attacks and proposing mitigations. The purpose of this talk is to bring attention to an emerging threat model for E2EE applications, and motivate future work within the cryptography community. At a high-level, our threat model considers an adversary that simply sends chosen payloads to a victim client, and subsequently observes the encrypted application state. We refer to attacks in this setting as injection attacks. The core of our presentation will consist of an overview of this threat model, highlighting a common root cause of injection attacks. Then, we will present concrete vulnerabilities uncovered in real-world systems across two application domains: backups of messaging applications (based on a recent paper that we will present at S&P ‘24), and password managers (based on ongoing work, which will be made public after we finish the disclosure process). Lastly, we conclude with some general takeaways and directions for future work.