DKVE: Decentralized Key Validation for End-to-End Encrypted Messaging

πŸ“… 2026-06-24
πŸ“ˆ Citations: 0
✨ Influential: 0
πŸ“„ PDF
πŸ€– AI Summary
This work addresses the vulnerability of public key distribution in end-to-end encrypted systems to man-in-the-middle attacks by proposing a privacy-preserving key verification mechanism grounded in users’ social graphs. The approach leverages mutual contacts to perform oblivious cross-verification of public keys, integrating oblivious pseudorandom functions (OPRF), oblivious key-value stores (OKVS), and sequential probability ratio tests (SPRT) to efficiently detect malicious server behavior while preserving user privacy. Experimental evaluation on real-world social networks demonstrates that the mechanism successfully identifies attacks in over 97% of moderately to strongly connected scenarios. A prototype implementation operates efficiently on commodity hardware and reduces query frequency to key transparency systems by two orders of magnitude.
πŸ“ Abstract
End-to-end encrypted messaging systems depend on authentic public key distribution to prevent man-in-the-middle (MitM) attacks. Current solutions present a stark trade-off: out-of-band (OOB) verification provides strong security but lacks scalability for large contact lists, while key transparency (KT) systems enable automated verification at high storage costs and operational complexity. We propose DKVE, a protocol that validates public keys through privacy-preserving cross-validation within users' social graphs. When obtaining a contact's public key from a key server, clients query mutual contacts to verify they hold the same key, combining Oblivious Pseudorandom Functions (OPRF) and Oblivious Key-Value Stores (OKVS) to preserve privacy of both queries and contact lists. DKVE employs a Sequential Probability Ratio Test (SPRT) to aggregate responses and detect server misbehavior with user-configurable error bounds. We evaluate DKVE through simulations on real social network datasets, demonstrating DKVE can detect MitM attacks with exceeding 97% for strong-to-moderate-tie networks. The remaining 3% of cases require validation through alternative methods such as KT and OOB verification. Our proof-of-concept implementation confirms feasibility for background operation on commodity hardware, in terms of the latency and bandwidth. As DKVE can reduce the frequency of KT queries by two orders of magnitude, it enables fundamental architectural shifts: KT directories can migrate from fast but space-inefficient Merkle trees to space-efficient data structures like RSA accumulators. While DKVE cannot replace existing methods entirely -- suffering from bootstrapping problems and degraded performance on weak-tie networks -- it provides a practical complementary key validation mechanism, making secure messaging more deployable for billion-user systems.
Problem

Research questions and friction points this paper is trying to address.

End-to-End Encryption
Key Validation
Man-in-the-Middle Attack
Scalability
Public Key Authentication
Innovation

Methods, ideas, or system contributions that make the work stand out.

Decentralized Key Validation
Oblivious Pseudorandom Function
Social Graph Cross-Validation
Sequential Probability Ratio Test
Key Transparency
πŸ”Ž Similar Papers
No similar papers found.