Skip to main content
SpringerLink
Log in

On the Cryptographic Deniability of the Signal Protocol

  • Conference paper
  • First Online:
Applied Cryptography and Network Security (ACNS 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12147))

Included in the following conference series:

Abstract

Offline deniability is the ability to a posteriori deny having participated in a particular communication session. This property has been widely assumed for the Signal messaging application, yet no formal proof has appeared in the literature. In this paper, we present what we believe is the first formal study of the offline deniability of the Signal protocol. Our analysis shows that building a deniability proof for Signal is non-trivial and requires very strong assumptions on the underlying mathematical groups where the protocol is run.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    This was claimed informally and without proof in [14]; here, we use this result in essential way in Sect. 9 to show how deniability of 3DH carries to deniability of the whole Signal protocol.

  2. 2.

    For showing the failure of (proofs of) deniability, assuming a key registration step makes our negative result stronger as it implies that even if we allow key registration we do not know how to simulate, and in some cases simulation is actually impossible.

  3. 3.

    It is not necessary to model this hash as a random oracle, as long as we assume that computing \(g^{ay}\) is hard when \(A=g^a\) is sampled uniformly at random and \(Y=g^y\) is sampled according to the procedure used by Bob.

  4. 4.

    One could use a Gap-DDH Assumption, which states that the CDH Assumption holds even in the presence of an oracle that decides the DDH. Then such oracle could be provided to the simulator to detect the query. Yet this simulator would not be a legitimate deniability simulator unless the oracle could be implemented in real-life.

References

  1. Alwen, J., Coretti, S., Dodis, Y.: The double ratchet: security notions, proofs, and modularization for the signal protocol. IACR Cryptology ePrint Archive 2018, 1037 (2018)

    Google Scholar 

  2. Bellare, M., Palacio, A.: The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 273–289. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_17

    Chapter  Google Scholar 

  3. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21

    Chapter  Google Scholar 

  4. Borisov, N., Goldberg, I., Brewer, E.: Off-the-record communication, or, why not to use PGP. In Proceedings of the 2004 ACM Workshop on Privacy in the Electronic Society WPES 2004, pp. 77–84. ACM, New York (2004)

    Google Scholar 

  5. Boyd, C., Mao, W., Paterson, K.G.: Key agreement using statically keyed authenticators. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 248–262. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24852-1_18

    Chapter  Google Scholar 

  6. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28

    Chapter  Google Scholar 

  7. Canetti, R., Krawczyk, H.: Security analysis of IKE’s signature-based key-exchange protocol. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 143–161. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_10

    Chapter  Google Scholar 

  8. Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 337–351. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_22

    Chapter  Google Scholar 

  9. Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the signal messaging protocol. In: 2017 IEEE European Symposium on Security and Privacy (EuroS P), pp. 451–466, April 2017

    Google Scholar 

  10. Cremers, C., Feltz, M.: One-round strongly secure key exchange with perfect forward secrecy and deniability. Cryptology ePrint Archive, Report 2011/300 (2011). https://eprint.iacr.org/2011/300

  11. Dent, A.W., Galbraith, S.D.: Hidden pairings and trapdoor DDH groups. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 436–451. Springer, Heidelberg (2006). https://doi.org/10.1007/11792086_31

    Chapter  Google Scholar 

  12. Di Raimondo, M., Gennaro, R.: New approaches for deniable authentication. J. Cryptol. 22(4), 572–615 (2009). https://doi.org/10.1007/s00145-009-9044-3

    Article  MathSciNet  MATH  Google Scholar 

  13. Di Raimondo, M., Gennaro, R., Krawczyk, H.: Secure off-the-record messaging. In: Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society WPES 2005, pp. 81–89. ACM, New York (2005)

    Google Scholar 

  14. Di Raimondo, M., Gennaro, R., Krawczyk, H.: Deniable authentication and key exchange. In: Proceedings of the 13th ACM Conference on Computer and Communications Security CCS 2006, pp. 400–409. ACM, New York (2006)

    Google Scholar 

  15. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theor. 22(6), 644–654 (2006)

    Article  MathSciNet  Google Scholar 

  16. Dodis, Y., Katz, J., Smith, A., Walfish, S.: Composability and on-line deniability of authentication. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 146–162. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_10

    Chapter  MATH  Google Scholar 

  17. Dwork, C., Naor, M., Sahai, A.: Concurrent zero-knowledge. In: Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing STOC 1998, pp. 409–418. ACM, New York (1998)

    Google Scholar 

  18. Fischlin, M., Mazaheri, S.: Notions of deniable message authentication. In: Proceedings of the 14th ACM Workshop on Privacy in the Electronic Society WPES 2015, pp. 55–64. ACM, New York (2015)

    Google Scholar 

  19. Goldwasser, S., Micali, S.: Probabilistic encryption. JCSS 28(2), 270–299 (1984)

    MathSciNet  MATH  Google Scholar 

  20. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)

    Article  MathSciNet  Google Scholar 

  21. Harkins, D., Carrel, D.: The internet key exchange (IKE). RFC 2409, RFC Editor, November 1998

    Google Scholar 

  22. Harkins, D., Carrel, D.: The internet key exchange (IKE) (1998)

    Google Scholar 

  23. Katz, J.: Efficient and non-malleable proofs of plaintext knowledge and applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 211–228. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_13

    Chapter  Google Scholar 

  24. Kaufman, C.: Internet key exchange (IKEv2) protocol. RFC 4306, RFC Editor, December 2005

    Google Scholar 

  25. Krawczyk, H.: Skeme: a versatile secure key exchange mechanism for internet. In: Proceedings of Internet Society Symposium on Network and Distributed Systems Security, pp. 114–127, February 1996

    Google Scholar 

  26. Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_33

    Chapter  Google Scholar 

  27. Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Des. Codes Crypt. 28(2), 119–134 (2003)

    Article  MathSciNet  Google Scholar 

  28. Mao, W., Paterson, K.: On the plausible deniability feature of internet protocols. Manuscript (2002)

    Google Scholar 

  29. Marlinspike, M.: Simplifying OTR deniability (2013). https://signal.org/blog/simplifying-otr-deniability/

  30. Marlinspike, M., Perrin, T.: The x3dh key agreement protocol, Rev. 1, November 2016

    Google Scholar 

  31. Menezes, A., Qu, M., Vanstone, S.: Some new key agreement protocols providing implicit authentication. In: Workshop on Selected Area in Cryptography (SAC 1995), pp. 22–32 (1995)

    Google Scholar 

  32. Naor, M.: Deniable ring authentication. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 481–498. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_31

    Chapter  Google Scholar 

  33. Pass, R.: On deniability in the common reference string and random oracle model. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 316–337. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_19

    Chapter  Google Scholar 

  34. Perrin, T., Marlinspike, M.: The double ratchet algorithm, Rev. 1, November 2016

    Google Scholar 

  35. Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991). https://doi.org/10.1007/BF00196725

    Article  MathSciNet  MATH  Google Scholar 

  36. Seurin, Y.: New constructions and applications of trapdoor DDH groups. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 443–460. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_27

    Chapter  Google Scholar 

  37. Shoup, V.: On formal models for secure key exchange. Technical report RZ 3120, IBM, April 1999

    Google Scholar 

  38. Signal technical information. https://signal.org/docs/

  39. Unger, N., Goldberg, I.: Deniable key exchanges for secure messaging. In: Proceedings on 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1211–1223 (2015)

    Google Scholar 

  40. Unger, N., Goldberg, I.: Improved strongly deniable authenticated key exchanges for secure messaging. Proc. Priv. Enhancing Technol. 2018(1), 21–66 (2018)

    Article  Google Scholar 

  41. Vatandas, N., Gennaro, R., Ithurburn, B., Krawczyk, H.: On the deniability of signal communications. Cryptology ePrint Archive (2020). https://eprint.iacr.org/

  42. Walfish, S.: Enhanced security models for network protocols. Ph.D thesis (2008)

    Google Scholar 

  43. Yao, A.C., Zhao, Y.: Deniable internet key exchange. In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 329–348. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13708-2_20

    Chapter  Google Scholar 

  44. Yao, A.C., Zhao, Y., OAKE: a new family of implicitly authenticated diffie-hellman protocols. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security CCS 2013, pp. 1113–1128. ACM, New York (2013)

    Google Scholar 

Download references

Acknowledgment

The authors thank the anonymous reviewer whose excellent comments greatly improved the presentation of this paper.

Author information

Authors and Affiliations

  1. Center for Algorithms and Interactive Scientific Software, The City College of New York, New York City, USA

    Nihal Vatandas, Rosario Gennaro & Bertrand Ithurburn

  2. Algorand Foundation, New York City, USA

    Hugo Krawczyk

Authors
  1. Nihal Vatandas
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Rosario Gennaro
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Bertrand Ithurburn
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Hugo Krawczyk
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Nihal Vatandas .

Editor information

Editors and Affiliations

  1. Department of Mathematics, University of Padua, Padua, Italy

    Mauro Conti

  2. Singapore University of Technology and Design, Singapore, Singapore

    Jianying Zhou

  3. Dipt di Informatica Sistemi e Produ, Università di Roma “Tor Vergata”, Rome, Roma, Italy

    Emiliano Casalicchio

  4. Sapienza University of Rome, Rome, Italy

    Angelo Spognardi

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Vatandas, N., Gennaro, R., Ithurburn, B., Krawczyk, H. (2020). On the Cryptographic Deniability of the Signal Protocol. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds) Applied Cryptography and Network Security. ACNS 2020. Lecture Notes in Computer Science(), vol 12147. Springer, Cham. https://doi.org/10.1007/978-3-030-57878-7_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-57878-7_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-57877-0

  • Online ISBN: 978-3-030-57878-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation