Abstract
Offline deniability is the ability to deny, after the fact, having participated in a particular communication session. This property has been widely assumed for the Signal messaging application, yet no formal proof has appeared in the literature. In this paper, we present what we believe is the first formal study of the offline deniability of the Signal protocol. Our analysis shows that building a deniability proof for Signal is non-trivial and requires very strong assumptions on the underlying mathematical groups in which the protocol is run.
Notes
- 1.
- 2. For showing the failure of (proofs of) deniability, assuming a key registration step makes our negative result stronger, since it implies that even if we allow key registration we do not know how to simulate, and in some cases simulation is actually impossible.
- 3. It is not necessary to model this hash as a random oracle, as long as we assume that computing \(g^{ay}\) is hard when \(A=g^a\) is sampled uniformly at random and \(Y=g^y\) is sampled according to the procedure used by Bob.
- 4. One could use a Gap-DDH Assumption, which states that the CDH Assumption holds even in the presence of an oracle that decides DDH. Such an oracle could then be provided to the simulator to detect the query. Yet this simulator would not be a legitimate deniability simulator unless the oracle could be implemented in real life.
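Notes 3 and 4 turn on one mechanical point: a deniability simulator sees only the public values \(A=g^a\) and \(Y=g^y\) and the distinguisher's hash queries, and it needs to recognise the query on \(g^{ay}\), which is a DDH decision. The following toy, added here and not part of the paper, runs that detection step in a deliberately tiny group (constructed parameters P=23, Q=11, G=2). The DDH oracle is "implemented" by brute-forcing the discrete log, which works only because the group is tiny; in a real group no such oracle is known, which is exactly why note 4 says the resulting simulator is not legitimate. Names (`Simulator`, `ddh_oracle`, `run`) are the example's own.

```python
"""Toy Gap-DDH illustration (added example, not code from the paper).

A simulator that knows neither a nor y tries to recognise the hash query on
g^{ay}. With a DDH oracle it can; without one it cannot.
"""

# Constructed toy parameters: G = 2 generates the order-Q subgroup of Z_P^*.
P, Q, G = 23, 11, 2


def exp(base, e):
    return pow(base, e, P)


def in_subgroup(x):
    """True iff x lies in the order-Q subgroup generated by G."""
    return 1 <= x < P and exp(x, Q) == 1


def ddh_oracle(A, Y, Z):
    """Decide whether (A, Y, Z) is a DH triple, i.e. Z == g^{ay}.

    This brute-forces the discrete log of A, which is feasible only because
    Q is tiny. In a cryptographic group there is no known way to build this
    oracle, so a simulator relying on it is not a real-life simulator.
    """
    if not (in_subgroup(A) and in_subgroup(Y) and in_subgroup(Z)):
        raise ValueError("inputs must lie in the order-Q subgroup")
    for a in range(Q):
        if exp(G, a) == A:
            return exp(Y, a) == Z
    raise AssertionError("unreachable: A is in the subgroup")


class Simulator:
    """Sees only A, Y and the distinguisher's hash queries; never a or y."""

    def __init__(self, A, Y, oracle=None):
        self.A, self.Y, self.oracle = A, Y, oracle
        self.detected = []

    def on_hash_query(self, Z):
        # Without the secret exponents or a DDH oracle, every candidate Z
        # looks like a random subgroup element; the simulator cannot tell
        # the real g^{ay} apart and must let the query through undetected.
        if self.oracle is None:
            return False
        hit = self.oracle(self.A, self.Y, Z)
        if hit:
            self.detected.append(Z)
        return hit


def run(a, y, queries, use_oracle):
    """Return, per hash query Z, whether the simulator flagged it as g^{ay}."""
    A, Y = exp(G, a), exp(G, y)
    sim = Simulator(A, Y, ddh_oracle if use_oracle else None)
    return [sim.on_hash_query(Z) for Z in queries]


if __name__ == "__main__":
    a, y = 3, 7                       # secret exponents, unknown to the simulator
    real = exp(G, a * y)              # the value an honest party would hash
    queries = [exp(G, 5), real, exp(G, 9)]
    print("with DDH oracle:   ", run(a, y, queries, use_oracle=True))
    print("without DDH oracle:", run(a, y, queries, use_oracle=False))
```

With the oracle the middle query is flagged and the other two are not; without it nothing is flagged. Swapping the toy parameters for a real curve or prime-order group leaves `Simulator` unchanged but makes `ddh_oracle` impossible to implement, which is the gap the note points at.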
Acknowledgment
The authors thank the anonymous reviewer whose excellent comments greatly improved the presentation of this paper.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Vatandas, N., Gennaro, R., Ithurburn, B., Krawczyk, H. (2020). On the Cryptographic Deniability of the Signal Protocol. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds) Applied Cryptography and Network Security. ACNS 2020. Lecture Notes in Computer Science(), vol 12147. Springer, Cham. https://doi.org/10.1007/978-3-030-57878-7_10
DOI: https://doi.org/10.1007/978-3-030-57878-7_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-57877-0
Online ISBN: 978-3-030-57878-7