Abstract
End-to-end encryption (E2EE) is widely used in instant messaging applications to protect data privacy. Forward secrecy (FS) and post-compromise security (PCS) are two essential features that aim to preserve security when session keys are compromised. Among E2EE applications, Signal is known for being the first to guarantee FS and PCS concurrently, by implementing the extended triple Diffie-Hellman (X3DH) protocol and the double ratchet protocol. However, the original X3DH and double ratchet protocols cannot resist quantum attacks and require post-quantum implementations. While a post-quantum double ratchet protocol has been proposed, issues with post-quantum X3DH protocols persist. Some post-quantum X3DH protocols are claimed to be anonymous and deniable. However, their anonymity only protects the communication content, not the identity key, which remains distinguishable. Additionally, their identity certificates must be delivered through a trusted channel during authentication; if these certificates are treated as evidence, their deniability is broken. To address these problems, we propose a solution that leverages ephemeral keys to hide the identity keys and thereby enhance anonymity. The identity is authenticated automatically, without the trusted channel, so that no evidence remains that would undermine deniability.
Acknowledgement
This work is partially supported by JSPS KAKENHI Grant Number JP21H03443 and JP21K11751, and SECOM Science and Technology Foundation.
A The Full Proof for the HSM Security and PFS of B-X3DH
This section gives the full proof of the HSM security and PFS of B-X3DH.
Theorem 5
Let \(F\) be a secure PRF and \(Sign\) be a secure signature scheme. Assume that there are at most \(\mu\) parties and that each party has at most \(\gamma\) sessions. A QPT adversary \(\mathcal{A}\) can break the HSM and PFS security of \(\prod_{B\text{-}X3DH}\) with the following negligible advantage:
Proof
Let \(\mathcal{A}\) play \(Game_{HSM}^\mathcal{A}\) with challenger \(\mathcal{C}\). We now prove that the advantage \(Adv_{\prod_{B\text{-}X3DH}}^{HSM}(\mathcal{A})\) is negligible. Let \(W_i\) be the event that \(b=b'\) in game \(G_i\). Assume that in each game \(\mathcal{A}\) always issues a Test query.
Game \(G_0\). Let game \(G_0\) be the original game \(Game_{HSM}^\mathcal{A}\). Then we have:
Game \(G_1\). Let game \(G_1\) be like \(G_0\) except that we account for the event \(\mathcal{E}_{fail}\), which occurs when there exist two partner oracles that do not agree on the same key or do not authenticate each other. The aim of \(G_1\) is to exclude these passive failure situations that may arise while \(\mathcal{A}\) actively queries the oracles. \(\mathcal{A}\) can distinguish these two games if and only if \(\mathcal{E}_{fail}\) occurs. By Theorem 1, we have:
Game \(G_2\). Let game \(G_2\) be like \(G_1\) except that \(\mathcal{C}\) randomly selects two oracles \(\pi_{i*}^{s*}\) and \(\pi_{j*}^{t*}\) as its guess for the session that will be queried to the Test oracle. Let \(E_{TO}\) be the event that \(\pi_{i*}^{s*}\) and \(\pi_{j*}^{t*}\) are not the tested oracle and its partner oracle. If \(E_{TO}\) occurs, \(\mathcal{C}\) aborts the game. \(\mathcal{C}\) guesses the tested oracles correctly with probability at least \(\frac{1}{\mu\gamma}\cdot\frac{1}{(\mu-1)\gamma}\). Thus,
Game \(G_3\). In this game the two guessed partner oracles are \(\pi_{i*}^{s*}\) and \(\pi_{j*}^{t*}\). \(\mathcal{C}\) modifies the response of \(\pi_{i*}^{s*}\) in the second flow. In astRLDH, instead of generating \(dh_{i*}^1, dh_{i*}^2\) from \(Ext(\textbf{g}_{i*}^1,\textbf{r}_j^1)\) and \(Ext(\textbf{g}_{i*}^2,\textbf{r}_j^2)\) respectively, it derives \(dh_{i*}^1=Ext(\textbf{g}_{j*}^1,\textbf{r}_j^1)\) and \(dh_{i*}^2=Ext(\textbf{g}_{j*}^2,\textbf{r}_j^2)\). This change is consistent with the previous game: if the two oracles did not derive the same values, they would not be partners and \(E_{TO}\) would occur. From the view of \(\mathcal{A}\), \(G_3\) and \(G_2\) are identical. Thus,
Game \(G_4^{(t,l)}\). This is a family of games in which \(\mathcal{A}\) is assumed to access the HSM to obtain \(\textbf{g}_{i*}^1\) and \(\textbf{g}_{j*}^1\) (we ignore the other values because they are already covered by the above condition). \(\mathcal{C}\) replaces \(IK_{i*}^{s*}\) or \(\textbf{b}_{i*}^{2}\) with a random value \(\textbf{z}_0\xleftarrow{\$}\mathbb{R}_q\), according to the choice of \(\mathcal{A}\). Here \((t,l)\in[3]\times[3]\), where \(t\) indexes the non-revealed key of \(P_{i*}\) and \(l\) that of \(P_{j*}\); the values 1 to 3 denote lsk, rnd and esk, in that order. Let
Because \(\mathcal{A}\) cannot reveal all of the secrets (lsk, rnd, esk) of one party, we only consider \((IK_{i*}^{s*}+\textbf{b}_{i*}^2)\). If \(t\in[2]\), \(IK_{i*}^{s*}\) is replaced with \(\textbf{z}_0\); otherwise \(\textbf{b}_{i*}^2\) is. Let the result be \(\textbf{g}'\). Then distinguishing \(G_4^{(t,l)}\) from \(G_3\) amounts to distinguishing \(\textbf{g}_{j*}^1\) from \(\textbf{g}'\), which is exactly the game of the dRLWE assumption.
Assume \(\mathcal{B}'\) distinguishes \(G_3\) from \(G_4^{(t,l)}\). Then there exists an adversary \(\mathcal{B}\) that uses the output of \(\mathcal{B}'\) to break dRLWE. \(\mathcal{B}\) receives \(\textbf{z}_0\) from the dRLWE challenger and performs the replacement described above. If \(\textbf{z}_0\) is an RLWE sample, the game played by \(\mathcal{B}'\) is identical to \(G_3\). From the output of \(\mathcal{B}'\), \(\mathcal{B}\) can decide whether \(\textbf{z}_0\) is random and thereby break dRLWE. Then,
Game \(G_5\). This game is the same as \(G_4^{(t,l)}\), except that \(\textbf{g}'\) is replaced with a random \(\textbf{z}_1\xleftarrow{\$}\mathbb{R}_q\). From the view of \(\mathcal{A}\), \(G_5\) and \(G_4^{(t,l)}\) are identical. Thus,
Game \(G_6\). This game is the same as \(G_5\), except that \(\mathcal{C}\) replaces \(dh_{i*}^1=dh_{j*}^1=Ext(\textbf{z}_1,\textbf{r}_1)\) with a random value \(\textbf{z}_2\xleftarrow{\$}\{0,1\}^n\). Because \(Ext\) is a deterministic algorithm and \(\textbf{z}_1\) is random, the output of \(Ext(\textbf{z}_1,\textbf{r}_1)\) can be regarded as a random vector. Thus, from the point of view of \(\mathcal{A}\):
Game \(G_7\). This game is the same as \(G_6\), except that \(\mathcal{C}\) samples \(k,k_1,k_2\xleftarrow{\$}\mathcal{K}\) instead of deriving \(k,k_1,k_2\leftarrow F_{dh_1,dh_2}(sid)\). Because the ciphertext is generated by the semantically secure encryption scheme \(\prod_S\), the difference between \(G_6\) and \(G_7\) reduces to distinguishing the secure PRF \(F\) from a random function, which forms \(Game_{PRF}^\mathcal{A}\). Thus, from the point of view of \(\mathcal{A}\):
Combining the above, we have:
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Chen, K., Miyaji, A., Wang, Y. (2023). Privacy-Enhanced Anonymous and Deniable Post-quantum X3DH. In: Yung, M., Chen, C., Meng, W. (eds) Science of Cyber Security. SciSec 2023. Lecture Notes in Computer Science, vol 14299. Springer, Cham. https://doi.org/10.1007/978-3-031-45933-7_10
DOI: https://doi.org/10.1007/978-3-031-45933-7_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-45932-0
Online ISBN: 978-3-031-45933-7
eBook Packages: Computer Science, Computer Science (R0)