
Privacy-Enhanced Anonymous and Deniable Post-quantum X3DH

  • Conference paper
  • Science of Cyber Security (SciSec 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14299)

Abstract

End-to-end encryption (E2EE) is widely used in instant messaging applications to protect data privacy. Forward secrecy (FS) and post-compromise security (PCS) are two essential features that aim to preserve security when session keys are compromised. Among E2EE applications, Signal is known for being the first to guarantee FS and PCS concurrently, by implementing the extended triple Diffie-Hellman (X3DH) protocol together with the double ratchet protocol. However, the original X3DH and double ratchet protocols cannot resist quantum attacks and require post-quantum implementations. While a post-quantum double ratchet protocol has been proposed, open issues with post-quantum X3DH protocols remain. Some post-quantum X3DH protocols are claimed to be anonymous and deniable. However, their anonymity only protects the communication content, not the identity key, which remains distinguishable. Additionally, their identity certificates must be delivered through a trusted channel during authentication; if these certificates are treated as evidence, their deniability is broken. To address these problems, we propose a solution that leverages ephemeral keys to hide the identity keys, enhancing anonymity. The identity is authenticated automatically, without the trusted channel, so that no evidence remains that could undermine deniability.



Acknowledgement

This work is partially supported by JSPS KAKENHI Grant Number JP21H03443 and JP21K11751, and SECOM Science and Technology Foundation.

Corresponding author: Atsuko Miyaji.

A The Full Proof for the HSM Security and PFS of B-X3DH

This section gives the full proof of the HSM security and PFS of B-X3DH.

Theorem 5

Let F be a secure PRF and Sign be a secure signature scheme. Assume that there are at most \( \mu \) parties and that each party has at most \( \gamma \) sessions. Any QPT adversary \(\mathcal {A}\) breaks the HSM and PFS security of \( \prod _{B-X3DH } \) with at most the following advantage, which is negligible:

$$ Adv_{\prod _{B-X3DH }}^{HSM}(\mathcal {A})\le \mu \gamma (\varepsilon _{sig}+6\varepsilon _{rlwe})+2\mu \varepsilon _{rlwe}+2\varepsilon _{srlwe} +\varepsilon _{PRF}+\mu (\mu -1)\gamma ^2\varepsilon _{drlwe}. $$

Proof

Let \( \mathcal {A} \) play \(Game_{HSM}^\mathcal {A}\) with challenger \( \mathcal {C} \). We now prove that the advantage \(Adv_{\prod _{B-X3DH }}^{HSM}(\mathcal {A})\) is negligible. Let \( W_i \) be the event that \(b=b'\) in game \(G_i\). Assume that in each game \( \mathcal {A} \) always issues a Test query.

Game \(G_0\). Let game \(G_0\) be the original game \(Game_{HSM}^\mathcal {A}\). Then:

$$\Pr (W_0)=Adv_{\prod _{B-X3DH }}^{HSM}(\mathcal {A}).$$

Game \( G_1 \). Let game \( G_1 \) be like \( G_0 \) except that an event \(\mathcal {E}_{fail}\) is tracked. This event occurs when two partner oracles do not agree on the same key or do not authenticate each other. The aim of \(G_1\) is to exclude such failure situations while \(\mathcal {A}\) actively queries the oracles. \( \mathcal {A} \) can distinguish these two games if and only if \(\mathcal {E}_{fail}\) occurs. Recalling Theorem 1, we have:

$$ |\Pr (W_0)-\Pr (W_1)|\le \Pr (\mathcal {E}_{fail}) \le \mu \gamma (\varepsilon _{sig}+6\varepsilon _{rlwe})+2\mu \varepsilon _{rlwe}+2\varepsilon _{srlwe}. $$

Game \( G_2 \). Let game \(G_2\) be like \(G_1\) except that \( \mathcal {C} \) randomly selects two oracles \(\pi _{i*}^{s*}\) and \(\pi _{j*}^{t*}\) as its guess for the session tested in the Test query. Let \(E_{TO}\) be the event that \(\pi _{i*}^{s*}\) and \(\pi _{j*}^{t*}\) are not the tested oracle and its partner. If \( \mathcal {C} \) finds that \(E_{TO}\) occurs, it aborts the game. \( \mathcal {C} \) guesses the tested oracles correctly with probability at least \( \frac{1}{\mu \gamma }\cdot \frac{1}{(\mu -1)\gamma }\). Thus,

$$ \Pr (W_2)\ge \frac{1}{\mu (\mu -1)\gamma ^2}\Pr (W_1). $$

Game \(G_3\). In this game, the two guessed partner oracles are \(\pi _{i*}^{s*}\) and \(\pi _{j*}^{t*}\). \( \mathcal {C} \) modifies the response of \(\pi _{i*}^{s*}\) in the second flow. In astRLDH, instead of generating \(dh_{i*}^1,dh_{i*}^2\) from \(Ext({\textbf {g}}_{i*}^1,{\textbf {r}}_j^1),Ext({\textbf {g}}_{i*}^2,{\textbf {r}}_j^2)\) respectively, it derives \(dh_{i*}^1=Ext({\textbf {g}}_{j*}^1,{\textbf {r}}_j^1)\) and \(dh_{i*}^2=Ext({\textbf {g}}_{j*}^2,{\textbf {r}}_j^2)\). This change is consistent with the guess: if the two oracles did not derive the same values they would not be partners, and \(E_{TO}\) would occur. From the view of \( \mathcal {A} \), \(G_3\) and \(G_2\) are the same. Thus,

$$\Pr (W_3)=\Pr (W_2).$$

Game \(G_4^{(t,l)}\). This is a family of games in which \( \mathcal {A} \) is assumed to be able to access the HSM to obtain \({\textbf {g}}_{i*}^1\) and \( {\textbf {g}}_{j*}^1 \) (the other values are ignored because they are already covered by the condition above). \( \mathcal {C} \) replaces \(IK_{i*}^{s*}\) or \({\textbf {b}}_{i*}^{2}\) with a random value \({\textbf {z}}_0\xleftarrow {\$}\mathbb {R}_q\), according to the choice of \( \mathcal {A} \). Here \((t,l)\in [3]\times [3]\), where t indexes the key of \(P_{i*}\) that is not revealed and l that of \(P_{j*}\); the values 1, 2, 3 stand for lsk, rnd and esk, in that order. Let

$${\textbf {g}}_{j*}^1:=(IK_{i*}^{s*}+{\textbf {b}}_{i*}^2)(lsk+rnd+esk)+2{\textbf {e}}$$

Because \( \mathcal {A} \) cannot reveal all of the secrets (lsk, rnd, esk) of one party, we only need to consider \((IK_{i*}^{s*}+{\textbf {b}}_{i*}^2)\). If \(t\in [2]\), \(IK_{i*}^{s*}\) is replaced with \({\textbf {z}}_0\); otherwise \({\textbf {b}}_{i*}^2\) is. Let the result be \({\textbf {g}}'\). Then distinguishing \(G_4^{(t,l)}\) from \(G_3\) amounts to distinguishing \({\textbf {g}}_{j*}^1\) from \({\textbf {g}}'\), which is exactly the game of the dRLWE assumption.

Suppose \(\mathcal {B}'\) distinguishes \(G_3\) from \(G_4^{(t,l)}\). Then there exists an adversary \( \mathcal {B} \) that uses the output of \( \mathcal {B}' \) to break dRLWE. \( \mathcal {B} \) receives \({\textbf {z}}_0\) from the dRLWE challenger and performs the replacement described above. If \({\textbf {z}}_0\) is of RLWE form, the game played by \( \mathcal {B}' \) is the same as \(G_3\). From the output of \( \mathcal {B}' \), \( \mathcal {B} \) can decide whether \({\textbf {z}}_0\) is random and thereby break dRLWE. Hence,

$$|\Pr (W_4)-\Pr (W_3)|\le \varepsilon _{drlwe}.$$

Game \(G_5\). It is the same as \(G_4^{(t,l)}\), except that \({\textbf {g}}'\) is replaced with a random \({\textbf {z}}_1\xleftarrow {\$}\mathbb {R}_q\). From the view of \(\mathcal {A}\), \(G_5\) and \(G_4^{(t,l)}\) are the same. Thus,

$$\Pr (W_5)=\Pr (W_4).$$

Game \(G_6\). It is the same as \(G_5\), except that \( \mathcal {C} \) replaces \(dh_{i*}^1=dh_{j*}^1=Ext({\textbf {z}}_1,{\textbf {r}}_1)\) with a random value \({\textbf {z}}_2\xleftarrow {\$}\{0,1\}^n\). Because \(Ext\) is a deterministic algorithm and \({\textbf {z}}_1\) is random, the output \(Ext({\textbf {z}}_1,{\textbf {r}}_1)\) can be regarded as a random vector. Thus, from the point of view of \( \mathcal {A} \):

$$\Pr (W_6)=\Pr (W_5).$$

Game \(G_7\). It is the same as \(G_6\), except that \( \mathcal {C} \) samples \(k,k_1,k_2\xleftarrow {\$}\mathcal {K}\) instead of deriving \(k,k_1,k_2\leftarrow F_{dh_1,dh_2}(sid)\). Because the ciphertext is produced by the semantically secure encryption scheme \(\prod _S\), distinguishing \(G_6\) from \(G_7\) amounts to distinguishing the secure PRF F from a random function, which is the game \(Game_{PRF}^\mathcal {A}\). Thus, from the point of view of \( \mathcal {A} \):

$$|\Pr (W_7)-\Pr (W_6)|\le \varepsilon _{PRF}.$$

Combining the above, we have:

$$ Adv_{\prod _{B-X3DH }}^{HSM}(\mathcal {A})\le \mu \gamma (\varepsilon _{sig}+6\varepsilon _{rlwe})+2\mu \varepsilon _{rlwe}+2\varepsilon _{srlwe} +\varepsilon _{PRF}+\mu (\mu -1)\gamma ^2\varepsilon _{drlwe}. $$


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Chen, K., Miyaji, A., Wang, Y. (2023). Privacy-Enhanced Anonymous and Deniable Post-quantum X3DH. In: Yung, M., Chen, C., Meng, W. (eds) Science of Cyber Security. SciSec 2023. Lecture Notes in Computer Science, vol 14299. Springer, Cham. https://doi.org/10.1007/978-3-031-45933-7_10

  • DOI: https://doi.org/10.1007/978-3-031-45933-7_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-45932-0

  • Online ISBN: 978-3-031-45933-7
