
Proceedings on Privacy Enhancing Technologies; 2018 (1):21–66

Nik Unger and Ian Goldberg

Improved Strongly Deniable Authenticated Key Exchanges for Secure Messaging

Abstract: A deniable authenticated key exchange (DAKE) protocol establishes a secure channel without producing cryptographic evidence of communication. A DAKE offers strong deniability if transcripts provide no evidence even if long-term key material is compromised (offline deniability) and no outsider can obtain evidence even when interactively colluding with an insider (online deniability). Unfortunately, existing strongly deniable DAKEs have not been adopted by secure messaging tools due to security and deployability weaknesses. In this work, we propose three new strongly deniable key exchange protocols—DAKEZ, ZDH, and XZDH—that are designed to be used in modern secure messaging applications while eliminating the weaknesses of previous approaches. DAKEZ offers strong deniability in synchronous network environments, while ZDH and XZDH can be used to construct asynchronous secure messaging systems with offline and partial online deniability. DAKEZ and XZDH provide forward secrecy against active adversaries, and all three protocols can provide forward secrecy against future quantum adversaries while remaining classically secure if attacks against quantum-resistant cryptosystems are found. We seek to reduce barriers to adoption by describing our protocols from a practitioner's perspective, including complete algebraic specifications, cryptographic primitive recommendations, and prototype implementations. We evaluate concrete instantiations of our DAKEs and show that they are the most efficient strongly deniable schemes; with all of our classical security guarantees, our exchanges require only 1 ms of CPU time on a typical desktop computer and at most 464 bytes of data transmission. Our constructions are nearly as efficient as key exchanges with weaker deniability, such as the ones used by the popular OTR and Signal protocols.

Keywords: Key exchange, deniability, secure messaging

DOI 10.1515/popets-2018-0003
Received 2017-05-31; revised 2017-09-15; accepted 2017-09-16.

Nik Unger: School of Computer Science, University of Waterloo, [email protected]
Ian Goldberg: School of Computer Science, University of Waterloo, [email protected]

1 Introduction

In recent decades, our society has become heavily dependent on electronic communication. The Internet has become the platform upon which our most critical discourse is conducted. Protecting the security and privacy of this communication has never been more important. At the same time, revelations of widespread surveillance of the Internet and interference in security technologies have led to increased public interest in the security and privacy of communications. Most Americans want to maintain control over their information online, while few have confidence that they can do so [74].

In response to these developments, we have seen an explosion of new secure messaging protocols, components, and applications in recent years [94]. While this proliferation has led to many options, each providing a selection of security and privacy protections, industry adoption by WhatsApp [80], Google Allo [81], and Facebook Messenger [82] has led to a de facto standardization on the Signal protocol [79] as a means to secure communications. One of the most important privacy properties of secure messaging protocols, as first identified in the Off-The-Record Messaging (OTR) protocol [19] and later reinforced by Signal, is deniability (sometimes also called repudiation). A deniable secure messaging protocol allows users to plausibly deny exchanging messages using the protocol in the sense that the protocol produces no convincing cryptographic evidence of an exchange. This property gained renewed interest recently after DKIM signatures were used to confirm the authenticity of emails leaked from the Clinton presidential campaign in the United States [72].

Unfortunately, popular secure messaging protocols like OTR and Signal do not provide strong deniability. A protocol is strongly deniable if transcripts provide no evidence even if long-term key material is compromised (offline deniability) and no outsider can obtain evidence even if an insider interactively colludes with them (online deniability). The limited deniability of current secure messaging tools creates severe privacy weaknesses. A protocol lacking unrestricted offline deniability permits production of irrefutable transcripts that could be generated only by one of a few potential entities. A protocol without online deniability allows a participant to generate irrefutable cryptographic proof of a conversation with the aid of an interactive third party [42].

For illustrative purposes, Appendix A describes how a malicious Signal or OTR participant can use a third-party service to reserve the capability, on a per-session basis, to produce non-repudiable conversation transcripts. Appendix A also describes another attack in which an authority coerces an honest OTR or Signal user into participating in a malicious protocol that produces proof of message authorship in real time without compromising the user's long-term secret key. In general, this attack works by forcing the user to interactively authenticate ephemeral decryption keys privately generated by the authority.

The primary component that provides deniability in secure messaging protocols is a deniable authenticated key exchange (DAKE) [37]. In this work, we present three new DAKEs—DAKEZ, ZDH, and XZDH—that are designed to patch this weakness in modern secure messaging environments while overcoming barriers to adoption. Our schemes can act as drop-in replacements for the DAKEs in protocols like OTR and Signal in order to efficiently provide strong deniability without sacrificing any existing security properties. Our definitions also explicitly include the option to add quantum resistance. Our other contributions in this work include:

1. concrete instantiations of our protocols and their constituent primitives to simplify development, including explicitly defined zero-knowledge proofs;
2. definition and construction of dual-receiver encryption with associated data, a natural extension of dual-receiver encryption, and its security properties;
3. a concrete performance comparison between efficient implementations of our DAKEs and existing key exchanges used by secure messaging applications; and
4. a discussion of the relationship between online deniability and key compromise impersonation attacks—a rarely mentioned and important topic—and techniques for messaging tools to mitigate these attacks.

The remainder of this paper is structured as follows: Section 2 surveys related work on deniability and key exchanges; Section 3 defines the security properties and features of our DAKEs, and outlines our approach for achieving these properties; Section 4 establishes notation and introduces constructions for cryptographic primitives; Section 5 defines DAKEZ; Section 6 defines ZDH; Section 7 defines XZDH; Section 8 covers practi- […] key exchanges; Section 11 discusses key compromise impersonation attacks in the context of strongly deniable key exchanges; and Section 12 concludes.

2 Related Work

An authenticated key exchange (AKE) is a protocol that allows two parties—an initiator and a responder—to securely derive a shared secret and authenticate each other. Bellare and Rogaway first formalized the definition of AKEs in 1993 [10]. Shortly afterward, several AKEs claimed to offer deniability informally [20, 66, 67]. Each of these DAKEs lacks some aspect of strong deniability. In a mostly independent line of research, deniability was widely studied in the context of authentication [43, 44, 62, 101].

With the release of the Off-the-Record Messaging protocol in 2004, deniability was recognized as a desirable feature for secure messaging [19]. Since then, a variety of DAKEs have been published [37, 42, 61, 75, 87, 93, 97, 99]. Walfish [95] was the first to introduce a DAKE, Φdre, that simultaneously provides strong deniability, (weak) forward secrecy [14], security against active attackers, and operation without trusted authorities. This work was later reiterated in a publication by Dodis et al. [42]. In 2015, we introduced two DAKEs designed for secure messaging—RSDAKE and Spawn—with comparable security proofs [93]. Notably, Spawn was the first DAKE with (partial) online deniability that can be used in non-interactive applications.

The most popular secure messaging protocols in practice, OTR [3] and Signal [79], use DAKEs with weaker deniability. OTR's variant of the SIGMA DAKE offers no online deniability, and requires fragments of legitimate exchanges to forge transcripts offline. Signal originally used 3DH [78], an implicit DAKE with unrestricted offline deniability (i.e., anyone can forge transcripts using only public keys), but lacking online deniability. Signal recently switched to a DAKE known as "Extended Triple Diffie-Hellman" (X3DH) [75] that improves forward secrecy but regresses to the deniability properties of OTR's DAKE. Consequently, real-world deployments of "deniable" secure messaging protocols still lack strong deniability.

While RSDAKE and Spawn represent the state of the art in terms of deniability for secure messaging protocols, they lack some key properties that prevent their adoption
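The unrestricted offline deniability of 3DH mentioned above follows directly from how its session key is derived. The following is an added example, not code from the paper or from Signal: a pure-Python 3DH over X25519, with the RFC 7748 Montgomery ladder reimplemented inline (variable-time, for illustration only) so that the block runs with the standard library alone. The KDF label, the HMAC-based "seal" standing in for the message encryption, the transcript layout, and the message texts are all constructed for this example. A forger who holds only the two public identity keys chooses both ephemeral key pairs and can therefore compute every one of the three DH terms, so the forged transcript verifies exactly like a real one.

```python
import hashlib
import hmac
import secrets

# ---- X25519 (RFC 7748 Montgomery ladder), pure Python, NOT constant-time ----
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Return the u-coordinate of k*U on Curve25519 (scalar k, point u)."""
    kb = bytearray(k)
    kb[0] &= 248                     # clamp the scalar as RFC 7748 requires
    kb[31] &= 127
    kb[31] |= 64
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:                     # conditional swap (branching; illustration only)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keygen():
    """Fresh X25519 key pair: (secret scalar, public u-coordinate)."""
    sk = secrets.token_bytes(32)
    return sk, x25519(sk, BASEPOINT)


def kdf(dh1: bytes, dh2: bytes, dh3: bytes) -> bytes:
    # Constructed KDF for the example: HMAC-SHA256 over DH(IK_A,EK_B)||DH(EK_A,IK_B)||DH(EK_A,EK_B).
    return hmac.new(b"3DH-example-kdf", dh1 + dh2 + dh3, hashlib.sha256).digest()


def session_key_initiator(ik_a, ek_a, IK_B, EK_B):
    return kdf(x25519(ik_a, EK_B), x25519(ek_a, IK_B), x25519(ek_a, EK_B))


def session_key_responder(ik_b, ek_b, IK_A, EK_A):
    return kdf(x25519(ek_b, IK_A), x25519(ik_b, EK_A), x25519(ek_b, EK_A))


def seal(key: bytes, msg: bytes):
    """Stand-in for the channel's message protection: a MAC under the session key."""
    return msg, hmac.new(key, msg, hashlib.sha256).digest()


def transcript_checks_out(transcript, key: bytes) -> bool:
    """Everything a 'judge' can verify given a transcript and the session key."""
    IK_A, EK_A, IK_B, EK_B, msg, tag = transcript
    return hmac.compare_digest(tag, hmac.new(key, msg, hashlib.sha256).digest())


def honest_session(ik_a, IK_A, ik_b, IK_B, msg: bytes):
    """A genuine 3DH run between Alice (initiator) and Bob (responder)."""
    ek_a, EK_A = keygen()
    ek_b, EK_B = keygen()
    k_a = session_key_initiator(ik_a, ek_a, IK_B, EK_B)
    k_b = session_key_responder(ik_b, ek_b, IK_A, EK_A)
    assert k_a == k_b                # both sides agree on the key
    msg, tag = seal(k_a, msg)
    return (IK_A, EK_A, IK_B, EK_B, msg, tag), k_a


def forge_session(IK_A, IK_B, msg: bytes):
    """Forger knows only the two public identity keys and picks BOTH ephemerals."""
    ek_a, EK_A = keygen()
    ek_b, EK_B = keygen()
    # Every DH term involves at least one ephemeral the forger controls.
    key = kdf(x25519(ek_b, IK_A), x25519(ek_a, IK_B), x25519(ek_a, EK_B))
    msg, tag = seal(key, msg)
    return (IK_A, EK_A, IK_B, EK_B, msg, tag), key


if __name__ == "__main__":
    ik_a, IK_A = keygen()
    ik_b, IK_B = keygen()
    real, k = honest_session(ik_a, IK_A, ik_b, IK_B, b"constructed: a real message")
    forged, fk = forge_session(IK_A, IK_B, b"constructed: Alice never sent this")
    print("real transcript verifies:  ", transcript_checks_out(real, k))
    print("forged transcript verifies:", transcript_checks_out(forged, fk))
```

The check a judge can run (here the MAC under the session key) passes for both transcripts, which is what unrestricted offline deniability means: nothing in a 3DH transcript depends on a long-term secret, so no compromise of identity keys is needed to forge one. X3DH breaks this symmetry by adding a prekey signed under the responder's long-term key; a forger cannot produce that signature, so forging an X3DH transcript requires reusing a signed prekey from a genuine exchange, which is the regression to OTR-style deniability the paper describes.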