A deniable authenticated key exchange (DAKE) protocol establishes a secure channel without producing cryptographic evidence of communication. A DAKE offers strong deniability if transcripts provide no evidence even if long-term key material is compromised (offline deniability) and no outsider can obtain evidence even when interactively colluding with an insider (online deniability). Unfortunately, existing strongly deniable DAKEs have not been adopted by secure messaging tools due to security and deployability weaknesses.
In this work, we propose three new strongly deniable key exchange protocols—DAKEZ, ZDH, and XZDH—that are designed to be used in modern secure messaging applications while eliminating the weaknesses of previous approaches. DAKEZ offers strong deniability in synchronous network environments, while ZDH and XZDH can be used to construct asynchronous secure messaging systems with offline and partial online deniability. DAKEZ and XZDH provide forward secrecy against active adversaries, and all three protocols can provide forward secrecy against future quantum adversaries while remaining classically secure if attacks against quantum-resistant cryptosystems are found.
We seek to reduce barriers to adoption by describing our protocols from a practitioner’s perspective, including complete algebraic specifications, cryptographic primitive recommendations, and prototype implementations. We evaluate concrete instantiations of our DAKEs and show that they are the most efficient strongly deniable schemes; with all of our classical security guarantees, our exchanges require only 1 ms of CPU time on a typical desktop computer and at most 464 bytes of data transmission. Our constructions are nearly as efficient as key exchanges with weaker deniability, such as the ones used by the popular OTR and Signal protocols.
 Masayuki Abe, Miyako Ohkubo, and Koutarou Suzuki. 1-out-of-n Signatures from a Variety of Keys. In International Conference on the Theory and Application of Cryptology and Information Security, pages 415–432. Springer, 2002.
 Ben Adida, Susan Hohenberger, and Ronald L Rivest. Ad-Hoc-Group Signatures from Hijacked Keypairs. In in DIMACS Workshop on Theft in E-Commerce, 2005.
 Chris Alexander and Ian Goldberg. Improved User Authentication in Off-The-Record Messaging. In Workshop on Privacy in the Electronic Society, pages 41–47. ACM, 2007.
 Erdem Alkim, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe. Post-quantum Key Exchange—A New Hope. In 25th USENIX Security Symposium (USENIX Security 16), pages 327–343. USENIX Association, 2016.
 Ittai Anati, Shay Gueron, Simon Johnson, and Vincent Scarlata. Innovative Technology for CPU Based Attestation and Sealing. In 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, volume 13, 2013.
 Adrian Antipa, Daniel Brown, Alfred Menezes, René Struik, and Scott Vanstone. Validation of Elliptic Curve Public Keys. In Public Key Cryptography—PKC 2003, pages 211–223. Springer, 2003.
 Erinn Atwater and Urs Hengartner. Shatter: Using Threshold Cryptography to Protect Single Users with Multiple Devices. In Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks, pages 91–102. ACM, 2016.
 Mihir Bellare and Phillip Rogaway. Entity Authentication and Key Distribution. In Advances in Cryptology–CRYPTO’93, pages 232–249. Springer, 1993.
 Mihir Bellare and Phillip Rogaway. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In Proceedings of the 1st ACM conference on Computer and communications security, pages 62–73. ACM, 1993.
 Mihir Bellare, Anand Desai, David Pointcheval, and Phillip Rogaway. Relations Among Notions of Security for Public-Key Encryption Schemes. In Annual International Cryptology Conference, pages 26–45. Springer, 1998.
 Mihir Bellare, Joe Kilian, and Phillip Rogaway. The Security of the Cipher Block Chaining Message Authentication Code. Journal of Computer and System Sciences, 61(3): 362–399, 2000.
 Mihir Bellare, David Pointcheval, and Phillip Rogaway. Authenticated Key Exchange Secure Against Dictionary Attacks. In Advances in Cryptology–EUROCRYPT, pages 139–155. Springer, 2000.
 Adam Bender, Jonathan Katz, and Ruggero Morselli. Ring Signatures: Stronger Definitions, and Constructions without Random Oracles. In Theory of Cryptography, pages 60–79. Springer, 2006.
 Daniel J Bernstein. Curve25519: new Diffie-Hellman speed records. In Public Key Cryptography—PKC 2006, pages 207–228. Springer, 2006.
 Daniel J Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. High-speed high-security signatures. Journal of Cryptographic Engineering, 2(2): 77–89, 2012.
 Dan Boneh, Craig Gentry, Ben Lynn, and Hovav Shacham. Aggregate and Verifiably Encrypted Signatures from Bilinear Maps. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 416–432. Springer, 2003.
 Nikita Borisov, Ian Goldberg, and Eric Brewer. Off-the-Record Communication, or, Why Not To Use PGP. In Workshop on Privacy in the Electronic Society, pages 77–84. ACM, 2004.
 Colin Boyd, Wenbo Mao, and Kenneth G Paterson. Key Agreement using Statically Keyed Authenticators. In Applied Cryptography and Network Security, pages 248–262. Springer, 2004.
 Emmanuel Bresson, Jacques Stern, and Michael Szydlo. Threshold Ring Signatures and Applications to Ad-hoc Groups. In Annual International Cryptology Conference, pages 465–480. Springer, 2002.
 Jan Camenisch and Markus Stadler. Efficient Group Signature Schemes for Large Groups. In Annual International Cryptology Conference, pages 410–424. Springer, 1997.
 Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. In Foundations of Computer Science, 2001. Proceedings. 42nd IEEE Symposium on, pages 136–145. IEEE, 2001.
 Ran Canetti and Hugo Krawczyk. Security Analysis of IKE’s Signature-based Key-Exchange Protocol. In Advances in Cryptology–CRYPTO’02, pages 143–161. Springer, 2002.
 Ran Canetti and Hugo Krawczyk. Universally Composable Notions of Key Exchange and Secure Channels. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 337–351. Springer, 2002.
 Ran Canetti, Yevgeniy Dodis, Rafael Pass, and Shabsi Walfish. Universally Composable Security with Global Setup. In Theory of Cryptography Conference, pages 61–85. Springer, 2007.
 Sanjit Chatterjee, Neal Koblitz, Alfred Menezes, and Palash Sarkar. Another Look at Tightness II: Practical Issues in Cryptography. IACR Cryptology ePrint Archive, 2016:360, 2016.
 Sherman SM Chow, Siu-Ming Yiu, and Lucas CK Hui. Efficient Identity Based Ring Signature. In International Conference on Applied Cryptography and Network Security, pages 499–512. Springer, 2005.
 Sherman SM Chow, Matthew Franklin, and Haibin Zhang. Practical Dual-Receiver Encryption. In Cryptographers’ Track at the RSA Conference, pages 85–105. Springer, 2014.
 Michele Ciampi, Giuseppe Persiano, Alessandra Scafuro, Luisa Siniscalchi, and Ivan Visconti. Improved OR Composition of Sigma-Protocols. In Theory of Cryptography Conference, pages 112–141. Springer, 2016.
 Michele Ciampi, Giuseppe Persiano, Alessandra Scafuro, Luisa Siniscalchi, and Ivan Visconti. Online/Offline OR Composition of Sigma Protocols. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 63–92. Springer, 2016.
 Craig Costello, Patrick Longa, and Michael Naehrig. Efficient algorithms for supersingular isogeny Diffie-Hellman. In Advances in Cryptology. Springer, 2016.
 Ronald Cramer and Victor Shoup. Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack. SIAM Journal on Computing, 33(1):167–226, 2003.
 Ronald Cramer, Ivan Damgård, and Berry Schoenmakers. Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols. In Annual International Cryptology Conference, pages 174–187. Springer, 1994.
 Mario Di Raimondo, Rosario Gennaro, and Hugo Krawczyk. Secure Off-the-Record Messaging. In Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, pages 81–89. ACM, 2005.
 Mario Di Raimondo, Rosario Gennaro, and Hugo Krawczyk. Deniable Authentication and Key Exchange. In Conference on Computer and Communications Security, pages 400–409. ACM, 2006.
 Theodore Diament, Homin K Lee, Angelos D Keromytis, and Moti Yung. The Dual Receiver Cryptosystem and Its Applications. In Proceedings of the 11th ACM Conference on Computer and Communications Security, pages 330–343. ACM, 2004.
 Whitfield Diffie and Martin Hellman. New Directions in Cryptography. IEEE transactions on Information Theory, 22(6):644–654, 1976.
 Yevgeniy Dodis, Aggelos Kiayias, Antonio Nicolosi, and Victor Shoup. Anonymous Identification in Ad Hoc Groups. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 609–626. Springer, 2004.
 Yevgeniy Dodis, Jonathan Katz, Adam Smith, and Shabsi Walfish. Composability and On-Line Deniability of Authentication. In Theory of Cryptography, pages 146–162. Springer, 2009.
 Danny Dolev, Cynthia Dwork, and Moni Naor. Non-Malleable Cryptography. In SIAM Journal on Computing, pages 542–552, 1998.
 Cynthia Dwork, Moni Naor, and Amit Sahai. Concurrent Zero-Knowledge. In Symposium on Theory of Computing, pages 409–418. ACM, 1998.
 Taher ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory, 31(4):469–472, 1985.
 Sebastian Faust, Markulf Kohlweiss, Giorgia Azzurra Marson, and Daniele Venturi. On the Non-malleability of the Fiat-Shamir Transform. In International Conference on Cryptology in India, pages 60–79. Springer, 2012.
 Amos Fiat and Moni Naor. Broadcast Encryption. In Annual International Cryptology Conference, pages 480–491. Springer, 1993.
 Amos Fiat and Adi Shamir. How To Prove Yourself: Practical Solutions to Identification and Signature Problems. In Advances in Cryptology–CRYPTO’86, pages 186–194. Springer, 1987.
 M. Fischlin, F. Günther, B. Schmidt, and B. Warinschi. Key Confirmation in Key Exchange: A Formal Treatment and Implications for TLS 1.3. In 2016 IEEE Symposium on Security and Privacy (SP), pages 452–469, 2016.
 Marc Fischlin and Sogol Mazaheri. Notions of Deniable Message Authentication. In Proceedings of the 14th ACM Workshop on Privacy in the Electronic Society, WPES ’15, pages 55–64. ACM, 2015. ISBN 978-1-4503-3820-2. 10.1145/2808138.2808143.
 Marc Fischlin and Cristina Onete. Relaxed Security Notions for Signatures of Knowledge. In International Conference on Applied Cryptography and Network Security, pages 309–326. Springer, 2011.
 Steven D Galbraith, Christophe Petit, Barak Shani, and Yan Bo Ti. On the security of supersingular isogeny cryptosystems. In Advances in Cryptology–ASIACRYPT, pages 63–91. Springer, 2016.
 Juan A Garay, Philip MacKenzie, and Ke Yang. Strengthening Zero-Knowledge Protocols Using Signatures. In Eurocrypt, volume 2656, pages 177–194. Springer, 2003.
 Rosario Gennaro, Stanisław Jarecki, Hugo Krawczyk, and Tal Rabin. Secure Distributed Key Generation for Discrete-Log Based Cryptosystems. In Advances in Cryptology–EUROCRYPT, pages 295–310. Springer, 1999.
 Shafi Goldwasser, Silvio Micali, and Ronald L Rivest. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM Journal on Computing, 17(2): 281–308, 1988.
 Mark Gollom. Alain Philippon phone password case: Powers of border agents and police differ, 2015. URL http://www.cbc.ca/news/1.2983841. Accessed 2017-08-11.
 Viet Tung Hoang, Jonathan Katz, and Alex J Malozemoff. Automated Analysis and Synthesis of Authenticated Encryption Schemes. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 84–95. ACM, 2015.
 Dennis Hofheinz, Jörn Müller-Quade, and Rainer Steinwandt. Initiator-Resilient Universally Composable Key Exchange. In European Symposium on Research in Computer Security, pages 61–84. Springer, 2003.
 David Jao and Luca De Feo. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In International Workshop on Post-Quantum Cryptography, pages 19–34. Springer, 2011.
 Shaoquan Jiang and Reihaneh Safavi-Naini. An Efficient Fully Deniable Key Exchange Protocol. In Financial Cryptography and Data Security. Springer, 2008.
 Jonathan Katz. Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications. In Advances in Cryptology–EUROCRYPT, pages 211–228. Springer, 2003.
 John Kelsey, Shu-jen Chang, and Ray Perlner. SHA-3 Derived Functions. NIST Special Publication, 800:185, 2016.
 Taechan Kim and Razvan Barbulescu. Extended Tower Number Field Sieve: A New Complexity for the Medium Prime Case. In Advances in Cryptology–CRYPTO’16, pages 543–571. Springer, 2016.
 Neal Koblitz and Alfred J Menezes. The random oracle model: a twenty-year retrospective. Designs, Codes and Cryptography, 77(2-3):587–610, 2015.
 Hugo Krawczyk. SKEME: A Versatile Secure Key Exchange Mechanism for Internet. In Network and Distributed System Security Symposium, pages 114–127. IEEE, 1996.
 Hugo Krawczyk. SIGMA: The ‘SIGn-and-MAc’ approach to authenticated Diffie-Hellman and its use in the IKE protocols. In Annual International Cryptology Conference, pages 400–425. Springer, 2003.
 Chae Hoon Lim and Pil Joong Lee. A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup. In Advances in Cryptology—CRYPTO ’97, pages 249–263. Springer-Verlag, 1997.
 Yehuda Lindell. General Composition and Universal Composability in Secure Multi-Party Computation. In Foundations of Computer Science, 2003. Proceedings. 44th Annual IEEE Symposium on, pages 394–403. IEEE, 2003.
 Joseph K Liu, Victor K Wei, and Duncan S Wong. Linkable Spontaneous Anonymous Group Signature for Ad Hoc Groups. In Australasian Conference on Information Security and Privacy, pages 325–335. Springer, 2004.
 Ronald L Rivest, Adi Shamir, and Yael Tauman. How to Leak a Secret. In International Conference on the Theory and Application of Cryptology and Information Security, pages 552–565. Springer, 2001.
 Phillip Rogaway. Authenticated-Encryption with Associated-Data. In Proceedings of the 9th ACM conference on Computer and communications security, pages 98–107. ACM, 2002.
 Sven Schäge. TOPAS: 2-Pass Key Exchange with Full Perfect Forward Secrecy and Optimal Communication Complexity. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 1224–1235. ACM, 2015.
 John M Schanck, William Whyte, and Zhenfei Zhang. Circuit-extension handshakes for Tor achieving forward secrecy in a quantum world. Proceedings on Privacy Enhancing Technologies, 2016(4):219–236, 2016.
 Claus-Peter Schnorr. Efficient Signature Generation by Smart Cards. Journal of Cryptology, 4(3):161–174, 1991.
 Hovav Shacham and Brent Waters. Efficient Ring Signatures without Random Oracles. In Public Key Cryptography, pages 166–180. Springer, 2007.
 Gene Tsudik. Message Authentication with One-Way Hash Functions. ACM SIGCOMM Computer Communication Review, 22(5):29–38, 1992.
 Nik Unger. Deniable Key Exchanges for Secure Messaging. PhD thesis, University of Waterloo, 2015.
 Nik Unger and Ian Goldberg. Deniable Key Exchanges for Secure Messaging. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 1211–1223. ACM, 2015.
 Nik Unger, Sergej Dechand, Joseph Bonneau, Sascha Fahl, Henning Perl, Ian Goldberg, and Matthew Smith. SoK: Secure Messaging. In 2015 IEEE Symposium on Security and Privacy, pages 232–249, 2015.
 Shabsi Walfish. Enhanced Security Models for Network Protocols. PhD thesis, New York University, 2008.
 Shangping Wang, Rui Ma, Yaling Zhang, and Xiaofeng Wang. Ring signature scheme based on multivariate public key cryptosystems. Computers & Mathematics with Applications, 62(10):3973–3979, 2011.
 Weiqiang Wen, Libin Wang, and Min Xie. One-Round Deniable Key Exchange with Perfect Forward Security. Technical Report 2014/904, Cryptology ePrint Archive, 2014. URL https://eprint.iacr.org/2014/661.
 Hu Xiong, Zhiguang Qin, and Fagen Li. A Taxonomy of Ring Signature Schemes: Theory and Applications. IETE Journal of Research, 59(4):376–382, 2013.
 Andrew Chi-Chih Yao and Yunlei Zhao. OAKE: A New Family of Implicitly Authenticated Diffie-Hellman Protocols. In Conference on Computer and Communications Security, pages 1113–1128. ACM, 2013.
 Kazuki Yoneyama and Kazuo Ohta. Ring Signatures: Universally Composable Definitions and Constructions. Information and Media Technologies, 2(4):1038–1051, 2007.
 Taek-Young Youn, Changhoon Lee, and Young-Ho Park. An efficient non-interactive deniable authentication scheme based on trapdoor commitment schemes. Computer Communications, 34(3):353–357, 2011.
 Fangguo Zhang and Kwangjo Kim. ID-Based Blind Signature and Ring Signature from Pairings. In International Conference on the Theory and Application of Cryptology and Information Security, pages 533–547. Springer, 2002.