Abstract
Secure-channel establishment allows two endpoints to communicate confidentially and authentically. Since they hide all data sent across them, good or bad, secure channels are often subject to mass surveillance in the name of (inter)national security. Some protocols are constructed to allow easy data interception. Others are designed to preserve data privacy, and are then either subverted or prohibited unless they include trapdoors.
We introduce \(\mathsf {LIKE}\), a primitive that provides secure-channel establishment with an exceptional, session-specific opening mechanism. Designed for mobile communications, where an operator forwards messages between the endpoints, it can also be used in other settings. \(\mathsf {LIKE}\) allows Alice and Bob to establish a secure channel with respect to n authorities. If the authorities all agree on the need for interception, they can ensure that the session key is retrieved. As long as at least one honest authority prohibits interception, the key remains secure; moreover, \(\mathsf {LIKE}\) is versatile with respect to who learns the key. Furthermore, we guarantee non-frameability: nobody can falsely incriminate a user as having taken part in a conversation; and honest operator: if the operator accepts a transcript as valid, then the key retrieved by the authorities is the key that Alice and Bob should compute. Experimental results show that our protocol can be efficiently implemented.
Acknowledgement
Ghada Arfaoui, Olivier Blazy, Pierre-Alain Fouque, and Cristina Onete are grateful for the support of the ANR, through project ANR MobiS5 (ANR-18-CE39-0019).
Appendices
A Model Complements
Definition 10
(Correctness). Let \(\lambda\) be a security parameter and n an integer. Run \(\mathsf{pp} \leftarrow \mathsf{Setup}(1^\lambda)\), \((\mathsf{A}.\mathsf{PK}, \mathsf{A}.\mathsf{SK}) \leftarrow \mathsf{UKeyGen}(\mathsf{pp})\), \((\mathsf{B}.\mathsf{PK}, \mathsf{B}.\mathsf{SK}) \leftarrow \mathsf{UKeyGen}(\mathsf{pp})\), \((\mathsf{O}_\mathsf{A}.\mathsf{PK}, \mathsf{O}_\mathsf{A}.\mathsf{SK}) \leftarrow \mathsf{OKeyGen}(\mathsf{pp})\), \((\mathsf{O}_\mathsf{B}.\mathsf{PK}, \mathsf{O}_\mathsf{B}.\mathsf{SK}) \leftarrow \mathsf{OKeyGen}(\mathsf{pp})\) and, for all \(i \in \llbracket 1,n \rrbracket\), \((\varLambda_{i}.\mathsf{PK}, \varLambda_{i}.\mathsf{SK}) \leftarrow \mathsf{AKeyGen}(\mathsf{pp})\). Let \(\mathsf{APK} \leftarrow (\varLambda_{i}.\mathsf{PK})_{i=1}^n\). Then:
- \(\mathsf{PK}_{\mathsf{A} \rightarrow \mathsf{B}} \leftarrow (\mathsf{pp}, \mathsf{A}.\mathsf{PK}, \mathsf{B}.\mathsf{PK}, \mathsf{APK})\);
- \((\mathsf{k}_\mathsf{A}, \mathsf{sst}_\mathsf{A}, \mathsf{sst}_\mathsf{B}, \mathsf{k}_\mathsf{B}) \leftarrow \mathsf{AKE}\langle \mathsf{A}(\mathsf{A}.\mathsf{SK}),\ \mathsf{O}_\mathsf{A}(\mathsf{O}_\mathsf{A}.\mathsf{SK}),\ \mathsf{O}_\mathsf{B}(\mathsf{O}_\mathsf{B}.\mathsf{SK}),\ \mathsf{B}(\mathsf{B}.\mathsf{SK})\rangle(\mathsf{PK}_{\mathsf{A} \rightarrow \mathsf{B}})\);
- \(\mathsf{b}_\mathsf{A} \leftarrow \mathsf{Verify}(\mathsf{pp}, \mathsf{sst}_\mathsf{A}, \mathsf{A}.\mathsf{PK}, \mathsf{B}.\mathsf{PK}, \mathsf{O}_\mathsf{A}.\mathsf{PK}, \mathsf{APK})\);
- for all \(i \in \llbracket 1,n \rrbracket\), \(\varLambda_{i}.t_\mathsf{A} \leftarrow \mathsf{TDGen}(\mathsf{pp}, \varLambda_{i}.\mathsf{SK}, \mathsf{sst}_\mathsf{A})\);
- \(\mathsf{k}^*_\mathsf{A} \leftarrow \mathsf{Open}(\mathsf{pp}, \mathsf{sst}_\mathsf{A}, \mathsf{APK}, (\varLambda_{i}.t_\mathsf{A})_{i=1}^{n})\);
- \(\mathsf{b}_\mathsf{B} \leftarrow \mathsf{Verify}(\mathsf{pp}, \mathsf{sst}_\mathsf{B}, \mathsf{A}.\mathsf{PK}, \mathsf{B}.\mathsf{PK}, \mathsf{O}_\mathsf{B}.\mathsf{PK}, \mathsf{APK})\);
- for all \(i \in \llbracket 1,n \rrbracket\), \(\varLambda_{i}.t_\mathsf{B} \leftarrow \mathsf{TDGen}(\mathsf{pp}, \varLambda_{i}.\mathsf{SK}, \mathsf{sst}_\mathsf{B})\);
- \(\mathsf{k}^*_\mathsf{B} \leftarrow \mathsf{Open}(\mathsf{pp}, \mathsf{sst}_\mathsf{B}, \mathsf{APK}, (\varLambda_{i}.t_\mathsf{B})_{i=1}^{n})\).
For any \((\mathsf{b}_\mathsf{A}, \mathsf{b}_\mathsf{B}, \mathsf{k}_\mathsf{A}, \mathsf{k}_\mathsf{A}^*, \mathsf{k}_\mathsf{B}, \mathsf{k}_\mathsf{B}^*)\) generated as above: \(\Pr[\mathsf{b}_\mathsf{A} = \mathsf{b}_\mathsf{B} = 1 \wedge \mathsf{k}_\mathsf{A} = \mathsf{k}_\mathsf{A}^* = \mathsf{k}_\mathsf{B} = \mathsf{k}_\mathsf{B}^*] = 1\).
B Proof Sketches
Our main theorem includes three statements; we prove these in order below.
First Statement: KS. We begin by showing that the adversary wins the key-security experiment with only negligible probability by querying the oracle \(\mathsf{Test}\) on an instance that matches no other instance. Indeed, if the tested instance did not abort, the adversary must have produced the signatures that instance expects without the help of a matching session, i.e. it must have broken the EUF-CMA security of the signature scheme.
Thus, the targeted instance must have a matching one. By key-freshness, \(\mathcal{A}\) must test a key generated by two honest users, such that the trapdoor of at least one honest authority has never been queried to the oracle \(\mathsf{RevealTD}\). We show by reduction that \(\mathcal{A}\) can then only win by breaking the BDDH assumption. Let \((W_*, X_*, Y_*, W'_*, X'_*, Y'_*, Z_*)\) be a BDDH instance. We embed \(W_*\) as the public key \(\varLambda.\mathsf{pk}\) of the honest authority \(\varLambda\), and set \(X_1 = X_*\), \(X_2 = X'_*\) and \(Y = Y'_*\) in the session that matches the tested instance. The key is then built as \(\mathsf{k} \leftarrow Z_* \prod_{i=1;\, \varLambda_i \neq \varLambda}^{n} e(X_*, Y'_*)^{\varLambda_i.\mathsf{SK}}\). To obtain the secret keys of the authorities controlled by the adversary, we run the extractor on the proofs of knowledge of the discrete logarithms of their public keys \(\varLambda_i.\mathsf{PK}\). If \(Z_*\) is a random value, \(\mathsf{k}\) is random from the adversary's point of view; otherwise \(Z_* = e(X_*, Y'_*)^{\varLambda.\mathsf{SK}}\) and \(\mathsf{k}\) is the real session key. Finally, we simulate the oracle \(\mathsf{RevealTD}\) on sessions whose values X and Y were chosen by the adversary by running the extractor on the signatures of knowledge of their discrete logarithms.
Second Statement: NF. To win the non-frameability experiment, the adversary has to build a valid session state \(\mathsf {sst} \) for a given user, containing a valid signature of this user. We prove this theorem by reduction: assuming that an adversary is able to break the non-frameability, since this adversary generates a valid signature for a user, we can use it to break the EUF-CMA security.
Third Statement: HO. The first step of the HO proof is to design a key extractor, which takes as input a session state \(\mathsf{sst}\), brute-forces the discrete logarithm y of Bob's Y, and then computes the key as Bob would: \(\mathsf{k} = e\left(\prod_{i=1}^n \varLambda_{i}.\mathsf{pk}, X_2\right)^y\). Our goal is to prove that this is the key the authorities would retrieve.
We first show (by reduction) that the adversary can only build by itself a valid \(\mathsf {sst} \) (that may match a fake authority set) with negligible probability. Namely, if an adversary can output valid signatures for an honest operator, then we can use it to break the EUF-CMA of the signature scheme.
Moreover, for any authority \(\varLambda\) and any values \(X_1\) and Y, the proof of knowledge of a trapdoor ensures that \(g_1^{\varLambda.\mathsf{SK}} = \varLambda.\mathsf{pk}\) and \(\varLambda.t_1 = e(X_1, Y)^{\varLambda.\mathsf{SK}}\). Since \(X_1\) and \(X_2\) carry the same exponent x and \(Y = g_2^y\), both \(e(X_1, Y)^{\varLambda.\mathsf{SK}}\) and \(e(\varLambda.\mathsf{pk}, X_2)^y\) equal \(e(g_1, g_2)^{x y \varLambda.\mathsf{SK}}\), so \(\varLambda.t_1 = e(\varLambda.\mathsf{pk}, X_2)^y\) and \(\mathsf{k}_* = \prod_{i=1}^n \varLambda_{i}.t_1 = e\left(\prod_{i=1}^n \varLambda_{i}.\mathsf{pk}, X_2\right)^y\). Thus, to win the HO experiment (returning a key \(\mathsf{k} \neq \mathsf{k}_*\)), the adversary must produce a proof for a false statement, which happens with negligible probability.
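The following Python script is an added worked example, not code from the paper or the authors' implementation. It carries the chain of Definition 10 (key agreement, \(\mathsf{TDGen}\) for every authority, \(\mathsf{Open}\)) and the key and trapdoor formulas of the HO sketch through on a toy pairing, and adds the trapdoor proof of knowledge that the HO argument relies on. Everything below that is not in the paper is an assumption: a symmetric (type-1) pairing on the supersingular curve \(y^2 = x^3 + x\) over \(\mathbb{F}_p\) with \(p = 547\) and subgroup order \(r = 137\), so that \(g_1 = g_2 = G\) and \(X_1 = X_2 = X\); constructed toy secrets for the authorities, Alice and Bob; and a Chaum-Pedersen style proof with a SHA-256 Fiat-Shamir challenge as the trapdoor proof. The toy sizes only keep the arithmetic readable and offer no security.

```python
# Added example, not the paper's code: LIKE session key, TDGen, Open and the trapdoor proof of knowledge
# on a toy supersingular pairing. Assumptions: p = 547, r = 137, E: y^2 = x^3 + x over F_p (toy, NOT secure),
# a symmetric pairing (so g_1 = g_2 = G and X_1 = X_2 = X), and constructed toy secrets sk, x, y.
import hashlib
import random

p, r = 547, 137                        # p = 4r - 1 is prime and #E(F_p) = p + 1 = 4r
FINAL_EXP = (p * p - 1) // r           # reduced Tate pairing exponent, a multiple of p - 1

def fp_inv(a): return pow(a % p, p - 2, p)
# F_{p^2} = F_p[i]/(i^2 + 1); the pair (a, b) stands for a + b*i
def f2_mul(u, v):
    return ((u[0] * v[0] - u[1] * v[1]) % p, (u[0] * v[1] + u[1] * v[0]) % p)

def f2_pow(u, e):
    out, base = (1, 0), u
    while e:
        if e & 1: out = f2_mul(out, base)
        base, e = f2_mul(base, base), e >> 1
    return out

# E(F_p): y^2 = x^3 + x; affine points (x, y), None is the point at infinity
def slope(P, Q):                       # tangent slope if P == Q, chord slope otherwise
    if P == Q: return (3 * P[0] * P[0] + 1) * fp_inv(2 * P[1]) % p
    return (Q[1] - P[1]) * fp_inv(Q[0] - P[0]) % p

def ec_add(P, Q):
    if P is None or Q is None: return Q if P is None else P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0: return None   # P = -Q
    lam = slope(P, Q)
    x = (lam * lam - P[0] - Q[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)

def ec_mul(k, P):
    out = None
    while k:
        if k & 1: out = ec_add(out, P)
        P, k = ec_add(P, P), k >> 1
    return out

def line_at(T, P, Qd):
    # Line through T and P (tangent if T == P) evaluated at Qd in E(F_{p^2}); vertical lines
    # are skipped since their values lie in F_p and vanish in the final exponentiation
    if T[0] == P[0] and T != P: return (1, 0)
    lam = slope(T, P)
    return ((Qd[1][0] - T[1] - lam * (Qd[0][0] - T[0])) % p, (Qd[1][1] - lam * Qd[0][1]) % p)

def pairing(P, Q):
    # Modified Tate pairing e(P, Q) = t_r(P, phi(Q))^((p^2-1)/r) by Miller's loop, with the
    # distortion map phi(x, y) = (-x, i*y); bilinear and non-degenerate on the group <G>
    Qd, f, T = ((-Q[0] % p, 0), (0, Q[1])), (1, 0), P
    for bit in bin(r)[3:]:             # bits of r after the leading 1
        f, T = f2_mul(f2_mul(f, f), line_at(T, T, Qd)), ec_add(T, T)
        if bit == "1": f, T = f2_mul(f, line_at(T, P, Qd)), ec_add(T, P)
    return f2_pow(f, FINAL_EXP)

def generator():
    # A point of prime order r: lift an x-coordinate, then clear the cofactor (p + 1) / r
    for x in range(1, p):
        rhs = (x ** 3 + x) % p
        if pow(rhs, (p - 1) // 2, p) == 1:                    # a square; p = 3 mod 4 gives its root
            G = ec_mul((p + 1) // r, (x, pow(rhs, (p + 1) // 4, p)))
            if G is not None: return G
G = generator()

def challenge(pk, t, X, Y, A1, A2):    # Fiat-Shamir challenge, forced nonzero (toy choice)
    h = hashlib.sha256(repr((G, pk, t, X, Y, A1, A2)).encode()).digest()
    return 1 + int.from_bytes(h, "big") % (r - 1)

def td_prove(sk, t, X, Y, w):
    # Chaum-Pedersen proof that t = e(X, Y)^sk for the sk behind pk = sk*G (the trapdoor PoK of the HO argument)
    A1, A2 = ec_mul(w, G), f2_pow(pairing(X, Y), w)
    c = challenge(ec_mul(sk, G), t, X, Y, A1, A2)
    return A1, A2, (w + c * sk) % r

def td_verify(pk, t, X, Y, proof):
    A1, A2, z = proof
    c = challenge(pk, t, X, Y, A1, A2)
    return (ec_mul(z, G) == ec_add(A1, ec_mul(c, pk))
            and f2_pow(pairing(X, Y), z) == f2_mul(A2, f2_pow(t, c)))

def like_session(sk=(5, 42, 101), x=17, y=99, seed=2021):
    # sk: the authorities' Lambda_i.SK; x, y: Alice's and Bob's ephemeral secrets (constructed toy values)
    rng = random.Random(seed)                                 # nonces for the trapdoor proofs
    pk = [ec_mul(s, G) for s in sk]                           # Lambda_i.pk = g^{Lambda_i.SK}
    X, Y = ec_mul(x, G), ec_mul(y, G)                         # X_1 = X_2 = g^x and Y = g^y
    agg = None
    for P in pk: agg = ec_add(agg, P)                         # prod_i Lambda_i.pk
    k_alice = f2_pow(pairing(agg, Y), x)                      # e(prod pk_i, Y)^x
    k_bob = f2_pow(pairing(agg, X), y)                        # e(prod pk_i, X_2)^y, the HO extractor's formula
    base = pairing(X, Y)
    trapdoors = [f2_pow(base, s) for s in sk]                 # TDGen: Lambda_i.t = e(X_1, Y)^{Lambda_i.SK}
    proofs = [td_prove(s, t, X, Y, rng.randrange(1, r)) for s, t in zip(sk, trapdoors)]
    return {"k_alice": k_alice, "k_bob": k_bob, "X": X, "Y": Y, "pk": pk,
            "trapdoors": trapdoors, "proofs": proofs}

def open_key(trapdoors):
    # Open: the product of all n trapdoors; leaving any one out gives a different element
    k = (1, 0)
    for t in trapdoors: k = f2_mul(k, t)
    return k
```

`like_session()` returns both endpoint keys together with every authority's trapdoor and proof; `open_key()` multiplies the trapdoors and reproduces \(\mathsf{k}_\mathsf{A} = \mathsf{k}_\mathsf{B}\), while dropping any single trapdoor yields a different group element, which is the all-authorities-must-agree property from the abstract. `td_verify()` rejects a trapdoor that was not raised to the same exponent as the authority's public key, which is exactly the check the HO argument relies on; the challenge is forced into \(\llbracket 1, r-1 \rrbracket\) so that a false statement can never pass in this toy setting.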
© 2021 Springer Nature Switzerland AG
Arfaoui, G. et al. (2021). How to (Legally) Keep Secrets from Mobile Operators. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_2
DOI: https://doi.org/10.1007/978-3-030-88418-5_2
Print ISBN: 978-3-030-88417-8
Online ISBN: 978-3-030-88418-5