Paper 2024/741

A Deniability Analysis of Signal's Initial Handshake PQXDH

Rune Fiedler, Technische Universität Darmstadt
Christian Janson, Technische Universität Darmstadt
Abstract

Many use messaging apps such as Signal to exercise their right to private communication. To cope with the advent of quantum computing, Signal employs a new initial handshake protocol called PQXDH for post-quantum confidentiality, yet keeps its guarantees of authenticity and deniability classical. Compared to its predecessor X3DH, PQXDH includes a KEM encapsulation and a signature on the ephemeral key. In this work we show that PQXDH does not meet the same deniability guarantees as X3DH, due to the signature on the ephemeral key. Our analysis relies on plaintext awareness of the KEM, which Signal's implementation of PQXDH does not provide. As with X3DH, the two parties (initiator and responder) obtain different deniability guarantees because of the asymmetry of the protocol. For our analysis of PQXDH, we introduce a new model for deniability of key exchange that allows a more fine-grained analysis. Our deniability model picks up on the ideas of prior work and facilitates new combinations of deniability notions, such as deniability against malicious adversaries in the big brother model, i.e. where the distinguisher knows all secret keys. Our model may be of independent interest.
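To make concrete where the KEM encapsulation and the extra signature enter, the following summary of the two handshakes is added here by the editor; it is taken from Signal's published X3DH and PQXDH specifications, not from the paper, and uses the specifications' key names with Alice as initiator and Bob as responder.

X3DH (Bob's uploaded bundle and Alice's key derivation):
  Bob uploads IK_B, a signed prekey SPK_B with Sig(IK_B, Encode(SPK_B)), and unsigned one-time prekeys OPK_B.
  DH1 = DH(IK_A, SPK_B), DH2 = DH(EK_A, IK_B), DH3 = DH(EK_A, SPK_B), DH4 = DH(EK_A, OPK_B)
  SK = KDF(DH1 || DH2 || DH3 || DH4)

PQXDH (additions to the above):
  Bob additionally uploads KEM prekeys, a last-resort PQSPK_B and one-time PQOPK_B, each with a signature Sig(IK_B, EncodeKEM(PQPK_B)).
  (CT, SS) = PQKEM-ENC(PQPK_B), with PQPK_B = PQOPK_B if a one-time KEM prekey is available, else PQSPK_B
  SK = KDF(DH1 || DH2 || DH3 || DH4 || SS)

In both protocols DH4 is omitted when no one-time curve prekey is available. The DH values are symmetric (each can be computed from either party's secret key and the other's public key) and OPK_B is unsigned, so X3DH's bundle contains no per-session signature; the signed one-time KEM prekey, which only the holder of IK_B can produce, is the per-session signed value that PQXDH adds and that the abstract refers to.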

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Major revision. PoPETS 2024
Keywords
deniability, Signal, PQXDH, X3DH, key exchange
Contact author(s)
rune fiedler @ cryptoplexity de
christian janson @ cryptoplexity de
History
2024-05-16: approved
2024-05-15: received
Short URL
https://ia.cr/2024/741
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/741,
      author = {Rune Fiedler and Christian Janson},
      title = {A Deniability Analysis of Signal's Initial Handshake {PQXDH}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/741},
      year = {2024},
      url = {https://eprint.iacr.org/2024/741}
}