Skip to main content

How to (Legally) Keep Secrets from Mobile Operators

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12972)


Secure-channel establishment allows two endpoints to communicate confidentially and authentically. Since they hide all data sent across them, good or bad, secure channels are often subject to mass surveillance in the name of (inter)national security. Some protocols are constructed to allow easy data interception . Others are designed to preserve data privacy and are either subverted or prohibited to use without trapdoors.

We introduce \(\mathsf {LIKE}\), a primitive that provides secure-channel establishment with an exceptional, session-specific opening mechanism. Designed for mobile communications, where an operator forwards messages between the endpoints, it can also be used in other settings. \(\mathsf {LIKE}\) allows Alice and Bob to establish a secure channel with respect to n authorities. If the authorities all agree on the need for interception, they can ensure that the session key is retrieved. As long as at least one honest authority prohibits interception, the key remains secure; moreover \(\mathsf {LIKE}\) is versatile with respect to who learns the key. Furthermore, we guarantee non-frameability: nobody can falsely incriminate a user of taking part in a conversation; and honest-operator: if the operator accepts a transcript as valid, then the key retrieved by the authorities is the key that Alice and Bob should compute. Experimental results show that our protocol can be efficiently implemented.

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-88418-5_2
  • Chapter length: 21 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-88418-5
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.


  1. MCL (2020).

  2. 3GPP: TS 33.106 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G security; Lawful interception requirements (R. 15), June 2018

    Google Scholar 

  3. 3GPP: TS 33.126 3GPP; Technical Specification Group Services and System Aspects; Security; Lawful Interception requirements (R. 16), September 2019

    Google Scholar 

  4. 3GPP: TS 33.127 3GPP; Technical Specification Group Services and System Aspects; Security; Lawful Interception (LI) Architecture and Functions (R. 16), March 2020

    Google Scholar 

  5. 3GPP: TS 33.128 3GPP; Technical Specification Group Services and System Aspects; Security; Protocol and procedures for Lawful Interception (LI); Stage 3 (R. 16), March 2020

    Google Scholar 

  6. Abelson, H., et al.: Keys under doormats. Commun. ACM 58(10), 24–26 (2015)

    Google Scholar 

  7. Arfaoui, G., et al.: Legally keeping secrets from mobile operators: lawful interception key exchange (LIKE). IACR ePrint (2020).

  8. Azfar, A.: Implementation and performance of threshold cryptography for multiple escrow agents in VoIP. In: Proceedings of SPIT/IPC, pp. 143–150 (2011)

    Google Scholar 

  9. Barbulescu, R., Duquesne, S.: Updating key size estimations for pairings. J. Cryptol. 32, 1298–1336 (2019)

    Google Scholar 

  10. Bellare, M., Goldreich, O.: On defining proofs of knowledge. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 390–420. Springer, Heidelberg (1992).

  11. Bellare, M., Goldwasser, S.: Verifiable partial key escrow. In: CCS 1997. ACM (1997)

    Google Scholar 

  12. Bellare, M., Rivest, R.L.: Translucent cryptography - an alternative to key escrow, and its implementation via fractional oblivious transfer. J. Cryptol. 12(2) (1999)

    Google Scholar 

  13. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1993).

  14. Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.Y.: High-speed high-security signatures. In: Proceedings of CHES 2011, pp. 124–142 (2011)

    Google Scholar 

  15. Boyen, X.: The uber-assumption family. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 39–56. Springer, Heidelberg (2008).

  16. Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups (extended abstract). In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997).

  17. Chase, M., Lysyanskaya, A.: On signatures of knowledge. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 78–96. Springer, Berlin, Heidelberg (2006).

  18. Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993).

  19. Chen, L., Gollmann, D., Mitchell, C.J.: Key escrow in mutually mistrusting domains. In: Proceedings of Security Protocols, pp. 139–153 (1996)

    Google Scholar 

  20. Chen, M.: Escrowable identity-based authenticated key agreement in the standard model. Chin. Electron. J. 43, 1954–1962 (10 2015)

    Google Scholar 

  21. Comey, J. (FBI) (2014).

  22. Denning, D.E., Branstad, D.K.: A taxonomy for key escrow encryption systems. Commun. ACM 39(3) (1996)

    Google Scholar 

  23. Desmedt, Y.: Abuses in cryptography and how to fight them. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 375–389. Springer, New York (1990).

  24. EU: Draft council resolution on encryption - security through encryption and security despite encryption (2020).

  25. Europol.

  26. FairTrials (2020).

  27. Fan, Q., Zhang, M., Zhang, Y.: Key escrow scheme with the cooperation mechanism of multiple escrow agents (2012)

    Google Scholar 

  28. Franceschi-Bicchierai, L.: The 10 biggest revelations from Edward Snowden’s leaks (2014).

  29. IETF: Pairing-friendly curves (2020).

  30. Kahney, L.: The FBI wanted a back door to the iPhone. Tim cook said no (2019).

  31. Kilian, J., Leighton, F.T.: Fair Cryptosystems, revisited: a rigorous approach to key-escrow (extended abstract). In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 208–221. Springer, Heidelberg (1995).

  32. Long, Y., Cao, Z., Chen, K.: A dynamic threshold commercial key escrow scheme based on conic. Appl. Math. Comput. 171(2), 972–982 (2005)

    Google Scholar 

  33. Long, Y., Chen, K., Liu, S.: Adaptive chosen ciphertext secure threshold key escrow scheme from pairing. Informatica Lith. Acad. Sci. 17(4), 519–534 (2006)

    Google Scholar 

  34. Martin, K.M.: Increasing efficiency of international key escrow in mutually mistrusting domains. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 221–232. Springer, Heidelberg (1997).

  35. Micali, S.: Fair public-key cryptosystems. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 113–138. Springer, Heidelberg.

  36. Mironov, I., Stephens-Davidowitz, N.: Cryptographic reverse firewalls. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 657–686. Springer, Heidelberg (2015).

  37. Museum, C.: Clipper chip.

  38. Ni, L., Chen, G., Li, J.: Escrowable identity-based authenticated key agreement protocol with strong security. Comput. Math. Appl. 65(9), 1339–1349 (2013)

    Google Scholar 

  39. Schnorr, C.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1989).

  40. Shamir, A.: Partial key escrow: a new approach to software key escrow. Presented at Key Escrow Conference (1995)

    Google Scholar 

  41. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1984).

  42. UN (1948).

  43. Vercauteren, F.: Optimal pairings. IEEE Trans. Inf. Theory 56(1), 455–461 (2010)

    Google Scholar 

  44. Wang, Z., Ma, Z., Luo, S., Gao, H.: Key escrow protocol based on a tripartite authenticated key agreement and threshold cryptography. IEEE Access 7, 149080–149096 (2019)

    Google Scholar 

  45. Wright, C.V., Varia, M.: Crypto crumple zones: enabling limited access without mass surveillance. In: Proceedings of EuroS&P 2018. IEEE (2018)

    Google Scholar 

  46. Young, A.L., Yung, M.: Kleptography from standard assumptions and applications. In: Proceedings of SCN, pp. 271–290 (2010)

    Google Scholar 

Download references


Ghada Arfaoui, Olivier Blazy, Pierre-Alain Fouque, and Cristina Onete are grateful for the support of the ANR, through project ANR MobiS5 (ANR-18-CE39-0019).

Author information

Authors and Affiliations


Editor information

Editors and Affiliations


A Model Complements

Fig. 3.
figure 3

Useful notations from our model and their significance

Definition 10

(Correctness). Let \(\lambda \) a security parameter and n an integer. Run \(\mathsf {pp} \leftarrow \mathsf {Setup} (1^\lambda )\), \((\mathsf {A}.\mathsf {PK},\) \(\mathsf {A}.\mathsf {SK})\) \( \leftarrow \) \(\mathsf {{U}KeyGen} (\mathsf {pp})\), \((\mathsf {B}.\mathsf {PK},\) \(\mathsf {B}.\mathsf {SK})\) \(\leftarrow \) \(\mathsf {{U}KeyGen} (\mathsf {pp})\), \((\mathsf {O} _\mathsf {A}.\mathsf {PK},\mathsf {O} _\mathsf {A}.\mathsf {SK})\) \(\leftarrow \) \(\mathsf {{O}KeyGen} (\mathsf {pp})\), \((\mathsf {O} _\mathsf {B}.\mathsf {PK},\) \(\mathsf {O} _\mathsf {B}.\mathsf {SK})\) \(\leftarrow \) \(\mathsf {{O}KeyGen} (\mathsf {pp})\). For all \(i \in \llbracket 1,n \rrbracket \),

\((\varLambda _{i}.\mathsf {PK},\varLambda _{i}.\mathsf {SK})\leftarrow \mathsf {{A}KeyGen} (\mathsf {pp})\). Let \(\mathsf {APK} \leftarrow (\varLambda _{i}.\mathsf {PK})_{i=1}^n \). Then:

  • \(\mathsf {PK}_{\mathsf {A} \rightarrow \mathsf {B}} \leftarrow (\mathsf {pp}, \mathsf {A}.\mathsf {PK}, \mathsf {B}.\mathsf {PK},\mathsf {APK})\);

  • \( (\mathsf {k} _\mathsf {A}, \mathsf {sst} _\mathsf {A}, \mathsf {sst} _\mathsf {B}, \mathsf {k} _\mathsf {B}) \leftarrow \)

    \(\mathsf {AKE} {}\langle \mathsf {A} (\mathsf {A}.\mathsf {SK}),\ \mathsf {O} _\mathsf {A} (\mathsf {O} _\mathsf {A}.\mathsf {SK}),\mathsf {O} _\mathsf {B} (\mathsf {O} _\mathsf {B}.\mathsf {SK}),\mathsf {B} (\mathsf {B}.\mathsf {SK})\rangle (\mathsf {PK}_{\mathsf {A} \rightarrow \mathsf {B}}) \);

  • \(\mathsf {b} _\mathsf {A} \leftarrow \mathsf {Verify} (\mathsf {pp},\mathsf {sst} _\mathsf {A}, \mathsf {A}.\mathsf {PK}, \mathsf {B}.\mathsf {PK}, \mathsf {O} _\mathsf {A}.\mathsf {PK}, \mathsf {APK})\);

  • For all i in \( \llbracket 1,n \rrbracket \), \(\varLambda _{i}.t_\mathsf {A} \leftarrow \mathsf {TDGen} (\mathsf {pp},\varLambda _{i}.\mathsf {SK},\mathsf {sst} _\mathsf {A})\);

  • \(\mathsf {k} ^*_\mathsf {A} \leftarrow \mathsf {Open} (\mathsf {pp},\mathsf {sst} _\mathsf {A}, (\varLambda _{i}.\mathsf {PK})_{i=1}^n, (\varLambda _{i}.t_\mathsf {A})_{i=1}^{n})\);

  • \(\mathsf {b} _\mathsf {B} \leftarrow \mathsf {Verify} (\mathsf {pp},\mathsf {sst} _\mathsf {B}, \mathsf {A}.\mathsf {PK}, \mathsf {B}.\mathsf {PK}, \mathsf {O} _\mathsf {B}.\mathsf {PK}, \mathsf {APK})\);

  • For all i in \(\llbracket 1,n \rrbracket \), \(\varLambda _{i}.t_\mathsf {B} \leftarrow \mathsf {TDGen} (\mathsf {pp},\varLambda _{i}.\mathsf {SK},\mathsf {sst} _\mathsf {B})\);

  • \(\mathsf {k} ^*_\mathsf {B} \leftarrow \mathsf {Open} (\mathsf {pp},\mathsf {sst} _\mathsf {B}, \mathsf {APK}, (\varLambda _{i}.t_\mathsf {B})_{i=1}^{n})\).

For any \((\mathsf {b} _\mathsf {A}, \mathsf {b} _\mathsf {B}, \mathsf {k} _\mathsf {A}, \mathsf {k} _\mathsf {A} ^* , \mathsf {k} _\mathsf {B}, \mathsf {k} _\mathsf {B} ^*)\) generated as above: \(\mathsf {Pr}[\mathsf {b} _\mathsf {A} = \mathsf {b} _\mathsf {B} =1 \wedge \mathsf {k} _\mathsf {A} = \mathsf {k} _\mathsf {A} ^* = \mathsf {k} _\mathsf {B} = \mathsf {k} _\mathsf {B} ^*] = 1.\)

B Proof Sketches

Our main theorem includes three statements; we prove these in order below.

First Statement: KS. We begin by proving that the adversary has a negligible probability of winning the key-security experiment by querying the oracle \(\mathsf {{Test}} \) on an instance that matches no other instance. Notably, if the tested instance does not abort the protocol, the adversary will have to break the EUF-CMA of the signature scheme to generate the expected signatures without using a matching session.

Thus, the targeted instance must have a matching one. By key-freshness, \(\mathcal {A}\) must test a key generated by two honest users, such that the trapdoor of at least one honest authority has never been queried to the oracle \(\mathsf {{RevealTD}} \). We prove (by a reduction) that \(\mathcal {A}\) can only win by breaking the BDDH assumption. Let \((W_*,X_*,Y_*,W'_*,X'_*,Y'_*,Z_*)\) be a BDDH instance. We set \(W_*\) as the part of the public key \(\varLambda _{}.\mathsf {pk} \) of the honest authority, and we set \(X_2\) as \(X'_*\), \(X_1\) as \(X_*\) and Y as \(Y'_*\) for the session that matches the tested instance. Then, we build the key as follows, where \(\varLambda _{} \) is the honest authority: \(\mathsf {k} \leftarrow Z_* \prod _{i=1;\varLambda _{i} \not = \varLambda _{}}^{n} e(X_*,Y'_* )^{\varLambda _{i}.\mathsf {SK}}.\) To compute the secret keys of the authorities controlled by the adversary, we run the extractor on the proofs of knowledge of the discrete logarithm of the public keys \(\varLambda _{i}.\mathsf {PK} \). If \(Z_*\) is a random value, \(\mathsf {k} \) will be random for the adversary, else \(Z_*=e(X_*,Y'_* )^{\varLambda _{}.\mathsf {SK}}\). Moreover, we simulate the oracle \(\mathsf {{RevealTD}} \) on sessions with values X and Y chosen by the adversary by using the extractor on the signatures of knowledge of their discrete logarithms.

Second Statement: NF. To win the non-frameability experiment, the adversary has to build a valid session state \(\mathsf {sst} \) for a given user, containing a valid signature of this user. We prove this theorem by reduction: assuming that an adversary is able to break the non-frameability, since this adversary generates a valid signature for a user, we can use it to break the EUF-CMA security.

Third Statement: HO. The first step of the HO proof is to design a key extractor, which takes in input a session state \(\mathsf {sst}\) , brute-forces the discrete logarithm of Bob’s Y, then computes the key as Bob would: \( \mathsf {k} = e\left( \prod _{i=1}^n \varLambda _{i}.\mathsf {pk},X_2 \right) ^y.\) Our goal is to prove that this is the key the authorities would retrieve.

We first show (by reduction) that the adversary can only build by itself a valid \(\mathsf {sst} \) (that may match a fake authority set) with negligible probability. Namely, if an adversary can output valid signatures for an honest operator, then we can use it to break the EUF-CMA of the signature scheme.

Moreover, for any authority \(\varLambda _{} \) and any values \(X_1\) and Y, the proof of knowledge of a trapdoor ensures that \(g_1^{{\varLambda _{}}.\mathsf {SK}}=\varLambda _{}.\mathsf {pk} \) and \(\varLambda _{}.t_1=e(X_1,Y)^{{\varLambda _{}}.\mathsf {SK}}\), which implies that \(\varLambda _{}.t_1=e(\varLambda _{}.\mathsf {pk},X_2)^y\) and: \( \mathsf {k} _* = \prod _{i=1}^n\varLambda _{i}.t_1 = e\left( \prod _{i=1}^n \varLambda _{i}.\mathsf {pk},X_2 \right) ^y.\) Thus, to win the HO experiment (and return a key such that \(\mathsf {k} \not = \mathsf {k} _*\)), the adversary must produce a proof on a false statement, which happens with negligible probability.

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Arfaoui, G. et al. (2021). How to (Legally) Keep Secrets from Mobile Operators. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12972. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88417-8

  • Online ISBN: 978-3-030-88418-5

  • eBook Packages: Computer ScienceComputer Science (R0)