Paper 2018/938

Private Message Franking with After Opening Privacy

Iraklis Leontiadis and Serge Vaudenay


Recently Grubbs et al. [GLR17] initiated the formal study of message franking protocols. This new type of service launched by Facebook, allows the receiver in a secure messaging application to verifiably report to a third party an abusive message some sender has sent. A novel cryptographic primitive: committing AEAD has been initiated, whose functionality apart from confidentiality and authenticity asks for a compact commitment over the message, which is delivered to the receiver as part of the ciphertext. A new construction CEP (Committing Encrypt and PRF) has then been proposed, which is multi-opening secure and reduces the computational costs for the sender and the receiver. Despite the merits of the message franking protocols [GLR17], our observation which launched this work, is that all the designs be it compositional or the CEP construction, leak too much when the receiver needs to open the abusive message to the third party. Namely, the receiver opens the entire message along with the opening key to the third party, thus confidentiality of the message is entirely broken. Moreover, the opening of the entire message increases the communication cost of the protocol and in cases of big messages being exchanged (attachments, videos, multimedia files, etc.) it might be unnecessary. We provide to the best of our knowledge the first formal treatment of message franking protocols with minimum leakage whereby only the abusive blocks are opened, while the rest non-abusive blocks of the message remain private. First we give a new definition for multi-opening indistinguishability with partial opening (MO-IND-PO), which forces an adversary to distinguish encryptions of abusive blocks. We then design and analyze two protocols CEP-AOP1 (Committing Encrypt and PRF with After Opening Privacy) and CEP-AOP2, which adhere to the new privacy definition. As a side contribution we show a multi-opening secure CEP-AOP2 construction using only one PRF evaluation over the message, in a weaker but meaningful security model, relying only on standard assumptions of the underlying symmetric primitives.

Available format(s)
Cryptographic protocols
Publication info
Preprint. MINOR revision.
message franking protocolsabusive reportsmessaging applicationspartial openingprivacysecure communication
Contact author(s)
iraklis leontiadis @ epfl ch
2018-10-09: revised
2018-10-05: received
See all versions
Short URL
Creative Commons Attribution


      author = {Iraklis Leontiadis and Serge Vaudenay},
      title = {Private Message Franking with After Opening Privacy},
      howpublished = {Cryptology ePrint Archive, Paper 2018/938},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.