Paper 2025/1512
Virtual End-to-End Encryption: Analysis of the Doctolib Protocol
Abstract
Doctolib is a popular healthcare platform, used by over 90 million users across France, Italy, and Germany. One of its main features is the secure data exchange between patients and doctors, with 7 million documents shared per month. Doctolib claims to provide the "world's first end-to-end encryption platform built for health applications". The encryption protocol, described in a Whitepaper and Github repository, relies on envelope encryption and lets users upload ciphertexts for the secure data exchange. The ciphertexts are stored and retrieved through a distributed system, consisting of a data server and a key server. To access the data, recipients fetch the ciphertexts and decrypt them with their private key. However, the platform does not require end-users to maintain any cryptographic keys themselves and instead relies on a virtual device that leverages the two-server setting. The virtual device splits the user's private key over both servers, and uses password-based authentication for its retrieval. Overall, the goal of the protocol is to ensure confidentiality of the uploaded medical records as long as at most one server is corrupt. In this work, we analyze the security of Doctolib's distributed encryption protocol. First, we define a set of formal security models for such password-based distributed envelope encryption, that capture the optimal security properties under different corruption settings. We then analyze the protocol - abstracted from the available information - in our model, and show that it does not achieve the desired security guarantees. We finally propose a simple modification that strengthens the original protocol through the use of a distributed oblivious pseudorandom function that provably achieves all our security properties.
Metadata
- Available format(s)
-
PDF
- Category
- Cryptographic protocols
- Publication info
- Published elsewhere. Major revision. 20th ACM Asia Conference on Computer and Communications Security (AsiaCCS 2025)
- DOI
- 10.1145/3708821.3710841
- Keywords
- end-to-end encryptioncloud storageenvelope encryptionpassword-based security
- Contact author(s)
-
dennis dayanikli @ hpi de
anja lehmann @ hpi de - History
- 2025-08-28: approved
- 2025-08-22: received
- See all versions
- Short URL
- https://ia.cr/2025/1512
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2025/1512,
author = {Dennis Dayanikli and Laura Holz and Anja Lehmann},
title = {Virtual End-to-End Encryption: Analysis of the Doctolib Protocol},
howpublished = {Cryptology {ePrint} Archive, Paper 2025/1512},
year = {2025},
doi = {10.1145/3708821.3710841},
url = {https://eprint.iacr.org/2025/1512}
}