{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,5]],"date-time":"2026-06-05T04:27:35Z","timestamp":1780633655049,"version":"3.54.1"},"reference-count":42,"publisher":"International Association for Cryptologic Research","issue":"1","license":[{"start":{"date-parts":[[2026,2,2]],"date-time":"2026-02-02T00:00:00Z","timestamp":1769990400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100000266","name":"EPSRC","doi-asserted-by":"crossref","award":["UKRI156"],"award-info":[{"award-number":["UKRI156"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2026,4,23]]},"abstract":"<jats:p>LINE has emerged as one of the most popular communication platforms in many East Asian countries, including Thailand and Japan, with millions of active users. Therefore, it is essential to understand its security guarantees. In this work, we present the first provable security analysis of the LINE version two (LINEv2) messaging protocol, focusing on its cryptographic guarantees in a real-world setting. We capture the architecture and security of the LINE messaging protocol by modifying the Multi-Stage Key Exchange (MSKE) model, a framework for analysing cryptographic protocols under adversarial conditions. While LINEv2 achieves basic security properties such as key indistinguishability and message authentication, we highlight the lack of forward secrecy (FS) and post-compromise security (PCS). 
To address this, we introduce a stronger version of the LINE protocol, introducing FS and PCS to LINE, analysing and benchmarking our results.<\/jats:p>","DOI":"10.62056\/ahjbksa5v","type":"journal-article","created":{"date-parts":[[2026,5,4]],"date-time":"2026-05-04T18:09:08Z","timestamp":1777918148000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":1,"title":["Drawing the $\ud835\uddab\ud835\udda8\ud835\uddad\ud835\udda4$: Cryptographic Analysis and Security Improvements for the $\ud835\uddab\ud835\udda8\ud835\uddad\ud835\udda4$ E2EE Protocol"],"prefix":"10.62056","volume":"3","author":[{"given":"Benjamin","family":"Dowling","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0220mzb33","id-type":"ROR","asserted-by":"publisher"}],"name":"King's College London","place":["United Kingdom"]}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Prosanta","family":"Gope","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/05krs5044","id-type":"ROR","asserted-by":"publisher"}],"name":"University of Sheffield","place":["United Kingdom"]}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Mehr","family":"Nisa","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/05krs5044","id-type":"ROR","asserted-by":"publisher"}],"name":"University of Sheffield","place":["United Kingdom"]}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Bhagya","family":"Wimalasiri","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0220mzb33","id-type":"ROR","asserted-by":"publisher"}],"name":"King's College London","place":["United Kingdom"]}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"48349","published-online":{"date-parts":[[2026,5,4]]},"reference":[{"key":"ref1:MAU","volume-title":"Number of mobile phone messaging app users worldwide from\n  2019 to 
2025","author":"Statistica","year":"2024"},{"key":"ref2:datareportal2024japan","volume-title":"Digital 2024: Japan","author":"Data Reportal","year":"2024"},{"key":"ref3:lycorp2025mediaguide","volume-title":"LY Corporation Media Guide 2025","author":"LY Corporation","year":"2025"},{"key":"ref4:lycorp2025thailand","volume-title":"LINE Thailand's New Strategy to Enrich Digital Life in\n  Thailand: Report on LINE CONFERENCE THAILAND 2025","author":"LY Corporation","year":"2025"},{"key":"ref5:whatsappSASM","doi-asserted-by":"publisher","first-page":"330","DOI":"10.1007\/978-3-031-38551-3_11","article-title":"Security analysis of the whatsapp end-to-end encrypted\n  backup protocol","author":"Gareth T Davies","year":"2023"},{"key":"ref6:signal-1","doi-asserted-by":"publisher","first-page":"1914","DOI":"10.1109\/eurosp.2017.27","article-title":"A Formal Security Analysis of the Signal Messaging\n  Protocol","volume":"33","author":"Katriel Cohn-Gordon","year":"2020","journal-title":"Journal of Cryptology"},{"key":"ref7:paterson2023three","first-page":"1289","article-title":"Three lessons from Threema: Analysis of a secure\n  messenger","author":"Kenneth G Paterson","year":"2023"},{"key":"ref8:Telegram_attacks","doi-asserted-by":"publisher","first-page":"87","DOI":"10.1109\/SP46214.2022.9833666","article-title":"Four Attacks and a Proof for Telegram","author":"Martin R. Albrecht","year":"2022"},{"key":"ref9:10351027","doi-asserted-by":"publisher","first-page":"164","DOI":"10.1109\/SP46215.2023.10351027","article-title":"Practically-exploitable Cryptographic Vulnerabilities in\n  Matrix","author":"Martin R. Albrecht","year":"2023"},{"key":"ref10:Line_forensic","first-page":"11","article-title":"Forensic analysis of LINE messenger on android","volume":"29","author":"Ming Sang Chang","year":"2018","journal-title":"J. 
Comput"},{"key":"ref11:Line_forensic2","doi-asserted-by":"publisher","first-page":"305","DOI":"10.22219\/kinetik.v4i4.850","article-title":"Live forensics analysis of line app on proprietary operating\n  system","author":"Imam Riadi","year":"2019","journal-title":"Kinetik: Game Technology, Information System, Computer\n  Network, Computing, Electronics, and Control"},{"key":"ref12:LINE-1","article-title":"Alice and bob, who the $\\{$FOCI$\\}$ are they?: Analysis of\n  end-to-end encryption in the $\\{$LINE$\\}$ messaging application","author":"Antonio M Espinoza","year":"2017"},{"key":"ref13:shi2019verification","doi-asserted-by":"publisher","first-page":"1439","DOI":"10.1587\/transinf.2018fop0001","article-title":"Verification of LINE encryption version 1.0 using ProVerif","volume":"102","author":"Cheng Shi","year":"2019","journal-title":"IEICE TRANSACTIONS on Information and Systems"},{"key":"ref14:isobe2018breaking","doi-asserted-by":"publisher","first-page":"249","DOI":"10.1007\/978-3-319-98989-1_13","article-title":"Breaking message integrity of an end-to-end encryption\n  scheme of LINE","author":"Takanori Isobe","year":"2018"},{"key":"ref15:LineWP2022","volume-title":"Encryption: LINE Security - 2022 H1","author":"LINE Corporation","year":"2022"},{"key":"ref16:DBLRAT","doi-asserted-by":"publisher","first-page":"129","DOI":"10.1007\/978-3-030-17653-2_5","article-title":"The Double Ratchet: Security Notions, Proofs, and\n  Modularization for the Signal Protocol","author":"Jo\u00ebl Alwen","year":"2019"},{"key":"ref17:MSKE-1","doi-asserted-by":"publisher","first-page":"1193","DOI":"10.1145\/2660267.2660308","article-title":"Multi-stage key exchange and the case of Google's QUIC\n  protocol","author":"Marc Fischlin","year":"2014"},{"key":"ref18:BenTLS1.3","doi-asserted-by":"publisher","first-page":"1197","DOI":"10.1145\/2810103.2813653","article-title":"A cryptographic analysis of the TLS 1.3 handshake protocol\n  candidates","author":"Benjamin 
Dowling","year":"2015"},{"key":"ref19:chatbotExploitation","article-title":"Bots can Snoop: Uncovering and Mitigating Privacy Risks of\n  Bots in Group Chats","author":"Kai-Hsiang Chou","year":"2024","journal-title":"arXiv preprint arXiv:2410.06587"},{"key":"ref20:stebila2024security","article-title":"Security analysis of the iMessage PQ3 protocol","author":"Douglas Stebila","year":"2024","journal-title":"Cryptology ePrint Archive"},{"key":"ref21:dodis2025triple","doi-asserted-by":"publisher","first-page":"302","DOI":"10.1007\/978-3-031-91101-9_11","article-title":"Triple Ratchet: A Bandwidth Efficient Hybrid-Secure Signal\n  Protocol","author":"Yevgeniy Dodis","year":"2025"},{"key":"ref22:LineBreak2025","volume-title":"LINE-Break: Cryptanalysis and Reverse Engineering of Letter\n  Sealing","author":"LINE-Break Team","year":"2025"},{"key":"ref23:LineWP","volume-title":"LINE Encryption Overview Technical Whitepaper","author":"LINE Corporation","year":"2019"},{"key":"ref24:matrix-comparison","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00075","volume-title":"Device-Oriented Group Messaging: A Formal Cryptographic\n  Analysis of Matrix\u2019 Core","author":"Martin R. 
Albrecht","year":"2023"},{"key":"ref25:telegramFA","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-91101-9_8","article-title":"Analysis of the Telegram Key Exchange","author":"Martin R Albrecht","year":"2025","journal-title":"Cryptology ePrint Archive"},{"key":"ref26:PRF-def","doi-asserted-by":"publisher","first-page":"369","DOI":"10.1145\/2660267.2660286","article-title":"Multi-ciphersuite security of the Secure Shell (SSH)\n  protocol","author":"Florian Bergsma","year":"2014"},{"key":"ref27:practicalaesgcm","first-page":"3","article-title":"Practical challenges with AES-GCM and the need for a new\n  cipher","author":"Panos Kampanakis","year":"2023"},{"key":"ref28:derbez2024key","doi-asserted-by":"publisher","first-page":"135","DOI":"10.46586\/tosc.v2024.i1.135-157","article-title":"Key committing attacks against AES-based AEAD schemes","volume":"2024","author":"Patrick Derbez","year":"2024","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref29:x25519-dalek","volume-title":"x25519-dalek","author":"isis agora lovecruft","year":"2025"},{"key":"ref30:aes-gcm-crate","volume-title":"AES-GCM","author":"Vlad Filippov","year":"2025"},{"key":"ref31:hkdf-crate","volume-title":"HKDF","author":"Vlad Filippov","year":"2025"},{"key":"ref32:sha2-crate","volume-title":"sha2","author":"Tony Arcieri","year":"2025"},{"key":"ref33:criterion","volume-title":"Criterion: A statistics-driven micro-benchmarking library\n  for Rust","author":"Brook Heisler","year":"2025"},{"key":"ref34:bernstein2006curve25519","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"207","DOI":"10.1007\/11745853_14","article-title":"Curve25519: New Diffie-Hellman Speed Records","volume":"3958","author":"Daniel J. 
Bernstein","year":"2006"},{"key":"ref35:HKDF","volume-title":"RFC 5869: HMAC-based Extract-and-Expand Key Derivation\n  Function (HKDF)","author":"Hugo Krawczyk","year":"2010"},{"key":"ref36:nist80038d","volume-title":"Recommendation for Block Cipher Modes of Operation:\n  Galois\/Counter Mode (GCM) and GMAC","author":"Morris Dworkin","year":"2007"},{"key":"ref37:etsi_133501_v16","volume-title":"5G; Security architecture and procedures for 5G System\n  (3GPP TS 33.501 version 16.3.0 Release 16)","author":"ETSI 3GPP","year":"2020"},{"key":"ref38:wiresharkExp","volume-title":"Wireshark: Decrypt SSL\/TLS Practical\n  Examples [Tutorial]","author":"Celal Dogan"},{"key":"ref39:AEADdef","doi-asserted-by":"publisher","first-page":"98","DOI":"10.1145\/586110.586125","article-title":"Authenticated-encryption with associated-data","author":"Phillip Rogaway","year":"2002"},{"key":"ref40:conf-AEAD","doi-asserted-by":"publisher","first-page":"341","DOI":"10.1007\/978-3-030-45374-9_12","article-title":"Flexible authenticated and confidential channel\n  establishment (fACCE): Analyzing the noise protocol framework","author":"Benjamin Dowling","year":"2020"},{"key":"ref41:KDF","doi-asserted-by":"publisher","first-page":"125","DOI":"10.1007\/978-3-642-39218-4_10","article-title":"Key Derivation Function: the SCKDF scheme","author":"Chai Wen Chuah","year":"2013"},{"key":"ref42:DDH-def","doi-asserted-by":"publisher","first-page":"242","DOI":"10.1007\/s00145-015-9220-6","article-title":"An Algebraic Framework for Diffie\u2013Hellman Assumptions","volume":"30","author":"Alex Escala","year":"2017","journal-title":"Journal of Cryptology","ISSN":"https:\/\/id.crossref.org\/issn\/1432-1378","issn-type":"electronic"}],"container-title":["IACR Communications in 
Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T04:04:04Z","timestamp":1778040244000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/3\/1\/29"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,4]]},"references-count":42,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,5,4]]}},"URL":"https:\/\/doi.org\/10.62056\/ahjbksa5v","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,5,4]]},"assertion":[{"value":"2026-02-02","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-04-23","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc3-1-85"}}