Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Drawing the LINE: Cryptographic Analysis and Security Improvements for the LINE E2EE Protocol

Benjamin Dowling, Prosanta Gope, Mehr U Nisa, Bhagya Wimalasiri

TL;DR

This work delivers the first formal cryptographic analysis of LINEv2, revealing missing forward secrecy and post-compromise security in LINE's E2EE design, and demonstrates that bot conversations are not end-to-end encrypted. To address these gaps, the authors introduce LINEvDR, a double ratchet–based enhancement that preserves LINE’s architecture while delivering FS and PCS, along with replay protection and KCI resilience. They provide a formal security treatment within a tailored MSKE framework and validate the approach with a Rust-based reference implementation and benchmarks, showing that LINEvDR incurs modest performance overhead relative to LINEv2. The study highlights the value of rigorous cryptographic analysis for real-world systems and offers a practical, backward-compatible path toward stronger security for LINE users, with avenues for future privacy enhancements and post-quantum considerations.

Abstract

LINE has emerged as one of the most popular communication platforms in many East Asian countries, including Thailand and Japan, with millions of active users. Therefore, it is essential to understand its security guarantees. In this work, we present the first provable security analysis of the LINE version two (LINEv2) messaging protocol, focusing on its cryptographic guarantees in a real-world setting. We capture the architecture and security of the LINE messaging protocol by modifying the Multi-Stage Key Exchange (MSKE) model, a framework for analysing cryptographic protocols under adversarial conditions. While LINEv2 achieves basic security properties such as key indistinguishability and message authentication, we highlight the lack of forward secrecy (FS) and post-compromise security (PCS). To address this, we introduce a stronger version of the LINE protocol, introducing FS and PCS to LINE, analysing and benchmarking our results.

Drawing the LINE: Cryptographic Analysis and Security Improvements for the LINE E2EE Protocol

TL;DR

This work delivers the first formal cryptographic analysis of LINEv2, revealing missing forward secrecy and post-compromise security in LINE's E2EE design, and demonstrates that bot conversations are not end-to-end encrypted. To address these gaps, the authors introduce LINEvDR, a double ratchet–based enhancement that preserves LINE’s architecture while delivering FS and PCS, along with replay protection and KCI resilience. They provide a formal security treatment within a tailored MSKE framework and validate the approach with a Rust-based reference implementation and benchmarks, showing that LINEvDR incurs modest performance overhead relative to LINEv2. The study highlights the value of rigorous cryptographic analysis for real-world systems and offers a practical, backward-compatible path toward stronger security for LINE users, with avenues for future privacy enhancements and post-quantum considerations.

Abstract

LINE has emerged as one of the most popular communication platforms in many East Asian countries, including Thailand and Japan, with millions of active users. Therefore, it is essential to understand its security guarantees. In this work, we present the first provable security analysis of the LINE version two (LINEv2) messaging protocol, focusing on its cryptographic guarantees in a real-world setting. We capture the architecture and security of the LINE messaging protocol by modifying the Multi-Stage Key Exchange (MSKE) model, a framework for analysing cryptographic protocols under adversarial conditions. While LINEv2 achieves basic security properties such as key indistinguishability and message authentication, we highlight the lack of forward secrecy (FS) and post-compromise security (PCS). To address this, we introduce a stronger version of the LINE protocol, introducing FS and PCS to LINE, analysing and benchmarking our results.
Paper Structure (37 sections, 3 theorems, 8 equations, 16 figures, 3 tables)

This paper contains 37 sections, 3 theorems, 8 equations, 16 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Overview of LINE Messaging Protocol
  4. $\mathsf{LINEv2}$: $\mathsf{LINE}$ Letter Sealing Protocol version 2
  5. Registration Phase
  6. Session Establishment
  7. Encryption
  8. Decryption
  9. $\mathsf{LINEv2}$ Packet Analysis Experiment
  10. Limitations in $\mathsf{LINEv2}$ protocol
  11. Why Not Replace $\mathsf{LINE}$ with Signal?
  12. Improving the Cryptographic Design of $\mathsf{LINE}$
  13. $\mathsf{LINEvDR}$: LINE Double Ratchet
  14. Formal Security Analysis of $\mathsf{LINE}$
  15. Multi Stage Key Exchange Model
  16. ...and 22 more sections

Key Result

theorem 1

Let $\mathsf{LINEv2}$ be the $\mathsf{LINE}$ protocol version 2 described in Figure . Assuming that the $\mathsf{ddh}$ assumption holds, modelling $\mathsf{SHA-256}$ as a $\mathsf{PRF}$Following the methodology of Bergsma et al. PRF-def, we model the keyed use of SHA-256 as a PRF. One could also model $\mathsf{SHA-256}$ as a random oracle (as in the proof of Theorem ), to which the

Figures (16)

  • Figure 1: $\mathsf{LINEv2}$ protocol phases (excluding registration). Given our analysis focuses on session establishment and message exchange, the registration phase is omitted for brevity (see Appendix for details). Registration and session establishment are illustrated concurrently for both parties but may occur independently.
  • Figure 2: $\mathsf{LINEvDR}$ Letter Sealing double ratchet protocol phases (excluding registration). Given our analysis focuses on session establishment and message exchange, the registration phase is omitted for brevity (see Appendix for details). Text in blue highlights our modifications to $\mathsf{LINEv2}$, notably the integration of double ratchet mechanisms. In $[i,j]$, $i$ denotes the asymmetric ratchet and $j$ the symmetric ratchet maintained by both parties; even $i$ values indicate Alice as the sender, and odd $i$ values indicate Bob.
  • Figure 3: Pseudocode description of the MSKE Experiment
  • Figure 4: Left: $\mathsf{LINE}$ Freshness Predicate and Right: $\mathsf{LINE}$ Matching Predicate
  • Figure 5: A trivial KCI attack.
  • ...and 11 more figures

Theorems & Definitions (16)

  • definition 1
  • definition 2: $\mathsf{LINE}$ Freshness Predicate
  • definition 3: $\mathsf{LINE}$ Matching Predicate
  • theorem 1: Key Indistinguishability Security of $\mathsf{LINEv2}$
  • proof
  • theorem 2: Message Authentication of $\mathsf{LINE}$
  • proof
  • theorem 3: Key Indistinguishability Security of $\mathsf{LINEvDR}$
  • proof
  • definition 4: $\mathsf{MSKE}$
  • ...and 6 more