LINE is currently the most popular messaging service in Japan. Communications using LINE are protected by the original encryption scheme, called LINE Encryption, and specifications of the client-to-server transport encryption protocol and the client-to-client message end-to-end encryption protocol are published by the Technical Whitepaper. Though a spoofing attack (i.e., a malicious client makes another client misunderstand the identity of the peer) and a reply attack (i.e., a message in a session is sent again in another session by a man-in-the-middle adversary, and the receiver accepts these messages) to the end-to-end protocol have been shown, no formal security analysis of these protocols is known. In this paper, we show a formal verification result of secrecy of application data and authenticity for protocols of LINE Encryption (Version 1.0) by using the automated security verification tool ProVerif. Especially, since it is claimed that the transport protocol satisfies forward secrecy (i.e., even if the static private key is leaked, security of application data is guaranteed), we verify forward secrecy for client's data and for server's data of the transport protocol, and we find an attack to break secrecy of client's application data. Moreover, we find the spoofing attack and the reply attack, which are reported in previous papers.

We present a new notion of public-key encryption, called multi-divisible on-line/off-line encryptions, in which partial ciphertexts can be computed and made publicly available for the recipients before the recipients' public key and/or the plaintexts are determined. We formalize its syntax and define several security notions with regard to the level of divisibility, the number of users, and the number of encryption (challenge) queries per user. Furthermore, we show implications and separations between these security notions and classify them into three categories. We also present concrete multi-divisible on-line/off-line encryption schemes. The schemes allow the computationally-restricted and/or bandwidth-restricted devices to transmit ciphertexts with low computational overhead and/or low-bandwidth network.

Self-updating encryption (SUE) is a new cryptographic scheme produced in the recent work of Lee, Choi, Lee, Park and Yung (Asiacrypt 2013) to achieve a time-updating mechanism for revocation. In SUE, a ciphetext and a private key are associated with the time and a user can decrypt a ciphertext only if its time is earlier than that of his private key. But one drawback is the encryption computational overhead scales with the size of the time which makes it a possible bottleneck for some applications. To address this problem, we provide a new technique for the SUE that splits the encryption algorithm into two phases: an offline phase and an online phase. In the offline phase, an intermediate ciphertext header is generated before it knows the concrete encryption time. Then an online phase is implemented to rapidly generate an SUE ciphertext header when the time becomes known by making use of the intermediate ciphertext header. In addition, two different online encryption constructions are proposed in view of different time level taking 50% as the boundary. At last, we prove the security of our scheme and provide the performance analysis which shows that the vast majority of computational overhead can be moved to the offline phase. One motivating application for this technique is resource-constrained mobile devices: the preparation work can be done when the mobile devices are plugged into a power source, then they can later rapidly perform SUE operations on the move without significantly consuming the battery.