Our E-Chat application is an instant messenger similar to popular instant messaging systems like ICQ or Jabber. It was developed for demonstration purposes only. It therefore only enables two predefined parties to communicate with each other. In addition, an arbitrary number of "spy" clients is allowed to connect and eavesdrop on the session. The goal of the application is to give the user an insight into cryptographic transformations which could be used to make an arbitrary instant messaging session secure and to demonstrate some features of our crypto library such as homomorphic, scalar and blinding operations.

### Details on the Application

The E-Chat application implements a chat session in which a server (Bob) may exchange chat messages with a client (Alice). After starting the E-Chat application with Bob as server, it waits for the client Alice to connect. Alice can connect to Bob by entering his IP address. Alice also chooses one of four predefined cryptosystems which will be used to encrypt all messages sent back and forth between Alice and Bob. She then generates a private and public key pair,and sends the public key to Bob. Once Alice is initiating the connection, Bob accepts the connection and receives her public key. He then generates a key pair on his own and sends his public key to Alice. From this point on all communication between Alice and Bob is encrypted.

Spies are a third kind of player in this fictitious scenario. They are only allowed to connect once a chat session between Alice and Bob has been established. Spies are then able to connect to Bob's IP address and receive public keys from both Bob and Alice. This is a fictional scenario since a real chat server will not allow spies to listen to chat sessions directly. In reality it would therefore be harder for a spy to gain access to the communication channel and the keys.

Not only can Alice and Bob exchange encrypted messages between themselves, but the spy, who knows the public keys of both parties, can inject encrypted messages to both Alice and Bob as well. However, spies cannot read intercepted messages because they do not know the private keys of Alice or Bob which are necessary to decrypt the transmitted ciphertexts.

Depending on the cryptosystem used it is, however, possible for the spy to modify encrypted messages such that the resulting message is a valid ciphertext just as Alice or Bob would send it. Note that Alice and Bob are also able to modify ciphertexts. In order for these modifications to be possible an encryption scheme must be homomorphic. An encryption scheme is said to be homomorphic if for given encryptions , of arbitrary messages and with any encryption key k it holds that = for some operators in the plaintext space and in the ciphertext space. That is, based on the homomorphic property E-Chat provides the following three operations:

- Homomorph: For multiplicatively homomorphic cryptosystems (e.g., ElGamal) applying this operation to two ciphertexts corresponds to a multiplication in the plaintext domain and for additively homomorphic cryptosystems (e.g., Paillier) it corresponds to addition in the plaintext domain. With E-Chat it is possible for an attacker to receive two ciphertexts and compute and send a new ciphertext corresponding to the product or sum of these two ciphertexts. The resulting ciphertext cannot be distinguished from a regular message sent by Alice or Bob.
- Scalar: The scalar operation is a generalization of the homomorphic operation. Performing it on a ciphertext and a plaintext value results in the multiplication of the encrypted message with the given integer in the plaintext domain (e.g., ).
- Blind: Performing this operation on a given ciphertext corresponds to adding or multiplying the ciphertext with a random encryption of the identity element. This operation therefore does not change the encrypted message but it does change the ciphertext (re-randomization). Note that due to semantic security, the blinding operation is applied after each homomorph or scalar operation.