End-to-end encrypted (E2EE) messaging is an essential first step in providing message confidentiality. Unfortunately, all security guarantees of end-to-end encryption are lost when keys or plaintext are disclosed, either due to device compromise or (sometimes lawful) coercion by powerful adversaries. This work introduces Wink, the first plausibly-deniable messaging system protecting message confidentiality from partial device compromise and compelled key disclosure. Wink can surreptitiously inject hidden messages in standard random coins (e.g., salts, IVs) used by existing E2EE protocols. It does so as part of legitimate secure cryptographic functionality deployed inside the widely-available trusted execution environment (TEE) TrustZone. This results in hidden communication using virtually unchanged existing E2EE messaging apps, as well as strong plausible deniability. Wink has been demonstrated with multiple existing E2EE applications (including Telegram and Signal) with minimal (external) instrumentation, negligible overheads, and crucially, without changing on-wire message formats.
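To make the idea of carrying a hidden message inside a random coin concrete, here is an added illustration that is not Wink's construction or code (the abstract does not specify one). It assumes a separate hidden key shared by both parties, a 16-byte IV, and a hypothetical field layout, and it uses an HMAC-based Feistel permutation chosen for this sketch; the TrustZone side is not modelled.

```python
import hashlib
import hmac

ROUNDS = 4        # Luby-Rackoff: 4 PRF rounds give a strong pseudorandom permutation
HALF = 8          # a 16-byte IV is processed as two 8-byte halves
MAX_PAYLOAD = 11  # assumed layout: 4-byte counter + 1-byte length + 11 payload bytes


def _prf(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: HMAC-SHA256 keyed with the hidden key, truncated to 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _permute(key: bytes, block: bytes, inverse: bool = False) -> bytes:
    # Keyed permutation over 16-byte blocks; inverse=True undoes the rounds in reverse.
    left, right = block[:HALF], block[HALF:]
    for rnd in (reversed(range(ROUNDS)) if inverse else range(ROUNDS)):
        if inverse:
            left, right = _xor(right, _prf(key, rnd, left)), left
        else:
            left, right = right, _xor(left, _prf(key, rnd, right))
    return left + right


def embed_iv(hidden_key: bytes, counter: int, payload: bytes) -> bytes:
    """Return a 16-byte value usable as an IV that carries `payload`."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long for one IV")
    # The counter keeps every block, and so every IV, unique under one key.
    block = (counter.to_bytes(4, "big") + bytes([len(payload)])
             + payload.ljust(MAX_PAYLOAD, b"\x00"))
    return _permute(hidden_key, block)


def extract_iv(hidden_key: bytes, iv: bytes):
    """Invert embed_iv; returns (counter, payload), or None if the length is invalid."""
    block = _permute(hidden_key, iv, inverse=True)
    length = block[4]
    if length > MAX_PAYLOAD:
        return None
    return int.from_bytes(block[:4], "big"), block[5:5 + length]


if __name__ == "__main__":
    key = b"constructed-hidden-key-for-demo!"  # constructed sample key
    iv = embed_iv(key, 1, b"meet at 9")
    print(iv.hex(), extract_iv(key, iv))
```

Because the output is a permutation of a unique block, the IV never repeats under one hidden key and is still exactly 16 bytes, so the host protocol's on-wire format is unchanged.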