Paper 2016/1028

Ratcheted Encryption and Key Exchange: The Security of Messaging

Mihir Bellare, Asha Camper Singh, Joseph Jaeger, Maya Nyayapati, and Igors Stepanovs


We aim to understand, formalize and provably achieve the goals underlying the core key-ratcheting technique of Borisov, Goldberg and Brewer, extensions of which are now used in secure messaging systems. We give syntax and security definitions for ratcheted encryption and key-exchange. We give a proven-secure protocol for ratcheted key exchange. We then show how to generically obtain ratcheted encryption from ratcheted key-exchange and standard encryption.

Note: Fixed the upper bounds provided for the security of ODHE in ROM assumption in Appendix A.

Available format(s)
Cryptographic protocols
Publication info
A major revision of an IACR publication in CRYPTO 2017
symmetric encryptionforward securitybackward securityauthenticated key exchangeDiffie-HellmanOff-the-Record Messaging protocolSignal protocol
Contact author(s)
istepano @ eng ucsd edu
2019-03-16: last of 3 revisions
2016-11-01: received
See all versions
Short URL
Creative Commons Attribution


      author = {Mihir Bellare and Asha Camper Singh and Joseph Jaeger and Maya Nyayapati and Igors Stepanovs},
      title = {Ratcheted Encryption and Key Exchange: The Security of Messaging},
      howpublished = {Cryptology ePrint Archive, Paper 2016/1028},
      year = {2016},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.