Paper 2018/1037

The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol

Joël Alwen, Sandro Coretti, and Yevgeniy Dodis

Abstract

Signal is a famous secure messaging protocol used by billions of people, by virtue of many secure text messaging applications including Signal itself, WhatsApp, Facebook Messenger, Skype, and Google Allo. At its core it uses the concept of "double ratcheting," where every message is encrypted and authenticated using a fresh symmetric key; it has many attractive properties, such as forward security, post-compromise security, and "immediate (no-delay) decryption," which had never been achieved in combination by prior messaging protocols. While the formal analysis of the Signal protocol, and ratcheting in general, has attracted a lot of recent attention, we argue that none of the existing analyses is fully satisfactory. To address this problem, we give a clean and general definition of secure messaging, which clearly indicates the types of security we expect, including forward security, post-compromise security, and immediate decryption. We are the first to explicitly formalize and model the immediate decryption property, which implies (among other things) that parties seamlessly recover if a given message is permanently lost---a property not achieved by any of the recent "provable alternatives to Signal." We build a modular "generalized Signal protocol" from the following components: (a) continuous key agreement (CKA), a clean primitive we introduce and which can be easily and generically built from public-key encryption (not just Diffie-Hellman as is done in the current Signal protocol) and roughly models "public-key ratchets;" (b) forward-secure authenticated encryption with associated data (FS-AEAD), which roughly captures "symmetric-key ratchets;" and (c) a two-input hash function that is a pseudorandom function (resp. generator with input) in its first (resp. second) input, which we term PRF-PRNG. As a result, in addition to instantiating our framework in a way resulting in the existing, widely-used Diffie-Hellman based Signal protocol, we can easily get post-quantum security and not rely on random oracles in the analysis. We further show that our design can be elegantly extended to include other forms of "fine-grained state compromise" recently studied at CRYPTO'18, but without sacrificing the immediate decryption property. However, we argue that the additional security offered by these modifications is unlikely to justify the efficiency hit of using much heavier public-key cryptography in place of symmetric-key cryptography.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
A major revision of an IACR publication in EUROCRYPT 2019
Keywords
Signal protocoldouble ratchetingsecure messagingmodularizationpost-quantum security
Contact author(s)
corettis @ gmail com
History
2020-02-21: last of 11 revisions
2018-10-30: received
See all versions
Short URL
https://ia.cr/2018/1037
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2018/1037,
      author = {Joël Alwen and Sandro Coretti and Yevgeniy Dodis},
      title = {The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol},
      howpublished = {Cryptology ePrint Archive, Paper 2018/1037},
      year = {2018},
      note = {\url{https://eprint.iacr.org/2018/1037}},
      url = {https://eprint.iacr.org/2018/1037}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.