Paper 2018/296

Asynchronous ratcheted key exchange

Bertram Poettering and Paul Rösler

Abstract

Ratcheted key exchange (RKE) is a cryptographic technique used in instant messaging systems like Signal and the WhatsApp messenger for attaining strong security in the face of state exposure attacks. RKE received academic attention in the recent works of Cohn-Gordon et al. (EuroS&P 2017) and Bellare et al. (CRYPTO 2017). While the former is analytical in the sense that it aims primarily at assessing the security that one particular protocol does achieve (which might be weaker than the notion that it should achieve), the authors of the latter develop and instantiate a notion of security from scratch, independently of existing implementations. Unfortunately, however, their model is quite restricted, e.g. for considering only unidirectional communication and the exposure of only one of the two parties. In this article we resolve the limitations of prior work by developing alternative security definitions, for unidirectional RKE as well as for RKE where both parties contribute. We follow a purist approach, aiming at finding strong yet convincing notions that cover a realistic communication model with fully concurrent operation of both participants. We further propose secure instantiations (as the protocols analyzed or proposed by Cohn-Gordon et al. and Bellare et al. turn out to be weak in our models). While our scheme for the unidirectional case builds on a generic KEM as the main building block (differently to prior work that requires explicitly Diffie-Hellman), our schemes for bidirectional RKE require a stronger, HIBE-like component.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
A major revision of an IACR publication in Crypto 2018
Keywords
RatchetingRatcheted Key ExchangeForward SecrecyPost-Compromise Security
Contact author(s)
bertram poettering @ rhul ac uk
paul roesler @ rub de
History
2018-06-08: revised
2018-03-29: received
See all versions
Short URL
https://ia.cr/2018/296
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2018/296,
      author = {Bertram Poettering and Paul Rösler},
      title = {Asynchronous ratcheted key exchange},
      howpublished = {Cryptology ePrint Archive, Paper 2018/296},
      year = {2018},
      note = {\url{https://eprint.iacr.org/2018/296}},
      url = {https://eprint.iacr.org/2018/296}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.