Cryptology ePrint Archive: Report 2018/296

Asynchronous ratcheted key exchange

Bertram Poettering and Paul Rösler

Abstract: Ratcheted key exchange (RKE) is a cryptographic technique used in instant messaging systems like Signal and the WhatsApp messenger for attaining strong security in the face of state exposure attacks. RKE received academic attention in the recent works of Cohn-Gordon et al. (EuroS&P 2017) and Bellare et al. (CRYPTO 2017). While the former is analytical in the sense that it aims primarily at assessing the security that one particular protocol does achieve (which might be weaker than the notion that it should achieve), the authors of the latter develop and instantiate a notion of security from scratch, independently of existing implementations. Unfortunately, however, their model is quite restricted, e.g. for considering only unidirectional communication and the exposure of only one of the two parties.

In this article we resolve the limitations of prior work by developing alternative security definitions, for unidirectional RKE as well as for RKE where both parties contribute. We follow a purist approach, aiming at finding strong yet convincing notions that cover a realistic communication model with fully concurrent operation of both participants. We further propose secure instantiations (as the protocols analyzed or proposed by Cohn-Gordon et al. and Bellare et al. turn out to be weak in our models). While our scheme for the unidirectional case builds on a generic KEM as the main building block (differently to prior work that requires explicitly Diffie-Hellman), our schemes for bidirectional RKE require a stronger, HIBE-like component.

Category / Keywords: cryptographic protocols / Ratcheting, Ratcheted Key Exchange, Forward Secrecy, Post-Compromise Security

Original Publication (with major differences): IACR-CRYPTO-2018

Date: received 29 Mar 2018, last revised 8 Jun 2018

Contact author: bertram poettering at rhul ac uk, paul roesler@rub de

Available format(s): PDF | BibTeX Citation

Version: 20180608:174050 (All versions of this report)

Short URL: ia.cr/2018/296


[ Cryptology ePrint archive ]