Paper 2022/376

Universally Composable End-to-End Secure Messaging

Ran Canetti, Boston University
Palak Jain, Boston University
Marika Swanberg, Boston University
Mayank Varia, Boston University

We model and analyze the Signal end-to-end secure messaging protocol within the Universal Composability (UC) framework. Specifically: (1) We formulate an ideal functionality that captures end-to-end secure messaging in a setting with Public Key Infrastructure (PKI) and an untrusted server, against an adversary that has full control over the network and can adaptively and momentarily compromise parties at any time, obtaining their entire internal states. Our analysis captures the forward secrecy and recovery-of-security properties of Signal and the conditions under which they break. (2) We model the main components of the Signal architecture (PKI and long-term keys, the backbone continuous-key-exchange or "asymmetric ratchet", epoch-level symmetric ratchets, authenticated encryption) as individual ideal functionalities. These components are realized and analyzed separately, and then composed using the UC and Global-State UC theorems. (3) We show how the ideal functionalities representing these components can be realized using standard cryptographic primitives with minimal hardness assumptions. Our modeling introduces additional innovations that enable arguing about the security of Signal, irrespective of the underlying communication medium, and facilitate the secure composition of dynamically generated modules that share state. These features, in conjunction with the basic modularity of the UC framework, will hopefully facilitate the use of both Signal-as-a-whole and its individual components within cryptographic applications.

Available format(s)
Cryptographic protocols
Publication info
A major revision of an IACR publication in CRYPTO 2022
Secure MessagingKey ExchangeUniversal ComposabilityRatchetingModularizationSignalForward SecrecyPost-Compromise Security
Contact author(s)
caneti @ bu edu
palakj @ bu edu
marikas @ bu edu
varia @ bu edu
2023-05-19: last of 3 revisions
2022-03-22: received
See all versions
Short URL
Creative Commons Attribution


      author = {Ran Canetti and Palak Jain and Marika Swanberg and Mayank Varia},
      title = {Universally Composable End-to-End Secure Messaging},
      howpublished = {Cryptology ePrint Archive, Paper 2022/376},
      year = {2022},
      doi = {10.1007/978-3-031-15979-4_1},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.