Paper 2022/376

Universally Composable End-to-End Secure Messaging

Ran Canetti, Boston University
Palak Jain, Boston University
Marika Swanberg, Boston University
Mayank Varia, Boston University

We provide a full-fledged security analysis of the Signal end-to-end messaging protocol within the UC framework. In particular: (1) We formulate an ideal functionality that captures end-to-end secure messaging, in a setting with PKI and an untrusted server, against an adversary that has full control over the network and can adaptively and momentarily compromise parties at any time and obtain their entire internal states. In particular, our analysis captures the forward and backwards secrecy properties of Signal and the conditions under which they break. (2) We model the various components of Signal (PKI and long-term keys, backbone "asymmetric ratchet", epoch-level symmetric ratchets, authenticated encryption) as individual ideal functionalities that are analysed separately and then composed using the UC and Global-State UC theorems. (3) We use the Random Oracle Model to model non-committing encryption for arbitrary-length messages, but the rest of the analysis is in the plain model based on standard primitives. In particular, we show how to realize Signal's key derivation functions in the standard model, from generic components, and under minimalistic cryptographic assumptions. Our analysis improves on previous ones in the guarantees it provides, in its relaxed security assumptions, and in its modularity. We also uncover some weaknesses of Signal that were not previously discussed. Our modeling differs from previous UC models of secure communication in that the protocol is modeled as a set of local algorithms, keeping the communication network completely out of scope. We also make extensive, layered use of global-state composition within the plain UC framework. These innovations may be of separate interest.

Category
Cryptographic protocols
Publication info
A major revision of an IACR publication in CRYPTO 2022
Keywords
Secure Messaging, Key Exchange, Universal Composability, Ratcheting, Modularization, Signal, Forward Secrecy, Post-Compromise Security
Contact author(s)
caneti @ bu edu
palakj @ bu edu
marikas @ bu edu
varia @ bu edu
2022-10-04: last of 2 revisions
2022-03-22: received
Creative Commons Attribution


      author = {Ran Canetti and Palak Jain and Marika Swanberg and Mayank Varia},
      title = {Universally Composable End-to-End Secure Messaging},
      howpublished = {Cryptology ePrint Archive, Paper 2022/376},
      year = {2022},
      note = {\url{}},
      url = {}