Paper 2022/486

MARSHAL: Messaging with Asynchronous Ratchets and Signatures for faster HeALing

Olivier Blazy, Pierre-Alain Fouque, Thibaut Jacques, Pascal Lafourcade, Cristina Onete, and Léo Robert


Secure messaging applications are deployed on devices that can be compromised, lost, stolen, or corrupted in many ways. Thus, recovering from attacks to get back to a clean state is essential; this recovery is known as healing. Signal is a widely known, privacy-friendly messaging application that uses a key-ratcheting mechanism, which updates keys at each stage, to provide end-to-end channel security, forward secrecy, and post-compromise security. We strengthen this last property by providing faster healing. Whereas Signal needs up to two full chains of messages before recovering, our protocol enables recovery after the equivalent of a chain of only one message. We also provide extra protection against session-hijacking attacks. We do so while building on the pre-existing Signal backbone, without weakening its other security assumptions, and while remaining compatible with Signal's out-of-order message handling feature. Our implementation results show that, while slower than Signal (as expected), MARSHAL's spectacular gain in healing speed comes at a surprisingly low cost, with individual stages (including key-derivation, encryption, and decryption) taking less than 6 ms.

Category: Cryptographic protocols
Publication info: Published elsewhere. Symposium On Applied Computing 2022
Keywords: Secure messaging, Signal, Healing, E2E encryption
Contact author(s): leo robert @ uca fr
History: 2022-04-23: received
License: Creative Commons Attribution


      author = {Olivier Blazy and Pierre-Alain Fouque and Thibaut Jacques and Pascal Lafourcade and Cristina Onete and Léo Robert},
      title = {MARSHAL: Messaging with Asynchronous Ratchets and Signatures for faster HeALing},
      howpublished = {Cryptology ePrint Archive, Paper 2022/486},
      year = {2022},
      doi = {10.1145/3477314.3507044},
      note = {\url{}},
      url = {}