Paper 2024/1625

On the Tight Security of the Double Ratchet

Daniel Collins, Purdue University West Lafayette, Georgia Institute of Technology
Doreen Riepel, University of California, San Diego
Si An Oliver Tran, ETH Zurich
Abstract

The Signal Protocol is a two-party secure messaging protocol used in applications such as Signal, WhatsApp, Google Messages and Facebook Messenger and is used by billions daily. It consists of two core components, one of which is the Double Ratchet protocol that has been the subject of a line of work that aims to understand and formalise exactly what security it provides. Existing models capture strong guarantees including resilience to state exposure in both forward security (protecting past secrets) and post-compromise security (restoring security), adaptive state corruptions, message injections and out-of-order message delivery. Due to this complexity, prior work has failed to provide security guarantees that do not degrade in the number of interactions, even in the single-session setting. Given the ubiquity of the Double Ratchet in practice, we explore tight security bounds for the Double Ratchet in the multi-session setting. To this end, we revisit the modelling of Alwen, Coretti and Dodis (EUROCRYPT 2019) who decompose the protocol into modular, abstract components, notably continuous key agreement (CKA) and forward-secure AEAD (FS-AEAD). To enable a tight security proof, we propose a CKA security model that provides one-way security under key checking attacks. We show that multi-session security of the Double Ratchet can be tightly reduced to the multi-session security of CKA and FS-AEAD, capturing the same strong security guarantees as Alwen et al. Our result improves upon the bounds of Alwen et al. in the random oracle model. Even so, we are unable to provide a completely tight proof for the Double Ratchet based on standard Diffie-Hellman assumptions, and we conjecture it is not possible. We thus go a step further and analyse CKA based on key encapsulation mechanisms (KEMs). In contrast to previous works, our new analysis allows for tight constructions based on the DDH and post-quantum assumptions.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Major revision. ACM CCS 2024
Keywords
double ratchet, secure messaging, signal, tight security
Contact author(s)
danielpatcollins @ gmail com
doreen riepel @ gmail com
sitran @ student ethz ch
History
2024-10-11: revised
2024-10-10: received
Short URL
https://ia.cr/2024/1625
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1625,
      author = {Daniel Collins and Doreen Riepel and Si An Oliver Tran},
      title = {On the Tight Security of the Double Ratchet},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1625},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1625}
}