Paper 2024/220
Security of Symmetric Ratchets and Key Chains - Implications for Protocols like TLS 1.3, Signal, and PQ3
, Ericsson ResearchAbstract
Symmetric ratchets and one-way key chains play a vital role in numerous important security protocols such as TLS 1.3, DTLS 1.3, QUIC, Signal, MLS, EDHOC, OSCORE, and Apple PQ3. Despite the crucial role they play, very little is known about their security properties. This paper categorizes and examines different ratchet constructions, offering a comprehensive overview of their security. Our analysis reveals notable distinctions between different types of one-way key chains. Notably, the type of ratchet used by TLS 1.3, Signal, and PQ3 exhibit a significant number of weak keys, an unexpectedly high rate of key collisions surpassing birthday attack expectations, and a predictable shrinking key space susceptible to novel Time-Memory Trade-Off (TMTO) attacks with complexity $\approx N^{1/4}$. Consequently, the security level provided by e.g., TLS 1.3 is significantly lower than anticipated. To address these concerns, we analyze the aforementioned protocols and provide numerous concrete recommendations for enhancing their security, as well as guidance for future security protocol design.
Metadata
- Available format(s)
-
PDF
- Category
- Cryptographic protocols
- Publication info
- Preprint.
- Keywords
- TLS 1.3SignalPQ3Secret-key CryptographyKey DerivationRatchetKey ChainStream CipherCryptanalysisTMTO
- Contact author(s)
- john mattsson @ ericsson com
- History
- 2024-02-22: last of 3 revisions
- 2024-02-13: received
- See all versions
- Short URL
- https://ia.cr/2024/220
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2024/220,
author = {John Preuß Mattsson},
title = {Security of Symmetric Ratchets and Key Chains - Implications for Protocols like TLS 1.3, Signal, and PQ3},
howpublished = {Cryptology ePrint Archive, Paper 2024/220},
year = {2024},
note = {\url{https://eprint.iacr.org/2024/220}},
url = {https://eprint.iacr.org/2024/220}
}
