Paper 2024/220

Security of Symmetric Ratchets and Key Chains - Implications for Protocols like TLS 1.3, Signal, and PQ3

John Preuß Mattsson, Ericsson Research
Abstract

Symmetric ratchets and one-way key chains play a vital role in numerous important security protocols such as TLS 1.3, DTLS 1.3, QUIC, Signal, MLS, EDHOC, OSCORE, and Apple PQ3. Despite the crucial role they play, very little is known about their security properties. This paper categorizes and examines different ratchet constructions, offering a comprehensive overview of their security. Our analysis reveals notable distinctions between different types of one-way key chains. Notably, the type of ratchet used by TLS 1.3, Signal, and PQ3 exhibit a significant number of weak keys, an unexpectedly high rate of key collisions surpassing birthday attack expectations, and a predictable shrinking key space susceptible to novel Time-Memory Trade-Off (TMTO) attacks with complexity $\approx N^{1/4}$. Consequently, the security level provided by e.g., TLS 1.3 is significantly lower than anticipated. To address these concerns, we analyze the aforementioned protocols and provide numerous concrete recommendations for enhancing their security, as well as guidance for future security protocol design.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
TLS 1.3SignalPQ3Secret-key CryptographyKey DerivationRatchetKey ChainStream CipherCryptanalysisTMTO
Contact author(s)
john mattsson @ ericsson com
History
2024-02-22: last of 3 revisions
2024-02-13: received
See all versions
Short URL
https://ia.cr/2024/220
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/220,
      author = {John Preuß Mattsson},
      title = {Security of Symmetric Ratchets and Key Chains - Implications for Protocols like {TLS} 1.3, Signal, and {PQ3}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/220},
      year = {2024},
      url = {https://eprint.iacr.org/2024/220}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.