Paper 2024/220

Security of Symmetric Ratchets and Key Chains - Implications for Protocols like TLS 1.3, Signal, and PQ3

John Preuß Mattsson, Ericsson Research

Symmetric ratchets and one-way key chains play a vital role in numerous important security protocols such as TLS 1.3, DTLS 1.3, QUIC, Signal, MLS, EDHOC, OSCORE, and Apple PQ3. Despite the crucial role they play, very little is known about their security properties. This paper categorizes and examines different ratchet constructions, offering a comprehensive overview of their security. Our analysis reveals notable distinctions between different types of one-way key chains. Notably, the type of ratchet used by TLS 1.3, Signal, and PQ3 exhibits a significant number of weak keys, an unexpectedly high rate of key collisions surpassing birthday attack expectations, and a predictable shrinking key space susceptible to novel Time-Memory Trade-Off (TMTO) attacks with complexity $\approx N^{1/4}$. Consequently, the security level provided by, e.g., TLS 1.3 is significantly lower than anticipated. To address these concerns, we analyze the aforementioned protocols and provide numerous concrete recommendations for enhancing their security, as well as guidance for future security protocol design.
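As an added illustration of the "shrinking key space" and "collisions beyond birthday expectations" points in the abstract (example code written for this page, not from the paper and not the code of any of the protocols it names): a toy simulation that iterates a hash-based symmetric ratchet k_{i+1} = H(k_i) over an entire key space and compares it with a counter-based derivation k_i = H(k_0 || i). It assumes a 16-bit key space N = 2^16 so the whole space can be enumerated, models H by SHA-256 truncated to 16 bits (treated as a random function), and the session count of 4096 and the 16 ratchet steps are arbitrary choices; none of this reproduces the paper's TMTO attack.

```python
import hashlib
import random

# Toy parameters (assumption): a 16-bit key space so every key can be enumerated.
KEY_BITS = 16
N = 1 << KEY_BITS


def h(k: int) -> int:
    """Ratchet step k_{i+1} = H(k_i), with H modelled as SHA-256 truncated to KEY_BITS bits."""
    digest = hashlib.sha256(k.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") & (N - 1)


def h_ctr(k0: int, i: int) -> int:
    """Counter-style derivation k_i = H(k_0 || i): every key comes from the root, not from k_{i-1}."""
    digest = hashlib.sha256(k0.to_bytes(4, "big") + i.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") & (N - 1)


def ratchet_image_sizes(steps: int) -> list:
    """Start from every possible key, apply the ratchet step t times, and count the
    distinct keys that remain. Returns [|K_0|, ..., |K_steps|] with K_{t+1} = h(K_t)."""
    current = set(range(N))
    sizes = [len(current)]
    for _ in range(steps):
        current = {h(k) for k in current}
        sizes.append(len(current))
    return sizes


def counter_image_sizes(steps: int) -> list:
    """Same measurement for the counter construction: |{h_ctr(k0, i) : all k0}| for i = 0..steps."""
    return [len({h_ctr(k0, i) for k0 in range(N)}) for i in range(steps + 1)]


def ratchet_collisions(sessions: int, step: int, seed: int = 1) -> int:
    """Run `sessions` independent chains from random root keys (fixed seed, constructed input),
    ratchet each `step` times, and count how many sessions share their current key with another."""
    rng = random.Random(seed)
    keys = []
    for _ in range(sessions):
        k = rng.randrange(N)
        for _ in range(step):
            k = h(k)
        keys.append(k)
    return sessions - len(set(keys))


if __name__ == "__main__":
    steps = 16
    r = ratchet_image_sizes(steps)
    c = counter_image_sizes(steps)
    print(" t  ratchet |K_t|  counter |K_t|   (N = %d)" % N)
    for t in range(steps + 1):
        print(f"{t:2d}  {r[t]:13d}  {c[t]:13d}")
    for t in (1, 4, 16):
        print(f"colliding sessions out of 4096 after {t} ratchet steps: {ratchet_collisions(4096, t)}")
```

What the run shows: one application of a random function maps the full space onto roughly (1 - 1/e)N distinct values for both constructions, but the counter chain stays near that size at every index, whereas the iterated ratchet keeps shrinking (on the order of 2N/t after t steps, the classic random-mapping behaviour). Sessions that have ratcheted many times therefore draw their keys from a much smaller set, and the number of colliding sessions grows well beyond what a birthday estimate over N would suggest.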

Category: Cryptographic protocols
Keywords: TLS 1.3, Signal, PQ3, Secret-key cryptography, Key derivation, Ratchet, Key chain, Stream cipher, Cryptanalysis, TMTO
Contact author: john mattsson @ ericsson com
History: 2024-02-13: received; 2024-02-22: last of 3 revisions
License: Creative Commons Attribution

@misc{cryptoeprint:2024/220,
      author = {John Preuß Mattsson},
      title = {Security of Symmetric Ratchets and Key Chains - Implications for Protocols like {TLS} 1.3, Signal, and {PQ3}},
      howpublished = {Cryptology ePrint Archive, Paper 2024/220},
      year = {2024},
      note = {\url{}},
      url = {}
}