Skip to main content

The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol

Part of the Lecture Notes in Computer Science book series (LNSC,volume 11476)


Signal is a famous secure messaging protocol used by billions of people, by virtue of many secure text messaging applications including Signal itself, WhatsApp, Facebook Messenger, Skype, and Google Allo. At its core it uses the concept of “double ratcheting,” where every message is encrypted and authenticated using a fresh symmetric key; it has many attractive properties, such as forward security, post-compromise security, and “immediate (no-delay) decryption,” which had never been achieved in combination by prior messaging protocols.

While the formal analysis of the Signal protocol, and ratcheting in general, has attracted a lot of recent attention, we argue that none of the existing analyses is fully satisfactory. To address this problem, we give a clean and general definition of secure messaging, which clearly indicates the types of security we expect, including forward security, post-compromise security, and immediate decryption. We are the first to explicitly formalize and model the immediate decryption property, which implies (among other things) that parties seamlessly recover if a given message is permanently lost—a property not achieved by any of the recent “provable alternatives to Signal.”

We build a modular “generalized Signal protocol” from the following components: (a) continuous key agreement (CKA), a clean primitive we introduce and which can be easily and generically built from public-key encryption (not just Diffie-Hellman as is done in the current Signal protocol) and roughly models “public-key ratchets;” (b) forward-secure authenticated encryption with associated data (FS-AEAD), which roughly captures “symmetric-key ratchets;” and (c) a two-input hash function that is a pseudorandom function (resp. generator with input) in its first (resp. second) input, which we term PRF-PRNG. As a result, in addition to instantiating our framework in a way resulting in the existing, widely-used Diffie-Hellman based Signal protocol, we can easily get post-quantum security and not rely on random oracles in the analysis.

J. Alwen—Partially supported by the European Research Council under ERC Consolidator Grant (682815 - TOCNeT).

S. Coretti—Supported by NSF grants 1314568 and 1319051.

Y. Dodis—Partially supported by gifts from VMware Labs, Facebook and Google, and NSF grants 1314568, 1619158, 1815546.

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD   99.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   129.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions


  1. 1.

    Namely, good randomness is only needed to achieve PCS, while all other security properties hold even with the adversarially controlled randomness (when parties are not compromised).

  2. 2.

    Specifically, the healing time of the generic Signal protocol presented in this work is \(\Delta _{\mathsf {SM}}= 2 + \Delta _{\mathsf {CKA}}\).

  3. 3.

    For syntactic reasons having to do with our abstractions, our protocol is a minor variant of Signal, but is logically equivalent to Signal in every aspect.

  4. 4.

    The reader may skip over this definition on first read. The properties are referenced where they are needed.

  5. 5.

    cf. Property (B) in Definition 2.

  6. 6.

    Of course, one could also parametrize the number of rounds required to recover (all CKA schemes in this work recover within two rounds, however).

  7. 7.

    The DDH assumption states that it is hard to distinguish DH triples \((g^a,g^b,g^{ab})\) from random triples \((g^a,g^b,g^c)\), where a, b, and c are uniformly random and independent exponents.

  8. 8.

    For ease of description, the FS-AEAD state of the parties is not made explicit as a variable \(v\).

  9. 9.

    \(\mathsf B\) also starts in epoch \(t_{\mathsf B}\leftarrow 0\).


  1. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S., (eds.) 25th USENIX Security Symposium, pp. 327–343. USENIX Association (2016)

    Google Scholar 

  2. Alwen, J., Coretti, S., Dodis, Y.: The double ratchet: security notions, proofs, and modularization for the signal protocol. Cryptology ePrint Archive, Report 2018/1037 (2018).

  3. Bellare, M., Singh, A.C., Jaeger, J., Nyayapati, M., Stepanovs, I.: Ratcheted encryption and key exchange: the security of messaging. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 619–650. Springer, Cham (2017).

    CrossRef  Google Scholar 

  4. Bellare, M., Yee, B.: Forward-security in private-key cryptography. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 1–18. Springer, Heidelberg (2003).

    CrossRef  Google Scholar 

  5. Borisov, N., Goldberg, I., Brewer, E.A.: Off-the-record communication, or, why not to use PGP. In: Proceedings of the 2004 ACM Workshop on Privacy in the Electronic Society, WPES 2004, 28 October 2004, pp. 77–84 (2004)

    Google Scholar 

  6. Bos, J., et al.: Crystals - kyber: a CCA-secure module-lattice-based KEM. Cryptology ePrint Archive, Report 2017/634 (2017).

  7. Cohn-Gordon, K., Cremers, C.J.F., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the signal messaging protocol. In: 2017 IEEE European Symposium on Security and Privacy, EuroS&P 2017, pp. 451–466. IEEE (2017)

    Google Scholar 

  8. Cohn-Gordon, K., Cremers, C.J.F., Garratt, L.: On post-compromise security. In: IEEE 29th Computer Security Foundations Symposium, CSF 2016, pp. 164–178. IEEE Computer Society (2016)

    Google Scholar 

  9. Derler, D., Jager, T., Slamanig, D., Striecks, C.: Bloom filter encryption and applications to efficient forward-secret 0-RTT key exchange. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 425–455. Springer, Cham (2018).

    CrossRef  Google Scholar 

  10. Durak, F.B., Vaudenay, S.: Bidirectional asynchronous ratcheted key agreement without key-update primitives. Cryptology ePrint Archive, Report 2018/889 (2018).

  11. Messenger secret conversations: Technical whitepaper.

  12. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002).

    CrossRef  Google Scholar 

  13. Green, M.D., Miers, I.: Forward secure asynchronous messaging from puncturable encryption. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, pp. 305–320 (2015)

    Google Scholar 

  14. Günther, F., Hale, B., Jager, T., Lauer, S.: 0-RTT key exchange with full forward secrecy. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 519–548. Springer, Cham (2017).

    CrossRef  Google Scholar 

  15. Hülsing, A., Rijneveld, J., Schanck, J., Schwabe, P.: High-speed key encapsulation from NTRU. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 232–252. Springer, Cham (2017).

    CrossRef  Google Scholar 

  16. Jaeger, J., Stepanovs, I.: Optimal channel security against fine-grained state compromise: the safety of messaging. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 33–62. Springer, Cham (2018).

    CrossRef  Google Scholar 

  17. Jost, D., Maurer, U., Mularczyk, M.: Efficient ratcheting: almost-optimal guarantees for secure messaging. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, LNCS, vol. 11476, pp. 159–188 (2019).

  18. Krawczyk, H., Bellare, M., Canetti, R.: HMAC: keyed-Hashing for Message Authentication. RFC 2104, February 1997

    Google Scholar 

  19. Krawczyk, H., Eronen, P.: HMAC-based Extract-and-Expand Key Derivation Function (HKDF). RFC 5869, May 2010

    Google Scholar 

  20. Langley, A., Hamburg, M., Turner, S.: Elliptic Curves for Security. RFC 7748, January 2016

    Google Scholar 

  21. Lund, J.: Signal partners with Microsoft to bring end-to-end encryption to Skype.

  22. Marlinspike, M.: Open whisper systems partners with Google on end-to-end encryption for Allo.

  23. Marlinspike, M., Perrin, T.: The double Ratchet algorithm, November 2016.

  24. Marlinspike, M., Perrin, T.: The double Ratchet algorithm, November 2016.

  25. National Institute of Standards and Technology (NIST). FIPS 180–4. secure hash standard. Technical report, US Department of Commerce, August 2015

    Google Scholar 

  26. Poettering, B., Rösler, P.: Asynchronous ratcheted key exchange. Cryptology ePrint Archive, Report 2018/296 (2018).

  27. Rogaway, P.: Authenticated-encryption with associated-data. In: CCS 2002, Washington, DC, 18–22 November 2002, pp. 98–107 (2002)

    Google Scholar 

  28. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006).

    CrossRef  Google Scholar 

  29. Whatsapp encryption overview: Technical white paper, December 2017.

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Joël Alwen .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2019 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Alwen, J., Coretti, S., Dodis, Y. (2019). The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol. In: Ishai, Y., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2019. EUROCRYPT 2019. Lecture Notes in Computer Science(), vol 11476. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17652-5

  • Online ISBN: 978-3-030-17653-2

  • eBook Packages: Computer ScienceComputer Science (R0)