Abstract
Secure asynchronous two-party communication applies ratcheting to strengthen privacy in the presence of internal state exposures. Security with ratcheting is provided in two forms: forward security and post-compromise security. Several such secure protocols have been proposed in the last few years; however, they come with a high cost.
In this paper, we propose two generic constructions with favorable properties. Concretely, our first construction achieves security awareness: it allows users to detect non-persistent active attacks, to determine which messages are not safe given a potential leakage pattern, and to acknowledge deliveries.
In our second construction, we define a hybrid system formed by combining two protocols: typically, a weakly secure “light” protocol and a strongly secure “heavy” protocol. The design goals of our hybrid construction are, first, to let the sender decide which one to use in order to obtain an efficient protocol with ratcheting on demand; and second, to restore the communication between honest participants in the case of a message loss or an active attack.
We can apply our generic constructions to any existing protocol.
Notes
1. More precisely, the security is called “suboptimal” [7].
2. They call this security level “near-optimal” [9].
3. Proceedings version.
4. In our work, we assume that \(\mathsf {acc}=\mathsf {false}\) implies that \(\mathsf {st}'_P = \mathsf {st}_P\) and \(\mathsf {pt}= \bot \), i.e. the state is not updated when the reception fails. Other authors assume that \(\mathsf {st}'_{P} = \mathsf {pt}= \bot \), i.e. no further reception can be done.
5. We use the programming technique of “function overloading” to define the \(\mathsf {RATCH}\) oracle: there are two definitions depending on whether the second input is \(``\mathsf {rec}"\) or \(``\mathsf {send}"\).
6. By saying that \(\mathsf {received}_\mathsf {pt}^{P}\) is a prefix of \(\mathsf {sent}_\mathsf {pt}^{\overline{P}}\), we mean that \(\mathsf {sent}_\mathsf {pt}^{\overline{P}}\) is the concatenation of \(\mathsf {received}_\mathsf {pt}^P\) with a (possibly empty) list of \((\mathsf {ad},\mathsf {pt})\) pairs.
7.
8. The notion of epoch appeared earlier in Poettering-Rösler [10].
9. The proof is provided in the full version [4].
10. More precisely, in \(\mathsf {PR}\), if A is exposed and then issues a message \(\mathsf {ct}\), the adversary can actually forge a ciphertext \(\mathsf {ct}'\) transporting the same \(\mathsf {pk}\) and \(\mathsf {vfk}\) and deliver it to B in a way that makes B accept. If A then issues a new message \(\mathsf {ct}''\), delivering \(\mathsf {ct}''\) to B will pass the signature verification. The decryption that follows may fail, unless the kuKEM encryption scheme taking care of encryption does not check consistency, which is the case in the proposed one [10, Fig. 3, eprint version]. Therefore, \(\mathsf {ct}''\) may be accepted by B, so \(\mathsf {PR}\) is not \(\mathsf {r\text {-}RECOVER}\) secure. The same holds for \(\mathsf {s\text {-}RECOVER}\) security.
11. We want it to be able to apply Lemma 12 and be aware of the matching status.
12. The proof is given in the full version [4].
13. More details are provided in the full version [4].
14. More details are provided in the full version [4].
15. Our code is available at https://github.com/qantik/ratcheted.
16.
17.
18. H uses a common key \(\mathsf {hk}\) generated by \(H.\mathsf {Gen}\) and an algorithm \(H.\mathsf {Eval}\).
19. \(\mathsf {Sym}\) uses a key of length \(\mathsf {Sym}.\mathsf {kl}\), encrypts over the domain \(\mathsf {Sym}.\mathcal {D}\) with algorithm \(\mathsf {Sym}.\mathsf {Enc}\), and decrypts with \(\mathsf {Sym}.\mathsf {Dec}\).
20. \(\mathsf {DSS}\) uses a key generation \(\mathsf {DSS}.\mathsf {Gen}\), a signing algorithm \(\mathsf {DSS}.\mathsf {Sign}\), and a verification algorithm \(\mathsf {DSS}.\mathsf {Verify}\).
21. \(\mathsf {PKC}\) uses a key generation \(\mathsf {PKC}.\mathsf {Gen}\), an encryption algorithm \(\mathsf {PKC}.\mathsf {Enc}\), and a decryption algorithm \(\mathsf {PKC}.\mathsf {Dec}\).
22. \(\mathsf {SEF\text {-}OTCMA}\) is strong existential unforgeability under a one-time chosen message attack. \(\mathsf {IND\text {-}OTCCA}\) is real-or-random indistinguishability under a one-time chosen plaintext and chosen ciphertext attack. Their definitions are given in [7].
23. Following Durak-Vaudenay [7], for a \(C_\mathsf {trivial}\)-\(\mathsf {FORGE}\)-secure scheme, \((C_\mathsf {leak}\wedge C^{A,B}_\mathsf {forge})\)-\(\mathsf {IND\text {-}CCA}\) security is equivalent to \((C_\mathsf {leak}\wedge C^{A,B}_\mathsf {trivial\ forge})\)-\(\mathsf {IND\text {-}CCA}\) security, which corresponds to the “suboptimal” security in Table 1.
References
Alwen, J., Coretti, S., Dodis, Y.: The double ratchet: security notions, proofs, and modularization for the Signal protocol. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 129–158. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_5
Bellare, M., Singh, A.C., Jaeger, J., Nyayapati, M., Stepanovs, I.: Ratcheted encryption and key exchange: the security of messaging. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 619–650. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_21
Borisov, N., Goldberg, I., Brewer, E.: Off-the-record communication, or, why not to use PGP. In: Proceedings of the 2004 ACM Workshop on Privacy in the Electronic Society, WPES 2004, New York, NY, USA, pp. 77–84. ACM (2004)
Caforio, A., Betül Durak, F., Vaudenay, S.: On-demand ratcheting with security awareness. IACR ePrint 2019/965. https://eprint.iacr.org/2019/965.pdf
Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the Signal messaging protocol. In: 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 451–466, April 2017
Cohn-Gordon, K., Cremers, C., Garratt, L.: On post-compromise security. In: 2016 IEEE 29th Computer Security Foundations Symposium (CSF), pp. 164–178, June 2016
Durak, F.B., Vaudenay, S.: Bidirectional asynchronous ratcheted key agreement with linear complexity. In: Attrapadung, N., Yagi, T. (eds.) IWSEC 2019. LNCS, vol. 11689, pp. 343–362. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26834-3_20
Jaeger, J., Stepanovs, I.: Optimal channel security against fine-grained state compromise: the safety of messaging. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 33–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_2
Jost, D., Maurer, U., Mularczyk, M.: Efficient ratcheting: almost-optimal guarantees for secure messaging. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 159–188. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_6
Poettering, B., Rösler, P.: Towards bidirectional ratcheted key exchange. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 3–32. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_1
Open Whisper Systems: Signal protocol library for Java/Android. GitHub repository (2017). https://github.com/WhisperSystems/libsignal-protocol-java
Unger, N., et al.: SoK: secure messaging. In: 2015 IEEE Symposium on Security and Privacy, pp. 232–249, May 2015
Yan, H., Vaudenay, S.: Symmetric asynchronous ratcheted communication with associated data. In: Aoki, K., Kanaoka, A. (eds.) IWSEC 2020. LNCS, vol. 12231, pp. 184–204. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-58208-1_11
Appendices
A Implementations/Comparisons with Existing Protocols
We compare the performance of \(\mathsf {ARCAD}_\mathsf {DV}\) and \(\mathsf {EtH}\) to other ratcheted messaging and key agreement protocols that have surfaced since 2018. In particular, we implemented five other schemes from the literature^{Footnote 15}: the bidirectional asynchronous key-agreement protocol BRKE by \(\mathsf {PR}\) [10], the similar secure messaging protocol by \(\mathsf {JS}\) [8], the secure messaging protocol by \(\mathsf {JMM}\) [9], and a modularized version of two protocols by \(\mathsf {ACD}\) [1]. In \(\mathsf {ACD}\) [1], two protocols are given: one based on symmetric-key cryptography (\(\mathsf {ACD}\)) and one that adds public-key cryptography (\(\mathsf {ACD}\text {-}\mathsf {PK}\)). We did not implement the \(\mathsf {DV}\) protocol [7], as \(\mathsf {ARCAD}_\mathsf {DV}\) is a slightly modified version of \(\mathsf {DV}\) and hence has identical performance.
All the protocols were implemented in Go^{Footnote 16} and measured with its built-in benchmarking suite^{Footnote 17} on a regular fifth-generation Intel Core i5 processor. In order to mitigate potential overheads, garbage collection was disabled for all runs. Go is comparable in speed to C/C++, though further performance gains are within reach if the protocols are reimplemented in the latter two. Additionally, some protocols deploy primitives for which no standard implementations exist; this is, for example, the case for the \(\mathsf {HIBE}\) constructions used in the \(\mathsf {PR}\) and \(\mathsf {JS}\) protocols, making custom implementations necessary that can certainly be improved upon. For the deployed primitives, whenever we needed an AEAD scheme, we used AES-GCM; for the public-key cryptosystem, we used the elliptic curve version of ElGamal (ECIES); for the signature scheme, we used ECDSA; and, finally, for the PRF-PRNG in the protocol of [1], we used HKDF with SHA-256. Lastly, the protocols themselves may offer some room for performance tweaks.
The benchmarks can be categorized into two types as depicted in Fig. 8–9.
(a) Runtime designates the total time required to exchange n messages, ignoring the latency that normally occurs in a network.
(b) State size shows the maximal size of a user state throughout the exchange of n messages.
A state is all the data that a user keeps in memory. Each type is run on three canonical ways traffic can be shaped when two participants communicate. In alternating traffic the parties are synchronized, i.e. they take turns sending messages. In unidirectional traffic one participant first sends \(\frac{n}{2}\) messages, which are received by the partner, who then sends the other half. Finally, in deferred unidirectional traffic both participants send \(\frac{n}{2}\) messages before they start receiving. \(\mathsf {ACD}\text {-}\mathsf {PK}\) adds some public-key primitives to the double ratchet by \(\mathsf {ACD}\) [1] to plug some post-compromise security gaps. These two variations serve as baselines to see how the metrics of a protocol change when some of its internals are replaced or extended. Also note that, due to the equivalent state sizes in unidirectional and deferred unidirectional traffic, one figure is omitted.
As we can see, overall, the fastest protocol is \(\mathsf {EtH}\), followed by the two \(\mathsf {ACD}\) protocols, then \(\mathsf {ARCAD}_\mathsf {DV}\), then the \(\mathsf {JMM}\) protocol, and lastly the strongest protocols \(\mathsf {PR}\) and \(\mathsf {JS}\). \(\mathsf {ARCAD}_\mathsf {DV}\) and \(\mathsf {JMM}\) may be comparable except for deferred unidirectional communication.
The smallest state size is obtained with \(\mathsf {EtH}\). \(\mathsf {ARCAD}_\mathsf {DV}\) performs well in terms of state size.
Clearly, \(\mathsf {hybrid}(\mathsf {ARCAD}_\mathsf {DV},\mathsf {EtH})\) has performance that is a weighted average of those of \(\mathsf {ARCAD}_\mathsf {DV}\) and \(\mathsf {EtH}\), depending on the frequency of on-demand ratcheting.
B \(\mathsf {ARCAD}_\mathsf {DV}\) Formal Protocol
With slight modifications, we transform the \(\mathsf {DV}\) protocol [7] into an \(\mathsf {ARCAD}\) that we call \(\mathsf {ARCAD}_\mathsf {DV}\).
\(\mathsf {ARCAD}_\mathsf {DV}\) is based on a hash function H^{Footnote 18}, a one-time symmetric cipher \(\mathsf {Sym}\)^{Footnote 19}, a digital signature scheme \(\mathsf {DSS}\)^{Footnote 20}, and a public-key cryptosystem \(\mathsf {PKC}\)^{Footnote 21}.
\(\mathsf {ARCAD}_\mathsf {DV}\), just as \(\mathsf {DV}\), consists of many modules which are built on top of each other. The “smallest” module is a “naive” signcryption scheme \(\mathsf {SC}\) which can be of the form
\(\mathsf {SC}\) extends to a multiple-state (and multiple-key) encryption called \(\mathsf {onion}\). It handles the case where states accumulate during a sequence of send or receive operations. It generates a secret key to encrypt a plaintext. This secret key is then secret-shared and each share is encrypted under a different state, so that if one state is exposed, the shares encrypted under the other states still remain confidential. \(\mathsf {onion}\) leads to a unidirectional scheme called \(\mathsf {uni}\), where participants have fixed roles as either senders or receivers. The underlying idea of unidirectional communication is to let the sender generate the next send/receive states for the future exchange during the current send operation and transmit the next receive state to the receiver. These future states are shown as \(\mathsf {st}'_S\) and \(\mathsf {st}'_{R}\) in the second row of Fig. 10. After each \(\mathsf {uni.Send}\) and \(\mathsf {uni.Rec}\) operation, the states are completely flushed to ensure security.
Finally, unidirectional communication allows us to construct the bidirectional \(\mathsf {ARCAD}_\mathsf {DV}\) as shown in the last row of Fig. 10. Since the communication becomes bidirectional, the participant P also keeps states for receiving. More specifically, the sender generates a pair of fresh states and transmits the send state to the counterpart, who can then use this state to send a reply back to the sender.
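To illustrate the onion idea (one message key, XOR-secret-shared across all accumulated states, each share sealed under a different state), here is an added example that is neither the paper's construction nor the qantik/ratcheted code. It assumes symmetric AES-GCM state keys as a stand-in for the paper's PKC/Sym layers, and fixed 16-byte keys and 12-byte nonces for the demo; recovering the message key requires every state, and a missing or wrong state fails the authentication tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

const keyLen, nonceLen = 16, 12 // AES-128 keys and GCM nonces (constructed demo sizes)
// aead turns a state key into AES-GCM, a symmetric stand-in for the paper's PKC/Sym layers.
func aead(stateKey []byte) cipher.AEAD {
	block, _ := aes.NewCipher(stateKey) // demo keys are always keyLen bytes long
	g, _ := cipher.NewGCM(block)
	return g
}

// OnionWrap splits msgKey into one XOR share per accumulated state and seals share i under
// stateKeys[i] as nonce||ciphertext; every share is needed, so exposing only some states reveals nothing.
func OnionWrap(stateKeys [][]byte, msgKey []byte) [][]byte {
	layers := make([][]byte, len(stateKeys))
	rest := append([]byte(nil), msgKey...) // msgKey XOR the random shares issued so far
	for i, k := range stateKeys {
		share := rest // the final share closes the XOR sum back to msgKey
		if i < len(stateKeys)-1 {
			share = make([]byte, keyLen)
			rand.Read(share)
			subtle.XORBytes(rest, rest, share)
		}
		nonce := make([]byte, nonceLen)
		rand.Read(nonce)
		layers[i] = aead(k).Seal(nonce, nonce, share, nil)
	}
	return layers
}

// OnionUnwrap needs every state key; a wrong key or a tampered layer fails the GCM tag check.
func OnionUnwrap(stateKeys [][]byte, layers [][]byte) ([]byte, error) {
	if len(stateKeys) != len(layers) {
		return nil, errors.New("onion: one state key per layer required")
	}
	msgKey := make([]byte, keyLen)
	for i, k := range stateKeys {
		share, err := aead(k).Open(nil, layers[i][:nonceLen], layers[i][nonceLen:], nil)
		if err != nil {
			return nil, err
		}
		subtle.XORBytes(msgKey, msgKey, share)
	}
	return msgKey, nil
}
```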
\(\mathsf {ARCAD}_\mathsf {DV}\) is depicted in Fig. 11.
Note that we removed some parts of the protocol which ensure \(\mathsf {r\text {-}RECOVER}\) security, because the generic transformation in Sect. 3 which we apply to \(\mathsf {ARCAD}_\mathsf {DV}\) restores it in a stronger and generic way.
We recall the security results.
Theorem 30
(Security of \(\mathsf {ARCAD}_\mathsf {DV}\) [7]). \(\mathsf {ARCAD}_\mathsf {DV}\) is correct. If \(\mathsf {Sym}.\mathsf {kl}(\lambda )=\Omega (\lambda )\), H is collision-resistant, \(\mathsf {DSS}\) is \(\mathsf {SEF\text {-}OTCMA}\), \(\mathsf {PKC}\) is \(\mathsf {IND\text {-}CCA}\)-secure, and \(\mathsf {Sym}\) is \(\mathsf {IND\text {-}OTCCA}\)-secure, then \(\mathsf {ARCAD}_\mathsf {DV}\) is \(C_\mathsf {trivial}\)-\(\mathsf {FORGE}\)-secure, \((C_\mathsf {leak}\wedge C_\mathsf {forge}^{A,B})\)-\(\mathsf {IND\text {-}CCA}\)-secure and \(\mathsf {PREDICT}\)-secure.^{Footnote 22}^{,}^{Footnote 23}
Copyright information
© 2021 International Association for Cryptologic Research
Cite this paper
Caforio, A., Durak, F.B., Vaudenay, S. (2021). Beyond Security and Efficiency: On-Demand Ratcheting with Security Awareness. In: Garay, J.A. (ed.) Public-Key Cryptography – PKC 2021. Lecture Notes in Computer Science, vol. 12711. Springer, Cham. https://doi.org/10.1007/978-3-030-75248-4_23
DOI: https://doi.org/10.1007/978-3-030-75248-4_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-75247-7
Online ISBN: 978-3-030-75248-4