
Beyond Security and Efficiency: On-Demand Ratcheting with Security Awareness


Part of the Lecture Notes in Computer Science book series (LNSC,volume 12711)


Secure asynchronous two-party communication applies ratcheting to strengthen privacy, in the presence of internal state exposures. Security with ratcheting is provided in two forms: forward security and post-compromise security. There have been several such secure protocols proposed in the last few years. However, they come with a high cost.

In this paper, we propose two generic constructions with favorable properties. Concretely, our first construction achieves security awareness. It allows users to detect non-persistent active attacks, to determine which messages are not safe given a potential leakage pattern, and to acknowledge deliveries.

In our second construction, we define a hybrid system formed by combining two protocols: typically, a weakly secure “light” protocol and a strongly secure “heavy” protocol. The design goals of our hybrid construction are, first, to let the sender decide which one to use in order to obtain an efficient protocol with ratchet on demand; and second, to restore the communication between honest participants in the case of a message loss or an active attack.

We can apply our generic constructions to any existing protocol.

  • DOI: 10.1007/978-3-030-75248-4_23


Notes

  1. More precisely, the security is called “sub-optimal” [7].

  2. They call this security level “near-optimal” [9].

  3. Proceedings version.

  4. In our work, we assume that \(\mathsf {acc}=\mathsf {false}\) implies that \(\mathsf {st}'_P = \mathsf {st}_P\) and \(\mathsf {pt}= \bot \), i.e. the state is not updated when the reception fails. Other authors assume that \(\mathsf {st}'_{P} = \mathsf {pt}= \bot \), i.e. no further reception can be done.

  5. We use the programming technique of “function overloading” to define the \(\mathsf {RATCH}\) oracle: there are two definitions depending on whether the second input is \(``\mathsf {rec}"\) or \(``\mathsf {send}"\).

  6. By saying that \(\mathsf {received}_\mathsf {pt}^{P}\) is a prefix of \(\mathsf {sent}_\mathsf {pt}^{\overline{P}}\), we mean that \(\mathsf {sent}_\mathsf {pt}^{\overline{P}}\) is the concatenation of \(\mathsf {received}_\mathsf {pt}^P\) with a (possibly empty) list of \((\mathsf {ad},\mathsf {pt})\) pairs.

  7. It is called \(\mathsf {RECOVER}\)-security in \(\mathsf {DV}\) [7]. We call it \(\mathsf {r\text {-}RECOVER}\) because we will enrich it with an \(\mathsf {s\text {-}RECOVER}\) notion in Sect. 3.1.

  8. The notion of epoch appeared in Poettering-Rösler [10] before.

  9. The proof is provided in the full version [4].

  10. More precisely, in \(\mathsf {PR}\), if A is exposed and then issues a message \(\mathsf {ct}\), the adversary can actually forge a ciphertext \(\mathsf {ct}'\) transporting the same \(\mathsf {pk}\) and \(\mathsf {vfk}\) and deliver it to B in a way which makes B accept. If A issues a new message \(\mathsf {ct}''\), delivering \(\mathsf {ct}''\) to B will pass the signature verification. The follow-up decryption may fail, except if the kuKEM encryption scheme taking care of encryption does not check consistency, which is the case in the proposed one [10, Fig. 3, eprint version]. Therefore, \(\mathsf {ct}''\) may be accepted by B, so \(\mathsf {PR}\) is not \(\mathsf {r\text {-}RECOVER}\)-secure. The same holds for \(\mathsf {s\text {-}RECOVER}\) security.

  11. We want it to be able to apply Lemma 12 and be aware of the matching status.

  12. The proof is given in the full version [4].

  13. More details are provided in the full version [4].

  14. More details are provided in the full version [4].

  15. Our code is available at

  16.

  17.

  18. H uses a common key \(\mathsf {hk}\) generated by \(H.\mathsf {Gen}\) and an algorithm \(H.\mathsf {Eval}\).

  19. \(\mathsf {Sym}\) uses a key of length \(\mathsf {Sym}.\mathsf {kl}\), encrypts over the domain \(\mathsf {Sym}.\mathcal {D}\) with algorithm \(\mathsf {Sym}.\mathsf {Enc}\) and decrypts with \(\mathsf {Sym}.\mathsf {Dec}\).

  20. \(\mathsf {DSS}\) uses a key generation \(\mathsf {DSS}.\mathsf {Gen}\), a signing algorithm \(\mathsf {DSS}.\mathsf {Sign}\), and a verification algorithm \(\mathsf {DSS}.\mathsf {Verify}\).

  21. \(\mathsf {PKC}\) uses a key generation \(\mathsf {PKC}.\mathsf {Gen}\), an encryption algorithm \(\mathsf {PKC}.\mathsf {Enc}\), and a decryption algorithm \(\mathsf {PKC}.\mathsf {Dec}\).

  22. \(\mathsf {SEF\text {-}OTCMA}\) is strong existential unforgeability under one-time chosen message attack. \(\mathsf {IND\text {-}OTCCA}\) is real-or-random indistinguishability under one-time chosen plaintext and chosen ciphertext attack. Their definitions are given in [7].

  23. Following Durak-Vaudenay [7], for a \(C_\mathsf {trivial}\)-\(\mathsf {FORGE}\)-secure scheme, \((C_\mathsf {leak}\wedge C^{A,B}_\mathsf {forge})\)-\(\mathsf {IND\text {-}CCA}\) security is equivalent to \((C_\mathsf {leak}\wedge C^{A,B}_\mathsf {trivial\ forge})\)-\(\mathsf {IND\text {-}CCA}\) security, which corresponds to the “sub-optimal” security in Table 1.


References

  1. Alwen, J., Coretti, S., Dodis, Y.: The double ratchet: security notions, proofs, and modularization for the Signal protocol. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 129–158. Springer, Cham (2019).

  2. Bellare, M., Singh, A.C., Jaeger, J., Nyayapati, M., Stepanovs, I.: Ratcheted encryption and key exchange: the security of messaging. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 619–650. Springer, Cham (2017).

  3. Borisov, N., Goldberg, I., Brewer, E.: Off-the-record communication, or, why not to use PGP. In: Proceedings of the 2004 ACM Workshop on Privacy in the Electronic Society, WPES 2004, New York, NY, USA, pp. 77–84. ACM (2004).

  4. Caforio, A., Betül Durak, F., Vaudenay, S.: On-demand ratcheting with security awareness. IACR ePrint 2019/965.

  5. Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the Signal messaging protocol. In: 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 451–466, April 2017.

  6. Cohn-Gordon, K., Cremers, C., Garratt, L.: On post-compromise security. In: 2016 IEEE 29th Computer Security Foundations Symposium (CSF), pp. 164–178, June 2016.

  7. Durak, F.B., Vaudenay, S.: Bidirectional asynchronous ratcheted key agreement with linear complexity. In: Attrapadung, N., Yagi, T. (eds.) IWSEC 2019. LNCS, vol. 11689, pp. 343–362. Springer, Cham (2019).

  8. Jaeger, J., Stepanovs, I.: Optimal channel security against fine-grained state compromise: the safety of messaging. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 33–62. Springer, Cham (2018).

  9. Jost, D., Maurer, U., Mularczyk, M.: Efficient ratcheting: almost-optimal guarantees for secure messaging. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 159–188. Springer, Cham (2019).

  10. Poettering, B., Rösler, P.: Towards bidirectional ratcheted key exchange. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 3–32. Springer, Cham (2018).

  11. Open Whisper Systems: Signal protocol library for Java/Android. GitHub repository (2017).

  12. Unger, N., et al.: SoK: secure messaging. In: 2015 IEEE Symposium on Security and Privacy, pp. 232–249, May 2015.

  13. Yan, H., Vaudenay, S.: Symmetric asynchronous ratcheted communication with associated data. In: Aoki, K., Kanaoka, A. (eds.) IWSEC 2020. LNCS, vol. 12231, pp. 184–204. Springer, Cham (2020).



Correspondence to Andrea Caforio.

A Implementations/Comparisons with Existing Protocols

We compare the performance of \(\mathsf {ARCAD}_\mathsf {DV}\) and \(\mathsf {EtH}\) to other ratcheted messaging and key agreement protocols that have surfaced since 2018. In particular, we implemented five other schemes from the literature (Footnote 15). Namely, the bidirectional asynchronous key-agreement protocol BRKE by \(\mathsf {PR}\) [10], the similar secure messaging protocol by \(\mathsf {JS}\) [8], the secure messaging protocol by \(\mathsf {JMM}\) [9], and a modularized version of two protocols by \(\mathsf {ACD}\) [1]. In \(\mathsf {ACD}\) [1], the given protocols come in a symmetric-key version, \(\mathsf {ACD}\), and a public-key version, \(\mathsf {ACD}\text {-}\mathsf {PK}\). We did not implement the \(\mathsf {DV}\) protocol [7], as \(\mathsf {ARCAD}_\mathsf {DV}\) is a slightly modified version of \(\mathsf {DV}\) and hence has identical performance.

Fig. 8. Runtime Benchmarks. The protocol in [10] is represented by \(\mathsf {PR}\); [8] by \(\mathsf {JS}\); [9] by \(\mathsf {JMM}\); and [1] by \(\mathsf {ACD}\) and \(\mathsf {ACD}\text {-}\mathsf {PK}\). \(\mathsf {ACD}\text {-}\mathsf {PK}\) is the public-key version with stronger security.

Fig. 9. State Size Benchmarks. Due to the equivalent state sizes in unidirectional and deferred unidirectional traffic, one figure is omitted.

All the protocols were implemented in Go (Footnote 16) and measured with its built-in benchmarking suite (Footnote 17) on a regular fifth-generation Intel Core i5 processor. In order to mitigate potential overheads, garbage collection was disabled for all runs. Go is comparable in speed to C/C++, though further performance gains are within reach if the protocols are re-implemented in those languages. Additionally, some protocols deploy primitives for which no standard implementations exist, which is, for example, the case for the \(\mathsf {HIBE}\) constructions used in the \(\mathsf {PR}\) and \(\mathsf {JS}\) protocols, making custom implementations necessary that can certainly be improved upon. For the deployed primitives, when we needed an AEAD scheme, we used AES-GCM. For the public-key cryptosystem, we used the elliptic-curve version of ElGamal (ECIES); for the signature scheme, we used ECDSA. Finally, for the PRF-PRNG in the protocol of [1], we used HKDF with SHA-256. Lastly, the protocols themselves may offer some room for performance tweaks.

The benchmarks can be categorized into two types, as depicted in Figs. 8 and 9.

  (a) Runtime designates the total time required to exchange n messages, ignoring the latency that normally occurs in a network.

  (b) State size shows the maximal size of a user state throughout the exchange of n messages.

A state is all the data that is kept in memory by a user. Each type itself is run over three canonical ways in which traffic can be shaped when two participants communicate. In alternating traffic the parties are synchronized, i.e. they take turns sending messages. In unidirectional traffic one participant first sends \(\frac{n}{2}\) messages, which are received by the partner, who then sends the other half. Finally, in deferred unidirectional traffic both participants send \(\frac{n}{2}\) messages before they start receiving. \(\mathsf {ACD}\text {-}\mathsf {PK}\) adds some public-key primitives to the double ratchet of \(\mathsf {ACD}\) [1] to plug some post-compromise security gaps. These two variations serve as baselines to see how the metrics of a protocol can change when some of its internals are replaced or extended. Also note that, due to the equivalent state sizes in unidirectional and deferred unidirectional traffic, one figure is omitted.
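The three traffic shapes can be made concrete with a small driver. The Go program below is an added example, not the paper's benchmark code: Schedule produces the alternating, unidirectional and deferred unidirectional operation sequences for n messages, and Simulate replays one of them against a toy stand-in for a protocol (an assumption of this example, not one of the schemes compared in Figs. 8 and 9) that retains a 32-byte next-state for every message it sends and flushes those states on its next receive, reporting the maximal state size in the spirit of the Fig. 9 metric.

```go
package main

import "fmt"

const stateBytes = 32 // assumed size of one retained next-state (toy value)

// Op is one benchmark step: party 0 or 1 either sends a message to its
// partner or receives the oldest message its partner has sent.
type Op struct {
	Party int
	Send  bool
}

// repeat appends k copies of op to ops.
func repeat(ops []Op, op Op, k int) []Op {
	for i := 0; i < k; i++ {
		ops = append(ops, op)
	}
	return ops
}

// Schedule builds the operation sequence for n messages (n even) under one of
// the shapes "alternating", "unidirectional" or "deferred"; nil otherwise.
func Schedule(shape string, n int) []Op {
	var ops []Op
	half := n / 2
	switch shape {
	case "alternating": // A sends, B receives, B sends, A receives, ...
		for i := 0; i < n; i++ {
			p := i % 2
			ops = append(ops, Op{p, true}, Op{1 - p, false})
		}
	case "unidirectional": // A sends n/2, B receives them all, then roles swap
		for p := 0; p < 2; p++ {
			ops = repeat(ops, Op{p, true}, half)
			ops = repeat(ops, Op{1 - p, false}, half)
		}
	case "deferred": // both parties send n/2 before either starts receiving
		ops = repeat(repeat(ops, Op{0, true}, half), Op{1, true}, half)
		ops = repeat(repeat(ops, Op{0, false}, half), Op{1, false}, half)
	}
	return ops
}

// Party is the toy protocol state: retained next-states and an inbox of
// message ids that have been sent to it but not yet received.
type Party struct {
	pending int
	inbox   []int
}

// Simulate replays ops and returns the maximal state size (bytes) observed
// for either party and the number of messages delivered. Receiving from an
// empty inbox is a malformed schedule and yields an error.
func Simulate(ops []Op) (maxState, delivered int, err error) {
	parties := [2]*Party{{}, {}}
	for i, op := range ops {
		p, q := parties[op.Party], parties[1-op.Party]
		if op.Send {
			p.pending++                   // a fresh next-state is retained per send
			q.inbox = append(q.inbox, i) // message id = index of the sending op
		} else {
			if len(p.inbox) == 0 {
				return 0, delivered, fmt.Errorf("op %d: party %d has nothing to receive", i, op.Party)
			}
			p.inbox = p.inbox[1:]
			p.pending = 0 // receiving flushes the retained next-states
			delivered++
		}
		if s := p.pending * stateBytes; s > maxState {
			maxState = s
		}
	}
	return maxState, delivered, nil
}

func main() {
	for _, shape := range []string{"alternating", "unidirectional", "deferred"} {
		m, d, err := Simulate(Schedule(shape, 8))
		fmt.Printf("%-15s max state %4d bytes, delivered %d, err %v\n", shape, m, d, err)
	}
}
```

With n = 8 the toy reaches 32 bytes under alternating traffic and 128 bytes under both unidirectional and deferred unidirectional traffic: in the latter two, a party accumulates n/2 outstanding next-states before its first receive, which mirrors the remark above that those two shapes yield equivalent state sizes.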

As we can see, overall, the fastest protocol is \(\mathsf {EtH}\), followed by the two \(\mathsf {ACD}\) protocols, then \(\mathsf {ARCAD}_\mathsf {DV}\), then the \(\mathsf {JMM}\) protocol, and lastly the strongest protocols \(\mathsf {PR}\) and \(\mathsf {JS}\). \(\mathsf {ARCAD}_\mathsf {DV}\) and \(\mathsf {JMM}\) may be comparable except for deferred unidirectional communication.

The smallest state size is obtained with \(\mathsf {EtH}\). \(\mathsf {ARCAD}_\mathsf {DV}\) performs well in terms of state size.

Clearly, the performance of \(\mathsf {hybrid}(\mathsf {ARCAD}_\mathsf {DV},\mathsf {EtH})\) is a weighted average of that of \(\mathsf {ARCAD}_\mathsf {DV}\) and \(\mathsf {EtH}\), with weights depending on the frequency of on-demand ratcheting.

B \(\mathsf {ARCAD}_\mathsf {DV}\) Formal Protocol

With slight modifications, we transform the \(\mathsf {DV}\) protocol [7] into an \(\mathsf {ARCAD}\) that we call \(\mathsf {ARCAD}_\mathsf {DV}\).

\(\mathsf {ARCAD}_\mathsf {DV}\) is based on a hash function H (Footnote 18), a one-time symmetric cipher \(\mathsf {Sym}\) (Footnote 19), a digital signature scheme \(\mathsf {DSS}\) (Footnote 20), and a public-key cryptosystem \(\mathsf {PKC}\) (Footnote 21).

\(\mathsf {ARCAD}_\mathsf {DV}\), just as \(\mathsf {DV}\), consists of many modules which are built on top of each other. The “smallest” module is a “naive” signcryption scheme \(\mathsf {SC}\) which can be of the form

$$\begin{aligned} \mathsf {SC}.\mathsf {Enc}(\overbrace{\mathsf {sk}_S,\mathsf {pk}_R}^{\mathsf {st}_S},\mathsf {ad},\mathsf {pt})= & {} \mathsf {PKC}.\mathsf {Enc}(\mathsf {pk}_R,(\mathsf {pt},\mathsf {DSS}.\mathsf {Sign}(\mathsf {sk}_S,(\mathsf {ad},\mathsf {pt})))) \\ \mathsf {SC}.\mathsf {Dec}(\underbrace{\mathsf {sk}_R,\mathsf {pk}_S}_{\mathsf {st}_R},\mathsf {ad},\mathsf {ct})= & {} \left[ \begin{array}{l} (\mathsf {pt},\sigma )\leftarrow \mathsf {PKC}.\mathsf {Dec}(\mathsf {sk}_R,\mathsf {ct})\;;\; \\ \mathsf {DSS}.\mathsf {Verify}(\mathsf {pk}_S,(\mathsf {ad},\mathsf {pt}),\sigma )\;?\;\mathsf {pt}\;:\;\bot \\ \end{array}\right] \end{aligned}$$
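As an added worked example (not the paper's code nor that of its benchmark implementation), the following Go program instantiates the naive signcryption \(\mathsf {SC}\) above with the primitives named in Appendix A: ECDSA as \(\mathsf {DSS}\) and ECIES (ephemeral ECDH on P-256 followed by AES-GCM) as \(\mathsf {PKC}\). Everything beyond the two formulas is an assumption of this example: SHA-256 as the ECIES key-derivation function, the length-prefixed encoding of the pairs \((\mathsf {ad},\mathsf {pt})\) and \((\mathsf {pt},\sigma)\), the fixed all-zero GCM nonce (acceptable only because each ephemeral key encrypts exactly one message), and the function names. Wherever the paper writes \(\bot\), SCDec returns an error.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// derive runs ECDH and turns the shared secret into an AES-GCM instance
// (assumption: SHA-256 as the KDF; a production ECIES would use HKDF).
func derive(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil { return nil, err }
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // 32-byte key, cannot fail
	return cipher.NewGCM(block)
}

// pkcEnc is PKC.Enc as ECIES: ephemeral ECDH with pk_R, then AES-GCM. The
// ciphertext is the 65-byte ephemeral public key followed by the GCM output;
// the all-zero nonce is safe only because each ephemeral key is used once.
func pkcEnc(pkR *ecdh.PublicKey, msg []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	gcm, err := derive(eph, pkR)
	if err != nil { return nil, err }
	return gcm.Seal(eph.PublicKey().Bytes(), make([]byte, gcm.NonceSize()), msg, nil), nil
}

// pkcDec is PKC.Dec: recover the ephemeral key, rederive the AEAD, open.
func pkcDec(skR *ecdh.PrivateKey, ct []byte) ([]byte, error) {
	if len(ct) < 65 { return nil, errors.New("ciphertext too short") }
	eph, err := ecdh.P256().NewPublicKey(ct[:65])
	if err != nil { return nil, err }
	gcm, err := derive(skR, eph)
	if err != nil { return nil, err }
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), ct[65:], nil)
}

// pair encodes (a, b) unambiguously as len(a) || a || b; unpair reverses it.
func pair(a, b []byte) []byte {
	out := make([]byte, 4, 4+len(a)+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(a)))
	return append(append(out, a...), b...)
}

func unpair(in []byte) (a, b []byte, err error) {
	if len(in) < 4 || len(in)-4 < int(binary.BigEndian.Uint32(in)) { return nil, nil, errors.New("malformed pair") }
	n := 4 + int(binary.BigEndian.Uint32(in))
	return in[4:n], in[n:], nil
}

// SCEnc is SC.Enc((sk_S, pk_R), ad, pt) = PKC.Enc(pk_R, (pt, DSS.Sign(sk_S, (ad, pt)))).
func SCEnc(skS *ecdsa.PrivateKey, pkR *ecdh.PublicKey, ad, pt []byte) ([]byte, error) {
	h := sha256.Sum256(pair(ad, pt))
	sig, err := ecdsa.SignASN1(rand.Reader, skS, h[:])
	if err != nil { return nil, err }
	return pkcEnc(pkR, pair(pt, sig))
}

// SCDec is SC.Dec((sk_R, pk_S), ad, ct): decrypt, then release pt only if the
// signature over (ad, pt) verifies under pk_S. Every failure is the paper's ⊥.
func SCDec(skR *ecdh.PrivateKey, pkS *ecdsa.PublicKey, ad, ct []byte) ([]byte, error) {
	inner, err := pkcDec(skR, ct)
	if err != nil { return nil, err }
	pt, sig, err := unpair(inner)
	if err != nil { return nil, err }
	h := sha256.Sum256(pair(ad, pt))
	if !ecdsa.VerifyASN1(pkS, h[:], sig) { return nil, errors.New("signature verification failed") }
	return pt, nil
}

// RunChecks exercises one round trip plus two cases that must yield ⊥:
// the same ciphertext under different ad, and under a different signer key.
func RunChecks() error {
	skS, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // sender's DSS key
	if err != nil { return err }
	skR, err := ecdh.P256().GenerateKey(rand.Reader) // receiver's PKC key
	if err != nil { return err }
	ct, err := SCEnc(skS, skR.PublicKey(), []byte("ad"), []byte("hello"))
	if err != nil { return err }
	pt, err := SCDec(skR, &skS.PublicKey, []byte("ad"), ct)
	if err != nil || string(pt) != "hello" { return errors.New("round trip failed") }
	if _, err := SCDec(skR, &skS.PublicKey, []byte("ad'"), ct); err == nil { return errors.New("wrong ad accepted") }
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if _, err := SCDec(skR, &other.PublicKey, []byte("ad"), ct); err == nil { return errors.New("wrong signer accepted") }
	return nil
}

func main() {
	fmt.Println("SC checks:", RunChecks()) // prints "SC checks: <nil>" on success
}
```

The two rejection checks show what the signature inside the ciphertext buys: \(\mathsf {ad}\) is bound, so the same ciphertext presented with other associated data is refused, and verification is under \(\mathsf {pk}_S\), so a ciphertext that decrypts correctly but was signed under another key is refused too. Note that SC decrypts before it verifies, so the confidentiality of \(\mathsf {SC}\) rests on \(\mathsf {PKC}\) being \(\mathsf {IND\text {-}CCA}\)-secure, as Theorem 30 assumes.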

\(\mathsf {SC}\) extends to a multiple-state (and multiple-key) encryption called \(\mathsf {onion}\). It handles the case where states accumulate during a sequence of send or receive operations during the communication. It generates a secret key to encrypt a plaintext. This secret key is then secret-shared and encrypted under the different states, so that if one state is exposed, the other shares still remain confidential. \(\mathsf {onion}\) leads to a unidirectional scheme called \(\mathsf {uni}\) where participants have fixed roles as either senders or receivers. The underlying idea of unidirectional communication is to let the sender generate the next send/receive states for the future exchange during the current send operation and transmit the next receive state to the receiver. These future states are shown as \(\mathsf {st}'_S\) and \(\mathsf {st}'_{R}\) in the second row of Fig. 10. After each \(\mathsf {uni.Send}\) and \(\mathsf {uni.Rec}\) operation, the old states are completely flushed to ensure security.

Finally, unidirectional communication allows us to construct the bidirectional \(\mathsf {ARCAD}_\mathsf {DV}\) as shown in the last row of Fig. 10. Since the communication becomes bidirectional, the participant P also keeps states for receiving. More specifically, the sender generates a pair of fresh states and transmits the send state to the counterpart, so that s/he can use it to send a reply back to the sender.

\(\mathsf {ARCAD}_\mathsf {DV}\) is depicted in Fig. 11.

Note that we removed some parts of the protocol which ensure \(\mathsf {r\text {-}RECOVER}\) security. This is because the generic transformation in Sect. 3 which we apply on \(\mathsf {ARCAD}_\mathsf {DV}\) will restore it in a stronger and generic way.

We recall the security results.

Theorem 30

(Security of \(\mathsf {ARCAD}_\mathsf {DV}\) [7]). \(\mathsf {ARCAD}_\mathsf {DV}\) is correct. If \(\mathsf {Sym}.\mathsf {kl}(\lambda )=\Omega (\lambda )\), H is collision-resistant, \(\mathsf {DSS}\) is \(\mathsf {SEF\text {-}OTCMA}\), \(\mathsf {PKC}\) is \(\mathsf {IND\text {-}CCA}\)-secure, and \(\mathsf {Sym}\) is \(\mathsf {IND\text {-}OTCCA}\)-secure, then \(\mathsf {ARCAD}_\mathsf {DV}\) is \(C_\mathsf {trivial}\)-\(\mathsf {FORGE}\)-secure, \((C_\mathsf {leak}\wedge C_\mathsf {forge}^{A,B})\)-\(\mathsf {IND\text {-}CCA}\)-secure and \(\mathsf {PREDICT}\)-secure (Footnotes 22, 23).

Fig. 10. High-level overview of the protocol described in Fig. 11.

Fig. 11. \(\mathsf {ARCAD}_\mathsf {DV}\) protocol adapted from \(\mathsf {DV}\) [7] without \(\mathsf {RECOVER}\)-security.


Copyright information

© 2021 International Association for Cryptologic Research


Cite this paper

Caforio, A., Durak, F.B., Vaudenay, S. (2021). Beyond Security and Efficiency: On-Demand Ratcheting with Security Awareness. In: Garay, J.A. (ed.) Public-Key Cryptography – PKC 2021. Lecture Notes in Computer Science, vol. 12711. Springer, Cham.


  • DOI: 10.1007/978-3-030-75248-4_23


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-75247-7

  • Online ISBN: 978-3-030-75248-4

  • eBook Packages: Computer Science (R0)