
On Secure Ratcheting with Immediate Decryption

  • Conference paper
  • In: Advances in Cryptology – ASIACRYPT 2022 (ASIACRYPT 2022)

Abstract

Ratcheting protocols let parties securely exchange messages in environments in which state exposure attacks are anticipated. While, unavoidably, some promises on confidentiality and authenticity cannot be upheld once the adversary obtains a copy of a party’s state, ratcheting protocols aim at confining the impact of state exposures as much as possible. In particular, such protocols provide forward security (after state exposure, past messages remain secure) and post-compromise security (after state exposure, participants auto-heal and regain security).

Ratcheting protocols serve as core components in most modern instant messaging apps, with billions of users per day. Most instances, including Signal [22], guarantee immediate decryption (ID): receivers recover and deliver the messages wrapped in ciphertexts as soon as these become available, even if ciphertexts arrive out of order and preceding ciphertexts are still missing. This ensures the continuation of sessions over unreliable communication networks, ultimately contributing to a satisfactory user experience. While initial academic treatments consider ratcheting protocols without ID, Alwen et al. (EC’19) [2] propose the first ID-aware security model, together with a provably secure construction. Unfortunately, as we note, in their protocol a receiver state exposure allows for the decryption of all prior undelivered ciphertexts. As a consequence, an adversary that intentionally suppresses a fraction of the ciphertexts of a conversation and corrupts the receiver (days) later can correctly decrypt all suppressed ciphertexts. The same attack works against Signal.

We argue that the level of (forward-)security realized by the protocol of Alwen et al., and mandated by their security model, is considerably lower than both intuitively expected and technically possible. The main contributions of our work are thus a careful revisit of the security notions for ratcheted communication in the ID setting, together with a provably secure proof-of-concept construction. One novel component of our model is that it reflects the progression of physical time. This allows for formally requiring that (undelivered) ciphertexts automatically expire after a configurable amount of time.
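The suppression attack sketched above, and the effect of the time-based expiry the paper argues for, as an added illustration that is not the paper's construction and not Signal's code: a toy symmetric sending chain with Signal-style skipped-message keys. The cipher is an HMAC-SHA256 keystream with a tag standing in for an AEAD, the shared root key and the time-to-live are constructed values, and `expire` plays the role of the receiver's timer-driven housekeeping. With an unbounded lifetime for stashed keys, a receiver state exposure three days after a ciphertext was suppressed still decrypts it; with a one-hour lifetime the key is gone, so the ciphertext is neither recoverable from the exposed state nor deliverable after its deadline.

```python
"""Constructed toy: a symmetric sending chain with Signal-style skipped-message
keys, used to show why a receiver state exposure decrypts suppressed
ciphertexts and how a per-key lifetime (TTL) bounds the damage.
Not the paper's construction; the cipher is an HMAC-SHA256 keystream plus
tag standing in for an AEAD."""
import hashlib
import hmac

ROOT_KEY = b"\x11" * 32   # constructed stand-in for the key-agreement output
TAG_LEN = 16


def kdf(chain_key):
    """One ratchet step: returns (next chain key, message key)."""
    nxt = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    mk = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    return nxt, mk


def _keystream(mk, idx, n):
    out, ctr = b"", 0
    while len(out) < n:
        blk = idx.to_bytes(4, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(mk, blk, hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _tag(mk, idx, body):
    msg = b"tag" + idx.to_bytes(4, "big") + body
    return hmac.new(mk, msg, hashlib.sha256).digest()[:TAG_LEN]


def encrypt(mk, idx, pt):
    body = bytes(a ^ b for a, b in zip(pt, _keystream(mk, idx, len(pt))))
    return body + _tag(mk, idx, body)


def decrypt(mk, idx, ct):
    body, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mk, idx, body)):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(mk, idx, len(body))))


class Sender:
    def __init__(self, root):
        self.ck, self.idx = root, 0

    def send(self, pt):
        self.ck, mk = kdf(self.ck)
        i, self.idx = self.idx, self.idx + 1
        return i, encrypt(mk, i, pt)          # the index travels in the clear


class Receiver:
    """Keys for not-yet-delivered indices are stashed so later ciphertexts can
    be decrypted immediately (ID). Each stash entry carries a deadline."""

    def __init__(self, root, ttl):
        self.ck, self.next, self.ttl = root, 0, ttl
        self.skipped = {}                     # idx -> (message key, deadline)

    def expire(self, now):
        """Timer-driven housekeeping: forget keys whose deadline has passed."""
        self.skipped = {i: v for i, v in self.skipped.items() if v[1] > now}

    def recv(self, i, ct, now):
        self.expire(now)
        if i in self.skipped:
            mk, _ = self.skipped.pop(i)
        elif i >= self.next:
            while self.next < i:              # derive and stash keys for the gap
                self.ck, mk = kdf(self.ck)
                self.skipped[self.next] = (mk, now + self.ttl)
                self.next += 1
            self.ck, mk = kdf(self.ck)
            self.next += 1
        else:
            raise ValueError("index %d already consumed or expired" % i)
        return decrypt(mk, i, ct)


def _three_messages(ttl):
    """Alice sends m0, m1, m2; the adversary suppresses m1 and lets m2 through."""
    alice, bob = Sender(ROOT_KEY), Receiver(ROOT_KEY, ttl)
    c0, c1, c2 = (alice.send(m) for m in (b"m0", b"secret m1", b"m2"))
    bob.recv(*c0, now=0)
    bob.recv(*c2, now=1)           # m1 is still missing; its key is now stashed
    return bob, c1


def exposure_attack(ttl, exposure_delay):
    """Expose the receiver's state `exposure_delay` seconds after m2 arrived.
    Returns the plaintext of the suppressed m1 if the exposed state yields it."""
    bob, (i, ct) = _three_messages(ttl)
    bob.expire(1 + exposure_delay)   # the receiver's timer fired in the meantime
    exposed = dict(bob.skipped)      # adversary's copy of the stash
    return decrypt(exposed[i][0], i, ct) if i in exposed else None


def late_delivery(ttl, delay):
    """Does m1 still decrypt if it finally arrives `delay` seconds after m2?"""
    bob, c1 = _three_messages(ttl)
    try:
        return bob.recv(*c1, now=1 + delay) == b"secret m1"
    except ValueError:
        return False


if __name__ == "__main__":
    day = 86400
    print("no expiry, exposure after 3 days:", exposure_attack(10**9, 3 * day))
    print("1h expiry, exposure after 3 days:", exposure_attack(3600, 3 * day))
    print("1h expiry, m1 arrives after 10 min:", late_delivery(3600, 600))
    print("1h expiry, m1 arrives after 2 h:", late_delivery(3600, 7200))
```

The exposed state also contains the chain key, so in this purely symmetric toy future messages are lost as well; a DH ratchet would heal the chain key but does nothing for the stash of keys belonging to already-sent, undelivered ciphertexts. That stash is exactly what the paper's physical-time model forces to expire, and the expiry only helps if the receiver's timer actually runs before the exposure.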

Please find the full version at https://ia.cr/2022/995.

Notes

  1. E.g., delays of hours can occur if a phone is switched off overnight or during a long-distance flight.

  2. Program states could leak because of malware executed on the user’s phone, by analyzing backup images of a phone’s memory that are stored in the cloud with insufficient encryption, by analyzing memory residues on swap drives, etc. Less technical conditions include users being legally or illegally coerced into revealing their states.

  3. In the user interface, placeholders could indicate messages that are still missing.

  4. Modern computing environments provide such a service right away. For instance, in Linux, via the setitimer system call or the alarm standard library function.

  5. One might wonder about the resilience of computer clocks against desynchronization attacks, where the adversary aims at desynchronizing participants. We note that instant messaging apps are typically run on mobile devices that have access to multiple independent clock sources (e.g., a local clock, NTP, GSM, and GNSS) that can be compared and relied upon when consistent. Only the strongest adversaries can arrange for a common deviation of all these clock sources simultaneously, and even in this case our solutions degrade gracefully: if all clocks stop, the security of our solution does not degrade below the security defined by ACD [2].

  6. In a nutshell, the Double Ratchet (DR) provides optimal security only if used for ping-pong structured communication [17, 24]. In contrast, the constructions of [17, 24] provide security for any (in-order) communication pattern, though they require stronger primitives than DR.

  7. We note that similar KEM variants have been proposed and used in prior work on instant messaging [6, 17, 24], so in this article we claim novelty for neither the concepts nor the constructions.

  8. More precisely, our \(\textit{recv}\) algorithm has a dedicated output for reporting to the invoking user which of the previously sent own messages have been received by the peer; this output does not exist in prior work.

  9. Removing or modifying existing lines will not be necessary. That said, restricting the options to only adding new lines might also introduce a small number of redundancies that could allow for simplifications.

  10. The \(\textrm{BASIC}\) game itself is not used to model any kind of functionality or security. It merely describes the execution environment.

  11. The in-sync notion first surfaced in [7] in the context of unidirectional channels. It was extended in [23] to handle bidirectional communication and associated-data strings. Our definitions are based on [23], but adapted to tolerate the out-of-order delivery of ciphertexts.

  12. The mechanism of considering participants out-of-sync once they process (unmodified) ciphertexts from out-of-sync peers is taken from [23]; see Footnote 11.

  13. Note that the sending index of any ciphertext is uniquely recoverable (with function \(\textit{ts}\)), implying that each execution of [S03] adds a new element to the set (collisions cannot occur).

  14. Line [E02] should be read as ‘For all \(0\le i< lt_u\): \(\textrm{VF}_u[i]\leftarrow \textrm{VF}_u[i]\cap \llbracket lt_u\rrbracket\)’ and expresses that all entries of \(\textrm{VF}_u[\cdot]\) that correspond to prior sending indices are trimmed so that they cover no index at or after the current one.

  15. A relation \(R\subseteq \mathbb{N}\times \mathbb{N}\) is monotone [R04] if for all \((x,y),(x',y')\in R\) we have \(x\le x'\Rightarrow y\le y'\).

  16. The instruction should be read as ‘Reward the adversary if it makes an in-sync participant accept an associated-data–ciphertext pair for which at least one of associated data and ciphertext is not authentic’.

  17. Unlike regular signature schemes, where for each signer there can be many independent verifiers, and unlike regular public key encryption, where for each decryptor there can be many encryptors, for the primitives we consider in the current section a strict one-to-one correspondence between sender and receiver is assumed.

  18. The \(\textit{expire}\) algorithm always expires the oldest currently supported epoch. That is, the active epochs of a KeKEM always span a contiguous interval.

References

  1. Alwen, J., et al.: CoCoA: concurrent continuous group key agreement. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13276, pp. 815–844. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07085-3_28

  2. Alwen, J., Coretti, S., Dodis, Y.: The double ratchet: security notions, proofs, and modularization for the signal protocol. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 129–158. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_5

  3. Alwen, J., Coretti, S., Dodis, Y., Tselekounis, Y.: Security analysis and improvements for the IETF MLS standard for group messaging. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part I. LNCS, vol. 12170, pp. 248–277. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_9

  4. Alwen, J., Coretti, S., Dodis, Y., Tselekounis, Y.: Modular design of secure group messaging protocols and the security of MLS. In: Vigna, G., Shi, E. (eds.) ACM CCS 2021, pp. 1463–1483. ACM Press (2021). https://doi.org/10.1145/3460120.3484820

  5. Alwen, J., Coretti, S., Jost, D., Mularczyk, M.: Continuous group key agreement with active security. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part II. LNCS, vol. 12551, pp. 261–290. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_10

  6. Balli, F., Rösler, P., Vaudenay, S.: Determining the core primitive for optimally secure ratcheting. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part III. LNCS, vol. 12493, pp. 621–650. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_21

  7. Bellare, M., Kohno, T., Namprempre, C.: Authenticated encryption in SSH: provably fixing the SSH binary packet protocol. In: Atluri, V. (ed.) ACM CCS 2002. pp. 1–11. ACM Press (2002). https://doi.org/10.1145/586110.586112

  8. Bellare, M., Miner, S.K.: A forward-secure digital signature scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 431–448. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_28

  9. Bienstock, A., Fairoze, J., Garg, S., Mukherjee, P., Raghuraman, S.: A more complete analysis of the Signal Double Ratchet algorithm. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part I. LNCS, vol. 13507, pp. 784–813. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15802-5_27

  10. Caforio, A., Durak, F.B., Vaudenay, S.: On-demand ratcheting with security awareness. Cryptology ePrint Archive, Report 2019/965 (2019). https://eprint.iacr.org/2019/965

  11. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_16

  12. Canetti, R., Jain, P., Swanberg, M., Varia, M.: Universally composable end-to-end secure messaging. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part II. LNCS, vol. 13508, pp. 3–33. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15979-4_1

  13. Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the Signal messaging protocol. In: 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 451–466 (2017)

  14. Durak, F.B., Vaudenay, S.: Bidirectional asynchronous ratcheted key agreement with linear complexity. In: Attrapadung, N., Yagi, T. (eds.) IWSEC 2019. LNCS, vol. 11689, pp. 343–362. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26834-3_20

  15. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_34

  16. Giacon, F., Heuer, F., Poettering, B.: KEM combiners. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part I. LNCS, vol. 10769, pp. 190–218. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_7

  17. Jaeger, J., Stepanovs, I.: Optimal channel security against fine-grained state compromise: the safety of messaging. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 33–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_2

  18. Jost, D., Maurer, U., Mularczyk, M.: Efficient ratcheting: almost-optimal guarantees for secure messaging. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 159–188. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_6

  19. Jost, D., Maurer, U., Mularczyk, M.: A unified and composable take on ratcheting. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part II. LNCS, vol. 11892, pp. 180–210. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_7

  20. Li, C., Palanisamy, B.: Timed-release of self-emerging data using distributed hash tables. In: 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS), pp. 2344–2351 (2017)

  21. Liu, J., Jager, T., Kakvi, S.A., Warinschi, B.: How to build time-lock encryption. Des. Codes Crypt. 86(11), 2549–2586 (2018). https://doi.org/10.1007/s10623-018-0461-x

  22. Marlinspike, M., Perrin, T.: The Double Ratchet Algorithm (2016). https://signal.org/docs/specifications/doubleratchet/doubleratchet.pdf

  23. Marson, G.A., Poettering, B.: Security notions for bidirectional channels. IACR Trans. Symm. Cryptol. 2017(1), 405–426 (2017). https://doi.org/10.13154/tosc.v2017.i1.405-426

  24. Poettering, B., Rösler, P.: Towards bidirectional ratcheted key exchange. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 3–32. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_1

  25. Schwenk, J.: Modelling time for authenticated key exchange protocols. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014, Part II. LNCS, vol. 8713, pp. 277–294. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11212-1_16

  26. Yan, H., Vaudenay, S.: Symmetric asynchronous ratcheted communication with associated data. In: Aoki, K., Kanaoka, A. (eds.) IWSEC 2020. LNCS, vol. 12231, pp. 184–204. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-58208-1_11

Author information

Corresponding author: Bertram Poettering

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Cite this paper

Pijnenburg, J., Poettering, B. (2022). On Secure Ratcheting with Immediate Decryption. In: Agrawal, S., Lin, D. (eds) Advances in Cryptology – ASIACRYPT 2022. ASIACRYPT 2022. Lecture Notes in Computer Science, vol 13793. Springer, Cham. https://doi.org/10.1007/978-3-031-22969-5_4

  • DOI: https://doi.org/10.1007/978-3-031-22969-5_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22968-8

  • Online ISBN: 978-3-031-22969-5
