The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol

“…Subsequent to these strongly secure ratcheting notions, multiple weaker formal definitions for ratcheting were proposed that consider special properties such as strong explicit authentication [8], out of order receipt of ciphertexts [1], or primarily target on allowing efficient instantiations [12,4]. Table 1: Differences in security notions of ratcheting regarding (a) uni-(→), sesqui-( →), and bidirectional (↔) interaction between A and B, (b) when the adversary is allowed to expose A's and B's state (or when this is unnecessarily restricted), (c) the adversary's ability to reveal or manipulate algorithm invocations' random coins, and (d) how soon and how complete recovery from these two attacks into a secure state is required of secure constructions (or if unnecessary delays or exceptions for recovery are permitted).…”

“…Table 1: Differences in security notions of ratcheting regarding (a) uni-(→), sesqui-( →), and bidirectional (↔) interaction between A and B, (b) when the adversary is allowed to expose A's and B's state (or when this is unnecessarily restricted), (c) the adversary's ability to reveal or manipulate algorithm invocations' random coins, and (d) how soon and how complete recovery from these two attacks into a secure state is required of secure constructions (or if unnecessary delays or exceptions for recovery are permitted). 1 Recovery from attacks required by Jost et al [12] is immediate in so far as their restrictions of state exposures introduce delays implicitly. Gray marked cells indicate the reason (i.e., relaxations in security) why respective instantiations can rely on standard PKC only (circumventing our implication result).…”

“…Furthermore, both works neglect bad randomness as an attack vector. In the security experiments by Jost et al [12] and Alwen et al [1] constructions can delay the recovery from attacks longer than necessary (Jost et al therefore temporarily forbid the exposure of the local state). Additionally, they do not require the participants' states to become incompatible (immediately) on active attacks against the communication.…”

“…Interestingly, both mentioned unidirectional RKE instantiations that were defined to depict optimal security [3,17] as well as bidirectional real-world examples such as the Signal protocol (analyzed in [6]), and instantiations of the above named relaxed security notions [8,12,1,4] only rely on standard PKC (cf. rows in Table 1 with gray cells).…”

Determining the Core Primitive for Optimally Secure Ratcheting

“…Subsequent to these strongly secure ratcheting notions, multiple weaker formal definitions for ratcheting were proposed that consider special properties such as strong explicit authentication [8], out of order receipt of ciphertexts [1], or primarily target on allowing efficient instantiations [12,4]. Table 1: Differences in security notions of ratcheting regarding (a) uni-(→), sesqui-( →), and bidirectional (↔) interaction between A and B, (b) when the adversary is allowed to expose A's and B's state (or when this is unnecessarily restricted), (c) the adversary's ability to reveal or manipulate algorithm invocations' random coins, and (d) how soon and how complete recovery from these two attacks into a secure state is required of secure constructions (or if unnecessary delays or exceptions for recovery are permitted).…”

“…Table 1: Differences in security notions of ratcheting regarding (a) uni-(→), sesqui-( →), and bidirectional (↔) interaction between A and B, (b) when the adversary is allowed to expose A's and B's state (or when this is unnecessarily restricted), (c) the adversary's ability to reveal or manipulate algorithm invocations' random coins, and (d) how soon and how complete recovery from these two attacks into a secure state is required of secure constructions (or if unnecessary delays or exceptions for recovery are permitted). 1 Recovery from attacks required by Jost et al [12] is immediate in so far as their restrictions of state exposures introduce delays implicitly. Gray marked cells indicate the reason (i.e., relaxations in security) why respective instantiations can rely on standard PKC only (circumventing our implication result).…”

“…Furthermore, both works neglect bad randomness as an attack vector. In the security experiments by Jost et al [12] and Alwen et al [1] constructions can delay the recovery from attacks longer than necessary (Jost et al therefore temporarily forbid the exposure of the local state). Additionally, they do not require the participants' states to become incompatible (immediately) on active attacks against the communication.…”

“…Interestingly, both mentioned unidirectional RKE instantiations that were defined to depict optimal security [3,17] as well as bidirectional real-world examples such as the Signal protocol (analyzed in [6]), and instantiations of the above named relaxed security notions [8,12,1,4] only rely on standard PKC (cf. rows in Table 1 with gray cells).…”

Determining the Core Primitive for Optimally Secure Ratcheting

“…Upon completion of the authentication process, the key pair is generated to secure the communication platform. The generated key is part of the Double Ratchet Algorithm (previously referred to as the Axolotl Ratchet [27]) similar to Whatsapp [28,29].…”

KawalPilpres2019: a highly secured real count voting escort architecture

Entropy service for secure real‐time mission critical communications