# the double ratchet algorithm - ?· the double ratchet algorithm trevor perrin (editor) moxie...

Post on 17-Jul-2018

216 views

Embed Size (px)

TRANSCRIPT

The Double Ratchet Algorithm

Trevor Perrin (editor) Moxie Marlinspike

Revision 1, 2016-11-20

Contents1. Introduction 3

2. Overview 32.1. KDF chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32.2. Symmetric-key ratchet . . . . . . . . . . . . . . . . . . . . . . . . 52.3. Diffie-Hellman ratchet . . . . . . . . . . . . . . . . . . . . . . . . . 62.4. Double Ratchet . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132.6. Out-of-order messages . . . . . . . . . . . . . . . . . . . . . . . . . 17

3. Double Ratchet 183.1. External functions . . . . . . . . . . . . . . . . . . . . . . . . . . . 183.2. State variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193.3. Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193.4. Encrypting messages . . . . . . . . . . . . . . . . . . . . . . . . . 203.5. Decrypting messages . . . . . . . . . . . . . . . . . . . . . . . . . 20

4. Double Ratchet with header encryption 224.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224.2. External functions . . . . . . . . . . . . . . . . . . . . . . . . . . . 264.3. State variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264.4. Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264.5. Encrypting messages . . . . . . . . . . . . . . . . . . . . . . . . . 274.6. Decrypting messages . . . . . . . . . . . . . . . . . . . . . . . . . 28

5. Implementation considerations 295.1. Integration with X3DH . . . . . . . . . . . . . . . . . . . . . . . . 295.2. Recommended cryptographic algorithms . . . . . . . . . . . . . . 30

6. Security considerations 316.1. Secure deletion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316.2. Recovery from compromise . . . . . . . . . . . . . . . . . . . . . . 316.3. Cryptanalysis and ratchet public keys . . . . . . . . . . . . . . . . 31

1

6.4. Deletion of skipped message keys . . . . . . . . . . . . . . . . . . 326.5. Deferring new ratchet key generation . . . . . . . . . . . . . . . . 326.6. Truncating authentication tags . . . . . . . . . . . . . . . . . . . . 326.7. Implementation fingerprinting . . . . . . . . . . . . . . . . . . . . 32

7. IPR 33

8. Acknowledgements 33

9. References 33

2

1. Introduction

The Double Ratchet algorithm is used by two parties to exchange encryptedmessages based on a shared secret key. Typically the parties will use somekey agreement protocol (such as X3DH [1]) to agree on the shared secret key.Following this, the parties will use the Double Ratchet to send and receiveencrypted messages.

The parties derive new keys for every Double Ratchet message so that earlier keyscannot be calculated from later ones. The parties also send Diffie-Hellman publicvalues attached to their messages. The results of Diffie-Hellman calculationsare mixed into the derived keys so that later keys cannot be calculated fromearlier ones. These properties gives some protection to earlier or later encryptedmessages in case of a compromise of a partys keys.

The Double Ratchet and its header encryption variant are presented below, andtheir security properties are discussed.

2. Overview

2.1. KDF chains

A KDF chain is a core concept in the Double Ratchet algorithm.

We define a KDF as a cryptographic function that takes a secret and randomKDF key and some input data and returns output data. The output data isindistinguishable from random provided the key isnt known (i.e. a KDF satisfiesthe requirements of a cryptographic PRF). If the key is not secret and random,the KDF should still provide a secure cryptographic hash of its key and inputdata. The HMAC and HKDF constructions, when instantiated with a securehash algorithm, meet the KDF definition [2], [3].

We use the term KDF chain when some of the output from a KDF is used asan output key and some is used to replace the KDF key, which can then beused with another input. The below diagram represents a KDF chain processingthree inputs and producing three output keys:

3

KDF key

KDF key

KDF key

Input

Output key

Input

Output key

Out

Key

Out

Key

KDF key

Input

Output key

Out

Key

In

In

In KDF

KDF

KDF

A KDF chain has the following properties (using terminology adapted from [4]):

Resilience: The output keys appear random to an adversary withoutknowledge of the KDF keys. This is true even if the adversary can controlthe KDF inputs.

Forward security: Output keys from the past appear random to anadversary who learns the KDF key at some point in time.

Break-in recovery: Future output keys appear random to an adversarywho learns the KDF key at some point in time, provided that future inputshave added sufficient entropy.

In a Double Ratchet session between Alice and Bob each party stores a KDFkey for three chains: a root chain, a sending chain, and a receiving chain(Alices sending chain matches Bobs receiving chain, and vice versa).

As Alice and Bob exchange messages they also exchange new Diffie-Hellman

4

public keys, and the Diffie-Hellman output secrets become the inputs to theroot chain. The output keys from the root chain become new KDF keys for thesending and receiving chains. This is called the Diffie-Hellman ratchet.

The sending and receiving chains advance as each message is sent and received.Their output keys are used to encrypt and decrypt messages. This is called thesymmetric-key ratchet

The next sections explain the symmetric-key and Diffie-Hellman ratchets in moredetail, then show how they are combined into the Double Ratchet.

2.2. Symmetric-key ratchet

Every message sent or received is encrypted with a unique message key. Themessage keys are output keys from the sending and receiving KDF chains. TheKDF keys for these chains will be called chain keys.

The KDF inputs for the sending and receiving chains are constant, so thesechains dont provide break-in recovery. The sending and receiving chains justensure that each message is encrypted with a unique key that can be deletedafter encryption or decryption. Calculating the next chain key and message keyfrom a given chain key is a single ratchet step in the symmetric-key ratchet.The below diagram shows two steps:

Chain key

Chain key

Chain key

Constant

Message key

Constant

Message key

Out

Key

In

Out

Key

In

KDF

KDF

5

Because message keys arent used to derive any other keys, message keys maybe stored without affecting the security of other message keys. This is useful forhandling lost or out-of-order messages (see Section 2.6).

2.3. Diffie-Hellman ratchet

If an attacker steals one partys sending and receiving chain keys, the attacker cancompute all future message keys and decrypt all future messages. To prevent this,the Double Ratchet combines the symmetric-key ratchet with a DH ratchetwhich updates chain keys based on Diffie-Hellman outputs.

To implement the DH ratchet, each party generates a DH key pair (a Diffie-Hellman public key and private key) which becomes their current ratchet keypair. Every message from either party begins with a header which contains thesenders current ratchet public key. When a new ratchet public key is receivedfrom the remote party, a DH ratchet step is performed which replaces thelocal partys current ratchet key pair with a new key pair.

This results in a ping-pong behavior as the parties take turns replacingratchet key pairs. An eavesdropper who briefly compromises one of the partiesmight learn the value of a current ratchet private key, but that private keywill eventually be replaced with an uncompromised one. At that point, theDiffie-Hellman calculation between ratchet key pairs will define a DH outputunknown to the attacker.

The following diagrams show how the DH ratchet derives a shared sequence ofDH outputs.

Alice is initialized with Bobs ratchet public key. Alices ratchet public key isntyet known to Bob. As part of initialization Alice performs a DH calculationbetween her ratchet private key and Bobs ratchet public key:

Private key Public key

Public key Private keyPublic key

DH DH output

Alice Bob

6

Alices initial messages advertise her ratchet public key. Once Bob receives oneof these messages, Bob performs a DH ratchet step: He calculates the DH outputbetween Alices ratchet public key and his ratchet private key, which equalsAlices initial DH output. Bob then replaces his ratchet key pair and calculatesa new DH output:

Private key

Private key Public key

Public key Public key

Alice Bob

DH DH output

Public key

DHDH output

Private keyPublic key

DHDH output

=

Bobs DH ratchet step

Bobs new ratchet key pair

7

Messages sent by Bob advertise his new public key. Eventually, Alice will receiveone of Bobs messages and perform a DH ratchet step, replacing her ratchet keypair and deriving two DH outputs, one that matches Bobs latest and a new one:

Private key

Private key Public key

Public key Public key

DH DH output

Public key

DHDH output

Private keyPublic key

DHDH output

=

Alices DH ratchet step

Public key

=DH DH output

Private key Public key

DH DH output

Alice Bob

8

Messages sent by Alice advertise her new public key. Eventually, Bob will receiveone of these messages and perform a second DH ratchet step, and so on:

Private key

Private key Public key

Public ke

Recommended