On Secure Ratcheting with Immediate Decryption
Ratcheting protocols let parties securely exchange messages in environments in which state exposure attacks are anticipated. While, unavoidably, some promises on confidentiality and authenticity cannot be upheld once the adversary obtains a copy of a party's state, ratcheting protocols aim at confining the impact of state exposures as much as possible. In particular, such protocols provide forward security (after state exposure, past messages remain secure) and post-compromise security (after state exposure, participants auto-heal and regain security). Ratcheting protocols serve as core components in most modern instant messaging apps, with billions of users per day. Most instances, including Signal, guarantee immediate decryption (ID): Receivers recover and deliver the messages wrapped in ciphertexts immediately when they become available, even if ciphertexts arrive out-of-order and preceding ciphertexts are still missing. This ensures the continuation of sessions in unreliable communication networks, ultimately contributing to a satisfactory user experience. While most academic treatments consider ratcheting without ID, recent work by Alwen et al. (EC'19) proposes the first ID-aware security model for ratcheting and a provably secure construction. However, as we note, in their protocol a receiver state exposure allows for the decryption of all prior undelivered ciphertexts. In particular, from an adversary's point of view, intentionally preventing the delivery of a fraction of the ciphertexts of a conversation, and corrupting the receiver (days) later, allows for correctly decrypting all suppressed ciphertexts. (We note that this attack not only works against the protocol proposed by Alwen et al., but also against Signal.) We argue that the level of (forward-)security established by the protocol of Alwen et al. is considerably lower than both intuitively expected and technically possible.
The main contributions of our work are thus a refinement of the security notions for ratcheting in the ID setting, together with a provably secure construction. A notable novelty of our model is that it also reflects the progression of physical time. This allows for requiring in security models, and realizing in solutions, that (undelivered) ciphertexts automatically expire after a configurable amount of time.
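The suppression attack described above, and the effect of the time-based expiry this work argues for, as an added toy illustration that is not the paper's construction, not the protocol of Alwen et al., and not Signal's code: a single symmetric KDF chain (HMAC-SHA256 assumed as the KDF, an HMAC-derived XOR keystream with encrypt-then-MAC assumed as the toy cipher) in which the receiver, to support immediate decryption, derives and stashes the message keys of every index it skips over. With unbounded retention, a state exposure days later hands the adversary exactly the keys of the ciphertexts it withheld; with a configurable expiry (assumed here as a `Receiver(expiry=...)` parameter and an explicit simulated clock `now`, both hypothetical names) those keys are erased, so the withheld ciphertexts become undecryptable for the adversary and for the honest receiver alike.

```python
"""Toy symmetric ratchet: stored skipped-message keys vs. time-based expiry.
Added illustration only; not the paper's scheme, not Alwen et al.'s, not Signal's."""
import hashlib
import hmac


def kdf(key: bytes, label: bytes) -> bytes:
    """Domain-separated one-way derivation (HMAC-SHA256, assumed as the KDF)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(mk: bytes, index: int, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += kdf(mk, b"ks" + index.to_bytes(4, "big") + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:length]


def encrypt(mk: bytes, index: int, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC under the per-message key mk."""
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(mk, index, len(plaintext))))
    tag = kdf(kdf(mk, b"mac"), index.to_bytes(4, "big") + body)
    return body + tag


def decrypt(mk: bytes, index: int, ciphertext: bytes) -> bytes:
    body, tag = ciphertext[:-32], ciphertext[-32:]
    if not hmac.compare_digest(tag, kdf(kdf(mk, b"mac"), index.to_bytes(4, "big") + body)):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(mk, index, len(body))))


class Sender:
    def __init__(self, chain_key: bytes):
        self.ck, self.n = chain_key, 0

    def send(self, plaintext: bytes):
        mk = kdf(self.ck, b"msg")
        self.ck = kdf(self.ck, b"chain")   # one-way step: old chain key is gone
        index, self.n = self.n, self.n + 1
        return index, encrypt(mk, index, plaintext)


class Receiver:
    """Immediate decryption: a ciphertext with a higher index than expected is
    opened at once; keys for the skipped indices are stashed for late arrivals.
    expiry=None keeps them forever (the behaviour the attack exploits); otherwise
    a stashed key is erased once it is older than `expiry` (same unit as `now`)."""

    def __init__(self, chain_key: bytes, expiry=None):
        self.ck, self.n, self.expiry = chain_key, 0, expiry
        self.skipped = {}   # index -> (message key, time stashed)

    def tick(self, now):
        """Housekeeping driven by the (simulated) clock: drop expired keys."""
        if self.expiry is not None:
            for idx in [i for i, (_, t) in self.skipped.items() if now - t >= self.expiry]:
                del self.skipped[idx]

    def receive(self, index: int, ciphertext: bytes, now) -> bytes:
        self.tick(now)
        if index in self.skipped:
            mk, _ = self.skipped.pop(index)
            return decrypt(mk, index, ciphertext)
        if index < self.n:
            raise ValueError("no key for this ciphertext (expired or replayed)")
        while self.n < index:               # derive and stash keys for the gap
            self.skipped[self.n] = (kdf(self.ck, b"msg"), now)
            self.ck, self.n = kdf(self.ck, b"chain"), self.n + 1
        mk = kdf(self.ck, b"msg")
        self.ck, self.n = kdf(self.ck, b"chain"), self.n + 1
        return decrypt(mk, index, ciphertext)


def run_scenario(expiry=None, corrupt_at=3 * 24 * 3600) -> dict:
    """Adversary withholds odd-indexed ciphertexts, delivers the rest at time 0,
    and copies the receiver's state `corrupt_at` seconds later. Returns the
    withheld messages it can then decrypt from the stashed keys alone (the
    exposed chain key additionally yields future keys, which is out of scope)."""
    root = b"\x11" * 32                     # constructed shared chain key
    alice, bob = Sender(root), Receiver(root, expiry)
    cts = [alice.send(b"m%d" % i) for i in range(5)]
    for index, ct in cts:
        if index % 2 == 0:
            bob.receive(index, ct, now=0)
    bob.tick(corrupt_at)                    # days pass; housekeeping runs
    exposed = {i: mk for i, (mk, _) in bob.skipped.items()}   # state exposure
    return {i: decrypt(exposed[i], i, ct) for i, ct in cts if i in exposed}


def late_delivery_accepted(expiry, delay) -> bool:
    """The flip side of expiry: an honest ciphertext arriving `delay` seconds
    after its successor is only decryptable while its key is still stashed."""
    root = b"\x22" * 32                     # constructed shared chain key
    alice, bob = Sender(root), Receiver(root, expiry)
    (i0, c0), (i1, c1) = alice.send(b"first"), alice.send(b"second")
    bob.receive(i1, c1, now=0)              # out of order: key for index 0 stashed
    try:
        return bob.receive(i0, c0, now=delay) == b"first"
    except ValueError:
        return False
```

`run_scenario()` returns the two suppressed plaintexts, `run_scenario(expiry=24 * 3600)` returns nothing: once the stashed keys are gone, neither the corrupted receiver nor the adversary can open the withheld ciphertexts, which is precisely the expiry semantics the model is meant to capture. The cost is visible in `late_delivery_accepted`: a ciphertext delayed beyond the window is rejected even when delivered honestly, so the window is a policy knob trading forward security against tolerance for slow delivery.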