Publication
ASIACRYPT 2022
Conference paper
On Secure Ratcheting with Immediate Decryption
Abstract
Ratcheting protocols let parties securely exchange messages in environments in which state exposure attacks are anticipated. While, unavoidably, some promises on confidentiality and authenticity cannot be upheld once the adversary obtains a copy of a party's state, ratcheting protocols aim at confining the impact of state exposures as much as possible. In particular, such protocols provide forward security (after a state exposure, past messages remain secure) and post-compromise security (after a state exposure, participants auto-heal and regain security). Ratcheting protocols serve as core components in most modern instant messaging apps, with billions of users per day. Most instances, including Signal, guarantee immediate decryption (ID): receivers recover and deliver the messages wrapped in ciphertexts immediately when they become available, even if ciphertexts arrive out of order and preceding ciphertexts are still missing. This ensures the continuation of sessions over unreliable communication networks, ultimately contributing to a satisfactory user experience. While most academic treatments consider ratcheting without ID, recent work by Alwen et al. (EC'19) proposes the first ID-aware security model for ratcheting and a provably secure construction. However, as we note, in their protocol a receiver state exposure allows for the decryption of all prior undelivered ciphertexts. In particular, from an adversary's point of view, intentionally preventing the delivery of a fraction of the ciphertexts of a conversation, and corrupting the receiver (days) later, allows for correctly decrypting all suppressed ciphertexts. (We note that this attack works not only against the protocol proposed by Alwen et al., but also against Signal.) We argue that the level of (forward-)security established by the protocol of Alwen et al. is considerably lower than both intuitively expected and technically possible.
The main contributions of our work are thus a refinement of the security notions for ratcheting in the ID setting, together with a provably secure construction. A notable novelty of our model is that it also reflects the progression of physical time. This allows for requiring in security models, and realizing in solutions, that (undelivered) ciphertexts automatically expire after a configurable amount of time.
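The following toy model is an added illustration and is not the paper's construction, the Alwen et al. protocol, or Signal's code. It shows the mechanism behind the attack described in the abstract: a receiver that guarantees immediate decryption must retain message keys for ciphertexts that have not arrived yet, so an adversary who suppresses some ciphertexts and exposes the receiver's state later can decrypt exactly those ciphertexts, while already-delivered ones stay protected because their keys were deleted. A configurable time-to-live on retained keys stands in for the paper's notion of ciphertext expiry; once the keys are purged, a later state exposure yields nothing, at the price that a ciphertext arriving after its key expired can no longer be decrypted. The symmetric KDF chain, the names `chain_key`, `skipped`, `ttl`, and the sample messages and timestamps are all constructed for this example.

```python
"""Toy symmetric ratchet with immediate decryption and skipped-key expiry.

Added example, not the paper's scheme or Signal's implementation. Everything
here (key schedule, names, sample messages, clock values) is constructed.
"""
import hashlib
import hmac


def prf(key, label):
    """HMAC-SHA256 as the single PRF used for chain steps, keys, keystream and tags."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(mk, length):
    blocks = [prf(mk, b"ks" + i.to_bytes(4, "big")) for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]


def encrypt(mk, msg):
    """Encrypt-then-MAC under a one-time message key mk."""
    body = bytes(a ^ b for a, b in zip(msg, keystream(mk, len(msg))))
    return body + prf(mk, b"tag" + body)


def decrypt(mk, ct):
    body, tag = ct[:-32], ct[-32:]
    if not hmac.compare_digest(tag, prf(mk, b"tag" + body)):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(body, keystream(mk, len(body))))


class Sender:
    def __init__(self, root):
        self.chain_key, self.index = root, 0

    def send(self, msg):
        mk = prf(self.chain_key, b"msg")
        self.chain_key = prf(self.chain_key, b"chain")  # one-way step: forward security
        i, self.index = self.index, self.index + 1
        return i, encrypt(mk, msg)


class Receiver:
    def __init__(self, root, ttl=None):
        self.chain_key, self.next, self.ttl = root, 0, ttl
        self.skipped = {}  # index -> (message key, clock time it was derived)

    def expire(self, now):
        """Purge keys of still-undelivered ciphertexts older than ttl (constructed expiry rule)."""
        if self.ttl is not None:
            self.skipped = {i: v for i, v in self.skipped.items() if now - v[1] < self.ttl}

    def receive(self, i, ct, now):
        self.expire(now)
        if i < self.next:
            mk, _ = self.skipped.pop(i)  # KeyError: already delivered, or expired
        else:
            while self.next < i:  # immediate decryption: keep keys for the missing ciphertexts
                self.skipped[self.next] = (prf(self.chain_key, b"msg"), now)
                self.chain_key = prf(self.chain_key, b"chain")
                self.next += 1
            mk = prf(self.chain_key, b"msg")
            self.chain_key = prf(self.chain_key, b"chain")
            self.next += 1
        return decrypt(mk, ct)


def run_attack(ttl, exposure_time):
    """Suppress ciphertexts 1 and 2, deliver the rest, expose the receiver at exposure_time."""
    root = hashlib.sha256(b"constructed shared secret").digest()
    alice, bob = Sender(root), Receiver(root, ttl)
    msgs = [b"m0 hello", b"m1 secret", b"m2 also secret", b"m3 hi", b"m4 bye"]
    cts = [alice.send(m) for m in msgs]
    suppressed, delivered = {1, 2}, {}
    for t, (i, ct) in enumerate(cts):  # one ciphertext per second of receiver clock
        if i not in suppressed:
            delivered[i] = bob.receive(i, ct, now=float(t))
    bob.expire(exposure_time)
    exposed = dict(bob.skipped)  # state exposure: adversary copies the receiver's state
    recovered = {i: decrypt(exposed[i][0], cts[i][1]) for i in suppressed if i in exposed}
    try:  # does a suppressed ciphertext still decrypt if it finally arrives after exposure?
        late_ok = bob.receive(1, cts[1][1], now=exposure_time) == msgs[1]
    except KeyError:
        late_ok = False
    return {"delivered": delivered, "recovered": recovered, "late_delivery_ok": late_ok,
            "delivered_keys_exposed": bool(set(exposed) & set(delivered))}


if __name__ == "__main__":
    print(run_attack(ttl=None, exposure_time=3 * 24 * 3600.0))
    print(run_attack(ttl=60.0, exposure_time=3 * 24 * 3600.0))
```

Without expiry, an exposure three days later still recovers both suppressed messages, and the keys of the delivered messages are gone, which is exactly the forward-security gap the abstract describes. With a 60-second time-to-live the same exposure recovers nothing, but the receiver also rejects the late-arriving ciphertext, which is the trade-off the paper resolves in its model by letting undelivered ciphertexts expire after a configurable time.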