Double Ratchet Algorithm

From Wikipedia, the free encyclopedia
Cryptographic key management algorithm
Full ratchet step in the double ratchet algorithm. The Key Derivation Function (KDF) provides the ratcheting mechanism. The first "ratchet" is applied to the symmetric root key, the second ratchet to the asymmetric Diffie Hellman (DH) key.[1]

In cryptography, the Double Ratchet Algorithm (previously referred to as the Axolotl Ratchet[2][3]) is a key management algorithm that was developed by Trevor Perrin and Moxie Marlinspike in 2013. It can be used as part of a cryptographic protocol to provide end-to-end encryption for instant messaging. After an initial key exchange it manages the ongoing renewal and maintenance of short-lived session keys. It combines a cryptographic so-called "ratchet" based on the Diffie–Hellman key exchange (DH) and a ratchet based on a key derivation function (KDF), such as a hash function, and is therefore called a double ratchet.

The algorithm provides forward secrecy for messages and implicit renegotiation of forward keys, the properties for which the protocol is named.[4]

This has been extended as of October 2025 to the Sparse Post Quantum Ratchet (SPQR) with a CRYSTALS-Kyber quantum ratchet to provide post-quantum Forward Secrecy and Post-Compromise Security guarantees in what the Signal authors call a Triple Ratchet.[5]

History


The Double Ratchet Algorithm was developed by Trevor Perrin and Moxie Marlinspike (Open Whisper Systems) in 2013 and introduced as part of the Signal Protocol in February 2014. The Double Ratchet Algorithm's design is based on the DH ratchet that was introduced by Off-the-Record Messaging (OTR) and combines it with a symmetric-key ratchet modeled after the Silent Circle Instant Messaging Protocol (SCIMP). The ratchet was initially named after the critically endangered aquatic salamander axolotl, which has extraordinary self-healing capabilities.[6] In March 2016, the developers renamed the Axolotl Ratchet as the Double Ratchet Algorithm to better differentiate between the ratchet and the full protocol,[3] because some had used the name Axolotl when referring to the Signal Protocol.[7][3]

Overview

A mechanical ratchet (animation: the mechanism can only move in one direction)

The Double Ratchet Algorithm features properties that have been commonly available in end-to-end encryption systems for a long time: encryption of content along the entire transport path, as well as authentication of the remote peer and protection against manipulation of messages. As a hybrid of DH and KDF ratchets, it combines several desired features of both principles. From OTR messaging it takes the properties of forward secrecy and automatically reestablishing secrecy in case of compromise of a session key, forward secrecy with a compromise of the secret persistent main key, and plausible deniability for the authorship of messages. Additionally, it enables session key renewal without interaction with the remote peer by using secondary KDF ratchets. An additional key-derivation step is taken to enable retaining session keys for out-of-order messages without endangering the following keys.

It is said[by whom?] to detect reordering, deletion, and replay of sent messages, and improve forward secrecy properties against passive eavesdropping in comparison to OTR messaging.

Combined with public key infrastructure for the retention of pregenerated one-time keys (prekeys), it allows for the initialization of messaging sessions without the presence of the remote peer (asynchronous communication). The usage of triple Diffie–Hellman key exchange (3-DH) as initial key exchange method improves the deniability properties. An example of this is the Signal Protocol, which combines the Double Ratchet Algorithm, prekeys, and a 3-DH handshake.[8] The protocol provides confidentiality, integrity, authentication, participant consistency, destination validation, forward secrecy, backward secrecy (aka future secrecy), causality preservation, message unlinkability, message repudiation, participation repudiation, and asynchronicity.[9] It does not provide anonymity preservation, and requires servers for the relaying of messages and storing of public key material.[9]

Functioning

Diagram of the working principle

A client attempts to renew session key material interactively with the remote peer using a Diffie-Hellman (DH) ratchet. If this is impossible, the clients renew the session key independently using a hash ratchet. With every message, a client advances one of two hash ratchets—one for sending and one for receiving. These two hash ratchets get seeded with a common secret from a DH ratchet. At the same time it tries to use every opportunity to provide the remote peer with a new public DH value and advance the DH ratchet whenever a new DH value from the remote peer arrives. As soon as a new common secret is established, a new hash ratchet gets initialized.

As cryptographic primitives, the Double Ratchet Algorithm uses

  • for the DH ratchet: Elliptic curve Diffie–Hellman (ECDH) with Curve25519,
  • for message authentication codes (MAC, authentication): Keyed-hash message authentication code (HMAC) based on SHA-256,
  • for symmetric encryption: the Advanced Encryption Standard (AES), partially in cipher block chaining mode (CBC) with padding as per PKCS #5 and partially in counter mode (CTR) without padding,
  • for the hash ratchet: HMAC.[10]
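The mechanics described in the two passages above (a root ratchet reseeded by each new DH output, a hash ratchet per direction that yields one message key per message, and retained keys for out-of-order messages) can be followed in code. The Python below is an added illustration, not code from the article or from the Signal project. It uses the constructions the Signal specification recommends (HKDF over HMAC-SHA256 for the root step, HMAC-SHA256 with the constants 0x01 and 0x02 for the chain step), but the function and class names, the HKDF info label and the byte strings standing in for DH outputs are this example's own choices; the elliptic-curve agreement itself is not performed.

```python
import hashlib
import hmac

# Added example, not code from the Signal project: the root-KDF and chain-KDF
# steps of the Double Ratchet plus the handling of skipped message keys.
# The DH exchange is not performed; constructed 32-byte values stand in for
# the output both peers would obtain from an ECDH agreement.

HASH = hashlib.sha256
KEY_LEN = 32


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) over HMAC-SHA256, using only the standard library."""
    prk = hmac.new(salt, ikm, HASH).digest()                 # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                  # expand
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def kdf_rk(root_key: bytes, dh_output: bytes) -> tuple[bytes, bytes]:
    """Root (DH) ratchet step: mix a fresh DH output into the root key and
    derive the seed of a new sending/receiving chain.
    Returns (new_root_key, new_chain_key).  The info label is this example's."""
    out = hkdf(root_key, dh_output, b"DoubleRatchetExample", 2 * KEY_LEN)
    return out[:KEY_LEN], out[KEY_LEN:]


def kdf_ck(chain_key: bytes) -> tuple[bytes, bytes]:
    """Hash ratchet step, as the Signal spec recommends: message key =
    HMAC(ck, 0x01), next chain key = HMAC(ck, 0x02).  The old chain key is
    overwritten, so nothing kept in state lets a later compromise recover
    the message keys already handed out.  Returns (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"\x01", HASH).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", HASH).digest()
    return next_chain_key, message_key


class SymmetricRatchet:
    """One direction's hash ratchet: a sending chain or a receiving chain."""

    def __init__(self, chain_key: bytes) -> None:
        self.chain_key = chain_key
        self.n = 0                            # index of the next message key
        self.skipped: dict[int, bytes] = {}   # receiver: keys of not-yet-seen messages

    def next_key(self) -> tuple[int, bytes]:
        """Advance one step and return (message_number, message_key)."""
        self.chain_key, mk = kdf_ck(self.chain_key)
        n, self.n = self.n, self.n + 1
        return n, mk

    def key_for(self, n: int, max_skip: int = 1000) -> bytes:
        """Receiver side: key for message n.  Keys of messages that have not
        arrived yet are derived and parked in self.skipped (bounded by
        max_skip), so out-of-order delivery does not break the chain."""
        if n in self.skipped:
            return self.skipped.pop(n)
        if n < self.n:
            raise KeyError(f"message {n} already consumed")
        if n - self.n > max_skip:
            raise ValueError("too many skipped messages")
        while self.n < n:
            idx, mk = self.next_key()
            self.skipped[idx] = mk
        return self.next_key()[1]


def demo() -> dict:
    """Alice sends three messages; Bob receives the third first.  Then a DH
    ratchet step (constructed DH output #2) reseeds both sides' chains."""
    root = b"\x00" * KEY_LEN                                      # constructed initial root key
    dh_out_1 = hashlib.sha256(b"constructed DH output #1").digest()
    a_root, a_ck = kdf_rk(root, dh_out_1)
    b_root, b_ck = kdf_rk(root, dh_out_1)
    alice_send, bob_recv = SymmetricRatchet(a_ck), SymmetricRatchet(b_ck)

    sent = dict(alice_send.next_key() for _ in range(3))          # {0: mk0, 1: mk1, 2: mk2}
    got = {2: bob_recv.key_for(2)}                                # message 2 arrives first
    parked = sorted(bob_recv.skipped)                             # mk0 and mk1 wait in storage
    got[0], got[1] = bob_recv.key_for(0), bob_recv.key_for(1)

    dh_out_2 = hashlib.sha256(b"constructed DH output #2").digest()
    a_root, a_ck2 = kdf_rk(a_root, dh_out_2)
    b_root, b_ck2 = kdf_rk(b_root, dh_out_2)
    return {
        "keys_match": sent == got,
        "parked_while_waiting": parked,
        "new_chains_match": a_ck2 == b_ck2 and a_root == b_root,
        "all_distinct": len({*sent.values(), a_ck, a_ck2}) == 5,
    }


if __name__ == "__main__":
    print(demo())
```

The `skipped` dictionary is where the "additional key-derivation step" of the Overview pays off: because a message key is derived from the chain key rather than being the chain key, a receiver can hold keys for messages that have not arrived without exposing any later key, and `max_skip` bounds how much such state a peer can be made to keep.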

Applications


The following is a list of applications that use the Double Ratchet Algorithm or a custom implementation of it.

Federated networks


Centralized networks


The Double Ratchet Algorithm does not attempt to solve the inherent vulnerability of centralized networks to backdoors that introduce flaws in the algorithm implementation, the cryptographic protocol (which the algorithm is part of) or implementation thereof, or unrelated parts of the official application. It has been implemented nonetheless in a number of official clients for various centralized networks:

Notes

  1. Only in "secret conversations"
  2. Via the Signal Protocol
  3. Only in "incognito mode"
  4. Only in one-to-one RCS chats
  5. Via the Zina protocol
  6. Only in "private conversations"
  7. Viber "uses the same concepts of the "double ratchet" protocol used in Open Whisper Systems Signal application"
  8. Via the Proteus protocol

References

  1. Trevor Perrin (editor), Moxie Marlinspike, "The Double Ratchet Algorithm". Revision 1, 2016-11-20.
  2. Perrin, Trevor (30 March 2016). "Compare Revisions". GitHub. Retrieved 9 April 2016.
  3. Marlinspike, Moxie (30 March 2016). "Signal on the outside, Signal on the inside". Open Whisper Systems. Retrieved 31 March 2016.
  4. Cohn-Gordon, K.; Cremers, C.; Garratt, L. (2016). "On Post-compromise Security". 2016 IEEE 29th Computer Security Foundations Symposium (CSF). pp. 164–178. doi:10.1109/CSF.2016.19. ISBN 978-1-5090-2607-4. S2CID 5703986.
  5. https://signal.org/blog/spqr
  6. Ksenia Ermoshina, Francesca Musiani. "Standardising by running code": the Signal protocol and de facto standardisation in end-to-end encrypted messaging. Internet Histories, 2019, pp. 1–21. doi:10.1080/24701475.2019.1654697. halshs-02319701.
  7. Cohn-Gordon et al. 2016, p. 1.
  8. Unger et al. 2015, p. 241.
  9. Unger et al. 2015, p. 239.
  10. Frosch et al. 2014.
  11. Butcher, Mike (19 September 2016). "Riot wants to be like Slack, but with the flexibility of an underlying open source platform". TechCrunch. AOL Inc. Retrieved 20 September 2016.
  12. "Security". Cryptocat. Archived from the original on 7 April 2016. Retrieved 14 July 2016.
  13. Vyacheslav Karpukhin. "OMEMO for Psi · GitHub". GitHub. Retrieved 2018-03-04.
  14. Richard Bayerle. "lurch - OMEMO for libpurple". GitHub. Retrieved 2017-02-12.
  15. Olivier Mehani. "Lurch4Adium - OMEMO Xtra for Adium". GitHub. Retrieved 2017-06-08.
  16. René Calles. "profanity-omemo-plugin: A Python plugin to use (axolotl / Signal Protocol) encryption for the profanity XMPP messenger". GitHub. Retrieved 2017-01-10.
  17. Greenberg, Andy (4 October 2016). "You Can All Finally Encrypt Facebook Messenger, So Do It". Wired. Condé Nast. Retrieved 5 October 2016.
  18. Seals, Tara (17 September 2015). "G DATA Adds Encryption for Secure Mobile Chat". Infosecurity Magazine. Reed Exhibitions Ltd. Retrieved 16 January 2016.
  19. "SecureChat". GitHub. G Data. Retrieved 14 July 2016.
  20. Greenberg, Andy (18 May 2016). "With Allo and Duo, Google Finally Encrypts Conversations End-to-End". Wired. Condé Nast. Retrieved 14 July 2016.
  21. Amadeo, Ron (2021-06-16). "Google enables end-to-end encryption for Android's default SMS/RCS app". Ars Technica. Retrieved 2022-03-03.
  22. "Haven Attributions". GitHub. Guardian Project. Retrieved 22 December 2017.
  23. Lee, Micah (22 December 2017). "Snowden's New App Uses Your Smartphone To Physically Guard Your Laptop". The Intercept. First Look Media. Retrieved 22 December 2017.
  24. Langley, Adam (9 November 2013). "Wire in new ratchet system". GitHub (GitHub contribution). Retrieved 16 January 2016.
  25. "Silent Circle/libzina". GitHub. Silent Circle. Retrieved 19 December 2017.
  26. Lund, Joshua (11 January 2018). "Signal partners with Microsoft to bring end-to-end encryption to Skype". Open Whisper Systems. Retrieved 11 January 2018.
  27. "Viber Encryption Overview" (PDF). Viber. 25 July 2018. Retrieved 26 October 2018.
  28. Metz, Cade (5 April 2016). "Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People". Wired. Condé Nast. Retrieved 5 April 2016.
  29. "Wire Security Whitepaper" (PDF). Wire Swiss GmbH. 17 August 2018. Retrieved 28 August 2020.

Literature

  • Cohn-Gordon, Katriel; Cremers, Cas; Dowling, Benjamin; Garratt, Luke; Stebila, Douglas (25 October 2016). "A Formal Security Analysis of the Signal Messaging Protocol" (PDF). Cryptology ePrint Archive. International Association for Cryptologic Research (IACR).
  • Frosch, Tilman; Mainka, Christian; Bader, Christoph; Bergsma, Florian; Schwenk, Jörg; Holz, Thorsten (2014). "How Secure is TextSecure?" (PDF). Cryptology ePrint Archive. International Association for Cryptologic Research (IACR). Retrieved 16 January 2016.
  • Unger, Nik; Dechand, Sergej; Bonneau, Joseph; Fahl, Sascha; Perl, Henning; Goldberg, Ian Avrum; Smith, Matthew (2015). SoK: Secure Messaging (PDF). Proceedings of the 2015 IEEE Symposium on Security and Privacy. IEEE Computer Society's Technical Committee on Security and Privacy. pp. 232–249. doi:10.1109/SP.2015.22.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Double_Ratchet_Algorithm&oldid=1326279546"