The algorithm provides forward secrecy for messages, and implicit renegotiation of forward keys; properties for which the protocol is named.[3]
History
The Double Ratchet Algorithm was developed by Trevor Perrin and Moxie Marlinspike (Open Whisper Systems) in 2013 and introduced as part of the Signal Protocol in February 2014. The Double Ratchet Algorithm's design is based on the DH ratchet that was introduced by Off-the-Record Messaging (OTR) and combines it with a symmetric-key ratchet modeled after the Silent Circle Instant Messaging Protocol (SCIMP). The ratchet was initially named after the critically endangered aquatic salamander axolotl, which has extraordinary self-healing capabilities.[4] In March 2016, the developers renamed the Axolotl Ratchet as the Double Ratchet Algorithm to better differentiate between the ratchet and the full protocol,[2] because some had used the name Axolotl when referring to the Signal Protocol.[5][2]
Overview
The Double Ratchet Algorithm features properties that have long been available in end-to-end encryption systems: encryption of content along the entire transport path, authentication of the remote peer, and protection against manipulation of messages. As a hybrid of DH and KDF ratchets, it combines several desired features of both principles. From OTR messaging it takes forward secrecy, the automatic re-establishment of secrecy after a session key is compromised, forward secrecy even when the persistent long-term secret key is compromised, and plausible deniability for the authorship of messages. Additionally, it enables session key renewal without interaction with the remote peer by using secondary KDF ratchets. An additional key-derivation step makes it possible to retain session keys for out-of-order messages without endangering the keys that follow.
It is said[by whom?] to detect reordering, deletion, and replay of sent messages, and improve forward secrecy properties against passive eavesdropping in comparison to OTR messaging.
Combined with public key infrastructure for the retention of pregenerated one-time keys (prekeys), it allows for the initialization of messaging sessions without the presence of the remote peer (asynchronous communication). The usage of triple Diffie–Hellman key exchange (3-DH) as the initial key exchange method improves the deniability properties. An example of this is the Signal Protocol, which combines the Double Ratchet Algorithm, prekeys, and a 3-DH handshake.[6] The protocol provides confidentiality, integrity, authentication, participant consistency, destination validation, forward secrecy, backward secrecy (aka future secrecy), causality preservation, message unlinkability, message repudiation, participation repudiation, and asynchronicity.[7] It does not provide anonymity preservation, and requires servers for the relaying of messages and storing of public key material.[7]
Functioning
Diagram of the working principle
A client attempts to renew session key material interactively with the remote peer using a Diffie–Hellman (DH) ratchet. If this is impossible, the clients renew the session key independently using a hash ratchet. With every message, a client advances one of two hash ratchets—one for sending and one for receiving. These two hash ratchets get seeded with a common secret from a DH ratchet. At the same time, each client uses every opportunity to provide the remote peer with a new public DH value, and advances the DH ratchet whenever a new DH value from the remote peer arrives. As soon as a new common secret is established, a new hash ratchet gets initialized.
As cryptographic primitives, the Double Ratchet Algorithm uses:
for the DH ratchet: Elliptic-curve Diffie–Hellman (ECDH) with Curve25519,
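The working principle described under Functioning, together with the key retention for out-of-order messages mentioned in the Overview, as an added worked example (this is not Signal's code). A small finite-field DH group, HMAC-SHA256 chains and an encrypt-then-MAC construction stand in for Curve25519, HKDF and an AEAD so that it runs on the Python standard library alone; the key schedule (root chain, sending and receiving chains, banked keys for skipped messages, state rollback on authentication failure) follows the structure of the Signal specification. Names such as ToyDH, Session and demo are this example's own.

```python
import hashlib
import hmac
import secrets

# Toy DH group, an assumption for the demo (not secure): Mersenne prime 2^127-1, generator 2.
# Real deployments use Curve25519 here, and HKDF/AES in place of the HMAC and SHA-256 stand-ins below.
P, G = 2**127 - 1, 2
MAX_SKIP = 50  # bound on banked keys for out-of-order messages (guards against memory exhaustion)

class ToyDH:
    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def shared(self, peer_pub):
        return pow(peer_pub, self.priv, P).to_bytes(16, "big")

def _h(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def kdf_rk(root_key, dh_out):
    """Root-chain step: mix a fresh DH output in, yielding a new root key and a chain key."""
    prk = _h(root_key, dh_out)
    return _h(prk, b"root"), _h(prk, b"chain")

def kdf_ck(chain_key):
    """Symmetric-key ratchet step: one-way, so a stolen chain key reveals no earlier message keys."""
    return _h(chain_key, b"\x02"), _h(chain_key, b"\x01")  # (next chain key, message key)

def _keystream(mk, n):
    return b"".join(_h(mk, i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def seal(mk, ad, pt):
    """Encrypt-then-MAC under the message key; the header is bound as associated data."""
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(mk, len(pt))))
    return ct + _h(mk, ad + ct)

def open_(mk, ad, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _h(mk, ad + ct)):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(mk, len(ct))))

def _hdr(header):
    return b"".join(x.to_bytes(16, "big") for x in header)  # header = (dh_pub, pn, n)

class Session:
    def __init__(self, shared_secret, our_dh, their_pub=None):
        self.dhs, self.dhr, self.rk = our_dh, their_pub, shared_secret
        self.cks = self.ckr = None
        self.ns = self.nr = self.pn = 0
        self.skipped = {}  # (their_pub, n) -> banked message key for a message not yet arrived
        if their_pub is not None:  # the initiator performs its first DH ratchet step at once
            self.rk, self.cks = kdf_rk(self.rk, self.dhs.shared(their_pub))

    def encrypt(self, plaintext):
        self.cks, mk = kdf_ck(self.cks)
        header = (self.dhs.pub, self.pn, self.ns)
        self.ns += 1
        return header, seal(mk, _hdr(header), plaintext)

    def decrypt(self, header, blob):
        snapshot = dict(vars(self), skipped=dict(self.skipped))
        try:
            pub, pn, n = header
            mk = self.skipped.pop((pub, n), None)  # late message: use the banked key
            if mk is None:
                if pub != self.dhr:  # peer sent a new DH value: advance the DH ratchet
                    self._skip(pn)  # bank the keys still owed by the old receiving chain first
                    self._dh_ratchet(pub)
                self._skip(n)  # bank keys for messages of this chain still in flight
                self.ckr, mk = kdf_ck(self.ckr)
                self.nr += 1
            return open_(mk, _hdr(header), blob)
        except Exception:
            vars(self).update(snapshot)  # commit state changes only after authentication succeeds
            raise

    def _skip(self, until):
        if self.ckr is None:
            return
        if until - self.nr > MAX_SKIP:
            raise ValueError("too many skipped messages")
        while self.nr < until:
            self.ckr, mk = kdf_ck(self.ckr)
            self.skipped[(self.dhr, self.nr)] = mk
            self.nr += 1

    def _dh_ratchet(self, pub):
        self.pn, self.ns, self.nr, self.dhr = self.ns, 0, 0, pub
        self.rk, self.ckr = kdf_rk(self.rk, self.dhs.shared(pub))  # new receiving chain
        self.dhs = ToyDH()                                          # fresh key pair seeds ...
        self.rk, self.cks = kdf_rk(self.rk, self.dhs.shared(pub))  # ... the new sending chain

def demo():
    """Run an exchange; the handshake secret (3-DH in Signal) is a constructed random value here."""
    sk, bob_prekey = secrets.token_bytes(32), ToyDH()
    alice, bob = Session(sk, ToyDH(), bob_prekey.pub), Session(sk, bob_prekey)
    m = [alice.encrypt(b"msg %d" % i) for i in range(3)]
    got = [bob.decrypt(*m[2]), bob.decrypt(*m[0]), bob.decrypt(*m[1])]  # delivered out of order
    got.append(alice.decrypt(*bob.encrypt(b"reply")))           # Bob's new DH value ratchets Alice
    got.append(bob.decrypt(*alice.encrypt(b"after ratchet")))   # Alice's new DH value ratchets Bob
    return got

if __name__ == "__main__":
    print(demo())
```

Each call to `encrypt` advances only the sending hash ratchet; a message carrying a DH public key the receiver has not seen before triggers a DH ratchet step that re-seeds both hash ratchets from the root chain, which is where the self-healing after a compromised chain key comes from. The `skipped` table is the additional key-derivation step for out-of-order delivery: keys for messages that have not arrived are banked, bounded by `MAX_SKIP`, while the chain moves on, so a late message can still be read without keeping any key that would expose later ones.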
References
Ksenia Ermoshina, Francesca Musiani. "Standardising by running code": the Signal protocol and de facto standardisation in end-to-end encrypted messaging. Internet Histories, 2019, pp. 1–21. doi:10.1080/24701475.2019.1654697. HAL: halshs-02319701.
Cohn-Gordon, Katriel; Cremers, Cas; Dowling, Benjamin; Garratt, Luke; Stebila, Douglas (25 October 2016). "A Formal Security Analysis of the Signal Messaging Protocol" (PDF). Cryptology ePrint Archive. International Association for Cryptologic Research (IACR).
Frosch, Tilman; Mainka, Christian; Bader, Christoph; Bergsma, Florian; Schwenk, Jörg; Holz, Thorsten (2014). "How Secure is TextSecure?" (PDF). Cryptology ePrint Archive. International Association for Cryptologic Research (IACR). Retrieved 16 January 2016.
Unger, Nik; Dechand, Sergej; Bonneau, Joseph; Fahl, Sascha; Perl, Henning; Goldberg, Ian Avrum; Smith, Matthew (2015). "SoK: Secure Messaging" (PDF). Proceedings of the 2015 IEEE Symposium on Security and Privacy. IEEE Computer Society's Technical Committee on Security and Privacy. pp. 232–249. doi:10.1109/SP.2015.22.