Double Ratchet Algorithm

The Double Ratchet Algorithm was developed by Trevor Perrin and Moxie Marlinspike (Open Whisper Systems) in 2013 and introduced as part of the Signal Protocol in February 2014. The Double Ratchet Algorithm's design is based on the DH ratchet that was introduced by Off-the-Record Messaging (OTR) and combines it with a symmetric-key ratchet modeled after the Silent Circle Instant Messaging Protocol (SCIMP). The ratchet was initially named after the critically endangered aquatic salamander axolotl, which has extraordinary self-healing capabilities.Ksenia Ermoshina, Francesca Musiani. "Standardising by running code": the Signal protocol and de facto standardisation in end-to-end encrypted messaging. Internet histories, 2019, pp.1-21.

�10.1080/24701475.2019.1654697�. �halshs-02319701� In March 2016, the developers renamed the Axolotl Ratchet as the Double Ratchet Algorithm to better differentiate between the ratchet and the full protocol, because some had used the name Axolotl when referring to the Signal Protocol.{{harvnb|Cohn-Gordon|Cremers|Dowling|Garratt|2016|p=1}}

File:Ratchet example.gif

The Double Ratchet Algorithm features properties that have been commonly available in end-to-end encryption systems for a long time: encryption of contents on the entire way of transport as well as authentication of the remote peer and protection against manipulation of messages. As a hybrid of DH and KDF ratchets, it combines several desired features of both principles. From OTR messaging it takes the properties of forward secrecy and automatically reestablishing secrecy in case of compromise of a session key, forward secrecy with a compromise of the secret persistent main key, and plausible deniability for the authorship of messages. Additionally, it enables session key renewal without interaction with the remote peer by using secondary KDF ratchets. An additional key-derivation step is taken to enable retaining session keys for out-of-order messages without endangering the following keys.

It is said{{By whom|date=April 2018}} to detect reordering, deletion, and replay of sent messages, and improve forward secrecy properties against passive eavesdropping in comparison to OTR messaging.

Combined with public key infrastructure for the retention of pregenerated one-time keys (prekeys), it allows for the initialization of messaging sessions without the presence of the remote peer (asynchronous communication). The usage of triple Diffie–Hellman key exchange (3-DH) as initial key exchange method improves the deniability properties. An example of this is the Signal Protocol, which combines the Double Ratchet Algorithm, prekeys, and a 3-DH handshake.{{harvnb|Unger|Dechand|Bonneau|Fahl|2015|p=241}} The protocol provides confidentiality, integrity, authentication, participant consistency, destination validation, forward secrecy, backward secrecy (aka future secrecy), causality preservation, message unlinkability, message repudiation, participation repudiation, and asynchronicity. It does not provide anonymity preservation, and requires servers for the relaying of messages and storing of public key material.{{harvnb|Unger|Dechand|Bonneau|Fahl|2015|p=239}}

{{multiple image

| direction = vertical

| width = 220

| image1 = Axolotl ratchet scheme, legend.svg

| caption1 =

| image2 = Axolotl ratchet scheme.svg

| caption2 = Diagram of the working principle

}}

A client attempts to renew session key material interactively with the remote peer using a Diffie-Hellman (DH) ratchet. If this is impossible, the clients renew the session key independently using a hash ratchet. With every message, a client advances one of two hash ratchets—one for sending and one for receiving. These two hash ratchets get seeded with a common secret from a DH ratchet. At the same time it tries to use every opportunity to provide the remote peer with a new public DH value and advance the DH ratchet whenever a new DH value from the remote peer arrives. As soon as a new common secret is established, a new hash ratchet gets initialized.

As cryptographic primitives, the Double Ratchet Algorithm uses

; for the DH ratchet: Elliptic curve Diffie-Hellman (ECDH) with Curve25519,

; for message authentication codes (MAC, authentication): Keyed-hash message authentication code (HMAC) based on SHA-256,

; for symmetric encryption: the Advanced Encryption Standard (AES), partially in cipher block chaining mode (CBC) with padding as per PKCS #5 and partially in counter mode (CTR) without padding,

; for the hash ratchet: HMAC.{{harvnb|Frosch|Mainka|Bader|Bergsma|2014}}

The following is a list of applications that use the Double Ratchet Algorithm or a custom implementation of it:

{{div col|colwidth=16em}}

• ChatSecure{{efn|name=OMEMO}}
• Conversations{{efn|name=OMEMO|Via the OMEMO protocol}}
• Cryptocat{{efn|name=OMEMO}}{{Cite web|url=https://crypto.cat/security.html|title=Security|publisher=Cryptocat|access-date=14 July 2016|archive-url=https://web.archive.org/web/20160407125207/https://crypto.cat/security.html|archive-date=7 April 2016|url-status=dead}}
• Facebook Messenger{{efn|Only in "secret conversations"}}{{efn|name=SIGNAL|Via the Signal Protocol}}{{cite magazine|last1=Greenberg|first1=Andy|url=https://www.wired.com/2016/10/facebook-completely-encrypted-messenger-update-now/|title=You Can All Finally Encrypt Facebook Messenger, So Do It|magazine=Wired|publisher=Condé Nast|access-date=5 October 2016|date=4 October 2016}}
• G Data Secure Chat{{efn|name=SIGNAL}}{{cite web|title=SecureChat|url=https://github.com/GDATASoftwareAG/SecureChat|website=GitHub|publisher=G Data|access-date=14 July 2016}}
• Gajim{{efn|name=OMEMO}}
• GNOME Fractal{{efn|name=Matrix}}
• Google Allo{{efn|Only in "incognito mode"}}{{efn|name=SIGNAL}}{{Cite magazine|last=Greenberg|first=Andy|url=https://www.wired.com/2016/05/allo-duo-google-finally-encrypts-conversations-end-end/|title=With Allo and Duo, Google Finally Encrypts Conversations End-to-End|magazine=Wired|publisher=Condé Nast|date=18 May 2016|access-date=14 July 2016}}
• Google Messages{{efn|Only in one-to-one RCS chats}}{{efn|name=SIGNAL|Via the Signal Protocol}}{{Cite web |last=Amadeo |first=Ron |date=2021-06-16 |title=Google enables end-to-end encryption for Android's default SMS/RCS app |url=https://arstechnica.com/gadgets/2021/06/google-enables-end-to-end-encryption-for-androids-default-sms-rcs-app/ |access-date=2022-03-03 |website=Ars Technica |language=en-us}}
• Haven{{efn|name=SIGNAL}}{{cite web|title=Haven Attributions|url=https://github.com/guardianproject/haven#attributions|website=GitHub|publisher=Guardian Project|access-date=22 December 2017}}{{cite web|last1=Lee|first1=Micah|title=Snowden's New App Uses Your Smartphone To Physically Guard Your Laptop|url=https://theintercept.com/2017/12/22/snowdens-new-app-uses-your-smartphone-to-physically-guard-your-laptop/|website=The Intercept|publisher=First Look Media|access-date=22 December 2017|date=22 December 2017}}
• Pond
• Element{{efn|name=Matrix|Via the Matrix protocol}}{{Cite web|url=https://techcrunch.com/2016/09/19/riot-wants-to-be-like-slack-but-with-the-flexibility-of-an-underlying-open-source-platform/|title=Riot wants to be like Slack, but with the flexibility of an underlying open source platform|last=Butcher|first=Mike|website=TechCrunch|publisher=AOL Inc.|date=19 September 2016|access-date=20 September 2016}}
• Signal{{efn|name=SIGNAL}}
• Silent Phone{{efn|name=zina|Via the Zina protocol}}{{cite web|title=Silent Circle/libzina |url=https://github.com/SilentCircle/libzina/ |website=Github|publisher=Silent Circle|access-date=19 December 2017}}
• Skype{{efn|Only in "private conversations"}}{{efn|name=SIGNAL}}{{cite web|last1=Lund|first1=Joshua|title=Signal partners with Microsoft to bring end-to-end encryption to Skype|url=https://signal.org/blog/skype-partnership/|publisher=Open Whisper Systems|access-date=11 January 2018|date=11 January 2018}}
• Viber{{efn|Viber "uses the same concepts of the "double ratchet" protocol used in Open Whisper Systems Signal application"}}{{cite web|title=Viber Encryption Overview|url=https://www.viber.com/app/uploads/viber-encryption-overview.pdf|publisher=Viber|date=25 July 2018|access-date=26 October 2018}}
• WhatsApp{{efn|name=SIGNAL}}{{cite magazine|last1=Metz|first1=Cade|title=Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People|url=https://www.wired.com/2016/04/forget-apple-vs-fbi-whatsapp-just-switched-encryption-billion-people/|magazine=Wired|publisher=Condé Nast|access-date=5 April 2016|date=5 April 2016}}
• Wire{{efn|name=Proteus|Via the Proteus protocol}}{{Cite web|url=https://wire-docs.wire.com/download/Wire+Security+Whitepaper.pdf|title=Wire Security Whitepaper|publisher=Wire Swiss GmbH|date=17 August 2018|access-date=28 August 2020}}

{{end div col}}

{{notelist}}

{{Reflist|colwidth=30em|refs=

{{cite web|url=https://github.com/agl/pond/commit/338395668fbb8a7819c0fccf54dccaa4d7f0ae9e |first= Adam|last=Langley|title=Wire in new ratchet system|type=GitHub contribution|date=9 November 2013|website=GitHub|access-date=16 January 2016}}

{{cite web

|url=http://www.infosecurity-magazine.com/news/g-data-adds-encryption-for-secure/

|title=G DATA Adds Encryption for Secure Mobile Chat

|last=Seals

|first=Tara

|work=Infosecurity Magazine

|publisher=Reed Exhibitions Ltd.

|date=17 September 2015

|access-date=16 January 2016}}

}}

{{Refbegin|30em}}

• {{cite web|last1=Cohn-Gordon|first1=Katriel|last2=Cremers|first2=Cas|last3=Dowling|first3=Benjamin|last4=Garratt|first4=Luke|last5=Stebila|first5=Douglas|title=A Formal Security Analysis of the Signal Messaging Protocol |url=https://eprint.iacr.org/2016/1013.pdf |website=Cryptology ePrint Archive |publisher=International Association for Cryptologic Research (IACR) |date=25 October 2016 }}
• {{cite web|last1=Frosch |first1=Tilman |last2=Mainka |first2=Christian |last3=Bader |first3=Christoph |last4=Bergsma |first4=Florian |last5=Schwenk |first5=Jörg |last6=Holz |first6=Thorsten |title=How Secure is TextSecure? |website=Cryptology ePrint Archive |publisher= International Association for Cryptologic Research (IACR) |url=https://eprint.iacr.org/2014/904.pdf |year=2014 |access-date=16 January 2016}}
• {{cite conference |first1 = Nik |last1=Unger |first2=Sergej |last2=Dechand |first3=Joseph |last3=Bonneau |first4=Sascha |last4=Fahl |first5= Henning |last5=Perl |first6=Ian Avrum |last6=Goldberg |first7= Matthew |last7= Smith |title = SoK: Secure Messaging |publisher = IEEE Computer Society's Technical Committee on Security and Privacy |conference = Proceedings of the 2015 IEEE Symposium on Security and Privacy |year = 2015 |pages = 232–249 |doi=10.1109/SP.2015.22 |url = http://ieee-security.org/TC/SP2015/papers-archived/6949a232.pdf}}

{{Refend}}

• [https://signal.org/docs/specifications/doubleratchet/ Specification] by Open Whisper Systems
• "[https://signal.org/blog/advanced-ratcheting/ Advanced cryptographic ratcheting]", abstract description by Moxie Marlinspike
• [http://git.matrix.org/git/olm/about/docs/olm.rst Olm]: C++ implementation under the Apache 2.0 license
• [https://matrix-org.github.io/vodozemac/vodozemac/index.html Vodozemac]: Rust implementation of the Olm variation, under the Apache 2.0 license
• {{YouTube|id=7uEeE3TUqmU|title=Double ratchet algorithm: The ping-pong game encrypting Signal and WhatsApp}} (exposition)

{{Cryptography navbox | public-key}}

{{Cryptographic software}}

{{FLOSS}}

Category:Cryptographic algorithms

Category:End-to-end encryption