
Double Ratchet vs Ephemeral DH: Security Benefits

TL;DR

The Double Ratchet protocol (used in Signal and others) is much more secure than repeatedly using Diffie-Hellman (DH) key exchange. It provides forward secrecy, deniability, and better resistance to compromise compared to constant Ephemeral DH.

Understanding the Problem

Both Double Ratchet and Ephemeral DH aim to establish a shared secret key for secure communication. However, they do it in very different ways with significant security implications.

1. Constant Ephemeral DH: How It Works (and Why It’s Risky)

  1. Key Exchange per Message: Every time a message is sent, a new Diffie-Hellman key exchange is performed, so a fresh shared secret is generated for each message.
  2. Derivation of Session Keys: The shared secret from DH is used to derive session keys (encryption/decryption keys) for that specific message.

Problems with Constant Ephemeral DH:

  • Forward Secrecy Issues: If an attacker manages to record all the DH exchanges, they can decrypt past messages if they later compromise your long-term private key. Each message’s secret depends on your long-term key.
  • Compromise of Session Keys: Even if your long-term key isn’t compromised, an attacker who intercepts enough session keys might be able to reconstruct the shared secrets used for past communications.

2. Double Ratchet Protocol: A More Secure Approach

Double Ratchet uses a combination of Diffie-Hellman and symmetric key cryptography (like HMAC) to create a constantly evolving chain of keys.

  1. Initial Key Exchange: An initial DH exchange establishes a shared secret.
  2. Root Chain & Messaging Chains: This secret is used to generate two chains:
    • Root Chain: Used for long-term key derivation and infrequent updates.
    • Messaging Chain: Used for deriving keys for individual messages.
  3. Ratchet Steps: For each message sent:
    • A new symmetric key is derived from the current messaging chain key and a random value (nonce).
    • This new key becomes the next messaging chain key.
    • The root chain is periodically updated using another DH exchange.

Example: Imagine each message ‘ratchets’ forward, creating a new key based on the old one and some randomness. This makes it very difficult for an attacker to go back in time.

3. Benefits of Double Ratchet over Constant Ephemeral DH

  1. Forward Secrecy: Because each message uses a unique, derived key that depends on previous keys and randomness, compromising one key doesn’t reveal past or future messages. The chain is broken at the point of compromise.
  2. Deniability: Double Ratchet allows for plausible deniability. It’s harder to prove you sent a specific message because the keys are constantly changing, and it’s difficult to link your long-term identity directly to individual messages.
  3. Resistance to Compromise: Even if an attacker intercepts some session keys, they can’t easily reconstruct past communications or future keys without knowing the entire chain of derived keys.
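
Added example, not code from the original post: the symmetric-key ratchet (one HMAC-SHA256 step per message) and the root-chain step described above, plus a small simulation of what a stolen chain key does and does not reveal. The fresh DH output is stood in for by random bytes (constructed); a real implementation would use an X25519 shared secret there.

```python
import hmac
import hashlib
import secrets

def kdf_ck(chain_key: bytes) -> tuple[bytes, bytes]:
    """Symmetric-key ratchet step: returns (next_chain_key, message_key).
    Both are HMAC-SHA256 of the chain key under distinct constants, so holding
    next_chain_key reveals neither chain_key nor this message_key."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key

def kdf_rk(root_key: bytes, dh_output: bytes) -> tuple[bytes, bytes]:
    """DH ratchet step: mix a fresh DH shared secret into the root chain and
    return (new_root_key, new_chain_key). HKDF-style extract, then expand."""
    prk = hmac.new(root_key, dh_output, hashlib.sha256).digest()
    new_root_key = hmac.new(prk, b"root", hashlib.sha256).digest()
    new_chain_key = hmac.new(prk, b"chain", hashlib.sha256).digest()
    return new_root_key, new_chain_key

def message_keys(chain_key: bytes, count: int) -> tuple[bytes, list[bytes]]:
    """Walk the chain `count` steps; returns (final_chain_key, message_keys)."""
    keys = []
    for _ in range(count):
        chain_key, mk = kdf_ck(chain_key)
        keys.append(mk)
    return chain_key, keys

def simulate_compromise(before: int, after: int) -> dict:
    """A sender ratchets `before` messages, an attacker then steals the current
    chain key, `after` more messages follow, and then a DH ratchet step runs.
    Returns which message keys the stolen chain key does and does not reveal."""
    root_key = secrets.token_bytes(32)   # constructed initial root key
    chain_key = secrets.token_bytes(32)  # constructed initial chain key
    stolen, honest_before = message_keys(chain_key, before)  # compromise here
    chain_key, honest_after = message_keys(stolen, after)
    _, attacker = message_keys(stolen, after + 1)  # attacker ratchets onward
    # DH ratchet: a fresh DH output the attacker never sees re-keys the chain.
    fresh_dh = secrets.token_bytes(32)   # constructed stand-in for an X25519 output
    root_key, chain_key = kdf_rk(root_key, fresh_dh)
    _, healed_key = kdf_ck(chain_key)
    return {
        "earlier_keys_leaked": any(k in attacker for k in honest_before),
        "later_keys_leaked": attacker[:after] == honest_after,
        "post_dh_key_leaked": attacker[after] == healed_key,
    }
```

The result shows the two halves of the protocol's guarantee: keys derived before the compromise stay hidden (forward secrecy), keys derived from the stolen chain are exposed until the next DH ratchet step, and that step cuts the attacker off again.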

4. Code Example (Conceptual – Simplified)

This is a very simplified illustration to show the concept; real implementations are much more complex.

# Conceptual Double Ratchet key derivation
import hashlib

def derive_next_key(previous_key, nonce):
  # Use a secure hash function (SHA-256); Python's builtin hash() is not one,
  # and it cannot take the bytes returned by the previous step as input
  hashed_value = hashlib.sha256(previous_key + str(nonce).encode()).digest()
  return hashed_value

# Example usage:
initial_key = b"some_shared_secret"
nonce1 = 1
message_key1 = derive_next_key(initial_key, nonce1)
nonce2 = 2
message_key2 = derive_next_key(message_key1, nonce2) # Key for the next message

5. Conclusion

Double Ratchet provides a significantly stronger security model than constant Ephemeral DH due to its forward secrecy, deniability features and resistance to compromise. This is why it’s used in secure messaging applications like Signal.
