# Information Security and Cryptography Research Group

## A Unified and Composable Take on Ratcheting

### Daniel Jost, Ueli Maurer, and Marta Mularczyk

Theory of Cryptography — TCC 2019, LNCS, Springer International Publishing, vol. 11891, pp. 180–210, Dec 2019.

Ratcheting, an umbrella term for certain techniques for achieving secure messaging with strong guarantees, has spurred much interest in the cryptographic community, with several novel protocols proposed as of lately. Most of them are composed from several sub-protocols, often sharing similar ideas across different protocols. Thus, one could hope to reuse the sub-protocols to build new protocols achieving different security, efficiency, and usability trade-offs. This is especially desirable in view of the community's current aim for group messaging, which has a significantly larger design space. However, the underlying ideas are usually not made explicit, but rather implicitly encoded in a (fairly complex) security game, primarily targeted at the overall security proof. This not only hinders modular protocol design, but also makes the suitability of a protocol for a particular application difficult to assess.

In this work we demonstrate that ratcheting components can be modeled in a composable framework, allowing for their reuse in a modular fashion. To this end, we first propose an extension of the Constructive Cryptography framework by so-called global event histories, to allow for a clean modularization even if the component modules are not fully independent but actually subtly intertwined, as in most ratcheting protocols. Second, we model a unified, flexibly instantiable type of strong security statement for secure messaging within that framework. Third, we show that one can phrase strong guarantees for a number of sub-protocols from the existing literature in this model with only minor modifications, slightly stronger assumptions, and reasonably intuitive formalizations.

When expressing existing protocols' guarantees in a simulation-based framework, one has to address the so-called commitment problem. We do so by reflecting the removal of access to certain oracles under specific conditions, appearing in game-based security definitions, in the real world of our composable statements. We also propose a novel non-committing protocol for settings where the number of messages a party can send before receiving a reply is bounded.

## BibTeX Citation

@inproceedings{JoMaMu19b,
author       = {Daniel Jost and Ueli Maurer and Marta Mularczyk},
title        = {A Unified and Composable Take on Ratcheting},
editor       = {Hofheinz, Dennis and Rosen, Alon},
booktitle    = {Theory of Cryptography --- TCC 2019},
pages        = 180--210,
series       = {LNCS},
volume       = 11891,
year         = 2019,
month        = 12,