Bidirectional asynchronous ratcheted key agreement with linear complexity

Abstract

Following up mass surveillance and privacy issues, modern secure communication protocols now seek more security such as forward secrecy and post-compromise security. They cannot rely on an assumption such as synchronization, predictable sender/receiver roles, or online availability. Ratcheting was introduced to address forward secrecy and post-compromise security in real-world messaging protocols. At CSF 2016 and CRYPTO 2017, ratcheting was studied either without zero round-trip time (0-RTT) or without bidirectional communication. At CRYPTO 2018, ratcheting with bidirectional communication was done using heavy key-update primitives. At EUROCRYPT 2019, another protocol was proposed. All those protocols use random oracles. Furthermore, exchanging messages has complexity in general. In this work, we define the bidirectional asynchronous ratcheted key agreement () with formal security notions. We provide a simple security model and design a secure scheme using no key-update primitives, no random oracle, an with complexity. It is based on a public-key cryptosystem, a signature scheme, one-time symmetric encryption, and a collision-resistant hash function family. We further show that (even unidirectional) implies public-key cryptography, meaning that it cannot solely rely on symmetric cryptography.