Okay, welcome back to the lecture, Cryptographic Communication Protocols.

Last week we looked at practical messaging systems, somewhat the final or the most important

practical aspect or part of this lecture.

We looked at the Double Ratchet Protocol on a rather high level.

Before that we collected enough information to understand how does key update work, which

components do we have, which components could we have to implement or build such a protocol.

The Double Ratchet Protocol is surprisingly simple.

Consists of two components, the asymmetric ratchet and the symmetric ratchet.

The asymmetric ratchet is just a Diffie-Hellman key exchange that continuously works between

Alice and Bob.

So they continuously share new Diffie-Hellman shares and compute the resulting Diffie-Hellman

key exchanges.

From those Diffie-Hellman key exchanges, Alice and Bob derive symmetric keys and these

key derivations work in round trips.

So basically we have a round trip based Diffie-Hellman key exchange and in order to be sure that

Alice and Bob can perform these Diffie-Hellman key exchanges even if messages are lost in

transmission or messages are reordered, then this round trip makes sure that things still

work because basically every message that is sent from Alice in her round trip will

contain the same information as the first message in that round trip.

So the ciphertexts somewhat have redundancy and so the round trips continue until the

communication is over.

And so the asymmetric ratchet makes sure we have post-compromised security, we establish

fresh secrets from random coins that the attacker cannot foresee in the past and it also has

a somewhat weak notion of forward security because of course we remove old exponents

once we create new exponents in this asymmetric Diffie-Hellman based ratchet.

And so also previous things cannot be computed after they have been used after new round

trips started.

And then the symmetric ratchet is just basically from the Diffie-Hellman key exchanges deriving

symmetric keys and storing them in case things were received out of order but removing things

immediately after they have been used.

So all the chain keys, all the root keys, all these symmetric keys in this big grid

of different keys that depend on each other, first of all root keys from the Diffie-Hellman

key exchanges, then the chain keys from the root keys and then the message keys from the

chain keys, all of these things are removed immediately after they have been used.

So this is a super fine-grained notion of forward security, basically everything that

has been received cannot be recomputed afterwards.

Okay, this is the double ratchet and the question was, okay, how can we achieve security in

group messaging?

And the oldest idea of how to achieve this is just using the pairwise two-party double

ratchet channels or any other two-party channels and then we just have one pair, one pairwise

channel to each group member and when we send a message we basically send n minus one ciphertexts

to one to each group member.

This is inefficient for large groups and so two big alternatives turned out to be practically

relevant.

The first one is we just have a symmetric ratchet and each sender has their own symmetric

ratchet.

This is the sender key approach.

The sender key approach means in a group n users each have a sender key and the sender

key is a chain key and we arrive or the sender when sending derives from the chain key a

new chain key for the next message and a message key.