[Cryptography] Signal double-ratchet vs. future breaks in ECC?

Jon Callas jon at callas.org
Mon Jul 30 21:10:50 EDT 2018



> On Jul 27, 2018, at 9:41 AM, Nemo <nemo at self-evident.org> wrote:
> 
> I asked this on the Crypto StackExchange but got no replies:
> 
>    https://crypto.stackexchange.com/q/60660/
> 
> I understand how a "double ratchet" protects both future and past
> messages from one-time key compromise.
> 
> My question is what happens if the public key (ECC) algorithm is broken,
> while the hash function(s), symmetric algorithm(s), and keys themselves
> remain secure. (Consider a hypothetical mathematical breakthrough on
> elliptic curves, or quantum computers becoming practical...)
> 
> Perhaps somebody here knows the answer or can explain why it is a dumb
> question?

It’s not a dumb question. It shows that you are thinking more than many people are.

Here’s really a simple explanation:

Naively, you use an algorithm like DH or RSA to do “key exchange” where we exchange random bit strings and use them as keys. But you don’t *have* to use the thing you exchanged as a key, you could use it as – let’s call it a *credential* and you then derive a key from there.

If you’re using ECDH, you pretty much have to do this because you’re not exchanging a number, you’re exchanging a *point*, (x,y), and have to run that point through a KDF. (Strictly speaking, if you’re using integer DH or RSA, you’re also exchanging a point, it just happens to be a point on The Number Line and just as we all remember from elementary school, you can use points on The Number Line as if they were numbers. Or perhaps they really are numbers, but now we’re getting into Foundations of Mathematics which I adore as a subject, but it’s a digression.)

The double ratchet is really just a scheme for taking a credential and deriving a series of keys from that credential that has a bunch of desirable properties, but yes, if that initial credential exchange is compromised by any means from quantum computers to stupidity the whole security is blown. Game over.

And that’s why no one is answering that question because it’s a case of the abyss staring back.

	Jon
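Added example, not part of the original post and not Signal's code: a simplified ratchet with hypothetical helper names, run over a toy 17-bit group so that discrete logs can be brute-forced. It models the scenario in the question, where the public-key step is broken while HMAC-SHA256 stays secure. All exponents are constructed sample values.

```python
import hashlib
import hmac

# Toy group (constructed): tiny prime so the "break" is a brute-force loop.
P, G = 65537, 3

def kdf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def dh(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(4, "big")

def broken_dlog(pub: int) -> int:
    """Models the break: recover an exponent from a public value alone."""
    x, acc = 0, 1
    while acc != pub:
        acc, x = acc * G % P, x + 1
    return x

def ratchet(root: bytes, dh_out: bytes, n_msgs: int):
    """One DH-ratchet step: mix dh_out into the root key, then run the
    symmetric chain to produce n_msgs message keys."""
    root = kdf(root, b"root" + dh_out)
    chain, keys = kdf(root, b"chain"), []
    for _ in range(n_msgs):
        keys.append(kdf(chain, b"msg"))
        chain = kdf(chain, b"next")
    return root, keys

def session_keys(epochs):
    """Endpoint view: epochs = [(own_priv, peer_pub), ...], one per DH step."""
    root, out = b"\x00" * 32, []
    for priv, peer_pub in epochs:
        root, keys = ratchet(root, dh(priv, peer_pub), 2)
        out += keys
    return out

def eavesdropper_keys(transcript):
    """Passive view: transcript = [(alice_pub, bob_pub), ...] seen on the wire."""
    return session_keys([(broken_dlog(a), b) for a, b in transcript])

ALICE_PRIV = [12345, 54321, 999]    # constructed sample exponents
BOB_PRIV = [2222, 40000, 31337]     # constructed sample exponents

def demo():
    a_pubs = [pow(G, a, P) for a in ALICE_PRIV]
    b_pubs = [pow(G, b, P) for b in BOB_PRIV]
    alice = session_keys(list(zip(ALICE_PRIV, b_pubs)))
    bob = session_keys(list(zip(BOB_PRIV, a_pubs)))
    eve = eavesdropper_keys(list(zip(a_pubs, b_pubs)))
    return alice, bob, eve
```

The observer never touches the KDF's internals: every input to the chain is either public or a DH output, so recovering the DH outputs is enough to replay the whole derivation.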


