A Formal Security Analysis of the Signal Messaging Protocol
Journal of Cryptology (IF 2.3), Pub Date: 2020-09-23, DOI: 10.1007/s00145-020-09360-1
Katriel Cohn-Gordon, Cas Cremers, Benjamin Dowling, Luke Garratt, Douglas Stebila

The Signal protocol is a cryptographic messaging protocol that provides end-to-end encryption for instant messaging in WhatsApp, Wire, and Facebook Messenger among many others, serving well over 1 billion active users. Signal includes several uncommon security properties (such as “future secrecy” or “post-compromise security”), enabled by a technique called ratcheting in which session keys are updated with every message sent. We conduct a formal security analysis of Signal’s initial extended triple Diffie–Hellman (X3DH) key agreement and Double Ratchet protocols as a multi-stage authenticated key exchange protocol. We extract from the implementation a formal description of the abstract protocol and define a security model which can capture the “ratcheting” key update structure as a multi-stage model where there can be a “tree” of stages, rather than just a sequence. We then prove the security of Signal’s key exchange core in our model, demonstrating several standard security properties. We have found no major flaws in the design and hope that our presentation and results can serve as a foundation for other analyses of this widely adopted protocol.

Updated: 2020-09-23