Understanding the Signal/TextSecure Protocol - Sajjadul

Notes
Security Services
~~~~~~~~~~~~~~~~~
# Encryption
AES, RSA

# Digital Signature
RSA

# Key Exchange
DFKE, ECDH, X3DH

# Key Derivation Function (KDF)

HMAC, HKDF

Advanced Encryption Standard (AES)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Ref:
AES Explained (Advanced Encryption Standard) - Computerphile
https://www.youtube.com/watch?v=O4xNJsjtN6E

Book: Understanding Cryptography, Chapter 4, The Advanced Encryption

Standard (AES)
https://www.dropbox.com/s/rrwtm3k0tcoxfau/2010_Book_UnderstandingCryp
tography.pdf?dl=0

Diffie Hellman Key Exchange (DHKE)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Ref:
Secret Key Exchange (Diffie-Hellman) - Computerphile
https://www.youtube.com/watch?v=NmM9HA2MQGI

Diffie Hellman -the Mathematics bit- Computerphile

https://www.youtube.com/watch?v=Yjrfm_oRO0w

Book: Understanding Cryptography, Chapter 8.1, Diffie–Hellman Key

Exchange
https://www.dropbox.com/s/rrwtm3k0tcoxfau/2010_Book_UnderstandingCryp
tography.pdf?dl=0

Alice Bob

Domain parameters (available to Alice and Bob):

Large Prime (1024 or 2048 bits) = p
Integer {2,3,...,p-2} = g

Diffie Hellman Keys: Diffie Hellman Keys:

Private Key {2,3,...,p-2} = PrkA Private Key {2,3,...,p-2} = PrkB
Public Key = g^PrkA mod p = PkA Public Key = g^PrkB mod p = PkB

Bob sends PkB to Alice

<<-------------------------------

Alice sends PkA to Bob

------------------------------->>

Computes Shared Secret Key: Computes Shared Secret Key:

Secret Key = PkB^PrkA mod p = Secret Key = PkA^PrkB mod p =
kAB kAB

DHKE complete. Alice and Bob have kAB (symmetric key)

Alice and Bob uses AES with kAB to exchange messages between them

RSA Encryption
~~~~~~~~~~~~~~~
# Ref:
Book: Understanding Cryptography, Chapter 7, The RSA Cryptosystem
https://www.dropbox.com/s/rrwtm3k0tcoxfau/2010_Book_UnderstandingCryp
tography.pdf?dl=0

The Euclidean Algorithm

https://www.youtube.com/watch?v=p5gn2hj51hs

The Extended Euclidean algorithm

https://www.youtube.com/watch?v=hB34-GSDT3k
A (Relatively Easy To Understand) Primer on Elliptic Curve
Cryptography
https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-
on-elliptic-curve-cryptography/

# Bob's parameters:
Large Prime = p
Large Prime = q
n = p.q
Phi(n) = (p-1).(q-1)
e = {1,2,...,Phi(n)-1}
e and Phi(n) are coprime: GCD(e,Phi(n)) = 1
d = Inverse(e)
d.e = 1 mod Phi(n)

# Bob's Keys:
Private Key (1024+ bits) = d = PrkB
Public Key = (n,e) = PkB

# Bob sends PkB to Alice

# Alice encrypts message x:

Payload y = x o PkB = x^e mod n

# Alice sends payload to Bob

# Bob decrypts payload to get message x:

x = y o PrkB = y^PrkB mod n

RSA Digital Signature

~~~~~~~~~~~~~~~~~~~~~~
# Bob's Keys:
Private Key = PrkB
Public Key = (n,e) = PkB

# Bob sends PkB to Alice

# Bob signs message x:

Signature (2048 bits) = hash(x) o PrkB = SigB
Payload = (x,SigB)

# Bob sends payload to Alice

# Alice verifies Bob’s signature:
hash(x) o SigB o PkB = true/false

Diffie Hellman with RSA Signature

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Ref:
Key Exchange Problems - Computerphile
https://www.youtube.com/watch?v=vsXMMT2CqqE

# Bob's RSA Keys for signing:

Private Key = IPrkB
Public Key = IPkB

# Bob publishes IPkB to the server

# Domain parameters (available to Alice and Bob):

Large Prime = p
Integer {2,3,...,p-2} = g

# Bob's DH Keys:
Private Key {2,3,...,p-2} = PrkB
Public Key = g^PrkB mod p = PkB

# Bob’s DH key signature:

Signature = hash(PkB) o IPrkB = SigB

# Bob sends PkB and SigB to Alice

# Alice downloads Bob’s published IPkB from the server, to use for
signature verification

# Alice verifies Bob’s Prekey Signature:

hash(PkB) o SigB o IPkB = true/false

# Alice sends PkA to Bob

# Alice Computes Shared Secret Key:

Secret Key = PkB^PrkA mod p = kAB

# Bob Computes Shared Secret Key:

Secret Key = PkA^PrkB mod p = kAB
# DHKE complete. Alice and Bob have kAB (symmetric key)

# Alice and Bob uses AES with kAB to exchange messages between them

Elliptic Curve Cryptography (ECC)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Ref:
Elliptic Curves - Computerphile
https://www.youtube.com/watch?v=NF1pwjL9-DE

A (Relatively Easy To Understand) Primer on Elliptic Curve

Cryptography
https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-
on-elliptic-curve-cryptography/

Book: Understanding Cryptography, Chapter 9, Elliptic Curve

Cryptosystems
https://www.dropbox.com/s/rrwtm3k0tcoxfau/2010_Book_UnderstandingCryp
tography.pdf?dl=0

Elliptic Curve E (coefficients a, b): y^2 ≡ x^3 + a·x + b mod p

P = (x1,y1)
Q = (x2,y2)
R = P + Q = (x1,y1) + (x2,y2) = (x3,y3)

# Point Addition:
R = P + Q
Draw a line through P and Q and obtain a third point of intersection
between the elliptic curve and the line. Mirror this
third intersection point along the x-axis. This mirrored point is, by
definition, the point R.

# Point Doubling:
P = Q
R = P + P = 2P

We draw the tangent line through P and obtain a second point of

intersection between this line and the elliptic curve. We mirror the
point of the second intersection along the x-axis.
# Inverse of P
P = (xP,yP)
-P = (xP,-yP)

The point that is reflected along the x-axis.

# Equation:
P + Q = (x1,y1) + (x2,y2) = (x3,y3)

DHKE with ECC (ECDH)

~~~~~~~~~~~~~~~~~~~~~
# Ref:
Book: Understanding Cryptography, Chapter 9.3, Diffie–Hellman Key
Exchange with Elliptic Curves
https://www.dropbox.com/s/rrwtm3k0tcoxfau/2010_Book_UnderstandingCryp
tography.pdf?dl=0

Alice Bob

Domain parameters:
Large Prime (1024 or 2048 bits) = p
Primitive element = (xP,yP) = P
Coefficients a and b of Elliptic Curve E: y^2 ≡ x^3 + a.x + b mod p

Keys: Keys:
Private Key {2,3,...,#E-1} = PrkA Private Key {2,3,…,#E-1} = PrkB
Public Key = P o PrkA = (xA,yA) = Public Key = P o PrkB = (xB,yB)
PkA = PkB

Bob sends PkB to Alice

<<-----------------------------------------

Alice sends PkA to Bob

----------------------------------------->>

Compute Shared Secret Key: Compute Shared Secret Key:

PkB o PrkA = (xAB,yAB) PkA o PrkB = (xAB,yAB)

Only x coordinate used as key: Only x coordinate used as key:

xAB = kAB xAB = kAB

Secret Key Secret Key

= Hash kAB and take 128 bits = Hash kAB and take 128 bits
= HkAB = HkAB

DHKE complete. Alice and Bob have HkAB (symmetric key)

Alice and Bob uses AES with HkAB to exchange messages between them

Elliptic Curve Digital Signature Algorithm (ECDSA)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hash-based Message Authentication Code (HMAC)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Ref:
Book: Understanding Cryptography, Chapter 12.2, MACs from Hash
Functions: HMAC
https://www.dropbox.com/s/rrwtm3k0tcoxfau/2010_Book_UnderstandingCryp
tography.pdf?dl=0

HMAC: Keyed-Hashing for Message Authentication

https://www.ietf.org/rfc/rfc2104.txt
HMAC based key derivation function (HKDF)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Ref:
HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
https://www.ietf.org/rfc/rfc5869.txt

Authenticated-Encryption with Associated-Data (AEAD)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Ref:
https://web.cs.ucdavis.edu/~rogaway/papers/ad.pdf

Extended Triple Diffie Hellman (X3DH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Ref:
The X3DH Key Agreement Protocol
https://signal.org/docs/specifications/x3dh/

Instant Messaging and the Signal Protocol - Computerphile

https://www.youtube.com/watch?v=DXv1boalsDI

NorthSec 2015 - Trevor Perrin - TextSecure Protocol: Present and

Future
https://www.youtube.com/watch?v=7WnwSovjYMs

# Scenario:
Alice wants to send initial message to Bob.
All keys used for generating Shared Secret Keys are Elliptic Curve
Diffie Hellman keys.

# Parameters:
Elliptic Curve = X25519 or X448
Hash Function = SHA512
Digital Signature = XEdDSA
Key Derivation Function (KDF) = HKDF

Alice Bob

Keys: Diffie Hellman Private keys:

Public Identity Key (long term) = Identity Key (long term) =
IPkA IPrkB
Private Identity Key (long term) = Signed Pre-key (change
IPrkA periodically) = SPrkB
Set of One-time Prekeys =
{OPrkB1,OPrkB2,...,OPrkBN}

Diffie Hellman Public keys

(generated):
Identity Key (long term) =
IPkB
Signed Prekey (change
periodically) = SPkB
Set of One-time Prekeys =
{OPkB1,OPkB2,...,OPkBN}

Prekey Signature
= Sign(hash(SPkB),IPrkB)
= SigB

Bob's Prekey Bundle (Public keys and Signature) are published to

server.

Bob will also upload a new signed prekey and prekey signature at
some interval (e.g. once a week, or once a month). The new signed
prekey SPkB and corresponding signature SigB will replace the
previous values.

Bob may keep the private key corresponding to the previous signed
prekey around for some period of time, to handle messages using it
that have been delayed in transit. Eventually, Bob should delete
this private key for forward secrecy.

Fetch Bob's Prekey Bundle from

server (only one of the OPkB will
be sent to Alice)

Bob’s Prekey Bundle:

Identity Key = IPkB
Signed Prekey = SPkB
Prekey Signature = SigB
One-time Prekey 3 = OPkB3
(optional, server may run out of
unused keys)

Server deletes Bob’s one-time prekey (OPkB3) that was sent to

 Alice. If the prekeys are coming to an end, server may notify Bob
to create more one-time prekeys.

Verify Bob’s Prekey Signature:

SigVerify(hash(SPkB),SigB,IPkB) =
true/false

Generate new Ephemeral Key for each

DH session:
Public Ephemeral Key = EPkA
Private Ephemeral Key = EPrkA

Calculate Diffie-Helmans:
Shared Secret Key 1 =
DH(SPkB,IPrkA) = kAB1
Shared Secret Key 2 =
DH(IPkB,EPrkA) = kAB2
Shared Secret Key 3 =
DH(SPkB,EPrkA) = kAB3
Shared Secret Key 4 =
DH(OPkB3,EPrkA) = kAB4
(if no OPkB3, then kAB4 is not
computed)

Shared Secret Key

= KDF(kAB1 || kAB2 || kAB3 || kAB4)
= kAB
Delete the ephemeral private
key and temporary Diffie Hellman
keys:
EPrkA
kAB1
kAB2
kAB3
kAB4

Compute an Associated Data byte

sequence from Alice and Bob’s
public Identity keys:
Associated Data
= IPkA || IPkB
= AD

Encrypt message = Ciphertext

Encrypted with some AEAD encryption

scheme using AD as associated data
and using an encryption key which
is either kAB or the output from
some cryptographic PRF keyed by
kAB.

Alice sends initial message to Bob, consisting of:

Alice's Public Identity Key = IPkA
Alice's Public Ephemeral Key = EPkA
ID of Bob’s OPkB3 (if used)
Ciphertext

[ IPkA | EPkA | (OPkB3 ID) | Ciphertext ]

----------------------------------------->>

Calculate Diffie-Helmans:
Shared Secret Key 1 =
DH(IPkA,SPrkB) = kAB1
Shared Secret Key 2 =
DH(EPkA,IPrkB) = kAB2
Shared Secret Key 3 =
DH(EPkA,SPrkB) = kAB3
Shared Secret Key 4 =
DH(EPkA,OPrkB3) = kAB4
(if no OPkB3 ID was sent by
 Alice, then kAB4 is not
computed)

Shared Secret Key

= KDF(kAB1 || kAB2 || kAB3 ||
kAB4)
= kAB

Delete the temporary Diffie

Hellman keys:
kAB1
kAB2
kAB3
kAB4

Compute an Associated Data

byte sequence from Alice and
Bob’s public Identity keys:
Associated Data
= IPkA || IPkB
= AD

Decrypt Ciphertext using AD

and kAB

If decryption fails, Bob

interrupts the protocol and
deletes kAB.

If decryption succeeds,
Bob deletes his one-time
private key (OPrkB3) used by
Alice, for forward secrecy.

Alice will send next messages to Bob, by continually deriving new

secret keys from kAB, using Double Ratchet Algo.

Bob will decrypt these messages, by continually deriving new secret

keys from kAB, using Double Ratchet Algo.

Bob will periodically generate and upload new signed prekey SPkB
and corresponding signature SigB. He will eventually delete the old
SPrkB to provide perfect forward secrecy.

For authentication, Bob and Alice can compare their identity public
 keys IPkA and IPkB by comparing public key fingerprints manually or
by scanning a QR code. This is not part of X3DH protocol.

Double Ratchet Algo (Axolotl Ratchet)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Ref:
Double Ratchet Messaging Encryption - Computerphile
https://www.youtube.com/watch?v=9sO2qdTci-s

The Double Ratchet Algorithm

https://signal.org/docs/specifications/doubleratchet/

NorthSec 2015 - Trevor Perrin - TextSecure Protocol: Present and

Future
https://www.youtube.com/watch?v=7WnwSovjYMs

# KDF Chains:
A KDF chain has the following properties:
1. The output keys appear random to an adversary without knowledge of
the KDF keys. This is true even if the adversary can control the KDF
inputs.
2. Output keys from the past appear random to an adversary who learns
the KDF key at some point in time.
3. Future output keys appear random to an adversary who learns the
KDF key at some point in time, provided that future inputs have added
sufficient entropy.

In a Double Ratchet session between Alice and Bob each party stores a
KDF key for three chains: a root chain, a sending chain, and a
receiving chain (Alice's sending chain matches Bob's receiving chain,
and vice versa).
# Symmetric-key ratchet:
Every message sent or received is encrypted with a unique message
key. The message keys are output keys from the sending and receiving
KDF chains.

The KDF inputs for the sending and receiving chains are constant. The
sending and receiving chains just ensure that each message is
encrypted with a unique key that can be deleted after encryption or
decryption. Because message keys aren't used to derive any other
keys, message keys may be stored without affecting the security of
other message keys.
# Diffie-Hellman ratchet:
If an attacker steals one party's sending and receiving chain keys,
the attacker can compute all future message keys and decrypt all
future messages. To prevent this, the Double Ratchet combines the
symmetric-key ratchet with a DH ratchet which updates chain keys
based on Diffie-Hellman outputs.

To implement the DH ratchet, each party generates a DH key pair (a

Diffie-Hellman public key and private key) which becomes their
current ratchet key pair. Every message from either party begins with
a header which contains the sender's current ratchet public key. When
a new ratchet public key is received from the remote party, a DH
ratchet step is performed which replaces the local party's current
ratchet key pair with a new key pair.
# Double Ratchet:
1. When a message is sent or received, a symmetric-key ratchet step
is applied to the sending or receiving chain to derive the message
key.
2. When a new ratchet public key is received, a DH ratchet step is
performed prior to the symmetric-key ratchet to replace the chain
keys.

Alice Bob

Root Chain Key 1 Root Chain Key 1

= Secret key computed from X3DH = Secret key computed from X3DH
= kAB1 = kAB1
Bob and Alice both have derived the same secret key kAB1 from X3DH

During initialization, Bob's

signed prekeys from X3DH becomes
Bob's initial DH ratchet keys:

Ratchet Public Key 1 = SPrkB =

RtPkB1
Ratchet Private Key 1 = SPrkB =
RtPrKB1

Bob sends his Diffie-Hellman Ratchet Public Key to Alice. No

encrypted message.
[ RtPkB1 | _ ]
<<-----------------------------------------

Since Alice received a new Ratchet Key from Bob during

Initialization, she must:
1. Generate a new pair of Diffie-Hellman Ratchet keys.
2. Step up the Root Chain Ratchet.
2. Reset the Sending Chain Ratchet.

Generates Diffie-Hellman Ratchet

keys:
Ratchet Public Key 1 = RtPkA1
Ratchet Private Key 1 = RtPrkA1

Root Chain KDF Input 1

= DH(RtPkB1,RtPrkA1)
= DH1

Step up the Root Chain Ratchet

(1 -> 2):
Root Chain Key 2
= KDF(kAB1,DH1)
= kAB2

Reset the Sending Chain Ratchet:

Sending Chain Key 1
= Extra bits from kAB2
= SkA1

Delete keys:
Root Chain Key 1 = kAB1

Alice wants to send her first message to Bob

Since Alice is using her existing Ratchet Key, she must:

1. For every encrypted message received, step up the Receiving
Chain Ratchet.
2. For every message to send, step up the Sending Chain Ratchet.

Step up the Sending Chain

Ratchet (1 -> 2):

Sending Chain Constant = C

Sending Chain Key 2

= KDF(SkA1,C)
= SkA2

Sender Alice's Message Key 1

= Extra bits from SkA2
= A1
Encrypt message with A1
= CiphertextA1

Create payload that begins with

a header containing Alice's
current ratchet public key
(RtPkA1).

Delete keys:
Sending Chain Key 1 = SkA1
Sender Alice's Message Key 1 =
A1

Alice sends message to Bob.

[ RtPkA1 | N=0 | PN=0 | CiphertextA1 ]

--------------------------------------->>

Extracts RtPkA1 from message

header.

Since Bob received a new Ratchet Key from Alice, he must:

1. Step up the Root Chain Ratchet.
2. Reset the Receiving Chain Ratchet.
3. Step up the Receiving Chain Ratchet.
4. Generate a new pair of Diffie-Hellman Ratchet keys.
5. Step up the Root Chain Ratchet again.
6. Reset the Sending Chain Ratchet.

Root Chain KDF Input 1

= DH(RtPkA1,RtPrkB1)
= DH1

Step up the Root Chain Ratchet (1

-> 2):
Root Chain Key 2
= KDF(kAB1,DH1)
= kAB2

Reset the Receiving Chain

Ratchet:
Receiving Chain Key 1
= Extra bits from kAB2
= RkB1
SkA1 = RkB1

Delete keys:
Root Chain Key 1 = kAB1

Step up the Receiving Chain

Ratchet (1 -> 2):

Receiving Chain Constant = C

Receiving Chain Key 2

= KDF(RkB1,C)
= RkB2

Receiver Bob's Message Key 1

= Extra bits from RkB2
= A1

Decrypt CiphertextA1 with A1

Delete keys:
Receiving Chain Key 1 = RkB1
Receiver Bob's Message Key 1 = A1

Generates Diffie-Hellman Ratchet

keys:
Ratchet Public Key 2 = RtPkB2
Ratchet Private Key 2 = RtPrKB2

Root Chain KDF Input 2

= DH(RtPkA1,RtPrkB2)
= DH2
 Step up the Root Chain Ratchet (2
-> 3):
Root Chain Key 3
= KDF(kAB2,DH2)
= kAB3

Reset the Sending Chain Ratchet:

Sending Chain Key 1
= Extra bits from kAB3
= SkB1

Delete keys:
Root Chain Key 2 = kAB2

Bob wants to send his first message to Alice

 Since Bob is using his existing Ratchet Key, he must:
1. For every encrypted message received, step up the Receiving
Chain Ratchet.
2. For every message to send, step up the Sending Chain Ratchet.

Step up the Sending Chain Ratchet

(1->2):

Sending Chain Constant = C

Sending Chain Key 2

= KDF(SkB1,C)
= SkB2

Sender Bob's Message Key 1

= Extra bits from SkB2
= B1

Encrypt message with B1

= CiphertextB1

Create payload that begins with a

header containing Alice's current
ratchet public key (RtPkB2).

Delete keys:
Sending Chain Key 1 = SkB1
Sender Bob's Message Key 1 = B1

Bob sends message to Alice.

[ RtPkB2 | N=0 | PN=0 | CiphertextB1 ]
<<---------------------------------------

Extracts RtPkB2 from message

header.

Since Alice received a new Ratchet Public Key from Bob, she must:
1. Step up the Root Chain Ratchet.
2. If encrypted message exists, reset the Receiving Chain Ratchet.
3. If encrypted message exists, step up the Receiving Chain
Ratchet.
4. Generate a new pair of Diffie-Hellman Ratchet keys.
5. Step up the Root Chain Ratchet again.
 6. Reset the Sending Chain Ratchet.

Root Chain KDF Input 2

= DH(RtPkB2,RtPrkA1)
= DH2

Step up the Root Chain Ratchet

(2->3):
Root Chain Key 3
= KDF(kAB2,DH2)
= kAB3

Reset the Receiving Chain

Ratchet:
Receiving Chain Key 1
= Extra bits from kAB3
= RkA1

RkA1 = SkB1

Delete keys:
Root Chain Key 2 = kAB2

Step up the Receiving Chain

Ratchet (1->2):

Receiving Chain Constant = C

Receiving Chain Key 2

= KDF(RkA1,C)
= RkA2

Receiver Alice's Message Key 1

= Extra bits from RkA2
= B1

Decrypt CiphertextB1 with B1

Delete keys:
Receiving Chain Key 1 = RkA1
Receiver Alice's Message Key 1 =
B1

Generates Diffie-Hellman Ratchet

keys:
Ratchet Public Key 2 = RtPkA2
Ratchet Private Key 2 = RtPrkA2

Root Chain KDF Input 3

= DH(RtPkB2,RtPrkA2)
= DH3

Step up the Root Chain Ratchet

(3->4):
Root Chain Key 4
= KDF(kAB3,DH3)
= kAB4

Reset the Sending Chain Ratchet:

Sending Chain Key 3
= Extra bits from kAB4
= SkA3

Delete keys:
Root Chain Key 3 = kAB3

Alice then sends a message A2,

receives a message B2 with Bob's old ratchet public key,
and then sends messages A3 and A4.

[ RtPkA2 | N=0 | PN=1 | CiphertextA2 ]

---------------------------------------->>
[ RtPkB2 | N=1 | PN=0 | CiphertextB2 ]
<<----------------------------------------
[ RtPkA2 | N=1 | PN=1 | CiphertextA3 ]
---------------------------------------->>
[ RtPkA2 | N=2 | PN=1 | CiphertextA4 ]
 ---------------------------------------->>

Since Alice and Bob are both using their existing Ratchet Key, they
must:
1. For every encrypted message received, step up the Receiving
Chain Ratchet.
2. For every message to send, step up the Sending Chain Ratchet.

Alice received messages B3 and B4 with the Bob's new ratchet public
key
and sends a message A5.

[ RtPkB3 | N=0 | PN=2 | CiphertextB3 ]

<<----------------------------------

Since Alice received message B3 with a new Ratchet Public Key from
Bob, she must:
1. Step up the Root Chain Ratchet.
2. If encrypted message exists, reset the Receiving Chain Ratchet.
3. If encrypted message exists, step up the Receiving Chain
Ratchet.
4. Generate a new pair of Diffie-Hellman Ratchet keys.
5. Step up the Root Chain Ratchet again.
6. Reset the Sending Chain Ratchet.

[ RtPkB3 | N=1 | PN=2 | CiphertextB4 ]

<<----------------------------------

Since Alice received message B4 with an existing Ratchet Key from

 Bob, she must:
1. For every encrypted message received, step up the Receiving
Chain Ratchet.
2. For every message to send, step up the Sending Chain Ratchet.

[ RtPkA3 | N=0 | PN=3 | CiphertextA5 ]

---------------------------------->>

Since Bob received message A5 with a new Ratchet Public Key from
Alice, he must:
1. Step up the Root Chain Ratchet.
2. If encrypted message exists, reset the Receiving Chain Ratchet.
3. If encrypted message exists, step up the Receiving Chain
Ratchet.
4. Generate a new pair of Diffie-Hellman Ratchet keys.
5. Step up the Root Chain Ratchet again.
6. Reset the Sending Chain Ratchet.
# Out-of-order messages:
The Double Ratchet handles lost or out-of-order messages by including
in each message header the message's number in the sending chain
(N=0,1,2,...) and the length (number of message keys) in the previous
sending chain (PN). This enables the recipient to advance to the
relevant message key while storing skipped message keys in case the
skipped messages arrive later.

On receiving a message, if a DH ratchet step is triggered then the

received PN minus the length of the current receiving chain is the
number of skipped messages in that receiving chain. The received N is
the number of skipped messages in the new receiving chain (i.e. the
chain after the DH ratchet).
If a DH ratchet step isn't triggered, then the received N minus the
length of the receiving chain is the number of skipped messages in
that chain.

For example, consider the message sequence from the previous section
when messages B2 and B3 are skipped. Message B4 will trigger Alice's
DH ratchet step (instead of B3). Message B4 will have PN=2 and N=1.
On receiving B4 Alice will have a receiving chain of length 1 (B1),
so Alice will store message keys for B2 and B3 so they can be
decrypted if they arrive later:
Sesame Algorithm
~~~~~~~~~~~~~~~~~
Ref:
The Sesame Algorithm: Session Management for Asynchronous Message
Encryption
https://signal.org/docs/specifications/sesame/

# Scenarios:
1. Alice and Bob might each have several devices, so encrypting a
message from Alice to Bob might require creating sessions from
Alice's sending device to all of Bob's devices, and also to Alice's
other devices (so they receive a copy of the message).
2. Alice and Bob might add and remove devices, so they will have to
add and delete sessions to handle these changes.
3. Alice and Bob might simultaneously initiate a new session with
each other, so that two new sessions are created. For the Double
Ratchet to be maximally effective Alice and Bob must send and receive
messages using matching sessions, so they must agree on which
matching sessions to use.
4. Alice might choose to erase her device's session state, or restore
from a backup, thus causing either her or Bob to possess orphaned
sessions which no longer match one of the other party's sessions.

# Assumptions:
1. Each user has a UserID (a username or phone number).
1. Users can add or delete devices at any time.
2. Each device has a DeviceID which is unique for the UserID.
3. Each device has an identity key pair.
3. The server stores a mailbox for each device.
4. Devices send messages to other devices' mailboxes. Server stores
the sending device's UserID and DeviceID alongside the message.
5. Devices fetch messages from their own mailbox. Recipient device
fetches the message and the sender's UserID and DeviceID from the
server.
6. Messages can be encrypted and decrypted using a session, which is
some secret data stored by a device.
7. SessionID uniquely identifies each session.
8. A device can create a new initiating session at any time.

# Device States:
1. Each device stores a set of UserIDs, and corresponding DeviceIDs.
Enables enables a device to send a copy of each outbound message to
the user's other devices.
2. Sesame supports two different models for key pairs: With per-user
identity keys, all devices under a user share the same key pair. With
per-device identity keys, each device may have a different key pair.

Signal Protocol (Putting it all together)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Ref:
NorthSec 2015 - Trevor Perrin - TextSecure Protocol: Present and
Future
https://www.youtube.com/watch?v=7WnwSovjYMs

What's Up With Group Messaging? - Computerphile

https://www.youtube.com/watch?v=Q0_lcKrUdWg&t=18s
Private Group Messaging
https://signal.org/blog/private-groups/

1. Extended Triple Diffie Hellman (X3DH)

2. Double Ratchet Algo
3. Sesame Algo