🔒 Changing Combination
Diffie-Hellman Ratchet
In 15 minutes: When and why to trigger new Diffie-Hellman exchanges
Prerequisite: Symmetric Key Ratchet
🎯 The Simple Story
Alice and Bob use KDF chains for message keys. When do they update RK?
When responding to a message!
- Alice sends message to Bob
- Bob received, needs to respond
- Both perform new DH exchange
- Update RK → RK_new
- Derive new chain keys
This is the DH ratchet.
🧠 Mental Model
Hold this picture in your head:
Alice sends to Bob:
Current state (RK, CK_A1, CK_B1)
↓
Alice: Send message 1 with K1
↓
Bob: Receives message 1
↓
Bob: Wants to respond
↓
DH Ratchet Triggered!
↓
Bob: Create new DH key pair (Bob_EK_new)
Alice: Create new DH key pair (Alice_EK_new)
↓
Compute DH_new = Alice_EK_new × Bob_EK_new
↓
RK = KDF(DH_new) (new root key)
↓
CK_A = KDF(RK) (new sending chain)
CK_B = KDF(RK) (new receiving chain)
↓
Old RK, CK_A1, CK_B1 discarded!
Think of it like:
🔒 Combination lock (Bob replies → new combination)
🔄 Fresh start (When responding, reset cryptostate)
⏩ Key freshness (Regular DH updates prevent stagnation)
📊 See It Happen
DH ratchet timing:
🎭 When to Trigger DH Ratchet
Trigger condition: When responding to a message!
Alice's side:
- If Alice sent last message → no DH ratchet yet
- If Alice is responding to Bob's message → DH ratchet!
Bob's side:
- If Bob received → respond (even if just acknowledgment)
- Trigger DH ratchet!
🔢 The Math
# Current state
RK_old (current root key)
# Bob receives message from Alice
bob_received = true
# Bob needs to respond
if bob_received:
# DH ratchet
Bob_EK_private, Bob_EK_public ← Generate DH key pair
Alice_EK_public ← from message
DH_new = Bob_EK_private × Alice_EK_public
RK_new = KDF(DH_new)
CK_A_new = KDF(RK_new)
CK_B_new = KDF(RK_new)
Discard old RK_old, CK_A_old, CK_B_old
return RK_new
💡 Why DH Ratchet?
Benefits:
- Key freshness: Regular DH updates keep cryptostate fresh
- Post-compromise security: Even if RK compromised, new DH freshens it
- Eventual recovery: Compromise recovers after DH ratchet
- Limited damage: Compromise time limited to between DH ratchets
Without DH ratchet:
- If RK compromised → all messages compromised (until RK manually updated)
With DH ratchet:
- If RK compromised → only messages until next DH at risk
- Next DH freshens RK, compromise recovers!
✅ Quick Check
When to DH ratchet?
When responding:
Not every message! Only when responding.
If Alice sends 10 messages to Bob:
- No DH ratchet (just KDF chains) If Bob responds to message 10:
- DH ratchet triggers!
Why DH ratchet?
Fresh keys = limited compromise:
RK compromised → only messages until next DH at risk.
Next DH adds new entropy → RK fresh → compromise recovers!
📋 Key Takeaways
✅ Trigger: When responding to message
✅ Purpose: Freshen RK with new DH
✅ Both sides: Perform DH, update RK synchronously
�✅ Result: New RK, new chain keys
✅ Benefits: Fresh keys, post-compromise security
✅ Limit damage: Compromise only to current DH segment
🎉 What's Next
DH ratchet explained! Next: Combined System.