Okay. Hello. I'm Alexander Bienstock. This paper is "A More Complete Analysis of the Signal Double Ratchet Algorithm." And this is work with Jaiden, Sanjam, Pratyay and Srini.

Okay, so what is the Signal protocol? Well, it's a secure messaging protocol for long-lived sessions that was based off of the Off-the-Record protocol. Of course, it's used by billions of people via the Signal app itself, also WhatsApp, Facebook Messenger, Messages by Google, and also many more that aren't listed on the slide. Okay, so obviously it's a very practical protocol. And in addition, it won the Levchin Prize at Real World Crypto. So, you know, this is how you know that it's really a real-world protocol.

Okay, so what is the setting for secure messaging, quickly. So first of all, it's an asynchronous protocol, meaning that the two parties involved don't send in fixed rounds, but rather they can sort of send in an overlapping fashion. And this is important to note because actually the Off-the-Record protocol was synchronous itself, and really there were novel changes in Signal that made this protocol asynchronous. And also, the protocol should work over an unreliable network where messages may arrive arbitrarily out of order, or even be completely lost. Despite this, we still want immediate decryption, meaning that even if a message is completely out of order, the receiver should be able to immediately decrypt it in place in the correct spot in the conversation transcript, and also message loss resilience, meaning that if one message is completely lost forever, they shouldn't just do the protocol. And also parties may be offline for extended periods of time, you know, like if somebody is on an airplane or something like this. So there should be a server that provides a mailbox service for messages so that when a party does come online, it can download these messages from the server.

Okay, also these sessions are long-lived.
So state leakage might be likely over the lifetime of the session. And what I mean by this is a sort of transient snapshot of the state. Okay, and finally, devices could be using bad randomness.

So the properties that we want from a secure messaging protocol: first of all, end-to-end security, meaning that messages should be secure, even from this delivery server, when there's no leakage. Okay, and now if there is leakage, past messages should still remain secure despite this leakage. And furthermore, we ask for post-compromise security, meaning that the protocol should sort of naturally recover from a leakage, if the attacker is passive once this leakage happens. And I say naturally because, you know, the protocol doesn't know if a user is corrupted. And so this recovery, yeah, should just be natural, meaning that, yeah, like you shouldn't have to actually restart the protocol in order to get security again. Okay, and finally, we ask for resilience against bad randomness, meaning that if there is no leakage then bad randomness should not hurt the protocol. So sort of the nontrivial part of Signal is that we want to achieve all these properties simultaneously.

Okay, so sort of intuitively, forward security is achieved by deleting old keys. So post-compromise security is achieved by refreshing keys with new randomness, and resilience against bad randomness is achieved by leveraging the security of old secure keys.

Okay, so what do we do in our paper? Well, first of all, we only study the core double ratchet algorithm, and not actually the initial key exchange protocol of Signal. Okay, and we provide a UC-based simulation-style definition for the double ratchet. We capture the security of the double ratchet more tightly than previous works that study the double ratchet. And along the way we also capture the intuitively necessary building blocks for the security of the double ratchet.
And finally, we uncover a minor weakness of the double ratchet and provide a very efficient fix. So thank you. Please come to the talk if you want to learn more.