
WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs

Conference paper. In: Advances in Cryptology – ASIACRYPT 2023 (ASIACRYPT 2023)

Abstract

Developing end-to-end encrypted instant messaging solutions for group conversations is an ongoing challenge that has garnered significant attention from practitioners and the cryptographic community alike. Notably, industry-leading messaging apps such as WhatsApp and Signal Messenger have adopted the Sender Keys protocol, where each group member shares their own symmetric encryption key with the others. Despite its widespread adoption, Sender Keys has never been formally modelled in the cryptographic literature, raising the following natural question:

What can be proven about the security of the Sender Keys protocol, and how can we practically mitigate its shortcomings?

In addressing this question, we first introduce a novel security model to suit protocols like Sender Keys, deviating from conventional group key agreement-based abstractions. Our framework allows for a natural integration of two-party messaging within group messaging sessions that may be of independent interest. Leveraging this framework, we conduct the first formal analysis of the Sender Keys protocol, and prove it satisfies a weak notion of security. Towards improving security, we propose a series of efficient modifications to Sender Keys without imposing significant performance overhead. We combine these refinements into a new protocol that we call Sender Keys+, which may be of interest both in theory and practice.


Notes

  1. Contrary to the folklore understanding that the Signal Messenger uses the pairwise channels approach for group messaging in small groups, Signal currently uses Sender Keys whenever possible.

  2. Recent academic works and ongoing discussions in mailing lists have identified and addressed several security issues that emerged during the standardisation of MLS [7, 11, 35].

  3. Note that Signal uses a dedicated private group management solution in practice [25] that we do not capture and is less affected by this attack vector than WhatsApp [46]; we refer to our full version for further details.

  4. Our approach veers away from a theoretically systematic exploration to determine the “optimal” security for a Sender Keys-like protocol, as this would require non-standard primitives that considerably degrade performance [9, 15].

  5. We remark that total ordering is a standard assumption in the CGKA line of work [7, 8, 9, 11, 39] and is assumed by MLS.

  6. A different deletion schedule may be applied as long as these keys are clearly marked as being no longer valid, e.g., if \(ID^*\) announces its maximum \(\mathsf{i_{ck}}\) value over two-party channels when it processes its own removal.

  7. Although it is not captured in our model, note that the exposure of a message key alone only compromises the message it refers to and does not (computationally) leak information about the chain key or other message keys.

  8. In practice, applications like WhatsApp and Signal bound the amount of (logical) time that keys are active for and the total number of keys that can be stored at once.

References

  1. Albrecht, M.R., Celi, S., Dowling, B., Jones, D.: Practically-exploitable cryptographic vulnerabilities in Matrix. In: 2023 IEEE Symposium on Security and Privacy (2023)

  2. Albrecht, M.R., Dowling, B., Jones, D.: Device-oriented group messaging: a formal cryptographic analysis of Matrix’ core. In: 2024 IEEE Symposium on Security and Privacy (to appear) (2024)

  3. Albrecht, M.R., Mareková, L., Paterson, K.G., Stepanovs, I.: Four attacks and a proof for Telegram. In: 2022 IEEE Symposium on Security and Privacy, pp. 87–106. IEEE Computer Society Press (2022). https://doi.org/10.1109/SP46214.2022.9833666

  4. Alwen, J., Auerbach, B., Noval, M.C., Klein, K., Pascual-Perez, G., Pietrzak, K.: DeCAF: Decentralizable continuous group key agreement with fast healing. Cryptology ePrint Archive, Report 2022/559 (2022). https://eprint.iacr.org/2022/559

  5. Alwen, J., Auerbach, B., Noval, M.C., Klein, K., Pascual-Perez, G., Pietrzak, K., Walter, M.: CoCoA: Concurrent continuous group key agreement. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part II. LNCS, vol. 13276, pp. 815–844. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-07085-3_28

  6. Alwen, J., Coretti, S., Dodis, Y.: The double ratchet: security notions, proofs, and modularization for the Signal protocol. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 129–158. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-17653-2_5

  7. Alwen, J., Coretti, S., Dodis, Y., Tselekounis, Y.: Security analysis and improvements for the IETF MLS standard for group messaging. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part I. LNCS, vol. 12170, pp. 248–277. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-56784-2_9

  8. Alwen, J., Coretti, S., Dodis, Y., Tselekounis, Y.: Modular design of secure group messaging protocols and the security of MLS. In: Vigna, G., Shi, E. (eds.) ACM CCS 2021, pp. 1463–1483. ACM Press (2021). https://doi.org/10.1145/3460120.3484820

  9. Alwen, J., Coretti, S., Jost, D., Mularczyk, M.: Continuous group key agreement with active security. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part II. LNCS, vol. 12551, pp. 261–290. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-64378-2_10

  10. Alwen, J., Hartmann, D., Kiltz, E., Mularczyk, M.: Server-aided continuous group key agreement. In: Yin, H., Stavrou, A., Cremers, C., Shi, E. (eds.) ACM CCS 2022, pp. 69–82. ACM Press (2022). https://doi.org/10.1145/3548606.3560632

  11. Alwen, J., Jost, D., Mularczyk, M.: On the insider security of MLS. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part II. LNCS, vol. 13508, pp. 34–68. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15979-4_2

  12. Balbás, D., Collins, D., Gajland, P.: Analysis and improvements of the sender keys protocol for group messaging. XVII Reunión española sobre criptología y seguridad de la información (RECSI 2022) 265, 25 (2022)

  13. Balbás, D., Collins, D., Gajland, P.: WhatsUpp with sender keys? Analysis, improvements and security proofs. Cryptology ePrint Archive, Paper 2023/1385 (2023). https://eprint.iacr.org/2023/1385 (full version)

  14. Balbás, D., Collins, D., Vaudenay, S.: Cryptographic administration for secure group messaging. In: 2023 USENIX Security Symposium (2023)

  15. Balli, F., Rösler, P., Vaudenay, S.: Determining the core primitive for optimally secure ratcheting. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part III. LNCS, vol. 12493, pp. 621–650. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-64840-4_21

  16. Barnes, R., Beurdouche, B., Robert, R., Millican, J., Omara, E., Cohn-Gordon, K.: The Messaging Layer Security (MLS) Protocol. RFC 9420 (2023). https://doi.org/10.17487/RFC9420, https://www.rfc-editor.org/info/rfc9420

  17. Bellare, M., Singh, A.C., Jaeger, J., Nyayapati, M., Stepanovs, I.: Ratcheted encryption and key exchange: the security of messaging. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 619–650. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-63697-9_21

  18. Bhargavan, K., Barnes, R., Rescorla, E.: TreeKEM: asynchronous decentralized key management for large dynamic groups. A protocol proposal for Messaging Layer Security (MLS). Research report, Inria Paris, May 2018. https://hal.inria.fr/hal-02425247

  19. Bienstock, A., Dodis, Y., Garg, S., Grogan, G., Hajiabadi, M., Rösler, P.: On the worst-case inefficiency of CGKA. In: Kiltz, E., Vaikuntanathan, V. (eds.) TCC 2022, Part II. LNCS, vol. 13748, pp. 213–243. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22365-5_8

  20. Bienstock, A., Dodis, Y., Rösler, P.: On the price of concurrency in group ratcheting protocols. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part II. LNCS, vol. 12551, pp. 198–228. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-64378-2_8

  21. Bienstock, A., Fairoze, J., Garg, S., Mukherjee, P., Raghuraman, S.: A more complete analysis of the Signal double ratchet algorithm. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part I. LNCS, vol. 13507, pp. 784–813. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15802-5_27

  22. Blazy, O., Boureanu, I., Lafourcade, P., Onete, C., Robert, L.: How fast do you heal? A taxonomy for post-compromise security in secure-channel establishment. Cryptology ePrint Archive, Report 2022/1090 (2022). https://eprint.iacr.org/2022/1090

  23. Brzuska, C., Cornelissen, E., Kohbrok, K.: Security analysis of the MLS key derivation. In: 2022 IEEE Symposium on Security and Privacy, pp. 2535–2553. IEEE Computer Society Press (2022). https://doi.org/10.1109/SP46214.2022.9833678

  24. Canetti, R., Jain, P., Swanberg, M., Varia, M.: Universally composable end-to-end secure messaging. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part II. LNCS, vol. 13508, pp. 3–33. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15979-4_1

  25. Chase, M., Perrin, T., Zaverucha, G.: The Signal private group system and anonymous credentials supporting efficient verifiable encryption. In: Ligatti, J., Ou, X., Katz, J., Vigna, G. (eds.) ACM CCS 2020, pp. 1445–1459. ACM Press (2020). https://doi.org/10.1145/3372297.3417887

  26. Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the Signal messaging protocol. J. Cryptol. 33(4), 1914–1983 (2020). https://doi.org/10.1007/s00145-020-09360-1

  27. Cohn-Gordon, K., Cremers, C., Garratt, L., Millican, J., Milner, K.: On ends-to-ends encryption: asynchronous group messaging with strong security guarantees. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 1802–1819. ACM Press (2018). https://doi.org/10.1145/3243734.3243747

  28. Cohn-Gordon, K., Cremers, C.J.F., Garratt, L.: On post-compromise security. In: Hicks, M., Köpf, B. (eds.) CSF 2016 Computer Security Foundations Symposium, pp. 164–178. IEEE Computer Society Press (2016). https://doi.org/10.1109/CSF.2016.19

  29. Cong, K., Eldefrawy, K., Smart, N.P., Terner, B.: The key lattice framework for concurrent group messaging. Cryptology ePrint Archive, Report 2022/1531 (2022). https://eprint.iacr.org/2022/1531

  30. Cremers, C., Hale, B., Kohbrok, K.: The complexities of healing in secure group messaging: why cross-group effects matter. In: Bailey, M., Greenstadt, R. (eds.) USENIX Security 2021, pp. 1847–1864. USENIX Association (2021)

  31. Davies, G.T., et al.: Security analysis of the WhatsApp end-to-end encrypted backup protocol. In: Handschuh, H., Lysyanskaya, A. (eds.) Advances in Cryptology, CRYPTO 2023. LNCS, vol. 14084. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38551-3_11

  32. Durak, F.B., Vaudenay, S.: Bidirectional asynchronous ratcheted key agreement with linear complexity. In: Attrapadung, N., Yagi, T. (eds.) IWSEC 2019. LNCS, vol. 11689, pp. 343–362. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-26834-3_20

  33. Galal, T.: yowsup, code repository (2021). https://github.com/tgalal/yowsup

  34. Hashimoto, K., Katsumata, S., Postlethwaite, E., Prest, T., Westerbaan, B.: A concrete treatment of efficient continuous group key agreement via multi-recipient PKEs. In: Vigna, G., Shi, E. (eds.) ACM CCS 2021, pp. 1441–1462. ACM Press (2021). https://doi.org/10.1145/3460120.3484817

  35. Internet Engineering Task Force: Messaging Layer Security mailing list (2023). https://mailarchive.ietf.org/arch/browse/mls/

  36. Jaeger, J., Stepanovs, I.: Optimal channel security against fine-grained state compromise: the safety of messaging. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 33–62. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-319-96884-1_2

  37. Jefferys, K.: Session Protocol: technical implementation details (2020). https://getsession.org/blog/session-protocol-technical-information. Accessed 4 July 2023

  38. Paterson, K.G., Scarlata, M., Truong, K.T.: Three lessons from Threema: analysis of a secure messenger. In: 2023 USENIX Security Symposium (2023)

  39. Klein, K., et al.: Keep the dirt: Tainted TreeKEM, adaptively and actively secure continuous group key agreement. In: 2021 IEEE Symposium on Security and Privacy, pp. 268–284. IEEE Computer Society Press (2021). https://doi.org/10.1109/SP40001.2021.00035

  40. Marlinspike, M.: Private group messaging (2014). https://signal.org/blog/private-groups/. Accessed 5 Sep 2023

  41. Marlinspike, M., Perrin, T.: The double ratchet algorithm (2016). https://signal.org/docs/specifications/doubleratchet/doubleratchet.pdf

  42. Marlinspike, M., Perrin, T.: The X3DH key agreement protocol. Open Whisper Syst. 283, 10 (2016)

  43. Marlinspike, M., et al.: Signal protocol (2016). https://github.com/signalapp/libsignal-protocol-java/tree/master/java/src/main/java/org/whispersystems/libsignal

  44. Pijnenburg, J., Poettering, B.: On secure ratcheting with immediate decryption. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022, Part III. LNCS, vol. 13793, pp. 89–118. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22969-5_4

  45. Poettering, B., Rösler, P.: Towards bidirectional ratcheted key exchange. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 3–32. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-319-96884-1_1

  46. Rösler, P., Mainka, C., Schwenk, J.: More is less: on the end-to-end security of group chats in Signal, WhatsApp, and Threema. In: 2018 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 415–429. IEEE, London, UK (2018). https://doi.org/10.1109/EuroSP.2018.00036

  47. Weidner, M., Kleppmann, M., Hugenroth, D., Beresford, A.R.: Key agreement for decentralized secure group messaging with strong security guarantees. In: Vigna, G., Shi, E. (eds.) ACM CCS 2021, pp. 2024–2045. ACM Press (2021). https://doi.org/10.1145/3460120.3484542

  48. WhatsApp: WhatsApp Encryption Overview. Technical white paper, vol. 3, October 2020. https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf


Acknowledgments

This work is supported by the PICOCRYPT project that has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (Grant agreement No. 101001283), partially supported by PRODIGY Project (TED2021-132464B-I00) funded by MCIN/AEI/10.13039/501100011033/ and the European Union NextGenerationEU / PRTR, partially funded by Ministerio de Universidades (FPU21/00600), and funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy - EXC 2092 CASA - 390781972.

Author information

Corresponding author: David Balbás.


Copyright information

© 2023 International Association for Cryptologic Research

About this paper


Cite this paper

Balbás, D., Collins, D., Gajland, P. (2023). WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14442. Springer, Singapore. https://doi.org/10.1007/978-981-99-8733-7_10


  • DOI: https://doi.org/10.1007/978-981-99-8733-7_10


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8732-0

  • Online ISBN: 978-981-99-8733-7
