Cryptography

Signal Protocol

WhatsApp has 3 billion users. Encrypting each message individually with Double Ratchet for each recipient in a group of 256 members would require 255 encryption operations per message. Sender Keys reduce this to 1 encryption. Signal Protocol makes end-to-end encryption practical at global scale by solving the efficiency-security tradeoff at every layer: Double Ratchet for forward secrecy, X3DH for asynchronous key agreement, Sender Keys for groups.

  • **WhatsApp**: Signal Protocol for all messages since 2016. 3 billion users, 100+ billion messages per day. Sender Keys for group chats.
  • **Signal app**: reference implementation of Signal Protocol. The only major messaging app with sealed sender for metadata protection.
  • **iMessage Contact Key Verification (2023)**: Apple added Signal-like key verification to iMessage. Not the full Signal Protocol, but a step toward metadata protection.
  • **Matrix/Element**: open federated messaging using Double Ratchet (Olm/Megolm). Sender Keys variant (Megolm) for large rooms.

Double Ratchet: New Key Per Message

The Double Ratchet Algorithm (Marlinspike & Perrin, 2016) combines two ratchets: a Diffie-Hellman ratchet providing break-in recovery, and a symmetric ratchet providing forward secrecy. Each message uses a unique encryption key derived from the current chain state.

WhatsApp, Signal, Google Messages (RCS), and iMessage (with Contact Key Verification) use Double Ratchet. The Sesame algorithm from Signal Research extends it to multi-device delivery.

What two security properties does Double Ratchet provide simultaneously?

X3DH: First Exchange with a New Contact

X3DH (Extended Triple Diffie-Hellman) establishes an initial shared secret between parties who have never communicated, supporting asynchronous messaging: the receiver may be offline when Alice sends the first message.

X3DH provides: mutual authentication (identity keys), forward secrecy (ephemeral key EK_A), deniability (no signature on the message itself - DH provides implicit authentication). The one-time prekey OPK_B prevents replay attacks.

Why does X3DH use four DH operations instead of one?

Sealed Sender: Sender Anonymity

Standard Signal delivery reveals the sender identity to the Signal server (to route the message). Sealed Sender (2018) encrypts the sender identity inside the message, so the server sees only the recipient - not the sender.

Sealed Sender protects against a malicious or compromised Signal server learning communication patterns. Combined with sealed groups, it provides significant metadata protection. WhatsApp and iMessage do not implement sealed sender.

What metadata does Sealed Sender hide from the Signal server?

Group Messaging: Sender Keys

Double Ratchet scales poorly to group chats: in a group of n members, each message would require n-1 separate encryptions. Sender Keys (used by both Signal and WhatsApp for groups) solve this: each member maintains a personal sending chain key, distributed once to every other group member; subsequent messages need a single encryption under that chain.

When a member is removed, WhatsApp shows "Security code changed" and redistributes keys, preventing the removed member from seeing future messages.

What is the computational complexity advantage of Sender Keys over individual Double Ratchet for group messages?
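The forward-only KDF chain that underlies both the Double Ratchet's symmetric ratchet (above) and each member's Sender Key chain, as an added example that is not code from the page, Signal, or WhatsApp: HMAC-SHA256 is used as an assumed KDF, and the byte constants, class and function names are assumptions. It also shows what copying the chain's current state does and does not reveal, which is the forward-secrecy point of both sections.

```python
import hmac
import hashlib

# Constructed demo: the byte constants below are assumptions, not the exact
# KDF inputs of any real implementation.
MESSAGE_KEY_INPUT = b"\x01"
CHAIN_KEY_INPUT = b"\x02"


def kdf_chain_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """One symmetric-ratchet step: returns (message_key, next_chain_key).
    HMAC is one-way, so next_chain_key reveals nothing about its inputs."""
    message_key = hmac.new(chain_key, MESSAGE_KEY_INPUT, hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, CHAIN_KEY_INPUT, hashlib.sha256).digest()
    return message_key, next_chain_key


class Chain:
    """Forward-only KDF chain holding only the current chain key and counter.
    Each step overwrites the chain key; that erasure is the forward secrecy."""

    def __init__(self, chain_key: bytes) -> None:
        self.chain_key = chain_key
        self.counter = 0

    def next_message_key(self) -> tuple[int, bytes]:
        index = self.counter
        message_key, self.chain_key = kdf_chain_step(self.chain_key)
        self.counter += 1
        return index, message_key


def message_keys(initial_chain_key: bytes, count: int) -> list[bytes]:
    """Message keys 0..count-1, as a sender derives them in order."""
    chain = Chain(initial_chain_key)
    return [chain.next_message_key()[1] for _ in range(count)]


def keys_from_compromise(chain: Chain, total: int) -> dict[int, bytes]:
    """What an attacker who copies the chain's current state can derive:
    keys for messages chain.counter..total-1 only. Earlier message keys
    came from chain keys that no longer exist anywhere."""
    stolen = Chain(chain.chain_key)
    stolen.counter = chain.counter
    return dict(stolen.next_message_key() for _ in range(total - chain.counter))


if __name__ == "__main__":
    alice = Chain(b"\x11" * 32)            # shared chain key, constructed
    for _ in range(3):
        alice.next_message_key()           # three messages sent, chain key advanced
    print(sorted(keys_from_compromise(alice, 6)))  # [3, 4, 5]: messages 0-2 stay secret
```

A receiving chain ratchets the same way, which is why a Sender Key must be redistributed after a member is removed: the old member still holds a copy of the chain state and can keep deriving future keys from it.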

Key Ideas

  • **Double Ratchet**: symmetric + DH ratchet. Forward secrecy (past keys deleted) + break-in recovery (a DH step refreshes keys after a compromise).
  • **X3DH**: four DH operations for initial key agreement. Supports async messaging (receiver offline). Provides mutual authentication and deniability.
  • **Sealed Sender**: sender identity encrypted inside message. Server sees only recipient - cannot determine communication patterns.
  • **Sender Keys**: group efficiency. One encryption per message vs O(n). Forward secrecy weaker than pure Double Ratchet.

Related Topics

Signal Protocol combines all modern cryptographic primitives for practical end-to-end encryption:

  • Key Exchange — X3DH uses four ECDH operations for asynchronous session establishment.
  • ZK Proofs — Signal Safety Numbers use hash-based verification. Future improvements may use ZK proofs for contact verification.
  • TLS — TLS provides transport security for Signal message delivery; Signal Protocol provides end-to-end security above TLS.

Questions for Reflection

  • If Alice loses her phone and Signal key material, which previously received messages can she no longer decrypt, and why?
  • Signal's Sealed Sender hides the sender from Signal's server but not from network-level metadata. What additional protection would be needed?
  • When a group member is removed from a Signal group, why must all remaining members redistribute their Sender Keys?

Related Lessons

  • net-23-https-tls