Skip to main content

26 May 2021 - Melissa Chase


Melissa Chase



Identity in E2E encrypted messaging: "My messages are encrypted, but who am I talking to?"



In end-to-end (E2E) encrypted messaging, a user's messages are encrypted on their device with a key not known to the service provider and not decrypted until they arrive at the recipient's device. This is considered to provide strong privacy guarantees, even against a corrupt or compromised service provider. There has been a successful line of work looking at how best to allow the two users to derive the keys used to encrypt these messages. However, most works assume that the parties begin with one another's public key and omit the question of how the users obtain and verify these keys. Note that this is crucially important - if a corrupt service provider can replace each user's public key with one for which it knows the secret key, it can undetectably man-in-the middle all of the communication between the two parties.

In this talk I will first survey the current state of identity in these messaging services and then present two recent results. The first result shows how the service provider can host a privacy preserving and transparent public key directory which allows the user (or more accurately their device) to verify that correct keys are given out on their behalf. The second result considers the group setting and shows how groups of users can view and manage the list of group members without the service provider learning which (if any) groups any user belongs to.