Group chat with end-to-end encryption

In a two-person conversation, end-to-end encryption works by standard asymmetric crypto. Alice and Bob each generate their own keypairs, then they exchange public keys, then Bob sends each message encrypted with Alice’s public key. How does this two-person encryption scheme extend to multi-person group chat? In a group chat, when Bob sends a message, whose public key does he encrypt the message with?

One scheme is for Bob to encrypt the message with every participant’s key in turn. In a group chat with 30 other participants, Bob sends the message 30 times, encrypting each message for the one intended reader. In effect, this approach represents a group chat using lots of two-person private chats.

The above scheme can be called “client-side fan-out”. An advantage of client-side fan-out is that it re-uses the same protocol used for two-person conversations. But one disadvantage is that the fan-out can use a lot of the client’s network bandwidth. This cost can be prohibitive if the group is big or the network bandwidth is small.

Can we provide server-side fan-out, and still keep end-to-end encryption? The sender will need to encrypt a single message with a key which all the group members possess. This is possible with a shared secret and symmetric encryption. The sender encrypts the message once with the shared secret, and sends the ciphertext to the server. The server does fan-out on the ciphertext, but can’t read the message. Each recipient can decrypt the message with the shared secret.

This requires a mechanism to distribute the group shared secret. For this, we can fall back on the “client-side fan-out” scheme! Someone decides on the group’s shared secret, then sends the secret to each member by encrypting it with that member’s public key.

Who decides on the group’s shared secret? Because no one except the group members can know the secret, the secret must be decided by a group member. A natural option is for the group creator to decide on the secret.

Tagged #programming, #crypto.
👋 I'm Jim, a full-stack product engineer. Want to build an amazing product and a profitable business? Read more about me or Get in touch!

Similar posts

How to hash multiple values
Methods for hashing multiple values, including hash-then-XOR, concat-then-hash, and serialize-then-hash. The only method that’s collision-resistant is serialize-then-hash! 2018-01-09
Forward secrecy with hash ratchets
A “hash ratchet” ensures that a compromise of the current key does not allow decryption of past messages. Each message’s encryption key is derived from the previous key using a hash function. 2017-10-27
Making a stream cipher
A stream cipher in Go that generates an infinite keystream from a shared key using SHA-256. 2018-01-01
Asymmetric encryption with the Web Cryptography API
Generating ECDH keys and deriving a shared AES key. 2017-11-03
Symmetric encryption with the Web Cryptography API
Generating a key, encrypting and decrypting text, and explaining the implementation. 2017-11-02
Signing a string with HMAC using the Web Crypto API
A web page that allows you to sign a string using the HMAC algorithm with SHA-256, implemented using the Web Crypto API. 2017-10-31

Similar posts

How to hash multiple values
Methods for hashing multiple values, including hash-then-XOR, concat-then-hash, and serialize-then-hash. The only method that’s collision-resistant is serialize-then-hash! 2018-01-09
Forward secrecy with hash ratchets
A “hash ratchet” ensures that a compromise of the current key does not allow decryption of past messages. Each message’s encryption key is derived from the previous key using a hash function. 2017-10-27
Asymmetric encryption with the Web Cryptography API
Generating ECDH keys and deriving a shared AES key. 2017-11-03
Symmetric encryption with the Web Cryptography API
Generating a key, encrypting and decrypting text, and explaining the implementation. 2017-11-02
Signing a string with HMAC using the Web Crypto API
A web page that allows you to sign a string using the HMAC algorithm with SHA-256, implemented using the Web Crypto API. 2017-10-31
Hashing a string with the Web Cryptography API
The Web Cryptography API provides low-level crypto primitives in JavaScript, including hashing strings using SHA-256. 2017-10-30

More by Jim

What does the dot do in JavaScript?
foo.bar, foo.bar(), or foo.bar = baz - what do they mean? A deep dive into prototypical inheritance and getters/setters. 2020-11-01
Smear phishing: a new Android vulnerability
Trick Android to display an SMS as coming from any contact. Convincing phishing vuln, but still unpatched. 2020-08-06
A probabilistic pub quiz for nerds
A “true or false” quiz where you respond with your confidence level, and the optimal strategy is to report your true belief. 2020-04-26
Time is running out to catch COVID-19
Simulation shows it’s rational to deliberately infect yourself with COVID-19 early on to get treatment, but after healthcare capacity is exceeded, it’s better to avoid infection. Includes interactive parameters and visualizations. 2020-03-14
The inception bar: a new phishing method
A new phishing technique that displays a fake URL bar in Chrome for mobile. A key innovation is the “scroll jail” that traps the user in a fake browser. 2019-04-27
The hacker hype cycle
I got started with simple web development, but because enamored with increasingly esoteric programming concepts, leading to a “trough of hipster technologies” before returning to more productive work. 2019-03-23
Project C-43: the lost origins of asymmetric crypto
Bob invents asymmetric cryptography by playing loud white noise to obscure Alice’s message, which he can cancel out but an eavesdropper cannot. This idea, published in 1944 by Walter Koenig Jr., is the forgotten origin of asymmetric crypto. 2019-02-16
How Hacker News stays interesting
Hacker News buried my post on conspiracy theories in my family due to overheated discussion, not censorship. Moderation keeps the site focused on interesting technical content. 2019-01-26
My parents are Flat-Earthers
For decades, my parents have been working up to Flat-Earther beliefs. From Egyptology to Jehovah’s Witnesses to theories that human built the Moon billions of years in the future. Surprisingly, it doesn’t affect their successful lives very much. For me, it’s a fun family pastime. 2019-01-20
The dots do matter: how to scam a Gmail user
Gmail’s “dots don’t matter” feature lets scammers create an account on, say, Netflix, with your email address but different dots. Results in convincing phishing emails. 2018-04-07
The sorry state of OpenSSL usability
OpenSSL’s inadequate documentation, confusing key formats, and deprecated interfaces make it difficult to use, despite its importance. 2017-12-02
I hate telephones
I hate telephones. Some rational reasons: lack of authentication, no spam filtering, forced synchronous communication. But also just a visceral fear. 2017-11-08
The Three Ts of Time, Thought and Typing: measuring cost on the web
Businesses often tout “free” services, but the real costs come in terms of time, thought, and typing required from users. Reducing these “Three Ts” is key to improving sign-up flows and increasing conversions. 2017-10-26
Granddad died today
Granddad died. The unspoken practice of death-by-dehydration in the NHS. The Liverpool Care Pathway. Assisted dying in the UK. The importance of planning in end-of-life care. 2017-05-19
How do I call a program in C, setting up standard pipes?
A C function to create a new process, set up its standard input/output/error pipes, and return a struct containing the process ID and pipe file descriptors. 2017-02-17
Your syntax highlighter is wrong
Syntax highlighters make value judgments about code. Most highlighters judge that comments are cruft, and try to hide them. Most diff viewers judge that code deletions are bad. 2014-05-11

This page copyright James Fisher 2017. Content is not associated with my employer. Found an error? Edit this page.

Jim Fisher
CV
Speaking
Blogroll
RSS
TigYog
Kickabout