2021 – 2025

Secure Group Messaging in Practice

Despite Matrix and WhatsApp having provided end-to-end encryption in their group messaging offerings as early as 2014, there was a lack of understanding regarding how these systems really work, and what security they actually provide. To fill this gap, we investigated the state of secure group messaging as deployed by Matrix and WhatsApp, studying both their specifications and implementations.

[Figure: Diagram showing multi-device group messaging. Alice, Bob and Claire are in a group chat, named "Acme Family Group Chat", each of whom has multiple devices with which they connect to the group. Alice has a phone and laptop; Bob, a phone and tablet; and Claire, two phones. The diagram depicts how each user's devices form their distinct group.]

This was the primary subject of my PhD, in which I, along with my collaborators, studied secure group messaging in the multi-device setting. We focused our attention on Matrix and WhatsApp, two widely-used multi-device group messaging applications. We wanted to find out:

  • What happens when I sign into WhatsApp from my laptop?
    …And how do these two devices initiate a secure connection?
  • How will my friends’ devices find out?
    …And is there a guarantee that they will find out when I remove a device?
  • How do my own devices even find out about the new device?
  • How does my message history move to the new device?
    …And what does that mean for forward and post-compromise security?
  1. Practically-Exploitable Cryptographic Vulnerabilities in Matrix

    Our security analysis of Matrix led us to discover numerous cryptographic vulnerabilities, both in its specification and in implementations throughout its ecosystem. We built full proof-of-concept attacks based on these vulnerabilities in order to demonstrate their practicality. Our disclosure of these vulnerabilities led to the issuing of approximately 10 CVEs across the wider Matrix ecosystem.

    We presented this work at IEEE S&P 2023, for which we received a Distinguished Paper Award. For a thorough presentation of this work that avoids digging too deep into the messy details, I would recommend watching our Black Hat Europe talk from 2022. For a more casual discussion on the work and its broader context, have a listen to our episode on Security, Cryptography, Whatever (SCW).

  2. Device-Oriented Group Messaging: A Formal Analysis of Matrix' Cryptographic Core

    Keen to understand what security the Matrix protocol can provide once the aforementioned vulnerabilities have been fixed, we developed the first cryptographic model to capture multi-device group messaging. We used our new formalism, and a detailed description built upon our prior work analysing Matrix’s specification and implementation, to derive and prove its security guarantees.

    We presented this work at IEEE S&P 2024. I have been meaning to upload a longer-form presentation describing this work in more detail. If this is something you’d like to see, do reach out! (It might give me the final push to record it.)

  3. Formal Analysis of Multi-Device Group Messaging in WhatsApp

    Feeling that it is important to understand how a messaging application used by over 2 billion people actually works, we reverse-engineered WhatsApp to derive and prove its security in our new model, too. This was the first analysis of WhatsApp that was checked against the client implementation (in contrast to previous analyses that relied on the whitepaper, observed client behaviour, third-party reimplementations, or some combination thereof).

    The analysis required us to make a tweak to our model in order to capture WhatsApp’s addition of cryptographic device revocation, an important feature that is missing from Matrix’s design.

    We presented this work at Eurocrypt 2025.

  4. Secure Group Messaging in Practice

    Take a look at my thesis! It aims to synthesize what we learnt throughout this project and present what we learnt in a cohesive manner. It also allowed me to include lots of extra explanatory details, to clarify previous bits of confusion, and, more generally, to clean up and polish this final work. This resulted in a more accessible version of the works above, albeit quite a bit longer.