diff --git a/slides/2-3.tex b/slides/2-3.tex
index dec3e09..d7bd530 100644
--- a/slides/2-3.tex
+++ b/slides/2-3.tex
@@ -1802,7 +1802,7 @@
\begin{frame}{The Group Messaging Problem}
\begin{columns}[c]
\begin{column}{0.5\textwidth}
- \textbf{Two-party protocols work great for... two parties}
+ \textbf{Two-party protocols work great for\ldots two parties}
\begin{itemize}
\item Signal Protocol: Alice $\leftrightarrow$ Bob
\item OTR: Real-time 1-on-1 chat
@@ -1845,6 +1845,68 @@
\end{itemize}
\end{frame}
+\begin{frame}{WhatsApp's approach: sender keys}
+ \begin{columns}[c]
+ \begin{column}{0.5\textwidth}
+ \textbf{How Sender Keys Work:}
+ \begin{itemize}
+ \item Each group member has a ``sender key''
+ \item Shared with all other members
+ \item One encryption per message (not per recipient!)
+ \end{itemize}
+ \textbf{Sender Key Components:}
+ \begin{itemize}
+ \item $SK = (spk, ck)$
+ \item $spk$: Public signature key
+ \item $ck$: Symmetric chain key
+ \item Chain key ratchets forward
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \textbf{Sending a Message:}
+ \begin{enumerate}
+ \item Derive message key: $mk = H_1(ck)$
+ \item Encrypt: $c = \func{enc}{mk, m}$
+ \item Sign: $\sigma = \func{sign}{ssk, c}$
+ \item Erase $mk$ immediately
+ \item Ratchet: $ck_{new} = H_2(ck)$
+ \end{enumerate}
+ \textbf{Benefits:}
+ \begin{itemize}
+ \item $O(1)$ encryptions per message
+ \item Handles out-of-order delivery
+ \item Scales to large groups
+ \end{itemize}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}{WhatsApp's approach: sender keys}
+ \bigimagewithcaption{sender_keys.png}{Source: David Balbás, Daniel Collins and Phillip Gajland, \textit{WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs}, IACR Asiacrypt, 2023.}
+\end{frame}
+
+\begin{frame}{Sender keys: trade-offs}
+ \begin{columns}[c]
+ \begin{column}{0.5\textwidth}
+ \textbf{What we gain:}
+ \begin{itemize}
+ \item \textbf{Efficiency}: Single encryption
+ \item \textbf{Scalability}: Works for 256+ members\footnote{Recently increased to 1,024.}
+ \item \textbf{Battery life}: Less crypto work
+ \item \textbf{Bandwidth}: Constant message size
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \textbf{What we lose:}
+ \begin{itemize}
+ \item Weaker forward secrecy
+ \item Weaker post-compromise security
+ \item Malicious server can add/remove parties
+ \end{itemize}
+ \end{column}
+ \end{columns}
+\end{frame}
+
\begin{frame}{Enter MLS: Messaging Layer Security}
\begin{columns}[c]
\begin{column}{0.5\textwidth}
@@ -1867,8 +1929,6 @@
\end{columns}
\end{frame}
-% Sender keys, etc.
-
\begin{frame}{TreeKEM}
\bigimagewithcaption{treekem.pdf}{Source: Joy of Cryptography}
\end{frame}
diff --git a/slides/images/sender_keys.png b/slides/images/sender_keys.png
new file mode 100644
index 0000000..ec1a65d
--- /dev/null
+++ b/slides/images/sender_keys.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e523aebfd2be5699f98fc0de22a03c23ce75f7ef9529f32b0704b1c44bb79b27
+size 88380
diff --git a/website/index.html b/website/index.html
index 2e3ad93..494d00a 100755
--- a/website/index.html
+++ b/website/index.html
@@ -241,6 +241,7 @@
Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Alfredo Pironti and Pierre-Yves Strub, Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS, IEEE Symposium on Security and Privacy, 2014.
Yevgeniy Dodis, Daniel Jost, Shuichi Katsumata, Thomas Prest and Rolfe Schmidt, Triple Ratchet: A Bandwidth Efficient Hybrid-Secure Signal Protocol, IACR Eurocrypt, 2025.
Karthikeyan Bhargavan, Bruno Blanchet and Nadim Kobeissi, Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate, IEEE Symposium on Security and Privacy, 2017.
+ David Balbás, Daniel Collins and Phillip Gajland, WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs, IACR Asiacrypt, 2023.
Scott Fluhrer, Istik Mantin and Adi Shamir, Weaknesses in the Key Scheduling Algorithm for RC4, Selected Areas in Cryptography, 2001.
Alma Whitten and J. D. Tygar, Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0, Security and Usability: Designing Secure Systems that People Can Use, O'Reilly, 2005.
Scott Ruoti, Jeff Andersen, Daniel Zappala and Kent Seamons, Why Johnny Still, Still Can't Encrypt: Evaluating the Usability of a Modern PGP Client, arXiv, 2015.
@@ -523,6 +524,7 @@
Martin R. Albrecht, Lenka Mareková, Kenneth G. Paterson, Eyal Ronen and Igors Stepanovs, Analysis of the Telegram Key Exchange, IACR Eurocrypt, 2025.
Martin R. Albrecht, Benjamin Dowling and Daniel Jones, Formal Analysis of Multi-Device Group Messaging in WhatsApp, IACR Eurocrypt, 2025.
Paul Rösler, Christian Mainka and Jörg Schwenk, More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema, IEEE European Symposium on Security and Privacy, 2018.
+ David Balbás, Daniel Collins and Phillip Gajland, WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs, IACR Asiacrypt, 2023.
Felix Linker, Ralf Sasse and David Basin, A Formal Analysis of Apple’s iMessage PQ3 Protocol, USENIX Security Symposium, 2025.
Théophile Wallez, A Verification Framework for Secure Group Messaging, PSL Université Paris, 2025.
Karthikeyan Bhargavan, Charlie Jacomme, Franziskus Kiefer and Rolfe Schmidt, Formal Verification of the PQXDH Post-Quantum Key Agreement Protocol for End-to-End Secure Messaging, USENIX Security Symposium, 2024.
diff --git a/website/papers/sender-keys.pdf b/website/papers/sender-keys.pdf
new file mode 100644
index 0000000..2d147fc
--- /dev/null
+++ b/website/papers/sender-keys.pdf
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0af8a7fb57350f982c902dcae8e9f3d4b51591866c3203a5c9fe6bfc2a05d87d
+size 773933