From ad1e16fd79fd8dd499a93c730f2bad094f14104f8e45a74e8bfe54ca8f9fc3e7 Mon Sep 17 00:00:00 2001
From: Nadim Kobeissi
Date: Fri, 27 Jun 2025 16:15:06 +0200
Subject: [PATCH] Slides 2.3: Cover WhatsApp sender keys

---
 slides/2-3.tex | 66 ++++++++++++++++++++++++++++++++--
 slides/images/sender_keys.png | 3 ++
 website/index.html | 2 ++
 website/papers/sender-keys.pdf | 3 ++
 4 files changed, 71 insertions(+), 3 deletions(-)
 create mode 100644 slides/images/sender_keys.png
 create mode 100644 website/papers/sender-keys.pdf

diff --git a/slides/2-3.tex b/slides/2-3.tex
index dec3e09..d7bd530 100644
--- a/slides/2-3.tex
+++ b/slides/2-3.tex
@@ -1802,7 +1802,7 @@
 \begin{frame}{The Group Messaging Problem}
 \begin{columns}[c]
 \begin{column}{0.5\textwidth}
- \textbf{Two-party protocols work great for... two parties}
+ \textbf{Two-party protocols work great for\ldots two parties}
 \begin{itemize}
 \item Signal Protocol: Alice $\leftrightarrow$ Bob
 \item OTR: Real-time 1-on-1 chat
@@ -1845,6 +1845,68 @@
 \end{itemize}
 \end{frame}
 
+\begin{frame}{WhatsApp's approach: sender keys}
+ \begin{columns}[c]
+ \begin{column}{0.5\textwidth}
+ \textbf{How Sender Keys Work:}
+ \begin{itemize}
+ \item Each group member has a ``sender key''
+ \item Shared with all other members
+ \item One encryption per message (not per recipient!)
+ \end{itemize}
+ \textbf{Sender Key Components:}
+ \begin{itemize}
+ \item $SK = (spk, ck)$
+ \item $spk$: Public signature key
+ \item $ck$: Symmetric chain key
+ \item Chain key ratchets forward
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \textbf{Sending a Message:}
+ \begin{enumerate}
+ \item Derive message key: $mk = H_1(ck)$
+ \item Encrypt: $c = \func{enc}{mk, m}$
+ \item Sign: $\sigma = \func{sign}{ssk, c}$
+ \item Erase $mk$ immediately
+ \item Ratchet: $ck_{new} = H_2(ck)$
+ \end{enumerate}
+ \textbf{Benefits:}
+ \begin{itemize}
+ \item $O(1)$ encryptions per message
+ \item Handles out-of-order delivery
+ \item Scales to large groups
+ \end{itemize}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}{WhatsApp's approach: sender keys}
+ \bigimagewithcaption{sender_keys.png}{Source: David Balbás, Daniel Collins and Phillip Gajland, \textit{WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs}, IACR Asiacrypt, 2023.}
+\end{frame}
+
+\begin{frame}{Sender keys: trade-offs}
+ \begin{columns}[c]
+ \begin{column}{0.5\textwidth}
+ \textbf{What we gain:}
+ \begin{itemize}
+ \item \textbf{Efficiency}: Single encryption
+ \item \textbf{Scalability}: Works for 256+ members\footnote{Recently increased to 1,024.}
+ \item \textbf{Battery life}: Less crypto work
+ \item \textbf{Bandwidth}: Constant message size
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \textbf{What we lose:}
+ \begin{itemize}
+ \item Weaker forward secrecy
+ \item Weaker post-compromise security
+ \item Malicious server can add/remove parties
+ \end{itemize}
+ \end{column}
+ \end{columns}
+\end{frame}
+
 \begin{frame}{Enter MLS: Messaging Layer Security}
 \begin{columns}[c]
 \begin{column}{0.5\textwidth}
@@ -1867,8 +1929,6 @@
 \end{columns}
 \end{frame}
 
-% Sender keys, etc.
-
 \begin{frame}{TreeKEM}
 \bigimagewithcaption{treekem.pdf}{Source: Joy of Cryptography}
 \end{frame}
diff --git a/slides/images/sender_keys.png b/slides/images/sender_keys.png
new file mode 100644
index 0000000..ec1a65d
--- /dev/null
+++ b/slides/images/sender_keys.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e523aebfd2be5699f98fc0de22a03c23ce75f7ef9529f32b0704b1c44bb79b27
+size 88380
diff --git a/website/index.html b/website/index.html
index 2e3ad93..494d00a 100755
--- a/website/index.html
+++ b/website/index.html
@@ -241,6 +241,7 @@
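Review bot: Step 3 of the "Sending a Message" list signs with `$ssk$`, but the "Sender Key Components" list defines `$SK = (spk, ck)$` and introduces only `$spk$` as the public signature key, so the secret signing key is never defined and the slide never states which half of the key pair stays with the sender and which half is shared with the group. Adding `\item $ssk$: Secret signing key (kept by the sender; $spk$ is its public counterpart)` after the `$spk$` item, and changing `\item Shared with all other members` to `\item $(spk, ck)$ shared with all other members`, would make the distribution explicit. `$H_1$` and `$H_2$` in steps 1 and 5 are likewise used without being named; a short item such as `\item $H_1, H_2$: distinct hash/KDF functions` in the components list would cover them. On the trade-offs slide, "Weaker post-compromise security" would be clearer with the reason the deck's own steps 1 and 5 already imply, namely that `$ck$` advances only by a hash ratchet, so a party who learns one `$ck$` can derive every later `$mk$` until a new sender key is distributed.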
  • Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Alfredo Pironti and Pierre-Yves Strub, Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS, IEEE Symposium on Security and Privacy, 2014.
  • Yevgeniy Dodis, Daniel Jost, Shuichi Katsumata, Thomas Prest and Rolfe Schmidt, Triple Ratchet: A Bandwidth Efficient Hybrid-Secure Signal Protocol, IACR Eurocrypt, 2025.
  • Karthikeyan Bhargavan, Bruno Blanchet and Nadim Kobeissi, Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate, IEEE Symposium on Security and Privacy, 2017.
  • +
  • David Balbás, Daniel Collins and Phillip Gajland, WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs, IACR Asiacrypt, 2023.
  • Scott Fluhrer, Istik Mantin and Adi Shamir, Weaknesses in the Key Scheduling Algorithm for RC4, Selected Areas in Cryptography, 2001.
  • Alma Whitten and J. D. Tygar, Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0, Security and Usability: Designing Secure Systems that People Can Use, O'Reilly, 2005.
  • Scott Ruoti, Jeff Andersen, Daniel Zappala and Kent Seamons, Why Johnny Still, Still Can't Encrypt: Evaluating the Usability of a Modern PGP Client, arXiv, 2015.
  • @@ -523,6 +524,7 @@
  • Martin R. Albrecht, Lenka Mareková, Kenneth G. Paterson, Eyal Ronen and Igors Stepanovs, Analysis of the Telegram Key Exchange, IACR Eurocrypt, 2025.
  • Martin R. Albrecht, Benjamin Dowling and Daniel Jones, Formal Analysis of Multi-Device Group Messaging in WhatsApp, IACR Eurocrypt, 2025.
  • Paul Rösler, Christian Mainka and Jörg Schwenk, More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema, IEEE European Symposium on Security and Privacy, 2018.
  • +
  • David Balbás, Daniel Collins and Phillip Gajland, WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs, IACR Asiacrypt, 2023.
  • Felix Linker, Ralf Sasse and David Basin, A Formal Analysis of Apple’s iMessage PQ3 Protocol, USENIX Security Symposium, 2025.
  • Théophile Wallez, A Verification Framework for Secure Group Messaging, PSL Université Paris, 2025.
  • Karthikeyan Bhargavan, Charlie Jacomme, Franziskus Kiefer and Rolfe Schmidt, Formal Verification of the PQXDH Post-Quantum Key Agreement Protocol for End-to-End Secure Messaging, USENIX Security Symposium, 2024.
  • diff --git a/website/papers/sender-keys.pdf b/website/papers/sender-keys.pdf new file mode 100644 index 0000000..2d147fc --- /dev/null +++ b/website/papers/sender-keys.pdf @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0af8a7fb57350f982c902dcae8e9f3d4b51591866c3203a5c9fe6bfc2a05d87d +size 773933