Insights into the latest developments in encryption at Signal from the Real World Crypto Symposium

26 March 2026, 00:12 CET

A few weeks ago, the Real World Crypto Symposium 2026 took place in Taipei. The Real World Crypto Symposium aims to bring cryptography researchers together with the developers who implement cryptography in real systems, and it is one of the most important cryptography conferences worldwide, especially for anyone interested in the practical relevance of encryption.

Many of this year's presentations focused on Signal, which shows the leading role Signal plays in the academic and practical development of modern cryptography. Although all presentations are freely available on YouTube, they are buried in a day-long stream, so for those interested in the technical details of Signal we wanted to give a concise overview of the key findings, with direct links to the relevant presentations.

A practical wrapper protocol for hiding metadata in messaging services

Lea Thiemt (FAU Erlangen-Nürnberg), Paul Rösler (FAU Erlangen-Nürnberg), Alexander Bienstock (J.P. Morgan AI Research and J.P. Morgan AlgoCRYPT CoE), Rolfe Schmidt (Signal Messenger), Yevgeniy Dodis (New York University)

This presentation introduced and discussed an improved version of Signal's Sealed Sender feature, and noted that Signal is already working on implementing these improvements.

Full paper as PDF

English summary:
End-to-end encryption in modern messengers ensures the confidentiality of user messages so that network observers or servers cannot learn the content of messages. Even if devices are ever temporarily compromised and encryption keys are leaked, e.g., by trojans or at airport security, the protocols guarantee that past and future communication remains confidential. While confidentiality of protocols has been studied intensively, comparatively little attention was given to the anonymity of protocols. That is, in protocols like Double Ratchet or MLS, not only the ciphertext is transmitted, but also attached metadata, like sender and receiver ID. A server which observes all incoming and outgoing traffic can analyze this metadata to reveal social networks and can ultimately even learn the identity of communicating parties. This is particularly threatening for vulnerable user groups: For instance, journalists who communicate with activists rely on guaranteed anonymity. In fact, the former NSA director, Michael Hayden, made the significance of metadata undoubtedly clear when he said, “We kill people based on metadata.”

The only widely used messenger, to the best of our knowledge, which currently implements measures to hide metadata is Signal. More concretely, Signal’s Sealed Sender protocol functions as a wrapper protocol around ciphertexts and metadata to provide sender anonymity. While this is a commendable development, Sealed Sender comes with drawbacks. First, the protocol relies on the receiver’s static long-term keys. Considering that messaging sessions can last for months or years, it is likely that, at some point, the receiver keys become compromised. This immediately allows de-anonymization of all previous and future communication. Second, Sealed Sender is inefficient in group chats: Without Sealed Sender, the sender creates a constant-size ciphertext which all group members can decrypt. With Sealed Sender, the sender re-encrypts this ciphertext for each recipient, which means that the ciphertext size increases linearly in the number of group members.

In this talk, I present our practical anonymity wrapper protocol which fixes both these drawbacks of Sealed Sender and can be used to hide metadata of existing (group) messaging protocols. The key idea is that the communicating parties use the shared key material of the underlying messaging protocol to derive wrapper keys. In group communication, the resulting ciphertext size is constant. Moreover, our protocol provides strong anonymity guarantees such that, even if encryption secrets are ever compromised, past and future communication remains anonymous. We implement this approach and compare it to Signal’s Sealed Sender: The performance evaluation shows that the wire size of small 1:1 messages goes down from 441 bytes to 114 bytes. For a group of 100 members, it reduces the wire size of outgoing group messages from 7240 bytes to 155 bytes. We see similar improvements in computation time for encryption and decryption, but these improvements come with substantial storage costs for receivers. Yet, by using a Bloom Filter to compress the receiver state, we are able to make this approach practical: Our resulting protocol is efficient and has a storage overhead of only a few hundred bytes for the sender and a few kilobytes for the receiver. Since this significantly improves on the currently deployed Sealed Sender protocol, Signal considers employing this solution.
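To make the key idea of the summary above concrete, here is a small simulation added by the editor; it is not code from the paper or from Signal, and it is not the paper's construction or its security proof. Sender and receivers share one chain secret that stands in for the key material of the underlying (group) messaging protocol; each message derives a public tag and a wrapper key from the chain via HKDF and then ratchets the chain forward, so a later compromise does not expose earlier wrapper keys. The wire format (tag || AEAD(sender_id || inner ciphertext)), the HKDF labels, the window of 8 precomputed tags, and the Bloom filter parameters are assumptions chosen for this illustration. The AEAD is a toy HMAC-based encrypt-then-MAC stand-in so that the example runs on the standard library alone; a deployment would use a real AEAD. Skipped-message keys are dropped rather than stored, which a real protocol would not do.

```python
import hashlib
import hmac

TAG_LEN = 16  # public wrapper tag on the wire (assumed size)
MAC_LEN = 32  # HMAC-SHA256 tag of the toy AEAD


def hkdf(ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF-SHA256 (RFC 5869), zero salt, standard library only."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))


def aead_seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Toy AEAD (stand-in for a real one): HMAC keystream XOR, then encrypt-then-MAC."""
    enc_key, mac_key = hkdf(key, b"enc", 32), hkdf(key, b"mac", 32)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def aead_open(key: bytes, nonce: bytes, sealed: bytes):
    """Returns the plaintext, or None if the MAC does not verify."""
    if len(sealed) < MAC_LEN:
        return None
    ct, mac = sealed[:-MAC_LEN], sealed[-MAC_LEN:]
    enc_key, mac_key = hkdf(key, b"enc", 32), hkdf(key, b"mac", 32)
    if not hmac.compare_digest(mac, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class BloomFilter:
    """Compact set of expected tags: membership may be a false positive, never a false negative."""
    def __init__(self, bits: int = 8192, hashes: int = 4):
        self.bits, self.hashes, self.array = bits, hashes, bytearray(bits // 8)

    def _positions(self, item: bytes):
        for i in range(self.hashes):
            yield int.from_bytes(hashlib.sha256(bytes([i]) + item).digest()[:4], "big") % self.bits

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.array[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: bytes) -> bool:
        return all(self.array[p // 8] & (1 << (p % 8)) for p in self._positions(item))


def ratchet(chain: bytes):
    """One step of the wrapper chain: (public tag, wrapper key, next chain secret)."""
    return hkdf(chain, b"tag", TAG_LEN), hkdf(chain, b"wrap", 32), hkdf(chain, b"chain", 32)


class Sender:
    def __init__(self, sender_id: bytes, session_secret: bytes):
        self.sender_id, self.chain = sender_id, session_secret

    def wrap(self, inner_ciphertext: bytes) -> bytes:
        """Wire format: tag || AEAD(sender_id || inner). Size is independent of group size."""
        tag, key, self.chain = ratchet(self.chain)  # old chain erased: forward anonymity
        return tag + aead_seal(key, tag, self.sender_id + inner_ciphertext)


class Receiver:
    def __init__(self, window: int = 8):
        self.window, self.chains, self.bloom = window, {}, BloomFilter()

    def add_sender(self, sender_id: bytes, session_secret: bytes) -> None:
        """Store only one chain secret per sender; the next `window` tags go into the Bloom filter."""
        self.chains[sender_id] = session_secret
        self._refresh(session_secret)

    def _refresh(self, chain: bytes) -> None:
        for _ in range(self.window):
            tag, _key, chain = ratchet(chain)
            self.bloom.add(tag)

    def unwrap(self, wire: bytes):
        """Returns (sender_id, inner_ciphertext) or None for strangers, replays and tampering."""
        tag, body = wire[:TAG_LEN], wire[TAG_LEN:]
        if tag not in self.bloom:  # cheap rejection before any key derivation
            return None
        for sender_id, chain in self.chains.items():
            for _ in range(self.window):  # walk the chain; skipped keys are dropped for brevity
                cand_tag, key, nxt = ratchet(chain)
                if cand_tag == tag:
                    plaintext = aead_open(key, tag, body)
                    if plaintext is None or not plaintext.startswith(sender_id):
                        return None  # chain is not advanced on failure
                    self.chains[sender_id] = nxt
                    self._refresh(nxt)
                    return sender_id, plaintext[len(sender_id):]
                chain = nxt
        return None  # no live chain position matches: replay or Bloom false positive
```

The receiver's persistent state is one 32-byte chain secret per sender plus the Bloom filter, regardless of how many messages are in flight, and the outgoing wire size for a group is the same as for a single recipient because every member walks the same chain. A message that arrives out of order is decrypted, but the messages it overtook are lost, which is the simplification noted above.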

Signal Lost (Integrity): The Signal app is more than the sum of its protocols

Kien Tuong Truong (ETH Zürich), Noemi Terzo (Max Planck Institute for Security and Privacy), Peter Schwabe (Max Planck Institute for Security and Privacy), Kenneth Paterson (ETH Zürich)

This presentation showed an attack on Signal in which a malicious server could inject messages into a conversation. Signal fixed the issue immediately, before the researchers made their findings public.

Full paper as PDF

English summary:
We present an attack against the integrity of conversations in Signal: we show that a malicious server can inject messages into a conversation between two honest users without them being aware of it. The attack does not require any key compromises. While the attack causes the honest users to receive a notification that their safety numbers have changed, those safety numbers remain consistent, so the attack cannot be detected by comparing them out-of-band. This attack naturally gives rise to a number of questions. How was this vulnerability introduced? How can such a vulnerability still be present after the extensive security analysis to which Signal’s protocols have been subjected? What wider lessons can be drawn in order to prevent similar issues arising in the future? We answer these questions in detail in our talk.

Formosa Crypto: End-to-end formally verified cryptographic software

José Bacelar Almeida (Universidade do Minho and INESC TEC) and others

This presentation covered the Formosa Crypto toolchain, which can be used to develop formally verified cryptographic software, and how it has been applied in Signal's development.

English summary:
In this talk we will present the Formosa Crypto toolchain for end-to-end formally verified crypto software. As a running example we will present a highly optimized implementation of ML-KEM that features computer-verified proofs all the way from assembly to the IND-CCA security notion, together with extensive principled protections against various classes of microarchitectural attacks. We report on the deployment of this ML-KEM software in the backend infrastructure of the Signal secure messenger.

We furthermore report on a separate effort that uses the Formosa toolchain to build high-assurance crypto software for Signal’s infrastructure, namely an implementation of oblivious RAM (ORAM). This effort provided additional motivation to expedite the integration of Formosa software in Signal, as it discovered a timing vulnerability in the existing C implementation of ORAM in Signal. We will provide details of how this vulnerability was discovered and how the Formosa toolchain systematically protects against such vulnerabilities in a future-proof way.

XHMQV: Better efficiency and stronger security for Signal's initial handshake based on HMQV

Rune Fiedler (Technische Universität Darmstadt), Felix Günther (IBM Research Europe – Zürich), Jiaxin Pan (University of Kassel), Runzhi Zeng (University of Kassel), Rolfe Schmidt (Signal Messenger)

This presentation introduced ideas for improving Signal's initial handshake so that it becomes more efficient while keeping, and in some compromise scenarios strengthening, its security properties.

Link to the video on YouTube (cannot be embedded here directly)

Full paper as PDF

English summary:
Signal’s initial handshake protocol X3DH/PQXDH allows parties to asynchronously derive a shared session key without the need to be online simultaneously, while providing implicit authentication, forward secrecy, and a form of offline deniability. Extensively studied in the cryptographic literature, it is acclaimed for its strong “maximum-exposure” security guarantees, hedging against compromises of users’ long-term keys and medium-term keys but also the ephemeral randomness used in the handshake. Remarkably, Signal’s current approach of concatenating plain DH combinations is however sub-optimal, both in terms of maximum-exposure security and performance.

In this talk, we will present XHMQV, a carefully adapted variant of Krawczyk’s well-known HMQV protocol (Crypto ’05), which enables both stronger security and better efficiency while matching the constraints of Signal’s initial handshake. Notably, HMQV does not work as a drop-in replacement for X3DH due to the latter’s asynchronicity requirements and the need to handle cases where one party runs out of ephemeral keys (pre-uploaded to the Signal server). We will show how to augment HMQV with the necessary medium-term keys, enabling security in 1-2 additional compromise scenarios compared to X3DH while using more efficient group operations. Signal plans to adopt XHMQV and in our talk, we will explain how Signal’s transition to a fully hybrid traditional/quantum-safe protocol opens a window of opportunity to improve on such a core cryptographic component, and discuss the engineering trade-offs involved.
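For readers who want to see where the efficiency gain comes from, the following comparison is added by the editor and is not part of the abstract above. It shows plain X3DH and plain HMQV as published, not the XHMQV variant itself, for which the page gives no formulas; the notation ($IK$, $SPK$, $EK$, $OPK$ for X3DH; $a, b, x, y$ for HMQV) is the editor's, and the post-quantum KEM share of PQXDH is left out.

In X3DH, Alice (long-term key $IK_A$, ephemeral key $EK_A$) and Bob (long-term key $IK_B$, signed prekey $SPK_B$, optional one-time prekey $OPK_B$) derive

$$SK = \mathrm{KDF}\big(\mathrm{DH}(IK_A, SPK_B) \,\|\, \mathrm{DH}(EK_A, IK_B) \,\|\, \mathrm{DH}(EK_A, SPK_B) \,\|\, \mathrm{DH}(EK_A, OPK_B)\big),$$

that is, four (three without $OPK_B$) independent exponentiations per side, each term hedging one compromise scenario, concatenated and fed to the KDF.

In HMQV, with long-term keys $A = g^{a}$ and $B = g^{b}$, ephemeral keys $X = g^{x}$ and $Y = g^{y}$, and half-length hash values $d = \bar{H}(X, \hat{B})$ and $e = \bar{H}(Y, \hat{A})$ binding each ephemeral key to the peer's identity, each party computes

$$\sigma_A = \big(Y \cdot B^{e}\big)^{\,x + d a}, \qquad \sigma_B = \big(X \cdot A^{d}\big)^{\,y + e b}, \qquad \sigma_A = \sigma_B = g^{(x + d a)(y + e b)}, \qquad K = H(\sigma).$$

The long-term and ephemeral secrets enter one combined exponent, so each party pays one full exponentiation plus one half-length exponentiation ($B^{e}$ or $A^{d}$) instead of three or four, which is the sense in which the abstract speaks of more efficient group operations. What XHMQV adds on top of this, per the abstract, is Signal's medium-term keys and the handling of exhausted one-time prekeys; those formulas are in the paper, not on this page.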

A call to action: Migrating Signal's Private Group System to quantum-safe technology

Graeme Connell (Signal Messenger), Sebastian Faller (IBM Research – Zürich, ETH Zürich), Felix Günther (IBM Research – Zürich), Julia Hesse (IBM Research – Zürich), Vadim Lyubashevsky (IBM Research – Zürich), Rolfe Schmidt (Signal Messenger)

This presentation covered the ongoing work to improve Signal's Private Group System and make it secure against possible attacks by quantum computers.

Link to the video on YouTube (cannot be embedded here directly)

Full paper as PDF

English summary:
Today’s real-world cryptographic systems face the challenge of transitioning to quantum-safe, both quickly and efficiently. But what if a system’s cryptography is so complex that no fully quantum-safe solution exists today, yet the quantum threat of Harvest-Now-Decrypt-Later (HNDL) attacks is already pressing? In this talk, we study such a deployment, Signal’s Private Group System, and discuss how a careful design analysis can enable transitioning the most vulnerable components first, while maintaining both efficiency and a pathway to full quantum safety.

Signal’s so-called Private Group System allows users to manage groups (creation, adding/removing members, etc.) in a privacy-preserving manner, i.e., such that the server never learns the members of the group while simultaneously being able to check the legitimacy of these operations. Signal’s current system uses an elaborate combination of classical primitives (zero-knowledge proofs, verifiable encryption, oblivious pseudorandom functions, etc.), combined in complex and non-black-box ways. This makes transitioning to quantum-safe challenging, yet such transition is urgent: social graph information and group membership data is highly privacy-sensitive, making Signal’s Private Group System a primary target for HNDL attacks.

In this talk, we will present ongoing work on transitioning Signal’s Private Group System. We propose to carefully rethink the design of complex cryptographic systems to focus on countering the HNDL threat first, while keeping a pathway to a fully quantum-safe system open. Our approach reduces the need for advanced building blocks as much as possible and avoids non-black-box use of primitives, e.g., by shifting some responsibilities from the server to the clients. At the example of Signal’s Private Group System, we will discuss lessons learned and quantum-safe migration strategies that are applicable more broadly to today’s real-world cryptographic systems.
