Paper 2023/1300

Device-Oriented Group Messaging: A Formal Cryptographic Analysis of Matrix’ Core

Martin R. Albrecht, King's College London
Benjamin Dowling, University of Sheffield
Daniel Jones, Royal Holloway University of London

Focusing on its cryptographic core, we provide the first formal description of the Matrix secure group messaging protocol. Observing that no existing secure messaging model in the literature captures the relationships (and shared state) between users, their devices and the groups they are a part of, we introduce the Device-Oriented Group Messaging model to capture these key characteristics of the Matrix protocol. Utilising our new formalism, we determine that Matrix achieves the basic security notions of confidentiality and authentication, provided it introduces authenticated group membership. On the other hand, while the state sharing functionality in Matrix conflicts with advanced security notions in the literature – forward and post-compromise security – it enables features such as history sharing and account recovery, provoking broader questions about how such security notions should be conceptualised.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Major revision. 45th IEEE Symposium on Security and Privacy, S&P 2024 (to appear).
secure messaginggroup messagingforward securitypost-compromise securityhistory sharingdevice management
Contact author(s)
martin albrecht @ kcl ac uk
b dowling @ sheffield ac uk
dan jones @ rhul ac uk
2023-09-02: approved
2023-08-31: received
See all versions
Short URL
Creative Commons Attribution


      author = {Martin R. Albrecht and Benjamin Dowling and Daniel Jones},
      title = {Device-Oriented Group Messaging: A Formal Cryptographic Analysis of Matrix’ Core},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1300},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.