Paper 2023/1385

WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs

David Balbás, IMDEA Software Institute, Universidad Politécnica de Madrid
Daniel Collins, École Polytechnique Fédérale de Lausanne
Phillip Gajland, Max Planck Institute for Security and Privacy, Ruhr University Bochum

Developing end-to-end encrypted instant messaging solutions for group conversations is an ongoing challenge that has garnered significant attention from practitioners and the cryptographic community alike. Notably, industry-leading messaging apps such as WhatsApp and Signal Messenger have adopted the Sender Keys protocol, where each group member shares their own symmetric encryption key with others. Despite its widespread adoption, Sender Keys has never been formally modelled in the cryptographic literature, raising the following natural question: What can be proven about the security of the Sender Keys protocol, and how can we practically mitigate its shortcomings? In addressing this question, we first introduce a novel security model to suit protocols like Sender Keys, deviating from conventional group key agreement-based abstractions. Our framework allows for a natural integration of two-party messaging within group messaging sessions that may be of independent interest. Leveraging this framework, we conduct the first formal analysis of the Sender Keys protocol, and prove it satisfies a weak notion of security. Towards improving security, we propose a series of efficient modifications to Sender Keys without imposing significant performance overhead. We combine these refinements into a new protocol that we call Sender Keys+, which may be of interest both in theory and practice.

Available format(s)
Cryptographic protocols
Publication info
A major revision of an IACR publication in ASIACRYPT 2023
Secure MessagingGroup MessagingWhatsAppSignalSender KeysPost-Compromise Security
Contact author(s)
david balbas @ imdea org
daniel collins @ epfl ch
phillip gajland @ mpi-sp org
2023-09-18: approved
2023-09-15: received
See all versions
Short URL
Creative Commons Attribution


      author = {David Balbás and Daniel Collins and Phillip Gajland},
      title = {WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1385},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.