Paper 2023/485

Practically-exploitable Cryptographic Vulnerabilities in Matrix

Martin R. Albrecht, King's College London
Sofía Celi, Brave Software
Benjamin Dowling, University of Sheffield
Daniel Jones, Royal Holloway University of London

We report several practically-exploitable cryptographic vulnerabilities in the Matrix standard for federated real-time communication and its flagship client and prototype implementation, Element. These, together, invalidate the confidentiality and authentication guarantees claimed by Matrix against a malicious server. This is despite Matrix’ cryptographic routines being constructed from well-known and -studied cryptographic building blocks. The vulnerabilities we exploit differ in their nature (insecure by design, protocol confusion, lack of domain separation, implementation bugs) and are distributed broadly across the different subprotocols and libraries that make up the cryptographic core of Matrix and Element. Together, these vulnerabilities highlight the need for a systematic and formal analysis of the cryptography in the Matrix standard.

Available format(s)
Attacks and cryptanalysis
Publication info
Published elsewhere. 44th IEEE Symposium on Security and Privacy, S&P 2023
secure messagingend-to-end encryptionattacksprotocolsreal-world cryptographysecure group messaging
Contact author(s)
martin albrecht @ kcl ac uk
cherenkov @ riseup net
b dowling @ sheffield ac uk
dan jones @ rhul ac uk
2023-04-05: approved
2023-04-04: received
See all versions
Short URL
Creative Commons Attribution


      author = {Martin R. Albrecht and Sofía Celi and Benjamin Dowling and Daniel Jones},
      title = {Practically-exploitable Cryptographic Vulnerabilities in Matrix},
      howpublished = {Cryptology ePrint Archive, Paper 2023/485},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.