Secret Key Recovery in a Global-Scale End-to-End Encryption System

Graeme Connell; Vivian Fang; Rolfe Schmidt; Emma Dauterman; Raluca Ada Popa

Paper 2024/887

Secret Key Recovery in a Global-Scale End-to-End Encryption System

Graeme Connell, Signal Messenger

Vivian Fang

, UC Berkeley

Rolfe Schmidt, Signal Messenger

Emma Dauterman

, UC Berkeley

Raluca Ada Popa

, UC Berkeley

Abstract

End-to-end encrypted messaging applications ensure that an attacker cannot read a user's message history without their decryption keys. While this provides strong privacy, it creates a usability problem: if a user loses their devices and cannot access their decryption keys, they can no longer access their account. To solve this usability problem, users should be able to back up their account information with the messaging provider. For privacy, this backup should be encrypted and the provider should not have access to users' decryption keys. To solve this problem, we present Secure Value Recovery 3 (SVR3), a secret key recovery system that distributes trust across different types of hardware enclaves run by different cloud providers in order to protect users' decryption keys. SVR3 is the first deployed secret key recovery system to split trust across heterogeneous enclaves managed by different cloud providers: this design ensures that a single type of enclave does not become a central point of attack. SVR3 protects decryption keys via rollback protection and fault tolerance techniques tailored to the enclaves' security guarantees. SVR3 costs \$0.0025/user/year and takes 365ms for a user to recover their key, which is a rare operation. A part of SVR3 has been rolled out to millions of real users in a deployment with capacity for over 500 million users, demonstrating the ability to operate at scale.

Metadata

Available format(s): PDF
Category: Implementation
Publication info: Published elsewhere. Major revision. USENIX Symposium on Operating Systems Design and Implementation (OSDI) 2024
Keywords: E2EE secure messaging Signal key recovery distributed trust
Contact author(s): gram @ signal org
v fang @ berkeley edu
rolfe @ signal org
edauterman @ berkeley edu
raluca popa @ berkeley edu
History: 2024-07-12: last of 3 revisions; 2024-06-03: received; See all versions
Short URL: https://ia.cr/2024/887
License: CC BY-NC-ND

BibTeX

@misc{cryptoeprint:2024/887,
      author = {Graeme Connell and Vivian Fang and Rolfe Schmidt and Emma Dauterman and Raluca Ada Popa},
      title = {Secret Key Recovery in a Global-Scale End-to-End Encryption System},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/887},
      year = {2024},
      url = {https://eprint.iacr.org/2024/887}
}