A few weeks ago the Real World Crypto Symposium 2026 took place in Taipei. The Real World Crypto Symposium aims to bring together cryptography researchers and the developers who implement those technologies in real systems, and it is one of the most important cryptography conferences in the world, especially for anyone interested in the practical application of cryptography.
At this year's conference many of the talks focused on Signal, highlighting the leading role Signal plays in the academic and practical development of modern cryptography. Although all of the talks are available on YouTube, they sit inside a stream that covers the entire day; so, for anyone interested in the technical details of Signal, we wanted to provide a short overview of the most important results together with direct links to the relevant presentations.
A Practical Wrapper Protocol for Metadata-Hiding in Messaging
Lea Thiemt (FAU Erlangen-Nürnberg), Paul Rösler (FAU Erlangen-Nürnberg), Alexander Bienstock (J.P. Morgan AI Research and J.P. Morgan AlgoCRYPT CoE), Rolfe Schmidt (Signal Messenger), Yevgeniy Dodis (New York University)
This talk presented and discussed an improved version of Signal's "Sealed Sender" feature, noting that Signal is already working on implementing these improvements.
Abstract (in English):
End-to-end encryption in modern messengers ensures the confidentiality of user messages so that network observers or servers cannot learn the content of messages. Even if devices are ever temporarily compromised and encryption keys are leaked, e.g., by trojans or at airport security, the protocols guarantee that past and future communication remains confidential. While confidentiality of protocols has been studied intensively, comparatively little attention was given to the anonymity of protocols. That is, in protocols like Double Ratchet or MLS, not only the ciphertext is transmitted, but also attached metadata, like sender and receiver ID. A server which observes all incoming and outgoing traffic can analyze this metadata to reveal social networks and can ultimately even learn the identity of communicating parties. This is particularly threatening for vulnerable user groups: For instance, journalists who communicate with activists rely on guaranteed anonymity. In fact, the former NSA director, Michael Hayden, made the significance of metadata undoubtedly clear when he said, “We kill people based on metadata.”
The only widely used messenger, to the best of our knowledge, which currently implements measures to hide metadata is Signal. More concretely, Signal’s Sealed Sender protocol functions as a wrapper protocol around ciphertexts and metadata to provide sender anonymity. While this is a commendable development, Sealed Sender comes with drawbacks. First, the protocol relies on the receiver’s static long term keys. Considering that messaging sessions can last for months or years, it is likely that, at some point, the receiver keys become compromised. This immediately allows de-anonymization of all previous and future communication. Second, Sealed Sender is inefficient in group chats: Without Sealed Sender, the sender creates a constant-size ciphertext which all group members can decrypt. With Sealed Sender, the sender re-encrypts this ciphertext for each recipient, which means that the ciphertext size increases linearly in the number of group members.
In this talk, I present our practical anonymity wrapper protocol which fixes both these drawbacks of Sealed Sender and can be used to hide metadata of existing (group) messaging protocols. The key idea is that the communicating parties use the shared key material of the underlying messaging protocol to derive wrapper keys. In group communication, the resulting ciphertext size is constant. Moreover, our protocol provides strong anonymity guarantees such that, even if encryption secrets are ever compromised, past and future communication remains anonymous. We implement this approach and compare it to Signal’s Sealed Sender: The performance evaluation shows that the wire size of small 1:1 messages goes down from 441 bytes to 114 bytes. For a group of 100 members, it reduces the wire size of outgoing group messages from 7240 bytes to 155 bytes. We see similar improvements in computation time for encryption and decryption, but these improvements come with substantial storage costs for receivers. Yet, by using a Bloom Filter to compress the receiver state, we are able to make this approach practical: Our resulting protocol is efficient and has a storage overhead of only a few hundred bytes for the sender and a few kilobytes for the receiver. Since this significantly improves on the currently deployed Sealed Sender protocol, Signal considers employing this solution.
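To make the key idea concrete (wrapper keys derived from the session's shared key material rather than from the receiver's long-term key, a wire format that carries no sender or receiver ID, and a Bloom filter standing in for the receiver's table of expected tags), here is an added Python sketch. It is not the authors' protocol or Signal's code: the tag/key derivation, the HMAC-based toy encryption and the per-session Bloom filter are all constructed for illustration, and the exact way the paper compresses receiver state is an assumption here.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

TAG_LEN, KEY_LEN, MAC_LEN = 16, 32, 32
WINDOW = 64  # how many upcoming message tags a receiver pre-registers per session


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_wrapper(chain_key: bytes, index: int) -> Tuple[bytes, bytes]:
    """Routing tag and wrapper key for message `index`, derived from the session's
    shared chain key (assumed to ratchet forward), not from a static receiver key."""
    okm = hkdf_expand(chain_key, b"anon-wrapper" + index.to_bytes(4, "big"), TAG_LEN + KEY_LEN)
    return okm[:TAG_LEN], okm[TAG_LEN:]


def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (constructed): XOR with an HKDF-derived keystream.
    return bytes(a ^ b for a, b in zip(data, hkdf_expand(key, b"stream", len(data))))


def wrap(chain_key: bytes, index: int, inner: bytes) -> bytes:
    """Wire format: tag || encrypted inner ciphertext || MAC. No sender/receiver ID."""
    tag, key = derive_wrapper(chain_key, index)
    body = _xor_stream(key, inner)
    mac = hmac.new(hkdf_expand(key, b"mac", KEY_LEN), tag + body, hashlib.sha256).digest()
    return tag + body + mac


def unwrap(key: bytes, wrapped: bytes) -> Optional[bytes]:
    tag, body, mac = wrapped[:TAG_LEN], wrapped[TAG_LEN:-MAC_LEN], wrapped[-MAC_LEN:]
    expect = hmac.new(hkdf_expand(key, b"mac", KEY_LEN), tag + body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expect):
        return None
    return _xor_stream(key, body)


class BloomFilter:
    """Fixed-size Bloom filter: m bits, k SHA-256-derived positions per item."""

    def __init__(self, m_bits: int = 1024, k: int = 4):
        self.m, self.k, self.bits = m_bits, k, bytearray((m_bits + 7) // 8)

    def _positions(self, item: bytes):
        digest = hashlib.sha256(item).digest()
        for i in range(self.k):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


class Receiver:
    def __init__(self) -> None:
        self.sessions: Dict[str, Tuple[bytes, BloomFilter]] = {}

    def add_session(self, peer: str, chain_key: bytes) -> None:
        # 128 bytes per session instead of WINDOW * TAG_LEN = 1024 bytes of exact tags.
        bloom = BloomFilter()
        for i in range(WINDOW):
            bloom.add(derive_wrapper(chain_key, i)[0])
        self.sessions[peer] = (chain_key, bloom)

    def receive(self, wrapped: bytes) -> Optional[Tuple[str, bytes]]:
        tag = wrapped[:TAG_LEN]
        for peer, (chain_key, bloom) in self.sessions.items():
            if not bloom.might_contain(tag):
                continue  # definitely not this session
            # Bloom hit: re-derive and confirm; a false positive fails this loop or the MAC.
            for i in range(WINDOW):
                expected, key = derive_wrapper(chain_key, i)
                if expected == tag:
                    plaintext = unwrap(key, wrapped)
                    if plaintext is not None:
                        return peer, plaintext
        return None


def demo() -> Optional[Tuple[str, bytes]]:
    """Constructed sample run: Bob holds two sessions, Alice sends message 3."""
    ck_alice = hashlib.sha256(b"constructed alice<->bob chain key").digest()
    ck_carol = hashlib.sha256(b"constructed carol<->bob chain key").digest()
    bob = Receiver()
    bob.add_session("alice", ck_alice)
    bob.add_session("carol", ck_carol)
    msg = wrap(ck_alice, 3, b"inner double-ratchet ciphertext")
    return bob.receive(msg)
```

Two properties of the abstract show up directly: the wrapped message has no identifiers beyond a tag that only the two session holders can compute, so a server sees constant-size opaque blobs, and leaking the receiver's long-term key reveals nothing, since tags and keys come from the evolving session secret. The Bloom filter trades exact lookup for a small bit array plus re-derivation on a hit, which is why storage stays in the hundreds of bytes per session.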
Signal Lost (Integrity): The Signal App is More than the Sum of its Protocols
Kien Tuong Truong (ETH Zurich), Noemi Terzo (Max-Planck Institute for Security and Privacy), Peter Schwabe (Max-Planck Institute for Security and Privacy), Kenneth Paterson (ETH Zurich)
This talk described an attack against Signal in which a malicious server could inject messages into a conversation. Signal fixed the problem immediately, before the researchers published their findings.
Abstract (in English):
We present an attack against the integrity of conversations in Signal: we show that a malicious server can inject messages into a conversation between two honest users without them being aware of it. The attack does not require any key compromises. While the attack causes the honest users to receive a notification that their safety numbers have changed, those safety numbers remain consistent, so the attack cannot be detected by comparing them out-of-band. This attack naturally gives rise to a number of questions. How was this vulnerability introduced? How can such a vulnerability still be present after the extensive security analysis to which Signal’s protocols have been subjected? What wider lessons can be drawn in order to prevent similar issues arising in the future? We answer these questions in detail in our talk.
Formosa Crypto: End-to-end formally verified crypto software
José Bacelar Almeida (Universidade do Minho and INESC TEC) and others
This presentation introduced the Formosa Crypto toolchain, which can be used to develop formally verified cryptographic software, and showed how it has been used in Signal's development.
Abstract (in English):
In this talk we will present the Formosa Crypto toolchain for end-to-end formally verified crypto software. As a running example we will present a highly optimized implementation of ML-KEM that features computer-verified proofs all the way from assembly to the IND-CCA security notion, together with extensive principled protections against various classes of microarchitectural attacks. We report on the deployment of this ML-KEM software in the backend infrastructure of the Signal secure messenger.
We furthermore report on a separate effort that uses the Formosa toolchain to build high-assurance crypto software for Signal’s infrastructure, namely an implementation of oblivious RAM (ORAM). This effort provided additional motivation to expedite the integration of Formosa software in Signal, as it discovered a timing vulnerability in the existing C implementation of ORAM in Signal. We will provide details of how this vulnerability was discovered and how the Formosa toolchain systematically protects against such vulnerabilities in a future-proof way.
XHMQV: Better Efficiency and Stronger Security for Signal’s Initial Handshake based on HMQV
Rune Fiedler (Technische Universität Darmstadt), Felix Günther (IBM Research Europe – Zurich), Jiaxin Pan (University of Kassel), Runzhi Zeng (University of Kassel), Rolfe Schmidt (Signal Messenger)
This presentation outlined ideas for improving Signal's initial handshake, making it more efficient while preserving its security properties.
Link to the video on YouTube (since it cannot be embedded directly)
Abstract (in English):
Signal’s initial handshake protocol X3DH/PQXDH allows parties to asynchronously derive a shared session key without the need to be online simultaneously, while providing implicit authentication, forward secrecy, and a form of offline deniability. Extensively studied in the cryptographic literature, it is acclaimed for its strong “maximum-exposure” security guarantees, hedging against compromises of users’ long-term keys and medium-term keys but also the ephemeral randomness used in the handshake. Remarkably, Signal’s current approach of concatenating plain DH combinations is however sub-optimal, both in terms of maximum-exposure security and performance.
In this talk, we will present XHMQV, a carefully adapted variant of Krawczyk’s well-known HMQV protocol (Crypto ’05), which enables both stronger security and better efficiency while matching the constraints of Signal’s initial handshake. Notably, HMQV does not work as a drop-in replacement for X3DH due to the latter’s asynchronicity requirements and the need to handle cases where one party runs out of ephemeral keys (pre-uploaded to the Signal server). We will show how to augment HMQV with the necessary medium-term keys, enabling security in 1-2 additional compromise scenarios compared to X3DH while using more efficient group operations. Signal plans to adopt XHMQV and in our talk, we will explain how Signal’s transition to a fully hybrid traditional/quantum-safe protocol opens a window of opportunity to improve on such a core cryptographic component, and discuss the engineering trade-offs involved.
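The contrast the abstract draws, "concatenating plain DH combinations" versus Krawczyk's HMQV, is easiest to see side by side. The following is an added Python illustration, not the authors' XHMQV and not Signal's code: it runs the X3DH-shaped derivation (four DH values concatenated) and classical HMQV over a constructed toy group (integers mod the Mersenne prime 2^127-1, generator 3), and omits signed prekeys, the medium-term keys and the hybrid post-quantum component the talk discusses. All key names and identities are constructed.

```python
import hashlib
import secrets
from typing import Tuple

# Constructed toy group: integers mod the Mersenne prime 2^127 - 1, generator 3.
# Signal uses X25519; the arithmetic here only shows the shape of each derivation.
P = 2**127 - 1
G = 3
Q = P - 1  # exponents are reduced mod the group order


def enc(v: int) -> bytes:
    return v.to_bytes(16, "big")


def kdf(*parts: bytes) -> str:
    return hashlib.sha256(b"|".join(parts)).hexdigest()


def h_half(*parts: bytes) -> int:
    """Half-length hash (HMQV's H-bar): a 64-bit exponent, hence a cheap exponentiation."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest()[:8], "big")


def keypair() -> Tuple[int, int]:
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)


# ---- X3DH shape: four plain DH values, concatenated, then hashed ----------
def x3dh_initiator(ik_a, ek_a, IK_B, SPK_B, OPK_B) -> str:
    a, _ = ik_a
    e, _ = ek_a
    # DH(IK_A, SPK_B), DH(EK_A, IK_B), DH(EK_A, SPK_B), DH(EK_A, OPK_B): 4 full exponentiations
    dh = [pow(SPK_B, a, P), pow(IK_B, e, P), pow(SPK_B, e, P), pow(OPK_B, e, P)]
    return kdf(*map(enc, dh))


def x3dh_responder(ik_b, spk_b, opk_b, IK_A, EK_A) -> str:
    b, _ = ik_b
    s, _ = spk_b
    o, _ = opk_b
    dh = [pow(IK_A, s, P), pow(EK_A, b, P), pow(EK_A, s, P), pow(EK_A, o, P)]
    return kdf(*map(enc, dh))


# ---- HMQV shape: long-term and ephemeral keys folded into one exponentiation ----
def hmqv_initiator(id_a: bytes, id_b: bytes, ik_a, ek_a, B: int, Y: int) -> str:
    a, _ = ik_a
    x, X = ek_a
    d = h_half(enc(X), id_b)
    e = h_half(enc(Y), id_a)
    # sigma = (Y * B^e)^(x + d*a): one half-length plus one full exponentiation
    sigma = pow(Y * pow(B, e, P) % P, (x + d * a) % Q, P)
    return kdf(enc(sigma), id_a, id_b)


def hmqv_responder(id_a: bytes, id_b: bytes, ik_b, ek_b, A: int, X: int) -> str:
    b, _ = ik_b
    y, Y = ek_b
    d = h_half(enc(X), id_b)
    e = h_half(enc(Y), id_a)
    # sigma = (X * A^d)^(y + e*b) = g^((x + d*a)(y + e*b)), same value as the initiator's
    sigma = pow(X * pow(A, d, P) % P, (y + e * b) % Q, P)
    return kdf(enc(sigma), id_a, id_b)


def demo_agreement() -> Tuple[bool, bool]:
    """One fresh run of each: returns (x3dh_keys_match, hmqv_keys_match)."""
    ik_a, ik_b = keypair(), keypair()
    ek_a, spk_b, opk_b, ek_b = keypair(), keypair(), keypair(), keypair()
    k_a = x3dh_initiator(ik_a, ek_a, ik_b[1], spk_b[1], opk_b[1])
    k_b = x3dh_responder(ik_b, spk_b, opk_b, ik_a[1], ek_a[1])
    s_a = hmqv_initiator(b"alice", b"bob", ik_a, ek_a, ik_b[1], ek_b[1])
    s_b = hmqv_responder(b"alice", b"bob", ik_b, ek_b, ik_a[1], ek_a[1])
    return k_a == k_b, s_a == s_b
```

The efficiency point is visible in the exponent arithmetic: the X3DH-shaped side does four full exponentiations, while HMQV does one full exponentiation plus one with a half-length exponent, because the long-term and ephemeral contributions are combined algebraically before exponentiating rather than computed as separate DH values. The asynchrony constraint the abstract mentions (the responder's Y must be a pre-uploaded prekey, which may run out) is exactly what this classical form does not handle and what the talk's medium-term-key augmentation addresses.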
A Call to Action: Transitioning Signal’s Private Group System to Quantum-Safe
Graeme Connell (Signal Messenger), Sebastian Faller (IBM Research – Zurich, ETH Zurich), Felix Günther (IBM Research – Zurich), Julia Hesse (IBM Research – Zurich), Vadim Lyubashevsky (IBM Research – Zurich), Rolfe Schmidt (Signal Messenger)
This talk described work currently under way to improve Signal's Private Group System and make it secure against potential attacks by quantum computers.
Link to the video on YouTube (since it cannot be embedded directly)
Abstract (in English):
Today’s real-world cryptographic systems face the challenge of transitioning to quantum-safe, both quickly and efficiently. But what if a system’s cryptography is so complex that no fully quantum-safe solution exists today, yet the quantum threat of Harvest-Now-Decrypt-Later (HNDL) attacks is already pressing? In this talk, we study such a deployment, Signal’s Private Group System, and discuss how a careful design analysis can enable transitioning the most vulnerable components first, while maintaining both efficiency and a pathway to full quantum safety.
Signal’s so-called Private Group System allows users to manage groups (creation, adding/removing members, etc.) in a privacy-preserving manner, i.e., such that the server never learns the members of the group while simultaneously being able to check the legitimacy of these operations. Signal’s current system uses an elaborate combination of classical primitives (zero-knowledge proofs, verifiable encryption, oblivious pseudorandom functions, etc.), combined in complex and non-black-box ways. This makes transitioning to quantum-safe challenging, yet such transition is urgent: social graph information and group membership data is highly privacy-sensitive, making Signal’s Private Group System a primary target for HNDL attacks.
In this talk, we will present ongoing work on transitioning Signal’s Private Group System. We propose to carefully rethink the design of complex cryptographic systems to focus on countering the HNDL threat first, while keeping a pathway to a fully quantum-safe system open. Our approach reduces the need for advanced building blocks as much as possible and avoids non-black-box use of primitives, e.g., by shifting some responsibilities from the server to the clients. At the example of Signal’s Private Group System, we will discuss lessons learned and quantum-safe migration strategies that are applicable more broadly to today’s real-world cryptographic systems.
Stay informed
Want to keep up with the latest Signal news, tips and updates? Follow us on Threads, Bluesky or Mastodon.