[kawera]

How could then sync end-to-end encrypted messages?

[motoboi]

Sender encrypts same message several times, one for each receiver device.

Store them the same way they store today.

When the first device picks up the message, mark as delivered, when the user reads it, mark as read.

Something along those lines, I guess.

EDIT: message is encrypted, but not it's metadata, as the server must know where it came from and where it is going to.

[camillomiller]

Considering how much information about a subject is inferrable by means of metadata only, I'd say this is a much better solution, security wise.

[kobayashi]

Same way iMessage does

[dmix]

The same way Signal does is probably a better example.

[microtonal]

Keep in mind that Whatsapp still supports pretty old devices (Nokia S40/60), where you may not want to encrypt every image N times.

Edit: remove some stuff.

[kccqzy]

Actually iMessage doesn't encrypt each image N times. It encrypts once, upload it to a server, then encrypts the image encryption key N times.

[microtonal]

A possible procedure is described by Moxie here:

https://moderncrypto.org/mail-archive/messaging/2014/001022....