[0xBeefFed]

I am not sure if this relates, but this past year at Blackhat there was a talk on Messaging Layer Security and they broughtup a concept called TreeKEM, where users share keys in a tree heirachy to reduce the number of shared secrets.

Again, not sure if this is applicable, but the comments made me think of this.

[0] https://www.blackhat.com/us-19/briefings/schedule/index.html... [1] https://i.blackhat.com/USA-19/Wednesday/us-19-Robert-Messagi...

[ccktlmazeltov]

This still uses a single shared secret for the whole group.

[0xBeefFed]

Thank you for verfiying that

[ccktlmazeltov]

To add to that, the only goal of TreeKEM is to avoid latency/complexity when adding and removing group member frequently/quickly. Which is really not the use-case of most groups (so not sure why they're doing this).

[est31]

Probably groups with 6 or so members are alright, but the more people your group has, the more joining/parting there is. And the larger the effort is to distribute a new set of keys. So if you want your method to be scalable (and some telegram rooms have tens of thousands of members!), you need strategies like this.

[ccktlmazeltov]

> some telegram rooms have tens of thousands of members

I'd say that at this point you can either:

* accept that there is no confidentiality anymore. It's just not realistic to have a "secret" group with that many members

* have the person who adds new members forward them the group key, and give up on key rotation

btw, I'm wondering how treeKEM manages malicious members when key rotation happens

[est31]

> accept that there is no confidentiality anymore. It's just not realistic to have a "secret" group with that many members

You do have a point, especially when it's a group where people are in their free time. However, if they are present for work they are less likely to leak information. Also, encryption should give a default level of privacy to build on.