Hacker News
by Alex3917 2038 days ago
> I imagine that the API-based uploads of the recent decrypts from the user being reported can also be faked, so I'm not sure that this is a very important distinction.

That assumes that the decrypted messages aren't signed (e.g. via HMAC), no?

2 comments

End-to-end MACs don't help because the recipient knows the key and thus can generate a valid MAC on a fake message.

But there are plenty of other ways to implement this. Digital signatures. Or if Facebook stores the ciphertext, the recipient could simply reveal the decryption key for the message. Or Facebook could compute a MAC over the ciphertext with a key neither participant knows, then the recipient could reveal the ciphertext and decryption key, and Facebook could verify the outer MAC to verify authenticity.

I somehow don't think FB's world class engineers would fall for the cryptographic doom principle, so this would imply MAC-then-Encrypt-then-MAC, no? :D
While there is certainly a MAC using a key shared between sender and receiver, using either an integrated authenticated encryption algorithm or encrypt-then-MAC, this key will be known to the recipient and is thus useless for proving authenticity to a third party. But Facebook could add an additional MAC, using a key only known to them, over the already-authenticated ciphertext.
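The scheme sketched in the two comments above (an outer MAC by the relay, under a key only the relay knows, over the end-to-end ciphertext; the recipient later reveals ciphertext plus message key to report it) as an added, self-contained example. This is illustrative code written for this page, not Facebook's protocol or code; the names `Envelope`, `relay`, `verifyReport` and the demo keys are assumptions. The inner layer is AES-256-GCM under the shared end-to-end key, the outer layer is HMAC-SHA256 under the relay-only key. One addition beyond the comments: the outer MAC also binds the sender identity the relay authenticated at upload time, since otherwise a verified report proves only that some ciphertext passed through the relay, not who sent it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Envelope is what the relay (the "Facebook" role in the thread) stores and
// hands back to the recipient. Field and type names are hypothetical.
type Envelope struct {
	Sender     string // sender identity as authenticated by the relay at upload
	Ciphertext []byte // nonce || AES-256-GCM ciphertext || GCM tag, under the end-to-end key
	ServerTag  []byte // HMAC-SHA256 over (Sender, Ciphertext) under the relay-only key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealE2E encrypts under the key shared by sender and recipient. Both ends know
// this key, so the GCM tag proves nothing to a third party (the point of L9).
func sealE2E(e2eKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(e2eKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openE2E decrypts and checks the inner GCM tag.
func openE2E(e2eKey, ct []byte) ([]byte, error) {
	gcm, err := newGCM(e2eKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:ns], ct[ns:], nil)
}

// outerMAC is the relay's MAC over the already-authenticated ciphertext.
// The sender string is length-prefixed so different (sender, ciphertext)
// splits of the same byte stream cannot produce the same tag.
func outerMAC(serverKey []byte, sender string, ct []byte) []byte {
	m := hmac.New(sha256.New, serverKey)
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(sender)))
	m.Write(l[:])
	m.Write([]byte(sender))
	m.Write(ct)
	return m.Sum(nil)
}

// relay is the upload step: the server never sees plaintext or the end-to-end
// key; it only binds the opaque ciphertext to the sender it authenticated.
func relay(serverKey []byte, sender string, ct []byte) Envelope {
	return Envelope{Sender: sender, Ciphertext: ct, ServerTag: outerMAC(serverKey, sender, ct)}
}

// verifyReport runs on the relay when the recipient reports a message by
// revealing the envelope and the end-to-end key. The outer MAC is checked
// first (the recipient cannot forge it), then the revealed key must actually
// open the ciphertext (so the recipient cannot substitute a different key).
func verifyReport(serverKey, revealedKey []byte, env Envelope) ([]byte, error) {
	if !hmac.Equal(outerMAC(serverKey, env.Sender, env.Ciphertext), env.ServerTag) {
		return nil, errors.New("outer MAC mismatch: ciphertext did not pass through the relay as claimed")
	}
	pt, err := openE2E(revealedKey, env.Ciphertext)
	if err != nil {
		return nil, errors.New("revealed key does not open this ciphertext")
	}
	return pt, nil
}

func main() {
	// Constructed demo keys; a real deployment derives a fresh key per message
	// so that revealing one key exposes only the reported message.
	e2eKey := bytes.Repeat([]byte{0x11}, 32)
	serverKey := bytes.Repeat([]byte{0x22}, 32)

	ct, _ := sealE2E(e2eKey, []byte("meet at 5"))
	env := relay(serverKey, "alice", ct)
	pt, err := verifyReport(serverKey, e2eKey, env)
	fmt.Printf("genuine report: %q err=%v\n", pt, err)

	// The recipient knows e2eKey, so it can mint a ciphertext with a valid inner
	// tag. Without serverKey it cannot produce a matching outer tag.
	fake, _ := sealE2E(e2eKey, []byte("send me money"))
	forged := Envelope{Sender: "alice", Ciphertext: fake, ServerTag: env.ServerTag}
	_, err = verifyReport(serverKey, e2eKey, forged)
	fmt.Println("forged report rejected:", err != nil)
}
```

Two caveats a practitioner should keep in mind: the relay's verdict is only as good as the sender authentication it performed at upload time, which is why the sender identity goes under the outer MAC; and the report reveals a decryption key, so the construction is only acceptable when keys are per message (as in ratcheting protocols), never when one long-lived key protects a whole conversation.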