by lmm 1368 days ago
> However. Does anyone else feel uneasy about Matrix end-to-end encryption and how some people justify its provenance by asserting it is the same encryption as Signal despite the homebrew implementation by Matrix having obvious differences to attempt to accommodate multi-device support among other features?

Signal's implementation (assuming it's what they say it is) is equally "homebrew"; it was derived from OTR but it's not the same protocol, and things like the server-assisted initial key exchange are both bolted-on and often omitted from security analysis in a way that I find very dubious.

(Frankly the only crypto protocols mature enough that I really trust them are PGP, TLS, and maybe SSH, but I don't think any of them are suitable for a use case where you want to avoid non-repudiable signatures)


> and things like the server-assisted initial key exchange are both bolted-on and often omitted from security analysis in a way that I find very dubious.

You mean the Extended Triple Diffie-Hellman? What do you mean by "bolted-on"? Would you consider it "bolted-on" too, if it was just a normal Diffie-Hellman (hence not asynchronous)?
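The server-assisted exchange the two commenters are arguing about, as an added example that is not from the thread: a toy Python model of X3DH (Extended Triple Diffie-Hellman) in which Bob publishes a prekey bundle, Alice completes the handshake while Bob is offline, and the prekey's signature is what stops the server from substituting its own prekey. The modular-exponentiation group, the textbook Schnorr signature, and the SHA-256 key derivation are stand-ins for X25519, XEdDSA and HKDF, and the function names are my own.

```python
# Toy X3DH: small mod-p group and Schnorr signature stand in for X25519 and
# XEdDSA. Illustrates the protocol structure only; the parameters are not
# secure and this is not Signal's or Matrix's code.
import hashlib
import secrets

P = 2**127 - 1   # toy prime modulus (assumption: far too small for real use)
Q = P - 1        # exponents live modulo the group order
G = 5            # toy generator

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)            # (private, public)

def h(*parts):                        # SHA-256 over the parts, as an int
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(x, msg):                     # Schnorr: binds msg to identity key x
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k - x * (h(r, msg) % Q)) % Q

def verify(y, msg, sig):
    r, s = sig
    return (pow(G, s, P) * pow(y, h(r, msg) % Q, P)) % P == r

def publish_bundle(ik, spk):          # what Bob uploads to the server
    return {"ik": ik[1], "spk": spk[1], "sig": sign(ik[0], spk[1])}

def initiator_key(ik_a, bundle):      # Alice, while Bob is offline
    if not verify(bundle["ik"], bundle["spk"], bundle["sig"]):
        raise ValueError("prekey not signed by Bob's identity key")
    ek_priv, ek_pub = keygen()        # fresh ephemeral key for this session
    dh1 = pow(bundle["spk"], ik_a[0], P)   # IK_A  x SPK_B
    dh2 = pow(bundle["ik"], ek_priv, P)    # EK_A  x IK_B
    dh3 = pow(bundle["spk"], ek_priv, P)   # EK_A  x SPK_B
    return h(dh1, dh2, dh3), ek_pub   # shared key, plus EK_A to send to Bob

def responder_key(ik_b, spk_b, ik_a_pub, ek_a_pub):   # Bob, once online
    dh1 = pow(ik_a_pub, spk_b[0], P)
    dh2 = pow(ek_a_pub, ik_b[0], P)
    dh3 = pow(ek_a_pub, spk_b[0], P)
    return h(dh1, dh2, dh3)

def run_handshake():                  # returns True if both sides agree
    ik_a, ik_b, spk_b = keygen(), keygen(), keygen()
    k_a, ek_a_pub = initiator_key(ik_a, publish_bundle(ik_b, spk_b))
    return k_a == responder_key(ik_b, spk_b, ik_a[1], ek_a_pub)
```

Because Alice only needs Bob's signed bundle, the exchange is asynchronous; a prekey the server swaps in without Bob's signature fails `verify` and is rejected before any DH is computed.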