Group Chat Protocol
Technical specification of the Sender Keys protocol for efficient group encryption.
Overview
Group chats use Sender Keys protocol instead of pairwise encryption. Each sender generates a unique key that all group members receive via E2EE channels.
Efficiency
| Approach | Encryption Operations | Key Exchanges |
|---|---|---|
| Pairwise (n members) | O(n) per message | O(n²) total |
| Sender Keys | O(1) per message | O(n) per sender |
For a group of 100 members, Sender Keys reduces encryption operations from 100 per message to 1.
Sender Key Structure
Each group member generates their own Sender Key:
| Field | Type | Purpose |
|---|---|---|
| Sender ID | 32 bytes | Identifies key owner |
| Chain Key | 32 bytes | Derives message keys |
| Signature Key | Ed25519 | Authenticates messages |
| Iteration | uint32 | Current chain position |
Key Derivation
For each message:
MK, CK_new = HKDF(CK, iteration, "ZentalkSenderKey")
ciphertext = AES-256-GCM(MK, plaintext)
signature = Ed25519.Sign(SK, ciphertext)
CK = CK_new
iteration++Key Distribution
Sender Keys are distributed via existing E2EE sessions:
1. Alice creates group, generates her Sender Key (SK_A)
2. Alice sends SK_A to each member via pairwise E2EE:
- To Bob: E2EE(Alice→Bob, SK_A)
- To Carol: E2EE(Alice→Carol, SK_A)
- To Dave: E2EE(Alice→Dave, SK_A)
3. Bob, Carol, Dave each generate their Sender Keys
- Bob sends SK_B to Alice, Carol, Dave via E2EE
- Carol sends SK_C to Alice, Bob, Dave via E2EE
- etc.
4. Each member stores n-1 Sender Keys from other membersMessage Flow
| Step | Sender | Recipients |
|---|---|---|
| 1 | Encrypt with own Sender Key | - |
| 2 | Sign ciphertext | - |
| 3 | Broadcast to group | Receive ciphertext |
| 4 | - | Verify signature |
| 5 | - | Decrypt with sender’s key |
Group Operations
Adding Members
| Step | Action | Security |
|---|---|---|
| 1 | Existing member sends invite | E2EE channel |
| 2 | New member receives all Sender Keys | Via E2EE from each member |
| 3 | New member generates own Sender Key | Fresh key |
| 4 | New member distributes key | E2EE to all |
Forward Secrecy: New members cannot decrypt past messages (no key backfill).
Removing Members
| Step | Action | Purpose |
|---|---|---|
| 1 | Remove member from roster | Access revocation |
| 2 | All remaining members rotate keys | Forward secrecy |
| 3 | Distribute new keys via E2EE | Exclude removed member |
Rotation: All members must generate new Sender Keys when someone leaves.
Member Rotation Triggers
| Event | Action Required |
|---|---|
| Member joins | New member creates key, receives others |
| Member leaves | All members rotate keys |
| Member device compromise | Affected member rotates key |
| Key usage limit (1000 msgs) | Sender rotates key |
Group Metadata
Server Visibility
| Data | Server Sees |
|---|---|
| Group ID | Encrypted identifier |
| Member list | Encrypted, membership hidden |
| Message content | Encrypted blob |
| Sender | Hidden via anonymous routing |
Client-Side Storage
| Data | Storage |
|---|---|
| Group roster | IndexedDB, encrypted |
| Sender Keys (received) | IndexedDB, encrypted |
| Own Sender Key | IndexedDB, encrypted |
| Message history | IndexedDB, ciphertext |
Cryptographic Primitives
| Algorithm | Usage |
|---|---|
| X25519 | Sender Key distribution (via E2EE) |
| Ed25519 | Message signatures |
| AES-256-GCM | Message encryption |
| HKDF-SHA256 | Message key derivation |
Security Properties
| Property | Mechanism |
|---|---|
| Confidentiality | AES-256-GCM encryption |
| Integrity | GCM authentication tag |
| Authenticity | Ed25519 signatures |
| Forward Secrecy | Chain key ratcheting |
| Post-Compromise | Key rotation on events |
Message Format
┌─────────────────────────────────────────┐
│ Group ID (32 bytes, encrypted) │
├─────────────────────────────────────────┤
│ Sender Key ID (8 bytes) │
├─────────────────────────────────────────┤
│ Chain Iteration (4 bytes) │
├─────────────────────────────────────────┤
│ Nonce (12 bytes) │
├─────────────────────────────────────────┤
│ Ciphertext (variable) │
├─────────────────────────────────────────┤
│ Authentication Tag (16 bytes) │
├─────────────────────────────────────────┤
│ Signature (64 bytes, Ed25519) │
└─────────────────────────────────────────┘Limits
| Parameter | Value |
|---|---|
| Max group size | 1000 members |
| Key rotation threshold | 1000 messages |
| Max concurrent groups | Unlimited |
| Message size limit | 256 KB |
Related Documentation
- Protocol Specification - X3DH and Double Ratchet for pairwise E2EE
- Architecture - System components
- Features - Feature overview
Last updated on