[Cryptography] Zoom publishes draft cryptographic design for end-to-end encryption

Paul Wouters paul at cypherpunks.ca
Fri May 29 11:49:20 EDT 2020


On Tue, 26 May 2020, other.arkitech via cryptography wrote:

> I wonder why not use the same secp256k1 used by Bitcoin. It is bulletproof, as it is publicly able to keep safe billions in capitalization.
> I wonder why this is not the cipher suite of choice today.

The problems are completely different. Bitcoin is only about publishing
data everyone can always read. A group conference call is about a group
of X members sharing some private symmetric keys to encrypt video
streams, and then changing the keys when a participant is removed from
the group so they can no longer decrypt the stream. Then doing that
for a large, always-changing membership.

I haven't looked at the Zoom spec. I'm a little sceptical because people
from OTR, Signal and MLS have been working on this problem for a long
time. Similarly, multicast support in IPsec is another instance of this
problem. It invariably has some kind of binary tree where leaves have
their own symmetric key and if someone leaves, only that lower branch
needs to be given a new crypto key. For IPsec, there is something called
group DOI (RFC 5374) which is now being resurrected for IKEv2 in
https://tools.ietf.org/html/draft-ietf-ipsecme-g-ikev2

It's a hard problem. I assume Zoom limits the problem set to "the leader
controls the group memberships", whereas for chat protocols like OTR
and Signal, you would need some group agreement before allowing a group
change or someone could sneak in a fake user to get access to the
encrypted group chat.

Paul
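The binary-tree rekeying described in the post (each leaf holds its own symmetric key, and when a member leaves only that branch gets fresh keys) as an added example, not part of the original message: a Logical-Key-Hierarchy-style toy in Python, where a removal produces about 2·log2(N) rekey messages instead of N-1. The class and function names are mine, and the HMAC one-time pad is an assumed stand-in for a real key-wrapping AEAD.

```python
import hmac, hashlib, os
KEYLEN = 32

def wrap(kek, label, key):
    # Toy key wrap: one-time pad from HMAC(kek, label), standing in for a real AEAD.
    # With a wrong kek it yields garbage rather than failing authentication.
    pad = hmac.new(kek, label, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, pad))

class KeyTree:
    """Complete binary key tree over 2**depth members, heap-indexed (root = 1).
    Each member holds the keys on the path from its leaf up to the root."""
    def __init__(self, depth):
        self.depth, self.size, self.epoch = depth, 2 ** depth, 0
        self.keys = {n: os.urandom(KEYLEN) for n in range(1, 2 ** (depth + 1))}
    def path(self, member):            # node ids from the member's leaf up to the root
        n, out = self.size + member, []
        while n >= 1:
            out.append(n); n //= 2
        return out
    def member_keys(self, member):
        return {n: self.keys[n] for n in self.path(member)}
    def group_key(self):
        return self.keys[1]            # root key = symmetric key for the media stream
    def remove(self, member):
        """Rekey only the departing leaf's branch. Returns (node, kek_node, ct)
        messages; every remaining member can unwrap at least one per level."""
        self.epoch += 1
        leaf = self.size + member
        msgs, child = [], leaf
        for node in self.path(member)[1:]:       # parent, grandparent, ..., root
            new_key, label = os.urandom(KEYLEN), b"%d|%d" % (self.epoch, node)
            # the sibling subtree was untouched: deliver under its existing key
            msgs.append((node, child ^ 1, wrap(self.keys[child ^ 1], label, new_key)))
            # the branch below was already rekeyed (unless it is the leaving leaf itself)
            if child != leaf:
                msgs.append((node, child, wrap(self.keys[child], label, new_key)))
            self.keys[node], child = new_key, node
        del self.keys[leaf]
        return msgs

def apply_rekey(held, epoch, msgs):
    """A member unwraps each message whose kek it holds, in order, so a freshly
    learnt node key unlocks the next level up. Returns the updated key set."""
    held = dict(held)
    for node, kek_node, ct in msgs:
        if kek_node in held:
            held[node] = wrap(held[kek_node], b"%d|%d" % (epoch, node), ct)
    return held
```

With eight members, removing one yields five messages (2·3 - 1); the seven remaining members all recover the new root key, while the departed member, holding only stale path keys, cannot.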

