
Better Encrypted Group Chat

156 points by UkiahSmith almost 6 years ago

5 comments

doomrobo almost 6 years ago
Author here. Happy to answer questions!
toomim almost 6 years ago
That was a great article. I learned a lot about encryption in group chats, which I've always been curious about.
javajosh almost 6 years ago
I think you missed a solution, which is a variant of #2.

To simplify things, consider a single global chat room, on an enormous server (probably in Salt Lake City), where every person on earth is connected and has a public/private key-pair, and every person on Earth can read everything anyone posts. You can post publicly (anonymously or with a signature), or privately (pair key) to any individual on Earth. From this starting point, how do you make private group chats? (This starting point factors out a lot of things we shouldn't worry about, and I think is simpler/nicer than a story about a Slack admin).

Your solution #1, pairwise encryption, clearly doesn't scale for the sender (as you point out). It is also aesthetically displeasing.

I feel like your solution #2, though, isn't what I would do, and I'm honestly surprised that's how WhatsApp, etc. works.

My first thought is that a person who wants a shared room creates a (symmetric) key K for the room, and then distributes K to all invited participants privately. To remove a user you generate a new K for the room, and send it to N-1 participants. They all agree to post using the new K (and a signature).

I don't see a performance issue with this solution. Consider that *every* message to the "room" causes O(N) fanout. If the rate of "normal" message addition is *much less* than the rate of participant addition/subtraction, well, that's performant enough. (Especially considering a new key for the room is some relatively small fixed size.)

(In a situation where you have a huge, passive audience and a single emitter, then yes my proposal will generate a lot of extra unnecessary traffic as people enter or leave. However, I'd argue that communication like this is probably better secured through more traditional centrally controlled means, e.g. a server process with ordinary user accounts that have a connection status.)

EDIT: There *is* a coordination problem with my solution, in that you can't guarantee members will use the new K; it might be useful to have a bot or something remind anyone who posts using the old K to use the new one instead.
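The room-key scheme described in the comment above, as an added example that is not part of the thread or the linked article. It models a removal costing N-1 private sends and shows the coordination problem from the EDIT: a removed member can still read anything posted under the old K. The `Room` class, its epoch counter, the member names and the toy `seal`/`unseal` cipher (a stand-in for a real AEAD) are assumptions for illustration.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, n):
    # Toy keystream standing in for a real AEAD such as AES-GCM (assumption).
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key or tampered message
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Room:
    """Hypothetical model: the pairwise private channel is a dict write plus a counter."""
    def __init__(self, members):
        self.epoch, self.pairwise_sends, self.keyring = 0, 0, {}
        self._rekey(set(members))

    def _rekey(self, members):
        self.members, self.epoch = members, self.epoch + 1
        k = secrets.token_bytes(32)              # fresh room key K
        for m in members:                        # one private message per member
            self.keyring.setdefault(m, {})[self.epoch] = k
            self.pairwise_sends += 1

    def remove(self, member):
        self._rekey(self.members - {member})     # new K goes to the N-1 who remain

    def post(self, sender, text, epoch=None):
        epoch = epoch or self.epoch              # epoch=<old> models a client that ignored the rekey
        return epoch, seal(self.keyring[sender][epoch], text)

    def read(self, reader, msg):
        epoch, blob = msg
        key = self.keyring.get(reader, {}).get(epoch)
        return unseal(key, blob) if key else None

    def is_stale(self, msg):
        return msg[0] != self.epoch              # what the "reminder bot" would check
```

Receivers that drop messages for which `is_stale` is true, rather than only reminding the sender, close the window in which the removed member's old K is still useful.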
cetra3 almost 6 years ago
Would just deriving a new pub/private key each time someone entered/left the chat be simpler? I'm assuming there is a reason why this wouldn't work.
peterhil almost 6 years ago
Balanced binary trees usually have some kind of rotations to maintain their properties like left-leaningness. In this application this is to be avoided in order to not send so many messages.

I understood that all participating clients know about the structure of the tree, so could not all the clients do the rotations in this kind of mass removal without sending messages?

I mean that in the last example, the tree is not left leaning, but can be made so by promoting every Zayne to their ancestor nodes.