End-to-End encryption is no doubt the crown for software security and privacy, how much of a service is end-to-end encrypted, how strong is the end-to-end encryption, all determines the security of the service. The future of the Internet is encryption and privacy, nowadays all popular services have been or are ongoing at E2EE their software, from the dominant WhatsApp to Signal, from Google Duo to Zoom, and Firefox Sync. All the efforts converge into an unstoppable river into the sea of the future.

The Problem

Almost all popular services are encrypted in some level, e.g. the HTTPS, which will encrypt the data transferred between your browser or app and the server, but that’s not E2EE, because after your data transferred to the server, all the people who have access to that server, including staffs, cloud providers, hackers, and even the government, could read your data.

If you share some photos to a friend, they can learn a lot more than you could think, e.g. your exact location, your phone model, the people in the photo, the things and brands in the photo, your face to unlock your phone, maybe even your iris or fingerprint, and your photo may be kept forever in the server and they would be capable of mining out more data from that photo due to the technology evolvement in the future. They have the abilities to do many kind of bad things on you and your friend with these data.

Zoom is a popular video conferencing service which claimed it’s E2EE, but people have proved that is not the truth, because their servers are capable of decoding all video streams.

What’s E2EE?

E2EE fixes these problems by math, apps still connect to servers to transfer data, but the sender app has an mechanism to derive some shared passwords with the recipient app, this mechanism is proved in mathematics to be secure that the server won’t know the password in the procedure, and the password derived is impossible to be guessed by any computers existing.

if you share a photo to a friend, through an E2EE service, your app will compute a very secret password with your friend’s app, this password can not be read by anyone in the world except both of you, then your app encrypts the photo with that password and sends out the encrypted data to the server, the server is not able to decrypt that data because it doesn’t know the password, then the server forwards the encrypted data to your friend’s app, and finally your friend’s app can decrypt the data with the password, to a normal photo.

With E2EE built into all apps, you will find most annoying privacy problems disappeared because people never have the ability to abuse you, not because they don’t want to hurt you any more.

The Math

E2EE is trustworthy and beautiful because its simplicity in math. I won’t dig into the proof of the math, but outline the basic concept. Elliptic Curve is the core of the modern E2EE algorithm, and it is used as a kind of asymmetric cryptography. And the beauty of EC math is many operations about natural numbers also apply to EC points.

A Elliptic Curve is defined by a generator, your may think that an EC is just a very large number G. Assume we have two users, one picks a very large random number a and another picks b.

1. a and b are called private key in EC.
2. A=aG is the public key of a, you can treat it as a multiply G.
3. B=bG is the public key of b.
4. Private key a and b should be kept local secretly.
5. Public key A and B would be shared among each other.

Now the secret password is calculated by as follow:

1. Define s = aB, i.e. secret s is a multiply B.
2. Because B=bG, so s=abG=baG.
3. Because A=aG, so s=baG=bA.
4. So aB=bA.

That says if two users share their public keys with each other, then they would calculate the shared secret by themselves and their calculated secrets are identical. And because users only shared the public keys, and their secret keys live in their devices locally, nobody besides them is able to calculate the same secret without a secret key.

References List

1. Wikipedia: Elliptic-curve Diffie–Hellman
2. Using Zoom? Here are the privacy issues you need to be aware of
3. Zoom End-to-End Encryption Whitepaper