Secret Key Recovery in a Global-Scale End-to-End Encryption System

End-to-end encrypted messaging applications ensure that an attacker cannot read a user’s message history without their decryption keys. While end-to-end encryption provides strong privacy, it creates a usability problem: if a user loses their devices and cannot access their decryption keys, they can no longer access their message history. To solve this usability problem, users should be able to back up their decryption keys with the messaging provider. For privacy, the provider should not have access to users’ decryption keys. To solve this problem, we present Secure Value Recovery 3 (SVR3), a secret key recovery system that distributes trust across different types of hardware enclaves run by different cloud providers in order to enable users to back up their decryption keys while protecting the decryption keys from the messaging provider. SVR3 is the first deployed secret key recovery system to split trust across heterogeneous enclaves managed by different cloud providers: this design ensures that a single type of enclave does not become a central point of attack. SVR3 protects decryption keys via rollback protection and fault tolerance techniques tailored to the enclaves’ security guarantees. SVR3 costs $0.0015/user/year and takes 321ms for a user to recover their key, which is a rare operation. A part of SVR3 has been rolled out to millions of real users in a deployment with capacity for over 500 million users, demonstrating the ability to operate at scale.


Graeme Connell*, Vivian Fang*, Rolfe Schmidt*, Emma Dauterman, Raluca Ada Popa