Dr. Mike Pound is my favorite person that you have ever had on. His explanations are always very clear

Please do a video on how group conversations are encrypted :)

Mike should get his own BBC series.

Dr. Pound, thanks to you and your crew for all you do. You bring a lot of clarity to a subject that can be convoluted.

At some point, there needs to be an Alice and Bob wedding video. Unless it is done in complete secrecy of course.

I'm just writing a comment knowing that YT rates the videos with comments higher than those without, and Mr. Pence deserves every bit of attention he can get. Much love

Doctor Mike is my favorite doctor. My father will have to be content with only being the best father in the world. Sorry dad.

Thank you 😊🙏 This by far is the best channel. Alongside Numberphile of course 😜

Excellent information from Mike as always and great visuals to help show the ratchet in action. The visuals really helped me out

Always a pleasure to watch Dr. Mike Pound :)

Computerphile, we've entrusted you with the Earth's remaining supply of tractor fed paper for impact printers. Please consider using it more sparingly.

Great video, well explained and answered all my questions! Thanks Mike. Now it's time to watch the video

Really good graphics along with well explained content. Thanks for this. I've been reading up on Signal and this video helps a great deal.

Please keep up the messaging protocol content. Great stuff as usual!

I liked your video a lot. It has helped me study for a far too soon exam. Nevertheless, I find it worth mentioning, how the DH key pairs are changed in a ping-pong effect in the Signal Protocol. When A receives a message from B with a new public key e_B, A changes it's root key once, with the new K_DH=DH(d_A, e_B) key, the it re-initializes the read chain. After that, A creates a new DH key pair and then re-initializes the send chain. So when A sends a message again, it will come with A's new publih DH key and start the same procedure for B.

The world needed that animation. Wish I'd have had stuff like that in my university courses.

I am a simple man. I see Dr Mike Pound in the thumbnail, I click.

Yes!!! Dr Pound!!!

These encryption videos are wonderful! Can we have a video on initialization vectors plz?

Been curious about this for a while but too lazy to look into it myself, thanks!

Bloody genius! Can we get one on group messages in Signal?

Really reminds me of the wheels turning in an Enigma machine.

The starting at the same position and the synchronized ratcheting part strongly resemble (electro)mechanical cryptographic machines IMO. The Enigma for example would use a single set of ratchets for the send and recieve parts, because it was self-reciprocal, i.e. inputting the encoded message would output the cleartext message.

Please send my regards to Dr Mike, my dream is to study under this guy

You said that video packets are encrypted the same way. Since they can arrive out of order (hence the sequence numbers), how are they gonna sync the keys appropriately in order for the message to be decrypted?

@Michael Pound / @ Computerphile How does the KDF ratchet impact the entropy of the derived keys? Will it degrade over time if a new DH ratchet is not performed?

honestly cant believe this is free. AWESOMEEEEEEEEEEEEEEE

Hi I keep watching your (awesome) vedios again and again , but I still can't manage to answer about ssl attacks that I have to do ( as work sheet ) . How do I reach you in person. To get some help answering the questions?

Please do a video on why his hands look so strange when the view of the paper is rotated

Love your video!

That was an awesome explanation... THANKS!!!! Does any one know how to create those wheels for a demo purposes...??

I honestly can't wait for the video that talks about how this applies to more than 2 people.

I love this guy.

Love this guy

If you do DH on every message do you need the other key derivation ratchets anymore?

Please do a video on threshold cryptography!!

Can you guys do a video on how the TFA in USB security keys works? And is there an independent way to verify that all these apps and TFA's and ciphers etc are doing what they say they're doing? Or do we just "trust" them.

in your original DH vid, you mentioned in passing that if Eve can modify parts of the DH exchange then all bets were off. does this protocol do anything to ameliorate that problem? thanks for the vids, Mike.

Question: if someone finds out a key at some point, if they don't miss out on any messages, why can they still figure out the next messages? i.e. why doesn't the DH ratchet exclude the intruders from future communication if they have the current keys?

Did they make that "other video" i rly want to know how this works in a group chat.

KDF is gonna rock you

How does this work for conversations with more than two people?

I watch almost all of the videos on this channel and I have no idea what 99% of them are about. Still love it though. Everytime I get something out of that 1%.

Alice and Bob in chains

@Computerphile so if DH rtchet is being reset so often that means that endpoint device is either storing the history of the reset values or rather more worringsome unencrypted messages. Is it actually the case or am I missing something? PS Huge fan of all of the videos

I'm sorry, they *do* carry out a DH exchange on every message? So, by the time I went online and sent receipt acknowledgements, our ratchets have been updated? When are they incremented normally then, only while one of the parties is offline, for that chunk of messages? And in that case, only one attempt at DH is "in-flight", since the further "offline" messages don't yet have a completed DH result to use? Or in reality, both parties store a queue of incomplete DH exchanges, so each message sent can complete one exchange and begin another?

I see I'm a bit late in this conversation, but I'd like a bit of clarification about the DH ratchet: I use Signal app, and want to know how this correlates; would this be the operation of manually resetting the session, or am I way off? Thanks for your time and consideration. Also gave this channel a thumb and a sub!

Very cool

Why would you not use a different KDF on the output of the ratchet, so that you can never know the state of the ratchet even if you have the message key?

Ho does group chats work then? Do they use multiple keys for each pair or one single key for a group? @computerphile

Is there the video for the group chat encryption?

If the keys are deleted as soon as the message is decrypted, how do you read messages from a long time ago? Are they encrypted on disk using a different mechanism?

and how are the keys are communicated? how is the first key communicated?

HI All, somehow it's not clear to me ,when the Diffie hellman ratchet forwards !Any thoughts ?

"You must never break the chain." -Stevie Nicks

I wonder if the ultimate potential for this is to integrate it with a blockchain like an Ethereum DAPP or put it on the IPFS, that way all the "server" computation is both decentralized and open to audit

9:05 I can just imagine the debug log: user:alice: "well that's, not right".

Does Viber also use a double ratchet?

attacking using ss7 will allow you to control the phone as if you was admin , you can then see all messages

It's like an enigma machine.

Can you maybe do video on quantum computers but more in a way to how it’s related to breaking asymmetric encryption? And how Shor’s algorithm would would do this?

Who else is watching this in 2021? suddenly super relevant!

Could you do a video on Telegram? Is it different? If I remember correctly, they got a lot of flak for implementing their own algorithm, but as far as I know, nobody could yet prove their implementation to be insecure.

6:30 - If Bob sends a new Diffie Hellman PK to make Alice's DH ratchet turn, can this PK not be copied by someone who is snooping, to turn their own DH ratchet, thus keeping in sync with Alice?

How about images? How are those incorporated in the e2ee? Because you can download older images.

Why not derive 2 keys with kdf first one use as input for the next round and second one as encryption key. So even encryption key is compromised the attatacker can not caculate the next key? Sure dh should be done in intervals too.

Danke

"in practice they [the DH ratchets] are sent every message" but why would one need the other ratchets then, if they get reset on each message? just so Alice goes through more than one key even though Bob never sent her a new DH one because his phone was off/he wasn't replying/etc?

Just curious. If people tend to tick Diffie Hellman Ratchet every message, and everything gets reset every message, why don't they just use the Diffie Hellman Ratchet?

*_...is he sending color-coded messages [_**_00:11_**_] red vs green [_**_00:31_**_]..._*

I think I'm a Mike Pound phile.

What about using multiple devices then? E.g. with Whatsapp you can use desktop app but you have to scan the QR from your mobile device, does it mean that's the moment when keys synchronization happens?

So forward secrecy is still broken if the DH gets revealed?

Maybe I'm misunderstanding this, but if the diffie-helman exchange is done for every message, doesn't that sort of make everything else redundant? The original goal of the ratchet algorithm was to make sure breaking a key didn't give access to all the past keys but that's not possible anyway if we keep resetting the ratchets everytime with a DH exchange right? Could someone please clarify this for me?

Hang on. If DH is getting done with each message, how can one end 'catch up' if it recognises that some messages from the other party have been lost? The end that hasn't received messages can't do the DH exchanges for those lost messages can it? And how can the sender create new KDF keys using DH each time if the remote isn't about to dl the DH exchange with? DH is an exchange isn't it? I must be missing something.

Why do u need a send and rec rachet, when u sent a DH with every Massage? Isnt it allrdy encrypted (enough) with a DH send?

what about telegram and it's mtproto protocol?

Can someone please, please tell me how homomorphic encryption works (databases)

9:15 so when a message gets sent by bob that says "ok this is message number 9 in the chain" and alice's chain is only 2 ticks long, she goes forward 7 ticks without DH exchanges? what if i send 100 messages while alice is offline and someone captures the first packet?

What if somebody cracks the private key of the DH ratchet? How is it future proof after that?

nice!

How can we know if what's app is actually doing all the encryption? I know we had the out of band number from the last episode, but how do we know they aren't just sending random numbers? Basically, can we prove they're doing encryption, or do we just have to take their word for it?

how do im applications that allow you to use multiple devices keep data secure? or do they just use have the server able to decrpyt it? eg i can send someone an im with facebook messenger on my phone, and then see there reply on my laptop?

Vs traditional PGP who wins?

transcriber is not enabled, what a pity!

Aren’t ratchet functions and trapdoor functions the same beast really? Cheers!

If you have a decent production team and the subject is sitting. it may be a good idea to use mmanual focus and just sit the subject in the plane of focus. Your video has some f focus hunting in the beginning. Hope that helps...

If I deleted the app in my device, does that mean I won't be able to read my previous messages even if I reinstall the app?

drink every time Dr. Mike Pound says diffie helman

So, is messenger more secure than the NSA messaging app?

Is this ratchet logic the reason why newly added participants to groups cannot usually see group message history?

How dose diffie hellman work in i grupp chat ?

I mean Mike Pound is great at explaining stuff but he does look a bit like a super villain.

christmas came early!

oh god he put Diffie-Hellman on the screen instead of just saying it, i've thought it was "Tiffy Hellman" this whole time

Whatsapp's backup and sync "feature" removes all the encryption and backs up the messages on their servers in plain text. So what's the point of their encryption, since pretty much everyone will have backup on by default, so even the messages you sent in Whatsapp will be backed up by the person you sent it to?

Damn that's smart

Signal Instant Messenger is by far the best choice. Whatsapp, Telegram, Viber -- these are not as good, even though at least one of them also use the same double ratchet (called the Signal protocol in fact). For one thing, Signal doesn't record metadata about the messages. The servers only record two pieces of information per user: The datetime when the user signed up for the service, and the datetime of the most recent message send/receive by the user--not even to/from data. So no malicious government/hacker/corporation can ever get more than minimal information. Whatsapp stores full metatdata. They know who talks to who and when, even if they don't know what's being said (which they might, if they alter the app on some seemingly innocuous update such that it ignores the double-ratchet). And they can correlate the metadata with all their other social graph info from Facebook/Instagram/Etc. Definitely a bad choice.

What I always wonder is: Are there any possibilities for the company (e.g. WhatsApp) to create a backdoor for secret services or anything like that?

Funny how it’s similar to how the Enigma works on a physical level.