What technical papers or patents describe Snapchat’s My Eyes Only encryption and key‑derivation methods?
Executive summary
None of the reporting gathered here contains a public, peer‑reviewed technical paper or a granted patent that documents the cryptographic algorithms or key‑derivation routines behind Snapchat's "My Eyes Only" (MEO). Snapchat's own materials describe client‑side encryption gated by a user passcode but stop short of publishing a precise scheme. Independent forensic writeups and community code snippets fill part of the gap by inference, for instance that the PIN is stored with bcrypt, and by noting caveats about recoverability [1] [2] [3] [4].
1. What the company says: client‑side encryption, passcode gate, no published algorithm
Snapchat's public-facing descriptions of MEO say that the feature encrypts saved Snaps and is protected by a user‑chosen password or PIN, and that even the company cannot view the contents without that passcode. The same materials, as far as this report covers them, do not name the cryptographic primitives or describe how a key is derived from the passcode [1] [2].
2. Forensic and community observations: practical behavior, caches and recoverability
Forensic practitioners and forums describe MEO as client‑side encrypted storage whose contents may nonetheless be recoverable under certain conditions, for example when snaps were viewed locally and remain in the app cache. Commercial forensic tools (AXIOM) and extraction appliances (GrayKey) have been updated to recover and decrypt MEO artifacts in many cases. The practical implication is that implementation details leak through device artifacts even though the algorithms are not published [4].
3. Specific technical signals reported by researchers and hobbyists: PIN storage and bcrypt
Third‑party code and writeups claim that Snapchat stores the 4‑digit MEO PIN as a bcrypt hash in an Android database (/data/data/com.snapchat.android/databases/memories.db), and community projects have automated brute‑force attempts against that stored hash on rooted Android devices. This indicates that Snapchat uses an established password‑hashing function for the PIN; it says nothing definitive about the scheme that encrypts the media itself or the key‑derivation function that protects it [3].
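To make the risk in this section concrete, here is an added stdlib-only Python helper (not Snapchat's code, nor any community project's) that parses a bcrypt string of the kind those writeups describe and scales a measured per-hash time to the hash's cost factor, showing that a 4-digit numeric keyspace stays small however the cost is tuned. The sample hash string and the 0.25 s per-verification timing are constructed assumptions.

```python
import re
from dataclasses import dataclass

# bcrypt modular-crypt format: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


@dataclass(frozen=True)
class BcryptHash:
    variant: str   # e.g. "2b"
    cost: int      # log2 of the key-setup rounds; bcrypt work scales as 2**cost
    salt: str      # 22 chars of bcrypt's base64 alphabet (128-bit salt)
    digest: str    # 31 chars of the same alphabet (23-byte digest)


def parse_bcrypt(s: str) -> BcryptHash:
    """Split a bcrypt string into its fields, rejecting anything malformed."""
    m = _BCRYPT_RE.fullmatch(s)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    variant, cost, salt, digest = m.groups()
    if not 4 <= int(cost) <= 31:
        raise ValueError(f"bcrypt cost {cost} outside the valid 4..31 range")
    return BcryptHash(variant, int(cost), salt, digest)


def is_bcrypt(s: str) -> bool:
    """True when the string parses as a well-formed bcrypt hash."""
    try:
        parse_bcrypt(s)
        return True
    except ValueError:
        return False


def pin_keyspace(digits: int) -> int:
    """Number of distinct values for an all-numeric PIN of the given length."""
    return 10 ** digits


def seconds_to_exhaust(h: BcryptHash, digits: int, timing: tuple[int, float]) -> float:
    """Worst-case time to verify every PIN, scaling a (cost, seconds) timing to h.cost."""
    ref_cost, ref_seconds = timing
    per_hash = ref_seconds * 2 ** (h.cost - ref_cost)
    return pin_keyspace(digits) * per_hash


# Constructed sample (not a real hash): cost 12, 22-char salt, 31-char digest.
SAMPLE = "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

if __name__ == "__main__":
    h = parse_bcrypt(SAMPLE)
    for n in (4, 6, 8):  # assumed: 0.25 s per verification at cost 12 on one core
        print(f"{n}-digit PIN, cost {h.cost}: worst case {seconds_to_exhaust(h, n, (12, 0.25)) / 3600:.1f} h")
```

The comparison across PIN lengths is the point for a defender: lengthening the passcode multiplies the work by 100 per two digits, while each extra unit of bcrypt cost only doubles it.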
4. Speculation in guides and blog posts: AES and symmetric schemes, but no authoritative confirmation
Several tutorials and security blogs speculate, reasonably, that MEO uses symmetric cryptography such as AES (in CBC or GCM mode) with keys derived on the client from the user's passcode. These are inferences, not citations of a Snapchat whitepaper or patent; neither Snapchat's own documentation nor the reporting collected here provides a definitive algorithm specification or a KDF claim [5] [6] [7].
5. Broader context: company‑level encryption posture and limited public disclosure
Snapchat has discussed and demonstrated limited use of end‑to‑end encryption for certain snaps and has presented on its encryption strategy at security conferences. Even so, public materials and secondary reporting in the sources provided indicate that Snapchat has not released a formal technical paper or patent detailing MEO's encryption primitives or key‑derivation math. The available evidence is a mixture of company marketing, forensic practice notes, and community reverse engineering [8] [9] [4].
6. What’s missing and what that means for researchers and litigators
No patent filings or academic or industry technical papers describing the exact MEO cryptosystem or KDF appear in the supplied reporting. Researchers therefore have to rely on device artifacts, forensic tool disclosures, and constrained vendor statements to infer behavior. Without a Snapchat whitepaper or patent disclosure in these sources, definitive claims about algorithm names, cipher modes, or iteration counts are unsupported by the record [1] [4] [3].