That means that you’re not safe to store known files your local dictator doesn’t like, doesn’t it? Wouldn’t a sort of per-user salt allow the same functionality and give more confidentiality?
If there is a "Revolution Plan (WIP)" document shared amongst a few agitators, and someone in power gets their hands on it (and its "checksum" or whatever), then can they figure out _who else_ has it?
More or less, yes. Apple could search for a list of iCloud users with that hash in their account and single them out without breaking the encryption (not that they can't do that too).
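The exchange above, as an added example that is not part of the thread and not Apple's implementation: a content-derived identifier shared by all accounts lets anyone holding the index and a known file list its holders, while an identifier keyed with a per-user secret does not, at the cost of cross-user dedupe. The function names, account names and file bytes are constructed for illustration, and the per-user salt is assumed to be a secret the index holder never sees.

```python
import hashlib
import hmac
import os

def global_id(data: bytes) -> str:
    """Identifier derived from content only: identical for every account."""
    return hashlib.sha256(data).hexdigest()

def per_user_id(user_salt: bytes, data: bytes) -> str:
    """Identifier keyed with a per-user secret: differs between accounts."""
    return hmac.new(user_salt, data, hashlib.sha256).hexdigest()

def build_index(accounts, salts=None):
    """Storage-side view: identifier -> set of accounts holding that blob."""
    index = {}
    for user, files in accounts.items():
        for data in files:
            fid = per_user_id(salts[user], data) if salts else global_id(data)
            index.setdefault(fid, set()).add(user)
    return index

def holders_of(index, known_file: bytes):
    """What a party with the index and a known file (but no salts) can learn."""
    return index.get(global_id(known_file), set())

# Constructed sample data, not real files or accounts.
PLAN = b"Revolution Plan (WIP)\n(constructed sample bytes)"
ACCOUNTS = {
    "alice": [PLAN, b"holiday photo bytes"],
    "bob": [b"recipe bytes"],
    "carol": [PLAN],
}
# Assumption: each salt is generated and kept on the user's own devices.
SALTS = {user: os.urandom(32) for user in ACCOUNTS}

if __name__ == "__main__":
    shared = build_index(ACCOUNTS)
    salted = build_index(ACCOUNTS, SALTS)
    print("global ids   :", len(shared), "blobs, holders:", sorted(holders_of(shared, PLAN)))
    print("per-user ids :", len(salted), "blobs, holders:", sorted(holders_of(salted, PLAN)))
```

If the storage provider also knows the salts, it can recompute each account's identifier for the known file, so the salt only helps when it stays client-side.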
My understanding of how E2E encrypted iMessage works is that in group chats it does indeed send 30 copies of your messages, individually encrypted for each recipient in the group.
Perhaps they're doing multi-recipient encryption, i.e. the data is wrapped with one key, and that private key is then encrypted with the public key of each recipient, so everyone ends up using the same private key to decrypt the file data itself. This means the actual file data isn't sent 20+ times (although the data is indeed stored in everyone's Messages backups separately; if Apple is doing de-dupe based on file data+filename, they're probably benefiting from deduping group message images).
> APNs can only relay messages up to 4 or 16KB in size, depending on the iOS or iPadOS version. If the message text is too long or if an attachment such as a photo is included, the attachment is encrypted using AES in CTR mode with a randomly generated 256-bit key and uploaded to iCloud.
Only the attachment encryption key and URL need to be encrypted to each recipient.