2025-10-17 –, Alan Turing
Access control is at the core of any system's security, but it is usually provided by a single, centralized server. Access control in a Matrix room, however, is decentralized: every participating server independently decides who is authorized to send and receive which events, without consulting any other server. To the surprise of many, these decisions are still eventually consistent even if all but one server are malicious, but seeing why requires a new way of thinking about access control. I will explain the necessary design patterns from decentralized systems science, and show how they can be woven together into a practical explanation of what Matrix is, and why Matrix can reach its astonishing levels of security and resilience.
In this talk, I provide a primer on design patterns from decentralized systems theory, and explain what they mean for the current and future design of Matrix in practice. I will start with concurrency as the root of all problems in decentralized systems, and show how network partitions and arbitrarily malicious servers stand in the way of consistency. Based on these problems, I will explain conflict-free replicated data types (CRDTs) and hash linking as the solution that still lets a Matrix room eventually converge at all benevolent servers. Finally, I will show you my "access control to the best of knowledge and belief" way of thinking about eventually consistent access control in Matrix: you need to think in terms of two authorization decisions per event, one of which is final on receiving the event, while the other may keep changing as new concurrent events arrive.
Florian Jacob started to pursue his Ph.D. on the scientific foundations of Matrix at the Karlsruhe Institute of Technology in 2019, and has since worked there as a scientific staff member in the Decentralized Systems and Network Services research group. His research interests are the security and resilience of decentralized communication and collaboration systems like Matrix, specifically in formalizing and verifying the properties of event authorization and dissemination in the systems' replicated data structures.