Signal: operations that involve sending your contacts (like contact discovery) use a pattern Signal invented where the client can validate the software running on the server. The server runs inside the SGX secure enclave. Before your client sends any data, it performs remote attestation on the running server code to ensure it matches the published open source code.
Keep in mind that SGX is not as secure as advertised[1][2].
Also whole security dangles on Intel to be trusted to not give its private keys to anyone. Which is a big ask for any company. NSA/CIA likely can get those keys legally via FISA court order or illegaly via hacking and/or insider.
Sure, but the question wasn't "does the NSA have access to data", it was "how do we know that information isn't stored."
The answer is that signal includes an industry-leading attestation process using CPU security features.
It's true that if the CPU manufacturer is compromised that would compromise anything running on it, including attestation. But that's not really to do with Signal's implementation, and it is out of scope of the question.
Sure, but the question wasn't "does the NSA have access to data", it was "how do we know that information isn't stored."
The answer is that signal includes an industry-leading attestation process using CPU security features. If the CPU manufacturer is compromised that would compromise anything running on it, including attestation. But that's not a flaw in Signal's implementation, and it is out of scope of the question.
See the full explanation at https://signal.org/blog/private-contact-discovery/ (starts part way down, with "trust but verify"). Or check the client source code yourself!
Telegram: I dunno, they.re closed source, don't encrypt by default, and have shady ownership. I don't trust them at all, personally.