Signal, the maker of the encrypted messaging app of the same name, is working on a new system that allows people to set up private groups with administrators and access control while storing the membership information on a central server rather than on each individual device.
The private group feature is simple in concept but proves to be quite complicated to implement. Signal, like many other messaging apps, provides people with the ability to create their own ad hoc groups. Right now, the private group feature in Signal uses a distributed architecture in which the list of members and the state of the group is stored on each group member’s device. The main advantage of this design is that it prevents Signal from having to store any of the group’s information in plaintext on a central server that could be subject to attack or law enforcement action. Signal is built to minimize the amount of information that the service has on any user, and its private group feature was designed with that in mind.
“The group conversation scheme that we introduced in 2014 was built on the existing pairwise encrypted channels that are already used in one-on-one Signal conversations. Clients send group messages to each other tagged with a Group ID (a random 128-bit secret that cannot be guessed), and they also exchange group state updates – such as the group’s name, attributes, and membership – via the same method. Clients never tell the service which messages are group messages or individual messages, or who is in the group. Instead, clients tell each other what they need to know,” Jim O’Leary, vice president of engineering at Signal, wrote in a post explaining the new feature.
That approach has some limitations in terms of controlling access to groups and controlling the amount of authority a given group member has. So Signal is working on a new system that stores information about the group’s members and the state of the group in encrypted form on a server but still allows members to authenticate and prove membership without revealing their identities. Signal’s approach to the problem of allowing a user to prove her identity without the service knowing her identity is to use a modified anonymous credential called a keyed-verification anonymous credential (KVAC).
The concept of a KVAC was introduced in a 2013 paper by researchers from Microsoft Research and the University of California at San Diego and is designed to address the problem of one party both issuing and verifying user credentials. Their approach uses message authentication codes (MACs), and Signal engineers worked with two of the paper’s authors to develop a modified version of their scheme that also supports the ability to prove that a credential matches some encrypted plaintext.
“Using these encryption-compatible KVACs, group members can be issued authentication credentials by the service for their user identity (UID), and can then authenticate by proving to the server they have an auth credential issued over the same user identity (UID) as some encrypted group membership entry, without revealing their UID or anything else,” O’Leary said.
In practice, Signal’s new scheme allows one person to be an administrator of a given group and exert some control over who can join the group. The Signal server stores an encrypted list for the group, and each entry in that list is the UID encrypted with the GroupMasterKey. For the administrator to add someone new, she gives the server a proof that she owns an AuthCredential for a specific entry in the list.
“We call this a ‘presentation’ of the AuthCredential, but it’s more complicated than just sending the AuthCredential; if Alice did that, the server would be able to correlate the received AuthCredential with the AuthCredential that it issued. Instead, Alice presents a randomized form of the credential and uses some ‘Schnorr’ and ‘Fiat-Shamir’ magic to prove a relationship to the ciphertext without revealing anything else,” O’Leary said.
With that done, the administrator can then add a new member to the group by sending the server the member’s encrypted UID. In an enterprise setting, this system could be quite useful for setting up secure communications for distributed teams.
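The following is a toy model of the presentation flow described above, added here as an illustration; it is not Signal’s code, the paper’s code, or a specification of Signal’s protocol. It assumes a MAC_GGM-style tag (u, u^(x0 + x1·uid)) as the AuthCredential, ElGamal encryption of the group entry as a stand-in for the GroupMasterKey encryption, and a small order-q subgroup of Z_p* with p = 2^127 − 1 that is readable but far too small to be secure. The names Server, issue, present, check_presentation, C_m, C_u and V are assumptions of this example. What it shows is the shape of the idea in the quote: the server issues a credential it alone can check, the holder re-randomizes it so the server cannot correlate it with the one it issued, and a Fiat-Shamir Schnorr proof ties the hidden UID in the credential to the UID inside the ciphertext without revealing it.

```python
"""Toy KVAC presentation. Added illustration, not Signal's code.

Assumptions: MAC_GGM-style tag (u, u^(x0 + x1*uid)) as the credential;
ElGamal for the entry, a stand-in for Signal's GroupMasterKey encryption;
an order-q subgroup of Z_p* with p = 2^127 - 1 (readable, not secure).
"""
import hashlib
import secrets

P = 2**127 - 1      # prime
Q = 77158673929     # largest prime factor of p - 1; the order of our subgroup


def subgroup_elem(seed: bytes) -> int:
    """Map a seed to a non-identity element of the order-q subgroup."""
    x = int.from_bytes(hashlib.sha256(seed).digest(), "big") % (P - 2) + 2
    while (e := pow(x, (P - 1) // Q, P)) == 1:
        x += 1
    return e


G, H = subgroup_elem(b"g"), subgroup_elem(b"h")   # independent generators

def rand_scalar() -> int:
    return secrets.randbelow(Q - 1) + 1

def inv(x: int) -> int:
    return pow(x, P - 2, P)

# Generic Fiat-Shamir proof for relations target == prod(base ** witness) mod p.
# A statement is (target, {witness_name: base}); reusing a witness name across
# statements is what ties the UID in the commitment to the UID in the ciphertext.
def challenge(statements, commitments) -> int:
    h = hashlib.sha256()
    for (target, bases), t in zip(statements, commitments):
        h.update(f"{target}:{sorted(bases.items())}:{t};".encode())
    return int.from_bytes(h.digest(), "big") % Q

def prove(statements, witnesses):
    nonces = {w: rand_scalar() for w in witnesses}
    commitments = []
    for _, bases in statements:
        t = 1
        for name, base in bases.items():
            t = t * pow(base, nonces[name], P) % P
        commitments.append(t)
    c = challenge(statements, commitments)
    return commitments, {w: (nonces[w] + c * witnesses[w]) % Q for w in witnesses}

def verify(statements, proof) -> bool:
    commitments, responses = proof
    c = challenge(statements, commitments)
    for (target, bases), t in zip(statements, commitments):
        lhs = 1
        for name, base in bases.items():
            lhs = lhs * pow(base, responses[name], P) % P
        if lhs != t * pow(target, c, P) % P:
            return False
    return True

def statements(u, C_m, V, E1, E2, Y, X1):
    """Relations both sides build identically; witnesses are m (UID), z, r, k."""
    return [
        (C_m, {"m": u, "z": H}),        # C_m = u^m * h^z    commitment to the UID
        (V, {"z": X1, "r": inv(G)}),    # V   = X1^z * g^-r  holds iff the tag is valid
        (E1, {"k": G}),                 # E1  = g^k          ElGamal entry, part 1
        (E2, {"m": G, "k": Y}),         # E2  = g^m * Y^k    same m as in C_m
    ]

class Server:
    def __init__(self):
        self.x0, self.x1 = rand_scalar(), rand_scalar()   # secret MAC key
        self.X1 = pow(H, self.x1, P)    # published issuer parameter

    def issue(self, uid: int):
        u = pow(G, rand_scalar(), P)    # AuthCredential = (u, u^(x0 + x1*uid))
        return u, pow(u, (self.x0 + self.x1 * uid) % Q, P)

    def check_presentation(self, pres, entry) -> bool:
        u, C_m, C_u, proof = pres
        E1, E2, Y = entry
        # Keyed verification: with a valid tag, u^x0 * C_m^x1 / C_u equals
        # X1^z * g^-r, which only a holder knowing z and r can prove.
        V = pow(u, self.x0, P) * pow(C_m, self.x1, P) * inv(C_u) % P
        return verify(statements(u, C_m, V, E1, E2, Y, self.X1), proof)

def encrypt_entry(uid: int, y: int):
    """ElGamal-encrypt g^uid under group key Y = g^y; returns (entry, nonce k)."""
    Y, k = pow(G, y, P), rand_scalar()
    return (pow(G, k, P), pow(G, uid, P) * pow(Y, k, P) % P, Y), k

def present(cred, uid: int, entry, k: int, X1: int):
    """Randomize the credential and prove it was issued over the entry's UID."""
    u0, tag0 = cred
    a, z, r = rand_scalar(), rand_scalar(), rand_scalar()
    u, tag = pow(u0, a, P), pow(tag0, a, P)         # unlinkable re-randomization
    C_m = pow(u, uid, P) * pow(H, z, P) % P         # hides the UID
    C_u = tag * pow(G, r, P) % P                    # hides the MAC tag
    V = pow(X1, z, P) * pow(inv(G), r, P) % P       # holder's view of V
    E1, E2, Y = entry
    proof = prove(statements(u, C_m, V, E1, E2, Y, X1),
                  {"m": uid, "z": z, "r": r, "k": k})
    return u, C_m, C_u, proof
```

Usage: `srv = Server(); cred = srv.issue(uid); entry, k = encrypt_entry(uid, y); srv.check_presentation(present(cred, uid, entry, k, srv.X1), entry)` returns True for an honest holder, while a presentation against an entry encrypting a different UID, or with a credential issued under another server’s key, fails. Each call to `present` produces a fresh `u`, so two presentations of the same credential cannot be matched to each other or to the issued value, which is the point of the randomization the quote describes.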