Technology Preview: Signal Private Group System

Groups are inherently social, and Signal is a social app. Whether you’re planning a surprise party, discussing last night’s book club meeting, exchanging photos with your family, or organizing something important, group messaging has always been a key feature of Signal. Signal provides private groups: the Signal service has no record of your group memberships, group titles, group avatars, or group attributes. We’ve been working on new private group technology that will enable group administrators and access control, improve group scalability, and set the stage for a much richer group experience – all while maintaining Signal’s unique group security and privacy properties. We’re moving into the future while keeping what we loved about the past.

Retrospective: Groups without groupthink

You can’t send a message to everyone in a group unless you know who is in it. Group members also need to be able to retrieve the latest group state in order to render it: group name, group avatar, group membership, as well as any other optional elements (such as a pinned group welcome message).

This data is sensitive, but the traditional approach to managing group state is storing it in a plaintext database on a server. This makes it simple for clients to retrieve the latest group state, and for the server to enforce access control and consistency through a basic API, so it’s what basically everyone else does.

 ────────────────────────────────────────────────────────────────────────────────────────────
| id  | group_name        | avatar          | members                  | welcome_message     |
 ────────────────────────────────────────────────────────────────────────────────────────────
| 765 | "Surprise party!" | "party-hat.jpg" | sofia (admin), wei, hugo | "Don't tell Alice!" |
| 766 | "Book Club Ideas" | "library.png"   | jakob, saanvi (admin)    | "Les Mis again?"    |
| 767 | "Finals Week"     | "crying.gif"    | bob, lucia (admin), leo  | "Only 4 days left"  |
 ────────────────────────────────────────────────────────────────────────────────────────────

The obvious downside is that this enables the server (and therefore anyone who compromises or subpoenas the server) to see all of this private information. The server knows everything about all groups, and it can also surreptitiously modify group membership and other group attributes.

This isn’t what we wanted for Signal. The group conversation system that we introduced in 2014 was built on the existing pairwise encrypted channels that are already used in one-on-one Signal conversations.

Clients send group messages to each other tagged with a Group ID (a random 128-bit secret that cannot be guessed), and they also exchange group state updates – such as the group’s title, attributes, and membership – via the same method. Clients never tell the service which messages are group messages or individual messages, or who is in the group. Instead, clients tell each other what they need to know.

This approach hasn’t been perfect. If two group members try to update the group state at the same time, this can create a race condition as these messages cross paths. It’s unclear which update should be treated as authoritative, and this can lead to divergence in the members’ view of the current state.

It also largely prevents role-based access control: every group member in Signal has the same permissions because what you learn about the group is entirely what other people tell you. Their group state may not be accurate, or they could claim to be a role they really aren’t.

Some readers might recognize these as problems inherent to distributed systems. They require building complex consensus protocols like Paxos or Raft to solve robustly, which are unfortunately impractical to implement across inconsistently connected asynchronous clients running on mobile phones.

So even though we would never accept the inadequate security associated with storing huge amounts of sensitive group data server-side in plaintext, we have looked longingly at the simplicity of a single source of truth and how much more would be possible with it. Ideally, we could somehow create the best of both worlds: a single source of truth that clients can easily reference, but privacy preserving.

Return of the MAC

Let’s try to build a system that stores group data privately, but canonicalized on a server. Clients in a group could share a symmetric key and use it to encrypt group information so that it can be stored on the service, but in a way that is totally opaque to the service.

 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
| id  | group_name                          | avatar         | members                                                 | welcome_message                                         |
 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
| 765 | "E2jP6c8LB8ESLdTNy/tingqAZFj2so8s=" | encrypted-file | "2wb5fLpn1yun0acrEbVifXAf566ONu4nwhL2/GDntYdxxn30pejHj" | "uJjNnyiPnMmfFtXpMkhFA/v9NQQfllfSJ7dYZWBkfTJvIw/jpy4+s" |
| 766 | "vNea+GD5bETfL4YS2g/Flhz2lrikq6vY=" | encrypted-file | "Y+bt/qjxu8pacBVYyBGJAoVPlIH9T4LeKwoCqf8KeOMMG5s5mU+mY" | "hKSQ2HnDoHvpwuxBCaCuvJXwjIq+U9cQ="                     |
| 767 | "dil09QiiGNlt5TajrmfqVs/6VZnk6eSE=" | encrypted-file | "+v2Hh1Sh0X64kpAyhXvsn7tuhrNuOpiq1L6VpMV4jvnqzzf+taKdE" | "L+88zl5AXn+5aY3k/CXDTTLyhJwRnAuojqAksXtNmoxyCdAi/PeJS" |
 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

But there’s a snag: the service won’t be able to authenticate users, enforce who is allowed to fetch and modify group entries, or validate their contents if the service is unable to read the data. The inherent contradiction is that the service needs to authenticate whether a membership record corresponds to the user making a request, but the user doesn’t want the service to know who they are. This is the type of problem that anonymous credentials were invented to solve. With an anonymous credential system, the service could issue authentication credentials to clients. Those clients could later prove ownership of a credential, as well as facts about attributes bound into the credential, without revealing anything else.

Historically, most anonymous credential schemes enable the credential issuer and credential verifier to be different parties, which is achieved by using complex and costly public-key signature algorithms. These costs are one reason anonymous credentials have seen limited real-world use. However, in Signal’s case the issuer and the verifier would be the same party (the Signal service), which raises the possibility of using more efficient MAC-based keyed-verification anonymous credentials (KVACs) – a concept introduced several years ago by Melissa Chase, Sarah Meiklejohn, and Greg Zaverucha.

Unfortunately, existing efficient KVAC schemes (like the Chase-Meiklejohn-Zaverucha scheme which introduced the KVAC concept) don’t support efficient verification that a credential attribute matches some encrypted plaintext. So we worked with Melissa Chase and Greg Zaverucha on an extension of this scheme that supports this property.

Using these encryption-compatible KVACs, group members can be issued authentication credentials by the service for their user identity (UID), and can then authenticate by proving to the server they have an auth credential issued over the same user identity (UID) as some encrypted group membership entry, without revealing their UID or anything else.

A couple of problems remain:

(1) There’s a catch-22 here: clients have to prove their credential matches some ciphertext before they’re allowed to download the ciphertext.

(2) Because encrypted entries do not reveal anything about the plaintext within, a malicious client could simply add the same UID over and over, potentially making themselves difficult to delete or confusing the server’s access control rules.

Fortunately, both problems have the same solution: if the encryption procedure is made deterministic so the same UID always encrypts to the same ciphertext within a group, then the client can recreate their ciphertext without fetching it, and servers can easily detect and reject duplicate entries.

Grouping it all together

Let’s take a look at this system in action. Suppose Alice has an AuthCredential for her UID, and a GroupMasterKey (only known by group members, not the server) for some particular group. The server stores an encrypted membership list for the group. Each entry in the membership list is an encryption of some UID with the GroupMasterKey.

To add Bob to the group, Alice must first prove to the server that she is allowed to make this change. Alice provides a zero-knowledge proof to the server that she possesses an AuthCredential matching some particular entry.

We call this a “presentation” of the AuthCredential, but it’s more complicated than just sending the AuthCredential; if Alice did that, the server would be able to correlate the received AuthCredential with the AuthCredential that it issued. Instead, Alice presents a randomized form of the credential and uses some “Schnorr” and “Fiat-Shamir” magic to prove a relationship to the ciphertext without revealing anything else; see the paper for details.

After Alice proves to the server that she matches some entry, she sends the server a new entry encrypting Bob’s UID. Alice also sends Bob the GroupMasterKey via an encrypted Signal message.

Now that Bob is a member of the group, he’d like to learn who’s in the group. He can prove he is a member using his AuthCredential, then download all the entries and decrypt them with the GroupMasterKey. If he has been granted the appropriate role, Bob could also add Charlie to the group, just like Alice added him.
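The deterministic-entry idea from the previous section and the add-and-fetch flow described here can be sketched together. This is an added illustration, not Signal's code: it uses an HMAC-based synthetic-IV cipher as a stand-in for the credential-compatible encryption in the paper, and a plain membership lookup (`_authorize`) as a stand-in for the zero-knowledge AuthCredential presentation. All function and class names are hypothetical.

```python
import hashlib
import hmac
import uuid

def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()[:16]

def encrypt_uid(group_master_key, uid):
    # Synthetic IV derived from the plaintext: same key + UID -> same entry.
    siv = _prf(group_master_key, b"siv", uid.bytes)
    pad = _prf(group_master_key, b"pad", siv)
    return siv + bytes(a ^ b for a, b in zip(uid.bytes, pad))

def decrypt_uid(group_master_key, entry):
    siv, body = entry[:16], entry[16:]
    pad = _prf(group_master_key, b"pad", siv)
    raw = bytes(a ^ b for a, b in zip(body, pad))
    if not hmac.compare_digest(siv, _prf(group_master_key, b"siv", raw)):
        raise ValueError("entry was not created with this GroupMasterKey")
    return uuid.UUID(bytes=raw)

class GroupServer:
    """Holds opaque entries only; it never sees a UID or a GroupMasterKey."""
    def __init__(self):
        self.groups = {}

    def create_group(self, group_id, creator_entry):
        self.groups[group_id] = {creator_entry}

    def _authorize(self, group_id, requester_entry):
        # Stand-in for the zero-knowledge AuthCredential presentation.
        if requester_entry not in self.groups.get(group_id, set()):
            raise PermissionError("requester matches no entry in this group")

    def add_member(self, group_id, requester_entry, new_entry):
        self._authorize(group_id, requester_entry)
        if new_entry in self.groups[group_id]:
            return False  # duplicate UID ciphertext is detected and rejected
        self.groups[group_id].add(new_entry)
        return True

    def fetch_members(self, group_id, requester_entry):
        self._authorize(group_id, requester_entry)
        return sorted(self.groups[group_id])

def run_flow():
    key = hashlib.sha256(b"constructed GroupMasterKey").digest()
    alice, bob = uuid.UUID(int=1), uuid.UUID(int=2)  # constructed UIDs
    server = GroupServer()
    server.create_group(765, encrypt_uid(key, alice))
    added = server.add_member(765, encrypt_uid(key, alice), encrypt_uid(key, bob))
    again = server.add_member(765, encrypt_uid(key, alice), encrypt_uid(key, bob))
    # Bob recreates his own entry locally, then downloads and decrypts the list.
    entries = server.fetch_members(765, encrypt_uid(key, bob))
    return added, again, {decrypt_uid(key, e) for e in entries}
```

Because entries are derived from the GroupMasterKey, the same UID produces unrelated ciphertexts in different groups, so the server cannot link a member across groups by comparing entries.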

Signal Private Group System demo

You are invited to join this conversation

We encourage you to explore the latest draft of the paper that covers this topic in more detail, including some features we’ll dig into in later blog posts. Please share your input on the Signal Community Forum. Your feedback is valuable, and we are excited to begin implementing these group enhancements in Signal over the coming months. Thank you to Melissa Chase and Greg Zaverucha from Microsoft Research for collaborating on this research, Trevor Perrin for doing all of the heavy lifting on the Signal side, and extra group gratitude to Dan Boneh, Isis Lovecruft, Henry de Valence, and Jan Camenisch for discussions that deepened our understanding of this problem space.
