Providing Membership Privacy to the Asynchronous Ratcheting Trees Protocol without losing Scalability

Abstract

A secure messaging protocol, such as the Signal protocol, provides end-to-end encrypted asynchronous communication. This paper focuses on a secure group messaging (SGM) protocol, and proposes a method capable of hiding membership information from the viewpoint of non group members, which we call “membership privacy”. In this work, we add membership privacy to the Asynchronous Ratcheting Trees (ART) protocol (proposed by Cohn-Gordon et al., (ACM CCS 2018)). For hiding membership-related values in the setup phase, we employ a key-private and robust publickey encryption (Abdalla et al., TCC2010/JoC2018). Moreover, we introduce a group common key to encrypt membership information in the key update phase. Our modification achieves asymptotically the same efficiency of the ART protocol in the setup phase. Any additional cost for key update does not depend on the number of group members. Therefore, the proposed protocol can add membership privacy to the ART protocol with a quite small overhead. Specifically, one encryption and decryption of a symmetric-key encryption scheme and one execution of a key-derivation function for each key update are employed. Finally, we discuss how to extend our protocol to provide sender-specific authentication, dynamic groups, group-size hiding, and how to adopt our technique to the Messaging Layer Security (MLS) protocol. We note that, although Chase et al. (ACM CCS 2020) have considered the same notion, their proposal is an extension of Signal so called “Pairwise Signal” where a group message is repeatedly sent over individual Signal channels. Thus their protocol is not scalable.