The International Association for Cryptologic Research (IACR) has released a paper detailing a formal security audit it conducted of encrypted messaging app Signal.
The IACR has certified that it could not find any discernible flaws in the app, saying that it offers a well-designed and compromise-resistant architecture.
Signal was examined by a team of five researchers: Oxford University's information security Professor Cas Cremers and his PhD students Katriel Cohn-Gordon and Luke Garratt, Queensland University of Technology PhD Benjamin Dowling, and McMaster University Assistant Professor Douglas Stebila.
The paper, titled ‘A Formal Security Analysis of the Signal Messaging Protocol’, gives this vote of confidence because of the app's use of a double ratchet algorithm, which performs ephemeral key exchanges continually during each session. This minimises the amount of text that can be decrypted at any point should a key be compromised.
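A simplified sketch of the ratchet idea described above, added here as an illustration; it is not code from the paper or from Signal. The toy Diffie-Hellman group, the function names and the session layout are assumptions (Signal uses X25519 and a more involved key schedule); the sketch reports which message keys a single leaked chain key can reach.

```python
import hashlib, hmac, secrets

# Toy finite-field Diffie-Hellman group (assumption for this sketch only).
P = 2**255 - 19
G = 2

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(32, "big")

def kdf_root(root_key, dh_out):
    """Mix a fresh DH output into the root key; returns (new_root, new_chain)."""
    out = hmac.new(root_key, dh_out, hashlib.sha512).digest()
    return out[:32], out[32:]

def kdf_chain(chain_key):
    """Symmetric ratchet step; returns (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain, message_key

def run_session(rounds, per_round, leak_at):
    """Constructed session: returns (message keys by slot, leaked chain key)."""
    root = secrets.token_bytes(32)
    keys, leaked = {}, None
    for r in range(rounds):
        a_priv, a_pub = dh_keypair()   # fresh ephemeral keys every round
        b_priv, b_pub = dh_keypair()
        assert dh(a_priv, b_pub) == dh(b_priv, a_pub)
        root, chain = kdf_root(root, dh(a_priv, b_pub))
        for i in range(per_round):
            if (r, i) == leak_at:
                leaked = chain         # the one key assumed to be compromised
            chain, keys[(r, i)] = kdf_chain(chain)
    return keys, leaked

def exposed_messages(keys, leaked, steps):
    """Slots whose message keys can be derived from the leaked chain key."""
    derivable, chain = set(), leaked
    for _ in range(steps):
        chain, mk = kdf_chain(chain)
        derivable.add(mk)
    return sorted(slot for slot, mk in keys.items() if mk in derivable)
```

With three rounds of four messages and a leak at slot (1, 2), only slots (1, 2) and (1, 3) are reachable: earlier keys are behind a one-way step, and the next round's chain depends on a new key exchange.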
Speaking of the security of Signal, the authors commented that even testing the app was hard: “Providing a security analysis for the Signal protocol is challenging for several reasons. First, Signal employs a novel and unstudied design, involving over ten different types of keys and a complex update process which leads to various chains of related keys. It therefore does not directly fit into existing analysis models. Second, some of its claimed properties have only recently been formalised. Finally, as a more mundane obstacle, the protocol is not substantially documented beyond its source code.”
The researchers concluded that it is impossible to say whether Signal meets its goals, as there aren't any. However, their analysis proves it satisfies security standards, and the researchers added: "we have found no major flaws in its design, which is very encouraging".