There’s nothing obviously wrong with the paper, which deals solely with the anonymous credentials mechanism. It would be fine if the protocol existed in a vacuum, however in practice any request to the Signal service needs a way to get there, and this regular HTTP network journey leaks the user’s digital identity. Any person accessing or updating a group’s encrypted state is revealing their IP address to a Signal server in the process.
If the user has already identified themselves by the time they get to the anonymous credentials process, then the fact that they aren’t deanonymised yet again means nothing. They’ve already signed in at the front desk to enter the building: the fact you’re not making them sign in again means nothing. It doesn’t matter how good the cryptography is – it’s moot.
By analysing Signal’s log files, it would be very easy to create a list of every IP address belonging to each group. This seems to defeat the point of the anonymous credentials mechanism.
The Signal Groups V2 model moved the group-chat abstraction from the client to the server, entrusting Signal with a new power to list the members of each group (and also to know how many groups there are, when each group was created, and so on).
The usefulness of anonymous credentials under the new private group system rests wholly on trusting Signal to not keep logs. And, of course, you should assume that the Signal is logging everything (that’s why end-to-end encryption is a thing). Signal Groups V2 is a privacy downgrade
Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer