Mobile Private Contact Discovery at Scale

Daniel Kales (Graz University of Technology), Christian Rechberger (Graz University of Technology), Thomas Schneider (TU Darmstadt), Matthias Senker (TU Darmstadt), Christian Weinert (TU Darmstadt)

USENIX Association, 28th USENIX Security Symposium, p. 1447

Abstract

Mobile messengers like WhatsApp perform contact discovery by uploading the user's entire address book to the service provider. This allows the service provider to determine which of the user's contacts are registered to the messaging service. However, such a procedure poses significant privacy risks and legal challenges. As we find, even messengers with privacy in mind currently do not deploy proper mechanisms to perform contact discovery privately.

The most promising approaches addressing this problem revolve around private set intersection (PSI) protocols. Unfortunately, even in a weak security model where clients are assumed to follow the protocol honestly, previous protocols and implementations turned out to be far from practical when used at scale. This is due to their high computation and/or communication complexity as well as lacking optimization for mobile devices. In our work, we remove most obstacles for large-scale global deployment by significantly improving two promising protocols by Kiss et al. (PoPETS'17) while also allowing for malicious clients.

Concretely, we present novel precomputation techniques for correlated oblivious transfers (reducing the online communication by factor 2x), Cuckoo filter compression (with a compression ratio of ≈70%), as well as 4.3x smaller Cuckoo filter updates. In a protocol performing oblivious PRF evaluations via garbled circuits, we replace AES as the evaluated PRF with a variant of LowMC (Albrecht et al., EUROCRYPT'15) for which we determine optimal parameters, thereby reducing the communication by factor 8.2x. Furthermore, we implement both protocols with security against malicious clients in C/C++ and utilize the ARM Cryptography Extensions available in most recent smartphones. Compared to previous smartphone implementations, this yields a performance improvement of factor 1,000x for circuit evaluations. The online phase of our fastest protocol takes only 2.92s measured on a real WiFi connection (6.53s on LTE) to check 1,024 client contacts against a large-scale database with 2^28 entries. As a proof-of-concept, we integrate our protocols in the client application of the open-source messenger Signal.

1 Introduction

After installation, mobile messaging applications first perform a so-called contact discovery. This allows new users to automatically connect with all other users of the messaging service whose phone numbers are stored in their address book. There exist various ways to perform contact discovery. For example, WhatsApp simply uploads the user's entire address book on a regular basis to match contacts [1].

However, revealing all personal contacts to a service provider poses significant privacy risks: from the social graph of users a variety of personal information can be inferred, and journalists, for example, may need to cover the identity of some of their informants to protect whistleblowers from potential consequences. When installing a mobile messaging application, users also jeopardize the privacy of people who are not even connected to the particular service by transmitting their contact information without consent. An illustrative example of a severe breach of privacy can be seen in the case of WhatsApp, which was acquired by Facebook in 2014 and shared its database with the parent company: Facebook users received friend recommendations of strangers who happened to see the same psychiatrists [33].

Unfortunately, applying simple protection mechanisms like hashing the phone numbers of contacts locally before the upload to the service provider is not helpful, since these hashes are vulnerable to brute-force and dictionary attacks due to the relatively small range of possible pre-images. Furthermore, the service provider can still tell whether two users share a contact even a long time after running the discovery routine by storing the received hash values. Custom wrappers (1) for messaging applications can somewhat circumvent these problems by allowing users to manually select contacts to expose to the messaging application. However, this approach only protects the contacts of users actually using such custom wrappers. Furthermore, manually selecting the contacts to match is a usability problem.

(1) e.g., https://www.backes-srt.com/en/solutions-2/whatsbox

One possible solution to this dilemma is to apply a particular form of secure two-party computation. In general, secure two-party computation allows parties P1 and P2 to jointly compute a publicly known function f on their respective inputs X1 and X2 such that the parties learn no information from the protocol execution but the result. The research area of private set intersection (PSI) focuses on optimized protocols for the case where X1 and X2 are sets of elements, and f is the intersection function. PSI has been studied in great depth in the past years, yielding very efficient protocols (e.g., [41, 51]) based on oblivious transfer extensions (OTe, cf. [4, 36, 39]). However, while these protocols are very efficient in many scenarios, they turn out to be impractical for use-cases like private contact discovery on mobile devices, where the input set of the service provider is much larger (sometimes by a factor of a few million) than the input set of the user. This is because the online phase of these protocols (which depends on the actual inputs) has a computation and communication complexity that is linear in the size of the larger set.

Therefore, other PSI protocols for the case of unbalanced set sizes were developed (e.g., [19, 21, 40, 59]). However, only [40] actually provides an implementation on real mobile smartphone clients. The experiments performed by the authors of [40] show a rather large discrepancy between protocol execution on x86-based PC hardware and Android smartphones, where performance-critical cryptographic operations are implemented in Java. In fact, their performance results do not encourage real-world deployment. For example, their fastest protocol that can easily be made secure against malicious clients requires more than 52s on a smartphone with WiFi connection to check a single client contact against a database with only 2^20 entries.

The developers of Signal, a mobile messaging service similar to WhatsApp but with a focus on privacy, considered the use of PSI protocols for contact discovery. However, they refrained from actually implementing PSI since the academic research in PSI and the related private information retrieval (PIR) protocols "is quite a disappointment" [44]. Instead, they presented a technology preview that protects the contact discovery task on the server side with Intel Software Guard Extensions (SGX), a trusted execution environment that can be attested by remote users [45]. In theory, this yields a secure contact discovery service with negligible performance overhead compared to plain computation. However, Intel SGX is a proprietary engineering-driven solution with no cryptographic security guarantees and vulnerable to severe attacks, e.g., the recent Foreshadow attack [16] managed to reliably extract confidential data from enclaves. Moreover, some fixes for hardware security designs such as Intel SGX

Thus, we revisit state-of-the-art unbalanced PSI protocols which provide cryptographic security and show that, using new optimizations and native implementations, they turn out to be practical on modern smartphones. Furthermore, we achieve security against malicious clients: since every user could run a manipulated version of the messaging application, deviations from the protocol may lead to revealing information about the server's database. On the other hand, we assume that the server behaves semi-honestly, i.e., it follows the protocol but tries to learn as much information as possible. This is a reasonable assumption since there are legal requirements and financial incentives to behave correctly: once misconduct gets known publicly, users will abandon the misbehaving service and switch to a more trustworthy alternative.

1.1 Our Contributions

As a motivation, we investigate how contact discovery is handled in widely used mobile messaging applications. For this, we conduct a survey where we analyze privacy policies, source code, and network traffic. Our results show that in practice none of these applications protect the users' privacy during contact discovery.

We optimize two protocols for unbalanced PSI that can easily be made secure against malicious clients and are suitable for private contact discovery: one that uses oblivious evaluations of the Naor-Reingold PRF (NR-PSI, cf. [31, 40, 47]) and one that uses Yao's garbled circuits (GC-PSI, cf. [40, 52, 56]) to run oblivious AES evaluations. For both protocols we apply new forms of correlated random OT precomputation (reducing the online communication by factor 2x, which is of independent interest) and introduce a method for Cuckoo filter compression (with a compression ratio of ≈70% and negligible computational overhead) as well as 4.3x smaller Cuckoo filter updates to reduce the required network communication. Moreover, we improve the GC-PSI protocol by instantiating the PRF with LowMC [2], a cipher specifically designed for efficient evaluation in secure protocols, instead of the default choice AES. While this was already proposed in [40], we find optimal parameter sets for LowMC and provide implementations. Compared to AES, we thereby reduce the communication by factor 8.2x.

We provide C/C++ implementations for both protocols with security against malicious clients that make use of the Cryptography Extensions (CE) in the ARMv8 architecture available in most recent smartphones for hardware-accelerated execution. Thereby, we improve the runtime of the online phase of the GC-PSI protocol by more than a factor of 1,000x compared to the previous work of [40] that only implements security against semi-honest clients.
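The unbalanced PSI structure behind NR-PSI (server evaluates a PRF over its large database offline, the client obtains the PRF on each contact obliviously online and tests membership locally) is sketched below as an added toy example; it is not code from the paper or its implementation. Assumptions: a constructed 45-bit safe-prime group (real deployments need ~2048-bit groups), 24-bit identifiers in place of phone numbers, and a 1-out-of-2 OT simulated in-process rather than run as a protocol.

```python
import math
import secrets

def is_prime(n):
    # Deterministic Miller-Rabin; these seven bases are exact for every n < 3.4e14.
    if n < 2 or any(n % b == 0 for b in (2, 3, 5, 7, 11, 13, 17)):
        return n in (2, 3, 5, 7, 11, 13, 17)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        x = pow(a, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(s - 1)):
            return False
    return True

def safe_prime(start):
    # Smallest safe prime p = 2q + 1 with q >= start (real deployments would use ~2048-bit p).
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime(1 << 44)  # constructed toy group; G = 4 is a square mod P, so it generates the order-Q subgroup
G, BITS = 4, 24             # toy: contacts are 24-bit identifiers (constructed); real inputs would be phone numbers
rand = lambda: secrets.randbelow(Q - 1) + 1
keygen = lambda: (rand(), [rand() for _ in range(BITS)])   # a0 and a_1..a_BITS, all in [1, Q-1]

def nr_prf(key, x):
    # Naor-Reingold PRF F_k(x) = G^(a0 * prod_{i: x_i = 1} a_i) mod P, computed locally by the key holder.
    a0, a = key
    return pow(G, a0 * math.prod(a[i] for i in range(BITS) if (x >> i) & 1) % Q, P)

def oprf_eval(key, x):
    # Oblivious evaluation: the key stays with the server, x with the client (both roles are simulated here).
    a0, a = key
    r = [rand() for _ in range(BITS)]                              # Server: fresh blinding factors
    base = pow(G, a0 * pow(math.prod(r) % Q, -1, Q) % Q, P)        # Server -> Client: G^(a0 / prod r_i)
    acc = 1
    for i in range(BITS):
        # 1-out-of-2 OT per bit of x: the client learns r_i or r_i*a_i, the server learns nothing about x_i
        acc = acc * (r[i] * a[i] % Q if (x >> i) & 1 else r[i]) % Q
    return pow(base, acc, P)                                       # Client: un-blinds to F_k(x)

def unbalanced_psi(key, server_set, client_set):
    # Offline: PRF over the whole server database once, shipped to the client (the paper packs it into a
    # Cuckoo filter). Online: one OPRF evaluation per client contact, then a local membership test.
    published = {nr_prf(key, s) for s in server_set}
    return {c for c in client_set if oprf_eval(key, c) in published}
```

The online cost is one OPRF per client contact, independent of the server database size, which is the property that makes the unbalanced setting tractable; the server-side PRF outputs are pseudorandom, so the client learns nothing about database entries it does not hold.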