Mobile Private Contact Discovery at Scale

Daniel Kales, Christian Rechberger, Thomas Schneider, Matthias Senker, Christian Weinert

Publication: Contribution to book/report/conference proceedings › Contribution to conference proceedings › Research › Peer-reviewed

Abstract

Mobile messengers like WhatsApp perform contact discovery by uploading the user's entire address book to the service provider. This allows the service provider to determine which of the user's contacts are registered to the messaging service. However, such a procedure poses significant privacy risks and legal challenges. As we find, even messengers with privacy in mind currently do not deploy proper mechanisms to perform contact discovery privately.

The most promising approaches addressing this problem revolve around private set intersection (PSI) protocols. Unfortunately, even in a weak security model where clients are assumed to follow the protocol honestly, previous protocols and implementations turned out to be far from practical when used at scale. This is due to their high computation and/or communication complexity as well as lacking optimization for mobile devices. In our work, we remove most obstacles for large-scale global deployment by significantly improving two promising protocols by Kiss et al. (PoPETS'17) while also allowing for malicious clients.

Concretely, we present novel precomputation techniques for correlated oblivious transfers (reducing the online communication by factor 2x), Cuckoo filter compression (with a compression ratio of 70%), as well as 4.3x smaller Cuckoo filter updates. In a protocol performing oblivious PRF evaluations via garbled circuits, we replace AES as the evaluated PRF with a variant of LowMC (Albrecht et al., EUROCRYPT'15) for which we determine optimal parameters, thereby reducing the communication by factor 8.2x. Furthermore, we implement both protocols with security against malicious clients in C/C++ and utilize the ARM Cryptography Extensions available in most recent smartphones. Compared to previous smartphone implementations, this yields a performance improvement of factor 1000x for circuit evaluations. The online phase of our fastest protocol takes only 2.92s measured on a real WiFi connection (6.53s on LTE) to check 1024 client contacts against a large-scale database with 2^28 entries. As a proof-of-concept, we integrate our protocols in the client application of the open-source messenger Signal.

Original language: English
Title: 28th USENIX Security Symposium
Publisher: USENIX Association
Pages: 1447-1464
ISBN (electronic): 978-1-939133-06-9
Publication status: Published - 14 Aug 2019
Event: 28th USENIX Security Symposium - Santa Clara, USA / United States
Duration: 14 Aug 2019 to 16 Aug 2019

Conference

Conference: 28th USENIX Security Symposium
Short title: USENIX Security '19
Country: USA / United States
City: Santa Clara
Period: 14/08/19 to 16/08/19

Fingerprint

Smartphones
Communication
Networks (circuits)
Mobile devices
Cryptography

Cite this

Kales, D., Rechberger, C., Schneider, T., Senker, M., & Weinert, C. (2019). Mobile Private Contact Discovery at Scale. In 28th USENIX Security Symposium (pp. 1447-1464). USENIX Association.

@inproceedings{dae97b4e6c2641c9bb8860edb6329340,
title = "Mobile Private Contact Discovery at Scale",
author = "Daniel Kales and Christian Rechberger and Thomas Schneider and Matthias Senker and Christian Weinert",
year = "2019",
month = "8",
day = "14",
language = "English",
pages = "1447--1464",
booktitle = "28th USENIX Security Symposium",
publisher = "USENIX Association",
address = "United States",

}
