What's a little leakage between friends?

TL;DR

This paper identifies a new vulnerability in metadata-private messaging systems where compromised friends can infer users' other conversations, and proposes a primitive to prevent this attack, highlighting the trade-offs involved.

Contribution

It formalizes the compromised friend attack, introduces the exclusive call center problem, and proposes a private answering machine primitive with a practical construction under certain assumptions.

Findings

The attack can reveal user activity through compromised friends.

A new primitive called a private answering machine can prevent the attack.

Secure implementation is challenging without additional assumptions.

Abstract

This paper introduces a new attack on recent messaging systems that protect communication metadata. The main observation is that if an adversary manages to compromise a user's friend, it can use this compromised friend to learn information about the user's other ongoing conversations. Specifically, the adversary learns whether a user is sending other messages or not, which opens the door to existing intersection and disclosure attacks. To formalize this compromised friend attack, we present an abstract scenario called the exclusive call center problem that captures the attack's root cause, and demonstrates that it is independent of the particular design or implementation of existing metadata-private messaging systems. We then introduce a new primitive called a private answering machine that can prevent the attack. Unfortunately, building a secure and efficient instance of this primitive under only computational hardness assumptions does not appear possible. Instead, we give a construction under the assumption that users can place a bound on their maximum number of friends and are okay leaking this information.