International Association for Cryptologic Research

International Association
for Cryptologic Research


Security Analysis of the WhatsApp End-to-End Encrypted Backup Protocol

Gareth T. Davies , University of Wuppertal
Sebastian Faller , IBM Research Europe - Zurich, ETH Zurich
Kai Gellert , University of Wuppertal
Tobias Handirk , University of Wuppertal
Julia Hesse , IBM Research Europe - Zurich
Máté Horváth , University of Wuppertal
Tibor Jager , University of Wuppertal
DOI: 10.1007/978-3-031-38551-3_11 (login may be required)
Search ePrint
Search Google
Presentation: Slides
Conference: CRYPTO 2023
Abstract: WhatsApp is an end-to-end encrypted (E2EE) messaging service used by billions of people. In late 2021, WhatsApp rolled out a new protocol for backing up chat histories. The E2EE WhatsApp backup protocol (WBP) allows users to recover their chat history from passwords, leaving WhatsApp oblivious of the actual encryption keys. The WBP builds upon the OPAQUE framework for password-based key exchange, which is currently undergoing standardization. While considerable efforts have gone into the design and auditing of the WBP, the complexity of the protocol’s design and shortcomings in the existing security analyses of its building blocks make it hard to understand the actual security guarantees that the WBP provides. In this work, we provide the first formal security analysis of the WBP. Our analysis in the universal composability (UC) framework confirms that the WBP provides strong protection of users’ chat history and passwords. It also shows that a corrupted server can under certain conditions make more password guesses than what previous analysis suggests.
  title={Security Analysis of the WhatsApp End-to-End Encrypted Backup Protocol},
  author={Gareth T. Davies and Sebastian Faller and Kai Gellert and Tobias Handirk and Julia Hesse and Máté Horváth and Tibor Jager},