Contact Discovery is a cryptographic protocol enabling a client to privately determine the intersection between their local address book and a service's user database, without exposing non-matching contacts to the server. It is a specific, large-scale implementation of Asymmetric PSI, where only the client learns the result. The primary technical challenge lies in performing this matching on massive, unbalanced sets—a user's hundreds of contacts against a server's billions of users—while maintaining semi-honest or malicious security against a compromised infrastructure.
Glossary
Contact Discovery

What is Contact Discovery?
A real-world application of private set intersection that allows a messaging service user to determine which of their phone contacts are also users of the service without revealing their entire address book to the server.
Modern, privacy-preserving implementations replace naive phone number uploads with techniques like Oblivious Pseudorandom Functions (OPRFs) and Homomorphic Encryption (HE). In a typical OPRF-based flow, the client masks their contacts with a blinding factor, the server applies its secret key to generate an encrypted pseudorandom identifier, and the client unblinds the result to compare against a server-provided encrypted directory. This ensures the server learns nothing about the client's non-user contacts, addressing the core privacy vulnerability in traditional contact discovery systems.
Key Properties of Contact Discovery
Contact discovery protocols must balance cryptographic privacy, computational efficiency, and user experience to securely determine which contacts are service users without exposing the entire address book.
Asymmetric Information Flow
Contact discovery is a classic asymmetric PSI use case. Only the client (user) learns the intersection—which of their contacts are on the service. The server learns nothing about the user's address book beyond what it already knows. This prevents the service provider from harvesting non-user contact data. The protocol enforces this through cryptographic means, not policy: even a malicious server cannot extract the full contact list.
Unbalanced Set Optimization
Contact discovery exhibits extreme set size asymmetry. A user's address book typically contains hundreds to thousands of contacts, while the service's registered user base can number in the billions. Protocols like KKRT and VOLE-based constructions are specifically optimized for this imbalance, allowing the client to perform work proportional to their small input set while the server handles the massive set efficiently through precomputed data structures and OT extension.
Rate Limiting as a Security Control
Without rate limiting, a malicious client could perform enumeration attacks—repeatedly querying the service with arbitrary phone numbers to reconstruct the entire user database. Production contact discovery systems enforce cryptographic rate limiting or require the client to solve computational puzzles (e.g., proof-of-work) before each query. This makes bulk enumeration economically infeasible while remaining transparent to legitimate users performing a single lookup.
Server-Side Precomputation
To achieve sub-second latency for billions of records, modern contact discovery protocols leverage offline precomputation. The server can pre-hash its entire user database into a Cuckoo hashing table or precompute OPRF keys once, then reuse these structures across millions of client queries. This shifts the heavy cryptographic work to idle periods, allowing online queries to complete with minimal computation and communication.
Malicious vs. Semi-Honest Security
Contact discovery implementations face a critical security model choice:
- Semi-honest security: Assumes the server follows the protocol correctly but may inspect the transcript. Faster and sufficient when the server is trusted not to deviate.
- Malicious security: Protects against servers that arbitrarily deviate from the protocol to extract information. Essential when the service provider cannot be fully trusted, but incurs higher computational overhead. Signal's private contact discovery service uses a semi-honest model with hardware enclave attestation as an additional trust anchor.
Post-Quantum Migration Planning
Classical contact discovery protocols relying on Diffie-Hellman assumptions are vulnerable to future quantum adversaries capable of breaking discrete logarithms. Forward-looking deployments are evaluating post-quantum PSI constructions based on lattice assumptions or FHE-based PSI that remain secure against Shor's algorithm. While current quantum threats are theoretical, the long-term sensitivity of social graph data warrants crypto-agility in protocol design.
Frequently Asked Questions
Clear answers to common questions about the cryptographic protocols that power private contact discovery in modern messaging applications.
Contact discovery is a privacy-preserving protocol that allows a messaging app user to determine which contacts in their phone's address book are also registered users of the service, without revealing their entire address book to the server. The process works by cryptographically comparing the user's hashed phone numbers against the service's user database using Private Set Intersection (PSI) techniques. In a typical implementation, the client encrypts or hashes each contact identifier with a secret key, sends these protected values to the server, and the server performs a blind matching operation that reveals only the intersection—the contacts who are already users. The server learns nothing about non-matching contacts, and ideally, the client learns only which contacts are users without discovering additional information. Modern protocols like asymmetric PSI optimize this for the unbalanced scenario where the server's user base is massive and the client's contact list is relatively small.
Real-World Deployments
Private set intersection protocols power the 'find my friends' feature in modern messaging apps, allowing users to discover mutual contacts without exposing their entire address book to the server.
Signal's Private Contact Discovery
Signal uses a trusted execution environment (TEE) based on Intel SGX to perform contact discovery. The client encrypts their address book and sends it to a secure enclave running on Signal's servers. The enclave decrypts the data, compares it against the registered user database, and returns only the intersection. The server operator cannot inspect the plaintext address book because the enclave's memory is hardware-encrypted. This approach trades cryptographic complexity for practical performance, processing millions of lookups daily while ensuring the plaintext never leaves the CPU package.
WhatsApp's OPRF-Based Protocol
WhatsApp employs an oblivious pseudorandom function (OPRF) to protect user contact lists. The client hashes each phone number and blinds it before sending it to the server. The server applies its secret key to the blinded value and returns the result. The client unblinds the response to obtain a PRF output, which is then used to query an encrypted database. This ensures the server never sees the raw phone numbers and cannot link queries across different sessions. The protocol is designed to handle unbalanced PSI scenarios where the server holds billions of registered users while the client uploads a few hundred contacts.
Telegram's Server-Side Matching
Telegram performs contact discovery by uploading hashed phone numbers to its servers. The server computes the intersection against its user database and returns matching contacts. While this approach is fast and simple, it provides weaker privacy guarantees compared to OPRF or TEE-based methods. A malicious or compromised server could theoretically perform a brute-force enumeration attack against the hashed numbers, especially given the limited entropy of phone numbers. Telegram relies on rate limiting and operational security rather than cryptographic privacy for this feature.
Apple's iMessage Contact Discovery
Apple's iMessage uses identity-based encryption (IBE) for contact discovery. When a user enables iMessage, their device generates a set of public keys derived from their phone number and Apple's master secret. Other users can encrypt invitation tokens to these derived public keys without needing to query Apple's servers for each contact. The server acts as a relay but cannot decrypt the tokens. This design shifts the privacy guarantee toward client-side cryptography, reducing server trust requirements while maintaining the ability to discover which contacts are iMessage-enabled.
Microsoft's Password Monitor
Microsoft Edge's Password Monitor uses a private set intersection cardinality protocol to check if a user's saved credentials appear in known breach databases without revealing the passwords to Microsoft. The client hashes and blinds each credential, sends the blinded values to the server, and receives back encrypted results. The client can determine if a match exists without the server learning which credentials were checked or which matched. This is a practical deployment of asymmetric PSI where only the client learns the result, protecting billions of credentials from exposure.
Google's Private Join and Compute
Google's Private Join and Compute is a labeled PSI protocol that allows two organizations to compute aggregate statistics over the intersection of their datasets without revealing individual records. For example, an advertiser can measure campaign conversion rates by joining their impression data with a merchant's sales data, learning only the aggregate conversion count. The protocol uses homomorphic encryption to compute sums over the matched records, ensuring that neither party learns the other's non-matching entries or individual matched values. This demonstrates PSI's evolution from simple membership testing to privacy-preserving analytics.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Contact Discovery vs. Naive Address Book Upload
A comparison of the privacy, security, and operational properties of cryptographic contact discovery versus a traditional address book upload to a server.
| Feature | Contact Discovery (PSI) | Naive Address Book Upload |
|---|---|---|
Server Learns Non-User Contacts | ||
Server Learns Social Graph | ||
Client Learns Non-User Contacts | ||
Data Exposure on Server Breach | None (only user's own ID) | Full address book + social graph |
Cryptographic Guarantee | Yes (based on PSI protocol) | No (relies on policy) |
Computational Overhead | Higher (OT/OPRF operations) | Negligible (plaintext upload) |
Bandwidth Complexity | O(n) to O(n log n) | O(n) |
Compliance with Data Minimization |
Related Terms
Contact discovery relies on a stack of cryptographic building blocks and protocol variants. Understanding these related terms is essential for evaluating the security, efficiency, and privacy guarantees of a real-world deployment.
Asymmetric PSI
The specific Private Set Intersection variant that underpins contact discovery. In this model, only the client (the user) learns the intersection of their contact list with the server's user base. The server learns nothing about the client's input set, preventing bulk surveillance of social graphs.
Oblivious Pseudorandom Function (OPRF)
A core building block for modern, efficient contact discovery. The client's contact identifiers are hashed under a key held exclusively by the server. The client learns the pseudorandom output for their inputs without the server learning the inputs themselves. This allows the server to provision a secret-shared lookup table without exposing raw identifiers.
Unbalanced PSI
A protocol optimization critical for contact discovery, where set sizes are extremely lopsided. The client's set (phone contacts) is typically small (hundreds), while the server's set (registered users) is massive (hundreds of millions). Unbalanced PSI protocols minimize client computation and bandwidth by shifting the heavy cryptographic lifting to the server.
Malicious Security
The strongest security model for contact discovery protocols. It guarantees correctness and privacy even if the server or a network adversary arbitrarily deviates from the protocol specification. This prevents active attacks where a malicious server might try to extract a user's full contact list by manipulating the protocol flow.
Cuckoo Hashing
A hashing scheme used to optimize the server-side data structure in PSI protocols. It resolves collisions by relocating existing keys using multiple hash functions, ensuring a compact, evenly filled table. This reduces the storage overhead and communication complexity when the server encodes its massive user database for private comparison.
Fuzzy PSI
An extension of private set intersection that identifies approximate matches rather than exact equality. In the context of contact discovery, this could be used to match contacts with slight formatting differences (e.g., country code variations) without revealing the raw, un-normalized identifiers to the server.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us