Paper 2015/1177

On the CCA (in)security of MTProto

Jakob Jakobsen and Claudio Orlandi

Abstract

Telegram is a popular messaging app which supports end-to-end encrypted communication. In Spring 2015 we performed an audit of Telegram's source code. This short paper summarizes our findings. Our main discovery is that the symmetric encryption scheme used in Telegram -- known as MTProto -- is not IND-CCA secure, since it is possible to turn any ciphertext into a different ciphertext that decrypts to the same message. We stress that this is a theoretical attack on the definition of security and we do not see any way of turning the attack into a full plaintext-recovery attack. At the same time, we see no reason why one should use a less secure encryption scheme when more secure (and at least as efficient) solutions exist. The take-home message (once again) is that well-studied, provably secure encryption schemes that achieve strong definitions of security (e.g., authenticated-encryption) are to be preferred to home-brewed encryption schemes.
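The malleability described in the abstract is easiest to see on a toy model, so here is an added example (not code from the paper or from Telegram) in Python. It assumes a deliberately simplified MTProto-like construction: a random pad is appended to the message, a short hash of the unpadded message is sent in the clear as the key-derivation input, and the body is encrypted with a toy XOR keystream standing in for AES-IGE (in both, flipping a bit in the final ciphertext block only flips the corresponding plaintext padding bit). Because the hash never covers the padding, the decryption oracle of the IND-CCA game accepts a modified ciphertext and returns the original message. The second scheme shows the fix the authors recommend: authenticated encryption whose tag covers the whole ciphertext, so any modification is rejected.

```python
import hashlib
import hmac
import os

BLOCK = 16  # toy block size; padding always adds 1..BLOCK random bytes


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 counter keystream.
    Stand-in for AES-IGE; as in IGE's last block, a bit flip in the
    ciphertext flips exactly the same bit of the plaintext."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


# --- Toy "MTProto-like" scheme (assumed model, not Telegram's code) -------

def mtproto_like_encrypt(shared_key: bytes, message: bytes) -> bytes:
    header = len(message).to_bytes(4, "big")
    pad_len = BLOCK - ((len(header) + len(message)) % BLOCK)  # 1..BLOCK
    padded = header + message + os.urandom(pad_len)
    # Flaw being modelled: the transmitted hash covers only header+message,
    # never the random padding.
    msg_key = hashlib.sha256(header + message).digest()[:16]
    enc_key = hashlib.sha256(shared_key + msg_key).digest()
    return msg_key + _keystream_xor(enc_key, msg_key, padded)


def mtproto_like_decrypt(shared_key: bytes, ciphertext: bytes) -> bytes:
    msg_key, body = ciphertext[:16], ciphertext[16:]
    enc_key = hashlib.sha256(shared_key + msg_key).digest()
    padded = _keystream_xor(enc_key, msg_key, body)
    length = int.from_bytes(padded[:4], "big")
    header_and_msg = padded[:4 + length]
    if hashlib.sha256(header_and_msg).digest()[:16] != msg_key:
        raise ValueError("integrity check failed")
    return header_and_msg[4:]


# --- Authenticated encryption: encrypt-then-MAC over everything ----------

def ae_encrypt(shared_key: bytes, message: bytes) -> bytes:
    enc_key = hashlib.sha256(b"enc" + shared_key).digest()
    mac_key = hashlib.sha256(b"mac" + shared_key).digest()
    nonce = os.urandom(16)
    body = nonce + _keystream_xor(enc_key, nonce, message)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def ae_decrypt(shared_key: bytes, ciphertext: bytes) -> bytes:
    enc_key = hashlib.sha256(b"enc" + shared_key).digest()
    mac_key = hashlib.sha256(b"mac" + shared_key).digest()
    body, tag = ciphertext[:-32], ciphertext[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        raise ValueError("authentication failed")
    nonce, enc = body[:16], body[16:]
    return _keystream_xor(enc_key, nonce, enc)


def _flip_last_byte(ciphertext: bytes) -> bytes:
    """The IND-CCA adversary's query: a ciphertext differing in one bit."""
    return ciphertext[:-1] + bytes([ciphertext[-1] ^ 0x01])


def cca_demo(message: bytes = b"constructed sample message") -> dict:
    """Run both schemes against the same ciphertext-modification query."""
    shared_key = hashlib.sha256(b"constructed shared key").digest()

    ct = mtproto_like_encrypt(shared_key, message)
    forged = _flip_last_byte(ct)  # only the random padding is touched
    try:
        accepts = forged != ct and mtproto_like_decrypt(shared_key, forged) == message
    except ValueError:
        accepts = False

    ct_ae = ae_encrypt(shared_key, message)
    try:
        ae_decrypt(shared_key, _flip_last_byte(ct_ae))
        rejects = False
    except ValueError:
        rejects = True

    return {"mtproto_like_accepts_forgery": accepts, "ae_rejects_forgery": rejects}


if __name__ == "__main__":
    print(cca_demo())
```

In the toy scheme the decryption oracle hands back the challenge plaintext for a ciphertext the adversary never received, which is exactly what the IND-CCA definition forbids; the authenticated scheme returns an error instead. As the abstract notes, this says nothing about recovering plaintexts without the key; the design point is simply that integrity must cover every bit an attacker can alter.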

Metadata

Available format(s): PDF
Category: Secret-key cryptography
Publication info: Preprint. MINOR revision.
Contact author(s): orlandi @ cs au dk
History: 2016-03-31: revised; 2015-12-10: received
Short URL: https://ia.cr/2015/1177
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2015/1177,
      author = {Jakob Jakobsen and Claudio Orlandi},
      title = {On the CCA (in)security of MTProto},
      howpublished = {Cryptology ePrint Archive, Paper 2015/1177},
      year = {2015},
      note = {\url{https://eprint.iacr.org/2015/1177}},
      url = {https://eprint.iacr.org/2015/1177}
}