Our main discovery is that the symmetric encryption scheme used in Telegram -- known as MTProto -- is not IND-CCA secure, since it is possible to turn any ciphertext into a different ciphertext that decrypts to the same message.
We stress that this is a theoretical attack on the definition of security and we do not see any way of turning the attack into a full plaintext-recovery attack. At the same time, we see no reason why one should use a less secure encryption scheme when more secure (and at least as efficient) solutions exist.
The take-home message (once again) is that well-studied, provably secure encryption schemes that achieve strong definitions of security (e.g., authenticated encryption) are to be preferred to home-brewed encryption schemes.
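As an added illustration (not the paper's code, and a simplified stdlib-only model rather than MTProto's actual AES-IGE construction): model A has the property the abstract describes, a tag computed over the message only while random padding is encrypted but never checked, so any ciphertext can be turned into a different ciphertext that decrypts to the same message, and one decryption-oracle query on that ciphertext wins the IND-CCA game; model B is encrypt-then-MAC over the whole ciphertext, where the same query is rejected. The keystream and key names are assumptions of this example.

```python
import hmac, hashlib, secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """PRF-based stream (HMAC-SHA256 in counter mode); a stand-in for a block cipher."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(k_mac: bytes, data: bytes) -> bytes:
    return hmac.new(k_mac, data, hashlib.sha256).digest()[:16]

# Model A: tag over the message; random padding is encrypted but ignored on receipt.
def enc_a(k_mac: bytes, k_enc: bytes, msg: bytes) -> bytes:
    nonce = secrets.token_bytes(8)
    body = len(msg).to_bytes(4, "big") + msg + secrets.token_bytes(16)  # 16 B padding
    return nonce + _tag(k_mac, msg) + _xor(body, _keystream(k_enc, nonce, len(body)))

def dec_a(k_mac: bytes, k_enc: bytes, ct: bytes):
    nonce, tag, c = ct[:8], ct[8:24], ct[24:]
    body = _xor(c, _keystream(k_enc, nonce, len(c)))
    msg = body[4:4 + int.from_bytes(body[:4], "big")]       # padding never examined
    return msg if hmac.compare_digest(tag, _tag(k_mac, msg)) else None

# Model B: encrypt-then-MAC; the tag covers everything the receiver will decrypt.
def enc_b(k_mac: bytes, k_enc: bytes, msg: bytes) -> bytes:
    nonce = secrets.token_bytes(8)
    body = len(msg).to_bytes(4, "big") + msg + secrets.token_bytes(16)
    c = _xor(body, _keystream(k_enc, nonce, len(body)))
    return nonce + _tag(k_mac, nonce + c) + c

def dec_b(k_mac: bytes, k_enc: bytes, ct: bytes):
    nonce, tag, c = ct[:8], ct[8:24], ct[24:]
    if not hmac.compare_digest(tag, _tag(k_mac, nonce + c)):
        return None                                          # mauled ciphertext rejected
    body = _xor(c, _keystream(k_enc, nonce, len(c)))
    return body[4:4 + int.from_bytes(body[:4], "big")]

def maul(ct: bytes) -> bytes:
    """Flip one bit in the last ciphertext byte, which only ever covers padding."""
    return ct[:-1] + bytes([ct[-1] ^ 0x01])

def maul_and_query(enc, dec):
    """The IND-CCA move from the abstract: re-randomise the challenge ciphertext into a
    different one, then ask the decryption oracle about it (legal, since c2 != c)."""
    k_mac, k_enc = secrets.token_bytes(32), secrets.token_bytes(32)
    msg = b"transfer 10 EUR to bob"                          # constructed sample message
    c = enc(k_mac, k_enc, msg)
    c2 = maul(c)
    assert c2 != c and dec(k_mac, k_enc, c) == msg
    return dec(k_mac, k_enc, c2)   # model A returns msg (game lost); model B returns None
```

Run `maul_and_query(enc_a, dec_a)` and `maul_and_query(enc_b, dec_b)` to see the two outcomes side by side.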
Category / Keywords: secret-key cryptography
Date: received 8 Dec 2015, last revised 31 Mar 2016
Contact author: orlandi at cs au dk
Version: 20160331:084923
Short URL: ia.cr/2015/1177