by martinralbrecht 1801 days ago
1. Re: "needs additional work to become a fully fledged exploit": We have verified this attack in practice, see the paper.

2. We give an example application where it has some "bearing on the security of messages" at the end of https://mtpsym.github.io/ under the heading "Did we really break IND-CPA?" and in the paper.

3. Perhaps a better analogy is: the remaining door requires the date of birth, but luckily they kept that secret. But analogies aside: "Luckily, it is almost impossible to carry out in practice. In particular, it is mostly mitigated by the coincidence that certain metadata in Telegram [a salt and an id] is chosen randomly and kept secret." https://mtpsym.github.io/

4. By cryptographic standards this is the strongest attack, as it would imply full compromise if successful. It costs in the order of 2^32 noise-free queries within minutes, where it is not clear how many noisy queries are needed to get "one noise-free query", since we didn't want to test it against Telegram's servers. This falls significantly short of "well established crypto protocols [...] where it's just infeasible to brute force". NB: these provide guarantees also against state resources. This does not mean it is a practical concern.

The key contribution of our paper, however, is that we prove that MTProto's symmetric cryptography (with some fixes and when implemented carefully) can give you something comparable to TLS (well, its Record protocol), which is its closest "competitor".

This proof comes with some caveats, though. First, MTProto is tricky to implement correctly (as highlighted by our attacks on the official clients). Second, MTProto relies on unstudied assumptions that you do not need to make if you use just TLS. See "A Somewhat Opinionated Discussion" at https://mtpsym.github.io/