by Nursie 4568 days ago
> > they are trying to do “Mac and Encrypt” which is not secure.
>
> We are not doing this. We are doing this: http://core.telegram.org/techfaq#q-are-you-doing-encrypt-the....

Right, but you still include the sha-1 of the plaintext in your outgoing message, which is (IIRC) generally considered bad practice because it leaks information about the plaintext.


The idea of cryptographic hashes is that they don't leak information about the plaintext, though.
No, that's incorrect. A hash function should have these properties:

* Given a hash h it should be hard to find a message m such that hash(m) = h

* Given a message m1 it should be hard to find m2 such that hash(m1) = hash(m2)

* It should be hard to find any two messages m1 and m2 such that hash(m1) = hash(m2)

If you have some secure hash function h, the function h'(m) that appends the low byte of m to h(m) is still secure under all three properties, but it obviously leaks information.
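The h' construction from that comment, written out as an added example (not code from the thread or from Telegram); SHA-256 stands in for the secure hash h, and the candidate plaintexts are constructed for the demo:

```python
import hashlib

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes


def h(m: bytes) -> bytes:
    # Stand-in for "some secure hash function h": SHA-256 here.
    return hashlib.sha256(m).digest()


def h_prime(m: bytes) -> bytes:
    # The comment's h'(m): h(m) with the low byte of m appended.
    # (The empty message has no low byte, so nothing is appended.)
    return h(m) + m[-1:]


def split_h_prime(digest: bytes):
    # An h' digest is exactly h(m) followed by one plaintext byte. Because the
    # first DIGEST_LEN bytes are h(m) unchanged, any preimage, second preimage
    # or collision for h' is one for h too, so the three properties survive.
    return digest[:DIGEST_LEN], digest[DIGEST_LEN:]


def leaked_low_byte(digest: bytes) -> bytes:
    # Whoever sees the digest reads the plaintext's last byte straight off it.
    return split_h_prime(digest)[1]


def rule_out_candidates(digest: bytes, candidates: list) -> list:
    # What the leak buys an observer: every candidate plaintext whose low byte
    # differs from the leaked one is eliminated without touching h at all.
    low = leaked_low_byte(digest)
    return [c for c in candidates if c[-1:] == low]


if __name__ == "__main__":
    # Constructed sample: an observer sees only the h' digest of a short reply.
    secret = b"no"
    d = h_prime(secret)
    print("leaked low byte:", leaked_low_byte(d))
    print("candidates left:", rule_out_candidates(d, [b"yes", b"no", b"maybe"]))
```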

Hmm, I unfortunately can't remember the hash attack models right now, but you may be right. I think there are models under which this fails, though.