by paveldurov 4565 days ago
After reading tptacek's comments in the latest thread about Telegram https://news.ycombinator.com/item?id=6940665 I can only agree. He insisted the Telegram team should abandon its custom solution without providing any actual proof that it's vulnerable. His advice was to rely only on "modern" algorithms (mostly the ones included in "NSA Suite B Cryptography"), but he provided zero evidence why these algorithms should be more secure than the ones already in use.
3 comments

In cryptography, the expectation is that the person presenting the algorithm should substantiate their claims, preferably with a proof. Saying that something is secure because it hasn't been broken yet does not sit well with people. And when it does happen, it's clearly caveated ("assuming the hardness of Discrete Logarithms", for example).

That aside, your challenge smacks of snake oil. I gave an analogy earlier that captures the essence of the complaints:

Suppose I am selling fire-proof safes. These are designed to protect your documents and valuables from thieves and from fire and other events.

The normal way people set up tests is to put some documents and valuables in a box and actually try to break it (MythBusters style, bringing out cool machinery and trying different ways). For fire resistance, there is a rating system (https://en.wikipedia.org/wiki/Fire-resistance_rating) and a standard way to test.

The Telegram proposition is: we are going to place the safe in Fort Knox. If you can't break the safe that is in Fort Knox, then clearly our safe is secure.

People are arguing that in order to break the safe, you have to break into Fort Knox. And for all intents and purposes that's not going to happen. You could have put a cardboard box in Fort Knox but no one can tell the difference because of the way you structured the challenge.

In that sense, you aren't testing the real-life security.

You guys are still failing to appreciate that your composition of cryptographic primitives is unproven, which means it is probably broken. Why is it probably broken? Because most compositions of crypto primitives are broken and your adversary is so formidable he will find the smallest problem.

In cryptography, you either prove it is safe or you consider it broken. Your choice should be considered broken until you prove otherwise.

This is a really bad and somewhat frustrating comment (if you're trolling, nicely done). He's absolutely correct about Telegram and this is not how you run crypto contests. This isn't even a tptacek opinion, it's an "everybody who has any reputation in the crypto field" opinion.

Edit: Oh, you're the Telegram employee who designed the contest. I encourage you to read moxie's blog post, and Schneier's rebuttals to crypto contests that are probably linked all over your other threads.

I think Pavel is providing the financial backing for Telegram, rather than being an employee - http://en.wikipedia.org/wiki/Pavel_Durov

Ah, the Telegram HN account just said he "proposed the contest", so I assumed employee. If he is the financier, then it is not surprising that he doesn't understand why his crypto contest is a bad idea.

Right, and it also explains why the Telegram guys went ahead with his suggestion, because they're presumably keen to keep their main financial backer happy.

I don't think there's any attempt to sell snakeoil here, this is a case of a road to hell being paved with good intentions. To people not well versed in cryptography the things Pavel is saying and the approach Telegram is taking all seem completely reasonable, and the people who do do crypto and are responding might as well be talking a different language. To them the flaws and red flags are so obvious that their responses are incredulous, which has led to the vitriolic back and forth we've seen - neither side can comprehend the other's position. This is Dunning-Kruger[0].

[0] http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect

With all due respect, nothing can be "obvious" unless it is proven. You cannot take something for granted just because a respected cryptographer says so. Not after we learned that the NSA pushes backdoors using respected firms and people in the crypto community.

By this reasoning you should presumably agree that the onus is on Telegram to prove the security of their system, not on the rest of the cryptography community to prove that it is insecure. Telegram have completely failed to do this. Even if Telegram had a formal proof of their system (and implementation), would you be in a position to read and understand that proof? I suspect not. Like me, you'd have to trust a group of respected cryptographers to do that job for you, so I don't really know what you're trying to say here. Just because one or two respected cryptographers appear to have become NSA tools does not mean everyone has.

Also note that it's not a case of one random crypto guy saying that Telegram's approach is flawed, but a case of virtually the entire crypto community saying that the approach is flawed. Does this not ring alarm bells for you? How can you judge that the Telegram guys know their stuff and aren't leading you down the garden path or are themselves deluded?

With your backing, there is a real chance for Telegram to bring secure communications to the masses. This is indisputably a noble goal, but the areas that Telegram should be innovating in are in UI and features - not cryptography. There is no such thing as mostly correct, 'good enough' cryptography, either the system is secure, or it's insecure - there is basically no middle ground. If you fail, it's a bit more serious than your typical software bug - innocent people can literally die - the very people that need this the most are the most at risk. These are the reasons Telegram have been met with such a frosty reception here. Because they come across as arrogant in an area where arrogance is the absolute least desirable trait.

The wish to broaden the contest is understandable and has already been taken into account: http://bit.ly/1htlEod

What I was saying in the comment above, however, had nothing to do with the contest. I expressed concern about tptacek's aggressive promotion of one set of algorithms (branded as "modern") over another (claimed as "anachronistic") without any substantial proof. https://news.ycombinator.com/item?id=6941934

This is really alarming.

Could you please provide some proof that you are who you claim you are? Like a post on your VK page? Thanks.

This comment on VK by id1 (Pavel) clearly states he participates in recent HN threads. I think it's fairly safe to assume he is who he is.

https://vk.com/roem?w=wall-20537665_23327

Here's an unedited Google Translate translation (I read it, and I think it conveys the message):

As I see it , there is not so much Anonymus as creators local competitor - TextSecure under Android . Telegram gathered a lot of users , and they're rightly fuss . The boys are torn between argument " either too new algorithm , why is it , if there is a proven " and your " algorithm either too old , why is it when new ." Nevertheless , trade on HN gives thousands of registrations Anglo-Saxons and tons of references .

I think the debate will be a good end to the competition announcement decoding traffic Telegram. Let's say I was ready to open all of my correspondence traffic since registration in Telegram and give $ 200,000 to anyone who will decipher it and tell you how . As a result Telegram or detect and close the loophole for special services, or - more likely - will receive another proof of the inviolability of their protocol

Ok, thanks.

Here's another comment of his further down:

I remember the first review of VKontakte on Habrahabr, I think in 2006. The experts shared comments like "who are they", "we don't need another social network" and "only noobs write in php". It is not surprising that HackerNews, built on roughly the same principles (karma, ranking), creates a feeling of deja vu.

Nevertheless, it would be great if not only those who like to talk showed up there, but also those who will actually read the MTProto documentation.

Which roughly translates to:

I remember the first reviews of VK back in 2006. The experts were saying "who are they?", "we don't need another social network", "only noobs write in php". It is not surprising that HN, built on the exact same principles (karma, rankings), brings up a deja vu.

However, it would be great if someone who actually read the MTProto docs can show up, and not just those who like to talk.

In this case, it doesn't actually matter who he is, so there is no need really. Our responses would not be different if it were someone else saying the same thing.