Mass-surveillance without the State

Bellare, Mihir; Jaeger, Joseph; Kane, Daniel M.

doi:10.1145/2810103.2813681

Cited by 60 publications

(14 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Degabriele et al criticized [DFP15] the perfect decryptability condition required from the subverted ciphertext in BPR's model. Bellare et al improved over the attacks in [BPR14], proposing stateless attacks [BJK15] against all randomized schemes. While previous attacks [BPR14,BJK15] targeted the encryption algorithm, Armour and Poettering proposed an attack [AP19b] by subverting the decryption algorithm.…”

Section: Subversion Attacksmentioning

confidence: 99%

“…Bellare et al improved over the attacks in [BPR14], proposing stateless attacks [BJK15] against all randomized schemes. While previous attacks [BPR14,BJK15] targeted the encryption algorithm, Armour and Poettering proposed an attack [AP19b] by subverting the decryption algorithm. Hodges and Stebila explored the detectability of ASAs via state resetting [HS21].…”

Section: Subversion Attacksmentioning

confidence: 99%

“…First, we propose the first partial key recovery ASAs (see section 5) on the secret chat mode of Telegram. Our attacks are completely passive in nature and incur significantly less latency as compared to previous such attacks on generic authenticated encryption schemes [BJK15,AP19b]. Our attack exploits the random length padding used in the MTProto2.0 encryption.…”

Section: Our Contributionsmentioning

confidence: 99%

See 2 more Smart Citations

Subverting Telegram’s End-to-End Encryption

Cogliati

Ethan²,

Jha³

2023

ToSC

View full text Add to dashboard Cite

Telegram is a popular secure messaging service with third biggest user base as of 2021. In this paper, we analyze the security of Telegram’s end-to-end encryption (E2EE) protocol in presence of mass-surveillance. Specifically, we show >that Telegram’s E2EE protocol is susceptible to fairly efficient algorithm substitution attacks. While official Telegram clients should be protected against this type of attack due their open-source nature and reproducible builds, this could potentially lead to a very efficient state sponsored surveillance of private communications over Telegram, either on individuals through a targeted attack or massively through some compromised third-party clients. We provide an efficient algorithm substitution attack against MTProto2.0 — the underlying authenticated encryption scheme — that recovers significant amount of encryption key material with a very high probability with few queries and fairly low latency. This could potentially lead to a very efficient state sponsored surveillance of private communications over Telegram, either through a targeted attack or a compromised third-party app. Our attack exploits MTProto2.0’s degree of freedom in choosing the random padding length and padding value. Accordingly, we strongly recommend that Telegram should revise MTProto2.0’s padding methodology. In particular, we show that a minor change in the padding description of MTProto2.0 makes it subversion-resistant in most of the practical scenarios. As a side-effect, we generalize the underlying mode of operation in MTProto2.0, as MTProto-G, and show that this generalization is a multi-user secure deterministic authenticated encryption scheme.

show abstract

Section: Subversion Attacksmentioning

confidence: 99%

Section: Subversion Attacksmentioning

confidence: 99%

Section: Our Contributionsmentioning

confidence: 99%

See 1 more Smart Citation

Subverting Telegram’s End-to-End Encryption

Cogliati

Ethan²,

Jha³

2023

ToSC

View full text Add to dashboard Cite

show abstract

“…Since then kleptography has captured much interest. Bellare et al [3] introduced an idea of strong undetectability used to describe the quality of such backdoors for symmetric schemes. We modify their definition for describing kleptographic backdoors on asymmetric schemes.…”

Section: Preliminariesmentioning

confidence: 99%

“…Compared to the algorithm substitution attack on symmetric schemes by Bellare et al [3], where the strong undetectability is reduced to the security of pseudo random generators, we make the reduction to DDH assumption in the following. Now the Decision Diffie-Hellman assumption on elliptic curves states that it is hard to distinguish a sample of form (Y P, X P, XY P) from a sample of form (Y P, X P, ZP), where P is the generator of an elliptic curve, and X, Y , Z are independently uniformly random integers over Z p .…”

Section: The Quality Of Our Backdoormentioning

confidence: 99%

Lattice Klepto Revisited

Yang

Xie

Pan

2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Kleptography introduced by Young and Yung is about using an embedded backdoor to perform attacks on a cryptosystems. At SAC'17, Kwant et al. proposed a kleptographic backdoor on NTRU encryption scheme and thought that the backdoor can not be detected. However, in this paper we show that the user can detect the backdoor very efficiently and hence the problem of constructing a kleptographic backdoor on NTRU stays open. Moreover, we also design a universal method to embed a kleptographic backdoor for RLWE-based scheme, such as NewHope. Our construction is shown to be strongly undetectable, which reveals the threats of the kleptographic attacks on lattice-based schemes. CCS CONCEPTS • Security and privacy → Cryptanalysis and other attacks.

show abstract

Unifying Kleptographic Attacks

Teşeleanu¹

2018

Secure IT Systems

View full text Add to dashboard Cite

Mass-surveillance without the State

Cited by 60 publications

References 18 publications

Subverting Telegram’s End-to-End Encryption

Subverting Telegram’s End-to-End Encryption

Lattice Klepto Revisited

Unifying Kleptographic Attacks

Contact Info

Product

Resources

About