TY - GEN
T1 - Analysis of the Telegram Key Exchange
AU - Albrecht, Martin R.
AU - Mareková, Lenka
AU - Paterson, Kenneth G.
AU - Ronen, Eyal
AU - Stepanovs, Igors
N1 - Publisher Copyright: © International Association for Cryptologic Research 2025.
PY - 2025
Y1 - 2025
N2 - We describe, formally model, and prove the security of Telegram’s key exchange protocols for client-server communications. To achieve this, we develop a suitable multi-stage key exchange security model along with pseudocode descriptions of the Telegram protocols that are based on analysis of Telegram’s specifications and client source code. We carefully document how our descriptions differ from reality and justify our modelling choices. Our security proofs reduce the security of the protocols to that of their cryptographic building blocks, but the subsequent analysis of those building blocks requires the introduction of a number of novel security assumptions, reflecting many design decisions made by Telegram that are suboptimal from the perspective of formal analysis. Along the way, we provide a proof of IND-CCA security for the variant of RSA-OAEP+ used in Telegram and identify a hypothetical attack exploiting current Telegram server behaviour (which is not captured in our protocol descriptions). Finally, we reflect on the broader lessons about protocol design that can be taken from our work.
AB - We describe, formally model, and prove the security of Telegram’s key exchange protocols for client-server communications. To achieve this, we develop a suitable multi-stage key exchange security model along with pseudocode descriptions of the Telegram protocols that are based on analysis of Telegram’s specifications and client source code. We carefully document how our descriptions differ from reality and justify our modelling choices. Our security proofs reduce the security of the protocols to that of their cryptographic building blocks, but the subsequent analysis of those building blocks requires the introduction of a number of novel security assumptions, reflecting many design decisions made by Telegram that are suboptimal from the perspective of formal analysis. Along the way, we provide a proof of IND-CCA security for the variant of RSA-OAEP+ used in Telegram and identify a hypothetical attack exploiting current Telegram server behaviour (which is not captured in our protocol descriptions). Finally, we reflect on the broader lessons about protocol design that can be taken from our work.
UR - http://www.scopus.com/inward/record.url?scp=105004796647&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-91101-9_8
DO - 10.1007/978-3-031-91101-9_8
M3 - Conference contribution
SN - 9783031911002
T3 - Lecture Notes in Computer Science
SP - 212
EP - 241
BT - Advances in Cryptology – EUROCRYPT 2025 - 44th Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2025, Proceedings
A2 - Fehr, Serge
A2 - Fouque, Pierre-Alain
PB - Springer Science and Business Media Deutschland GmbH
T2 - 44th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2025
Y2 - 4 May 2025 through 8 May 2025
ER -