[messaging] How secure is TextSecure?

David Leon Gil coruus at gmail.com
Fri Oct 31 21:56:42 PDT 2014

A new paper by Frosch et al. here: http://eprint.iacr.org/2014/904


They present an unknown key-share attack on TextSecure; this is rather
serious, to say the least.

Rather puzzling, however:

1. They claim that HMAC(key=constant, message=secret) is not provably
a PRF.  The security reduction of, e.g., [nested_macs] seems
symmetrical if the hash functions is one-way; am I missing something

(HMAC is insecure if *both* inputs can be controlled by the attacker;
this manifestly isn't the case here.)

2. They also claim that the security of truncated SHA2-256, as used in
TextSecure tags, is unknown. (This is likely true for non-generic
attacks: there are good distinguishers on reduced round SHA2-256.)

But the story is very different for non-generic attacks; the
"how-to-hash" indifferentiability proof works here.

More concerning re tags: TextSecure is only using an 8 byte tag.
64-bit authenticity is plainly insufficient. (This really should be
128 bits of SHA2-256's output, or, preferably 160-256 bits of


[nested_macs]: http://cacr.uwaterloo.ca/~ajmeneze/anotherlook/papers/nestedMACs.pdf

More information about the Messaging mailing list