[messaging] How secure is TextSecure?

Nadim Kobeissi nadim at nadim.computer
Sat Nov 1 15:02:29 PDT 2014

------ Original Message ------
From: "David Leon Gil" <coruus at gmail.com>
To: "messaging at moderncrypto.org" <messaging at moderncrypto.org>
Sent: 2014-11-01 12:56:42 AM
Subject: [messaging] How secure is TextSecure?

>A new paper by Frosch et al. here: http://eprint.iacr.org/2014/904
>They present an unknown key-share attack on TextSecure; this is rather
>serious, to say the least.
I disagree that this is a serious attack. When I read the paper, I was 
surprised that this was even considered a TextSecure-specific attack to 
begin with. I'm sure someone else could write a paper ascribing this 
attack to half the in-production public-key cryptography systems on the 

It's a cool paper though, good on TextSecure for surviving the scrutiny. 
Also, Cryptocat got a mention, that was nice to see. :-)


>Rather puzzling, however:
>1. They claim that HMAC(key=constant, message=secret) is not provably
>a PRF. The security reduction of, e.g., [nested_macs] seems
>symmetrical if the hash functions is one-way; am I missing something
>(HMAC is insecure if *both* inputs can be controlled by the attacker;
>this manifestly isn't the case here.)
>2. They also claim that the security of truncated SHA2-256, as used in
>TextSecure tags, is unknown. (This is likely true for non-generic
>attacks: there are good distinguishers on reduced round SHA2-256.)
>But the story is very different for non-generic attacks; the
>"how-to-hash" indifferentiability proof works here.
>More concerning re tags: TextSecure is only using an 8 byte tag.
>64-bit authenticity is plainly insufficient. (This really should be
>128 bits of SHA2-256's output, or, preferably 160-256 bits of
>Messaging mailing list
>Messaging at moderncrypto.org

More information about the Messaging mailing list