{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,5]],"date-time":"2026-06-05T04:20:55Z","timestamp":1780633255704,"version":"3.54.1"},"reference-count":75,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2025,12,17]],"date-time":"2025-12-17T00:00:00Z","timestamp":1765929600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,12,17]],"date-time":"2025-12-17T00:00:00Z","timestamp":1765929600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Swiss Federal Institute of Technology Zurich"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Cryptol"],"published-print":{"date-parts":[[2026,1]]},"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>We study the use of symmetric cryptography in the MTProto 2.0 protocol, Telegram\u2019s equivalent of the TLS protocol. We give positive and negative results. On the one hand, we formally and in detail specify a slight variant of Telegram\u2019s \u201crecord protocol\u201d and prove that it achieves security in a suitable bidirectional secure channel model, albeit under unstudied assumptions; this model itself advances the state of the art for secure channels. On the other hand, we first motivate our slight deviation from MTProto as deployed by giving two attacks on the original protocol specification: one of practical, one of theoretical interest. Then, we give two attacks on the implementation, which are outside of our formal model: one targeting the client, one targeting the server. The client-side attack enables plaintext recovery by exploiting timing side channels, of varying strength, in three official Telegram clients. On its own this attack is thwarted by the secrecy of header fields that are established by Telegram\u2019s key exchange protocol. We thus chain this attack with an attack against the implementation of the key exchange protocol on Telegram\u2019s servers. This final attack breaks the authentication properties of Telegram\u2019s key exchange, allowing a MitM attack. More mundanely, it also reduces the cost of the client-side plaintext-recovery attack. In totality, our results provide the first comprehensive study of MTProto\u2019s use of symmetric cryptography, as well as highlight weaknesses in its key exchange.<\/jats:p>","DOI":"10.1007\/s00145-025-09566-1","type":"journal-article","created":{"date-parts":[[2025,12,17]],"date-time":"2025-12-17T18:27:25Z","timestamp":1765996045000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Four Attacks and a Proof for Telegram"],"prefix":"10.1007","volume":"39","author":[{"given":"Martin R.","family":"Albrecht","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Lenka","family":"Marekov\u00e1","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Kenneth G.","family":"Paterson","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Igors","family":"Stepanovs","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2025,12,17]]},"reference":[{"key":"9566_CR1","unstructured":"M.R. Albrecht, J. Blasco, R.B. Jensen, L. Marekov\u00e1, Collective information security in large-scale urban protests: the case of Hong Kong, in USENIX Security 2021, ed. by M. Bailey, R. Greenstadt (USENIX Association, 2021), pp. 3363\u20133380. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/albrecht"},{"key":"9566_CR2","doi-asserted-by":"publisher","unstructured":"M.R. Albrecht, N. Heninger, On bounded distance decoding with predicate: breaking the \u201clattice barrier\u201d for the hidden number problem, in EUROCRYPT\u00a02021, Part\u00a0I. LNCS, vol. 12696, ed. by A. Canteaut, F.X. Standaert (Springer, Cham, 2021), pp. 528\u2013558. https:\/\/doi.org\/10.1007\/978-3-030-77870-5_19","DOI":"10.1007\/978-3-030-77870-5_19"},{"key":"9566_CR3","doi-asserted-by":"publisher","unstructured":"M.R. Albrecht, L. Marekov\u00e1, K.G. Paterson, E. Ronen, I. Stepanovs, Analysis of the telegram key exchange, in EUROCRYPT\u00a02025, Part\u00a0VIII. LNCS, vol. 15608, ed. by S. Fehr, P.A. Fouque, (Springer, Cham, 2025), pp. 212\u2013241. https:\/\/doi.org\/10.1007\/978-3-031-91101-9_8","DOI":"10.1007\/978-3-031-91101-9_8"},{"key":"9566_CR4","doi-asserted-by":"publisher","unstructured":"M.R. Albrecht, L. Marekov\u00e1, K.G. Paterson, I. Stepanovs, Four attacks and a proof for Telegram, in 2022 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2022), pp. 87\u2013106. https:\/\/doi.org\/10.1109\/SP46214.2022.9833666","DOI":"10.1109\/SP46214.2022.9833666"},{"key":"9566_CR5","doi-asserted-by":"publisher","unstructured":"M.R. Albrecht, K.G. Paterson, G.J. Watson, Plaintext recovery attacks against SSH, in 2009 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2009), pp. 16\u201326. https:\/\/doi.org\/10.1109\/SP.2009.5","DOI":"10.1109\/SP.2009.5"},{"key":"9566_CR6","doi-asserted-by":"publisher","unstructured":"N.J. AlFardan, K.G. Paterson, Lucky thirteen: breaking the TLS and DTLS record protocols, in 2013 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2013), pp. 526\u2013540. https:\/\/doi.org\/10.1109\/SP.2013.42","DOI":"10.1109\/SP.2013.42"},{"key":"9566_CR7","doi-asserted-by":"publisher","unstructured":"J. Alwen, S. Coretti, Y. Dodis, The double ratchet: security notions, proofs, and modularization for the Signal protocol, in Ishai and Rijmen [31], pp. 129\u2013158. https:\/\/doi.org\/10.1007\/978-3-030-17653-2_5","DOI":"10.1007\/978-3-030-17653-2_5"},{"key":"9566_CR8","doi-asserted-by":"publisher","unstructured":"E. Andreeva, A. Bogdanov, A. Luykx, B. Mennink, N. Mouha, K. Yasuda, How to securely release unverified plaintext in authenticated encryption, in ASIACRYPT\u00a02014, Part\u00a0I. LNCS, vol.\u00a08873, ed. by P. Sarkar, T. Iwata (Springer, Berlin, Heidelberg, 2014), pp. 105\u2013125. https:\/\/doi.org\/10.1007\/978-3-662-45611-8_6","DOI":"10.1007\/978-3-662-45611-8_6"},{"key":"9566_CR9","unstructured":"T. von Arx, K.G. Paterson, On the cryptographic fragility of the Telegram ecosystem. Cryptology ePrint Archive, Paper 2022\/595 (2022), https:\/\/eprint.iacr.org\/2022\/595, to appear at AsiaCCS 2023"},{"key":"9566_CR10","doi-asserted-by":"publisher","unstructured":"M. Bellare, D.J. Bernstein, S. Tessaro, Hash-function based PRFs: AMAC and its multi-user security, in EUROCRYPT\u00a02016, Part\u00a0I. LNCS, vol.\u00a09665, ed. by M. Fischlin, J.S. Coron (Springer, Berlin, Heidelberg, 2016), pp. 566\u2013595. https:\/\/doi.org\/10.1007\/978-3-662-49890-3_22","DOI":"10.1007\/978-3-662-49890-3_22"},{"issue":"4","key":"9566_CR11","doi-asserted-by":"publisher","first-page":"640","DOI":"10.1007\/s00145-011-9106-1","volume":"25","author":"M Bellare","year":"2012","unstructured":"M. Bellare, A. Boldyreva, L.R. Knudsen, C. Namprempre, On-line ciphers and the hash-CBC constructions. J. Cryptol. 25(4), 640\u2013679 (2012). https:\/\/doi.org\/10.1007\/s00145-011-9106-1","journal-title":"Journal of Cryptology"},{"key":"9566_CR12","doi-asserted-by":"publisher","unstructured":"M. Bellare, R. Canetti, H. Krawczyk, Pseudorandom functions revisited: the cascade construction and its concrete security, in 37th FOCS (IEEE Computer Society Press, 1996), pp. 514\u2013523. https:\/\/doi.org\/10.1109\/SFCS.1996.548510","DOI":"10.1109\/SFCS.1996.548510"},{"key":"9566_CR13","doi-asserted-by":"publisher","unstructured":"M. Bellare, A. Desai, E. Jokipii, P. Rogaway, A concrete security treatment of symmetric encryption, in 38th FOCS (IEEE Computer Society Press, 1997), pp. 394\u2013403. https:\/\/doi.org\/10.1109\/SFCS.1997.646128","DOI":"10.1109\/SFCS.1997.646128"},{"key":"9566_CR14","doi-asserted-by":"publisher","unstructured":"M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications, in EUROCRYPT\u00a02003. LNCS, vol.\u00a02656, ed. by E. Biham (Springer, Berlin, Heidelberg, 2003), pp. 491\u2013506. https:\/\/doi.org\/10.1007\/3-540-39200-9_31","DOI":"10.1007\/3-540-39200-9_31"},{"key":"9566_CR15","doi-asserted-by":"publisher","unstructured":"M. Bellare, T. Kohno, C. Namprempre, Authenticated encryption in SSH: provably fixing the SSH binary packet protocol, in ACM CCS 2002, ed. by V. Atluri (ACM Press, 2002), pp. 1\u201311. https:\/\/doi.org\/10.1145\/586110.586112","DOI":"10.1145\/586110.586112"},{"issue":"2","key":"9566_CR16","doi-asserted-by":"publisher","first-page":"206","DOI":"10.1145\/996943.996945","volume":"7","author":"M Bellare","year":"2004","unstructured":"M. Bellare, T. Kohno, C. Namprempre, Breaking and provably repairing the SSH authenticated encryption scheme: a case study of the encode-then-encrypt-and-mac paradigm. ACM Trans. Inf. Syst. Secur. (TISSEC) 7(2), 206\u2013241 (2004)","journal-title":"ACM Transactions on Information and System Security (TISSEC)"},{"key":"9566_CR17","doi-asserted-by":"publisher","unstructured":"M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in Vaudenay [75], pp. 409\u2013426. https:\/\/doi.org\/10.1007\/11761679_25","DOI":"10.1007\/11761679_25"},{"key":"9566_CR18","doi-asserted-by":"publisher","unstructured":"M. Bellare, A.C. Singh, J. Jaeger, M. Nyayapati, I. Stepanovs, Ratcheted encryption and key exchange: the security of messaging, in CRYPTO\u00a02017, Part\u00a0III. LNCS, vol. 10403, ed. by J. Katz, H. Shacham (Springer, Cham, 2017). pp. 619\u2013650. https:\/\/doi.org\/10.1007\/978-3-319-63697-9_21","DOI":"10.1007\/978-3-319-63697-9_21"},{"key":"9566_CR19","doi-asserted-by":"publisher","unstructured":"D. Bleichenbacher, Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1, in CRYPTO\u201998. LNCS, vol.\u00a01462, ed. by H. Krawczyk (Springer, Berlin, Heidelberg, 1998), pp. 1\u201312. https:\/\/doi.org\/10.1007\/BFb0055716","DOI":"10.1007\/BFb0055716"},{"key":"9566_CR20","doi-asserted-by":"publisher","unstructured":"C. Boyd, B. Hale, S.F. Mj\u00f8lsnes, D. Stebila, From stateless to stateful: generic authentication and authenticated encryption constructions with application to TLS, in CT-RSA\u00a02016. LNCS, vol.\u00a09610, ed. by K. Sako (Springer, Cham, 2016), pp. 55\u201371. https:\/\/doi.org\/10.1007\/978-3-319-29485-8_4","DOI":"10.1007\/978-3-319-29485-8_4"},{"key":"9566_CR21","doi-asserted-by":"publisher","unstructured":"A. Caforio, F.B. Durak, S. Vaudenay, Beyond security and efficiency: on-demand ratcheting with security awareness, in PKC\u00a02021, Part\u00a0II. LNCS, vol. 12711, ed. by J. Garay (Springer, Cham, 2021), pp. 649\u2013677. https:\/\/doi.org\/10.1007\/978-3-030-75248-4_23","DOI":"10.1007\/978-3-030-75248-4_23"},{"issue":"6","key":"9566_CR22","doi-asserted-by":"publisher","first-page":"15","DOI":"10.1109\/MCOM.1978.1089775","volume":"16","author":"C Campbell","year":"1978","unstructured":"C. Campbell, Design and specification of cryptographic capabilities. IEEE Commun. Soc. Mag. 16(6), 15\u201319 (1978)","journal-title":"IEEE Communications Society Magazine"},{"key":"9566_CR23","doi-asserted-by":"publisher","unstructured":"J.S. Coron, Y. Dodis, C. Malinaud, P. Puniya, Merkle-Damg\u00e5rd revisited: how to construct a hash function, in CRYPTO\u00a02005. LNCS, vol.\u00a03621, ed. by V. Shoup (Springer, Berlin, Heidelberg, 2005), pp. 430\u2013448. https:\/\/doi.org\/10.1007\/11535218_26","DOI":"10.1007\/11535218_26"},{"key":"9566_CR24","doi-asserted-by":"publisher","unstructured":"J.P. Degabriele, M. Fischlin, Simulatable channels: extended security that is universally composable and easier to prove, in ASIACRYPT\u00a02018, Part\u00a0III. LNCS, vol. 11274, ed. by T. Peyrin, S. Galbraith (Springer, Cham, 2018), pp. 519\u2013550. https:\/\/doi.org\/10.1007\/978-3-030-03332-3_19","DOI":"10.1007\/978-3-030-03332-3_19"},{"key":"9566_CR25","doi-asserted-by":"crossref","unstructured":"K. Ermoshina, H. Halpin, F. Musiani, Can Johnny build a protocol? Co-ordinating developer and user intentions for privacy-enhanced secure messaging protocols, in European Workshop on Usable Security (2017)","DOI":"10.14722\/eurousec.2017.23016"},{"key":"9566_CR26","doi-asserted-by":"publisher","unstructured":"P. Eugster, G.A. Marson, B. Poettering, A cryptographic look at multi-party channels, in CSF 2018 Computer Security Foundations Symposium, ed. by S. Chong, S. Delaune (IEEE Computer Society Press, 2018), pp. 31\u201345. https:\/\/doi.org\/10.1109\/CSF.2018.00010","DOI":"10.1109\/CSF.2018.00010"},{"key":"9566_CR27","unstructured":"M. Fischlin, F. G\u00fcnther, C. Janson, Robust channels: handling unreliable networks in the record layers of QUIC and DTLS 1.3. Cryptology ePrint Archive, Report 2020\/718 (2020). https:\/\/eprint.iacr.org\/2020\/718"},{"issue":"2","key":"9566_CR28","doi-asserted-by":"publisher","first-page":"9","DOI":"10.1007\/s00145-023-09489-9","volume":"37","author":"M Fischlin","year":"2024","unstructured":"M. Fischlin, F. G\u00fcnther, C. Janson, Robust channels: handling unreliable networks in the record layers of QUIC and DTLS 1.3. J. Cryptol. 37(2), 9 (2024). https:\/\/doi.org\/10.1007\/s00145-023-09489-9","journal-title":"J. Cryptol."},{"key":"9566_CR29","unstructured":"Google: BoringSSL AES IGE implementation. https:\/\/github.com\/DrKLO\/Telegram\/blob\/d073b80063c568f31d81cc88c927b47c01a1dbf4\/TMessagesProj\/jni\/boringssl\/crypto\/fipsmodule\/aes\/aes_ige.c (Jul 2018)"},{"key":"9566_CR30","unstructured":"H. Handschuh, D. Naccache, SHACAL (-submission to NESSIE-). Proceedings of First Open NESSIE Workshop (2000), http:\/\/citeseerx.ist.psu.edu\/viewdoc\/download?doi=10.1.1.3.4066&rep=rep1 &type=pdf"},{"key":"9566_CR31","unstructured":"Y. Ishai, V. Rijmen (ed.), EUROCRYPT\u00a02019, Part\u00a0I, LNCS, vol. 11476 (Springer, Cham, 2019)"},{"key":"9566_CR32","doi-asserted-by":"crossref","unstructured":"J. Iyengar, M. Thomson, QUIC: A UDP-based multiplexed and secure transport. https:\/\/datatracker.ietf.org\/doc\/draft-ietf-quic-transport\/ (Mar 2021), draft Version\u00a034","DOI":"10.17487\/RFC9000"},{"key":"9566_CR33","doi-asserted-by":"publisher","unstructured":"J. Jaeger, I. Stepanovs, Optimal channel security against fine-grained state compromise: the safety of messaging, in CRYPTO\u00a02018, Part\u00a0I. LNCS, vol. 10991, ed. by H. Shacham, A. Boldyreva (Springer, Cham, 2018), pp. 33\u201362. https:\/\/doi.org\/10.1007\/978-3-319-96884-1_2","DOI":"10.1007\/978-3-319-96884-1_2"},{"key":"9566_CR34","doi-asserted-by":"publisher","unstructured":"J. Jakobsen, C. Orlandi, On the CCA (in)security of MTProto, in Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices\u2014SPSM\u201916 (2016). https:\/\/doi.org\/10.1145\/2994459.2994468","DOI":"10.1145\/2994459.2994468"},{"key":"9566_CR35","doi-asserted-by":"publisher","unstructured":"D. Jost, U. Maurer, M. Mularczyk, Efficient ratcheting: Almost-optimal guarantees for secure messaging, in Ishai and Rijmen [31], pp. 159\u2013188. https:\/\/doi.org\/10.1007\/978-3-030-17653-2_6","DOI":"10.1007\/978-3-030-17653-2_6"},{"key":"9566_CR36","unstructured":"C. Jutla, Attack on free-mac, sci.crypt. https:\/\/groups.google.com\/forum\/#!topic\/sci.crypt\/4bkzm_n7UGA (2000)"},{"key":"9566_CR37","doi-asserted-by":"publisher","unstructured":"J. Kim, G. Kim, S. Lee, J. Lim, J.H. Song, Related-key attacks on reduced rounds of SHACAL-2, in INDOCRYPT\u00a02004. LNCS, vol.\u00a03348, ed. by A. Canteaut, K. Viswanathan (Springer, Berlin, Heidelberg, 2004), pp. 175\u2013190. https:\/\/doi.org\/10.1007\/978-3-540-30556-9_15","DOI":"10.1007\/978-3-540-30556-9_15"},{"key":"9566_CR38","unstructured":"L.R. Knudsen, Block chaining modes of operation. Reports in Informatics, Report 207, Department of Informatics, University of Bergen (2000)"},{"key":"9566_CR39","unstructured":"N. Kobeissi, Formal Verification for Real-World Cryptographic Protocols and Implementations. Theses, INRIA Paris; Ecole Normale Sup\u00e9rieure de Paris\u2014ENS Paris (2018). https:\/\/hal.inria.fr\/tel-01950884"},{"key":"9566_CR40","unstructured":"T. Kohno, A. Palacio, J. Black, Building secure cryptographic transforms, or how to encrypt and MAC. Cryptology ePrint Archive, Report 2003\/177 (2003), https:\/\/eprint.iacr.org\/2003\/177"},{"key":"9566_CR41","doi-asserted-by":"publisher","unstructured":"J. Lu, J. Kim, N. Keller, O. Dunkelman, Related-key rectangle attack on 42-round SHACAL-2, in ISC\u00a02006. LNCS, vol.\u00a04176, ed. by S.K. Katsikas, J. Lopez, M. Backes, S. Gritzalis, B. Preneel (Springer, Berlin, Heidelberg, 2006), pp. 85\u2013100. https:\/\/doi.org\/10.1007\/11836810_7","DOI":"10.1007\/11836810_7"},{"key":"9566_CR42","unstructured":"K. Ludwig, Trudy\u2014Transparent TCP proxy (2017), https:\/\/github.com\/praetorian-inc\/trudy"},{"issue":"1","key":"9566_CR43","doi-asserted-by":"publisher","first-page":"405","DOI":"10.13154\/tosc.v2017.i1.405-426","volume":"2017","author":"GA Marson","year":"2017","unstructured":"G.A. Marson, B. Poettering, Security notions for bidirectional channels. IACR Trans. Symm. Cryptol. 2017(1), 405\u2013426 (2017). https:\/\/doi.org\/10.13154\/tosc.v2017.i1.405-426","journal-title":"IACR Trans. Symm. Cryptol."},{"key":"9566_CR44","unstructured":"R. Merget, M. Brinkmann, N. Aviram, J. Somorovsky, J. Mittmann, J. Schwenk, Raccoon Attack: finding and exploiting most-significant-bit-oracles in TLS-DH(E). https:\/\/raccoon-attack.com\/RacoonAttack.pdf (2020), accessed 11 September 2020"},{"key":"9566_CR45","unstructured":"G.D. Micheli, N. Heninger, Recovering cryptographic keys from partial information, by example. Cryptology ePrint Archive, Report 2020\/1506 (2020). https:\/\/eprint.iacr.org\/2020\/1506"},{"key":"9566_CR46","doi-asserted-by":"crossref","unstructured":"M. Miculan, N. Vitacolonna, Automated symbolic verification of Telegram\u2019s MTProto\u00a02.0. in Proceedings of the 18th International Conference on Security and Cryptography, SECRYPT 2021, ed. by S. De Capitani di Vimercati, P. Samarati (SciTePress, 2021), pp. 185\u2013197","DOI":"10.5220\/0010549601850197"},{"key":"9566_CR47","doi-asserted-by":"crossref","unstructured":"NIST: FIPS 180-4: Secure Hash Standard (2015), http:\/\/dx.doi.org\/10.6028\/NIST.FIPS.180-4","DOI":"10.6028\/NIST.FIPS.180-4"},{"key":"9566_CR48","doi-asserted-by":"crossref","unstructured":"E. Rescorla, H. Tschofenig, N. Modadugu, The Datagram Transport Layer Security (DTLS) protocol version\u00a01.3. https:\/\/datatracker.ietf.org\/doc\/draft-ietf-tls-dtls13\/ (Feb 2021), draft Version\u00a041","DOI":"10.17487\/RFC9147"},{"key":"9566_CR49","doi-asserted-by":"publisher","unstructured":"P. Rogaway, Nonce-based symmetric encryption, in FSE\u00a02004. LNCS, vol.\u00a03017, ed. by B.K. Roy, W. Meier (Springer, Berlin, Heidelberg, 2004), pp. 348\u2013359. https:\/\/doi.org\/10.1007\/978-3-540-25937-4_22","DOI":"10.1007\/978-3-540-25937-4_22"},{"key":"9566_CR50","doi-asserted-by":"publisher","unstructured":"P. Rogaway, T. Shrimpton, A provable-security treatment of the key-wrap problem, in Vaudenay [75], pp. 373\u2013390. https:\/\/doi.org\/10.1007\/11761679_23","DOI":"10.1007\/11761679_23"},{"key":"9566_CR51","doi-asserted-by":"publisher","unstructured":"P. Rogaway, Y. Zhang, Simplifying game-based definitions\u2014indistinguishability up to correctness and its application to stateful AE, in CRYPTO\u00a02018, Part\u00a0II. LNCS, vol. 10992, ed. by H. Shacham, A. Boldyreva (Springer, Cham, 2018), pp. 3\u201332. https:\/\/doi.org\/10.1007\/978-3-319-96881-0_1","DOI":"10.1007\/978-3-319-96881-0_1"},{"issue":"4","key":"9566_CR52","doi-asserted-by":"publisher","first-page":"656","DOI":"10.1002\/j.1538-7305.1949.tb00928.x","volume":"28","author":"CE Shannon","year":"1949","unstructured":"C.E. Shannon, Communication theory of secrecy systems. Bell Syst. Tech. J. 28(4), 656\u2013715 (1949)","journal-title":"Bell Syst. Tech. J."},{"key":"9566_CR53","unstructured":"T. Shrimpton, A characterization of authenticated-encryption as a form of chosen-ciphertext security. Cryptology ePrint Archive, Report 2004\/272 (2004), https:\/\/eprint.iacr.org\/2004\/272"},{"key":"9566_CR54","doi-asserted-by":"crossref","unstructured":"T. Su\u0161\u00e1nka, J. Koke\u0161, Security analysis of the Telegram IM, in Proceedings of the 1st Reversing and Offensive-oriented Trends Symposium, pp.\u00a01\u20138 (2017)","DOI":"10.1145\/3150376.3150382"},{"key":"9566_CR55","unstructured":"Telegram: MTProto transports. http:\/\/web.archive.org\/web\/20200527124125\/https:\/\/core.telegram.org\/mtproto\/mtproto-transports (2020)"},{"key":"9566_CR56","unstructured":"Telegram: Notice of ignored error message. http:\/\/web.archive.org\/web\/20200527121939\/https:\/\/core.telegram.org\/mtproto\/service_messages_about_messages#notice-of-ignored-error-message (2020)"},{"key":"9566_CR57","unstructured":"Telegram: Schema. https:\/\/core.telegram.org\/schema (2020)"},{"key":"9566_CR58","unstructured":"Telegram: tdlib. https:\/\/github.com\/tdlib\/td (2020)"},{"key":"9566_CR59","unstructured":"Telegram: TL language. https:\/\/core.telegram.org\/mtproto\/TL (2020)"},{"key":"9566_CR60","unstructured":"Telegram: 500 million users. https:\/\/t.me\/durov\/147 (2021)"},{"key":"9566_CR61","unstructured":"Telegram: End-to-end encryption, secret chats\u2014sending a request. http:\/\/web.archive.org\/web\/20210126013030\/https:\/\/core.telegram.org\/api\/end-to-end#sending-a-request (2021)"},{"key":"9566_CR62","unstructured":"Telegram: Mobile protocol: Detailed description. http:\/\/web.archive.org\/web\/20210126200309\/https:\/\/core.telegram.org\/mtproto\/description (2021)"},{"key":"9566_CR63","unstructured":"Telegram: Mobile protocol: Detailed description\u2014server salt. http:\/\/web.archive.org\/web\/20210221134408\/https:\/\/core.telegram.org\/mtproto\/description#server-salt (2021)"},{"key":"9566_CR64","unstructured":"Telegram: Security guidelines for client developers. http:\/\/web.archive.org\/web\/20210203134436\/https:\/\/core.telegram.org\/mtproto\/security_guidelines#mtproto-encrypted-messages (2021)"},{"key":"9566_CR65","unstructured":"Telegram: Sequence numbers in secret chats. http:\/\/web.archive.org\/web\/20201031115541\/https:\/\/core.telegram.org\/api\/end-to-end\/seq_no (2021)"},{"key":"9566_CR66","unstructured":"Telegram: tdlib\u2014Transport.cpp. https:\/\/github.com\/tdlib\/td\/blob\/v1.7.0\/td\/mtproto\/Transport.cpp#L272 (2021)"},{"key":"9566_CR67","unstructured":"Telegram: Telegram Android\u2014Datacenter.cpp. https:\/\/github.com\/DrKLO\/Telegram\/blob\/release-7.4.0_2223\/TMessagesProj\/jni\/tgnet\/Datacenter.cpp#L1171 (2021)"},{"key":"9566_CR68","unstructured":"Telegram: Telegram Android\u2014Datacenter.cpp. https:\/\/github.com\/DrKLO\/Telegram\/blob\/release-7.6.0_2264\/TMessagesProj\/jni\/tgnet\/Datacenter.cpp#L1250 (2021)"},{"key":"9566_CR69","unstructured":"Telegram: Telegram Desktop\u2014mtproto_serialized_request.cpp. https:\/\/github.com\/telegramdesktop\/tdesktop\/blob\/v2.5.8\/Telegram\/SourceFiles\/mtproto\/details\/mtproto_serialized_request.cpp#L15 (2021)"},{"key":"9566_CR70","unstructured":"Telegram: Telegram Desktop\u2014session_private.cpp. https:\/\/github.com\/telegramdesktop\/tdesktop\/blob\/v2.6.1\/Telegram\/SourceFiles\/mtproto\/session_private.cpp#L1338 (2021)"},{"key":"9566_CR71","unstructured":"Telegram: Telegram Desktop\u2014session_private.cpp. https:\/\/github.com\/telegramdesktop\/tdesktop\/blob\/v2.7.1\/Telegram\/SourceFiles\/mtproto\/session_private.cpp#L1258 (Apr 2021)"},{"key":"9566_CR72","unstructured":"Telegram: Telegram iOS\u2014MTProto.m. https:\/\/github.com\/TelegramMessenger\/Telegram-iOS\/blob\/release-7.6.2\/submodules\/MtProtoKit\/Sources\/MTProto.m#L2144 (Apr 2021)"},{"key":"9566_CR73","unstructured":"Telegram: Telegram MTProto\u2014creating an authorization key. http:\/\/web.archive.org\/web\/20210112084225\/https:\/\/core.telegram.org\/mtproto\/auth_key (Jan 2021)"},{"key":"9566_CR74","doi-asserted-by":"publisher","unstructured":"N. Unger, S. Dechand, J. Bonneau, S. Fahl, H. Perl, I. Goldberg, M. Smith, SoK: Secure messaging, in 2015 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2015), pp. 232\u2013249. https:\/\/doi.org\/10.1109\/SP.2015.22","DOI":"10.1109\/SP.2015.22"},{"key":"9566_CR75","unstructured":"S. Vaudenay, ed. EUROCRYPT\u00a02006, LNCS, vol\u00a04004 (Springer, Berlin, Heidelberg, 2006)"}],"container-title":["Journal of Cryptology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-025-09566-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s00145-025-09566-1","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-025-09566-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,11]],"date-time":"2026-02-11T20:00:17Z","timestamp":1770840017000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s00145-025-09566-1"}},"subtitle":["Marc Fischlin"],"short-title":[],"issued":{"date-parts":[[2025,12,17]]},"references-count":75,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2026,1]]}},"alternative-id":["9566"],"URL":"https:\/\/doi.org\/10.1007\/s00145-025-09566-1","relation":{},"ISSN":["0933-2790","1432-1378"],"issn-type":[{"value":"0933-2790","type":"print"},{"value":"1432-1378","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,12,17]]},"assertion":[{"value":"31 March 2023","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"12 September 2025","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"21 October 2025","order":3,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"17 December 2025","order":4,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}],"article-number":"10"}}