[en] Signal #messenger: "two practical attacks that break the integrity properties of #Signal in its advertised #threat model" - Patched

Paper #ETHZ

"... protocol for resolving identities based on usernames and on phone numbers introduced a #vulnerability that allows a malicious server to inject arbitrary messages into one-to-one conversations under specific circumstances"

"The second #attack is even more severe. It arises from Signal's Sealed Sender (SSS) feature, designed to allow sender identities to be hidden ... a combination of two errors in the #SSS implementation in #Android allows a #malicious server to #inject arbitrary messages into both one-to-one and group conversations."

https://eprint.iacr.org/2026/484

#security #cryptology #encryption #e2e #chat #messaging
#ResearchHighlights

Signal Lost (Integrity): The Signal App is More than the Sum of its Protocols

Signal is a secure messaging app offering end-to-end security for pairwise and group communications. It has tens of millions of users, and has heavily influenced the design of other secure messaging apps (including WhatsApp). Signal has been heavily analysed and, as a result, is rightly regarded as setting the "gold standard" for messaging apps by the scientific community. We present two practical attacks that break the integrity properties of Signal in its advertised threat model. Each attack arises from different features of Signal that are poorly documented and have eluded formal security analyses. The first attack, affecting Android and Desktop, arises from Signal's introduction of identities based on usernames (instead of phone numbers) in early 2022. We show that the protocol for resolving identities based on usernames and on phone numbers introduced a vulnerability that allows a malicious server to inject arbitrary messages into one-to-one conversations under specific circumstances. The injection causes a user-visible alert about a change of safety numbers, but if the users compare their safety numbers, they will be correct. The second attack is even more severe. It arises from Signal's Sealed Sender (SSS) feature, designed to allow sender identities to be hidden. We show that a combination of two errors in the SSS implementation in Android allows a malicious server to inject arbitrary messages into both one-to-one and group conversations. The errors relate to missing key checks and the loss of context when cryptographic processing is distributed across multiple software components. The attack is undetectable by users and can be mounted at any time, without any preconditions. As far as we can tell, the vulnerability has been present since the introduction of SSS in 2018. We disclosed both attacks to Signal. 
The vulnerabilities were promptly acknowledged and patched: the first vulnerability was fixed two days after disclosure, while the second one was patched after eight days. Beyond presenting these devastating attacks on Signal's end-to-end security guarantees, we discuss more broadly what can be learned about the challenges of deploying new security features in complex software projects.

IACR Cryptology ePrint Archive

FYI: #asciidoc with #asciidoctor #bibtex stumbles upon slashes in bibtex #citation keys:
it prints the citation key in the bibliography before the entry.

This happens with all the #IACR #eprint #cryptology paper citations generated on their site

Removing the slash from the citekey is a workaround
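One way to apply that workaround across a whole project, as an added example (my own script, not part of asciidoctor-bibtex or of the IACR site): rewrite every entry key containing a slash in the .bib file and every `cite:[...]`/`citenp:[...]` macro that refers to it, keeping the two in sync. The `.bib` and `.adoc` samples are constructed here; that IACR's export uses keys of the form `cryptoeprint:YEAR/NUMBER` and that only the `cite` and `citenp` macros need rewriting are assumptions, and replacing the slash with an underscore rather than deleting it is my choice.

```python
import re

# Constructed sample .bib in the shape an ePrint BibTeX export is assumed to take.
SAMPLE_BIB = """\
@misc{cryptoeprint:2026/484,
      author = {Example Author},
      title = {Signal Lost (Integrity): The Signal App is More than the Sum of its Protocols},
      howpublished = {Cryptology {ePrint} Archive, Paper 2026/484},
      year = {2026},
      url = {https://eprint.iacr.org/2026/484}
}
@article{zaikin2025preimage,
      author = {Oleg Zaikin},
      title = {Preimage attacks on round-reduced MD5, SHA-1, and SHA-256 using parameterized SAT solver},
      journal = {Constraints},
      year = {2025}
}
"""

# Constructed sample AsciiDoc text using asciidoctor-bibtex cite macros.
SAMPLE_ADOC = """\
Two attacks on Signal cite:[cryptoeprint:2026/484] and SAT-based preimages
cite:[zaikin2025preimage, cryptoeprint:2026/484(Sect. 3)].

bibliography::[]
"""

# "@type{key," at the start of a BibTeX entry; the key runs up to the first comma.
ENTRY_RE = re.compile(r"@(\w+)\s*\{\s*([^,\s]+)\s*,")
# cite:[...] and citenp:[...] macros (assumed to be the only ones that carry keys).
CITE_RE = re.compile(r"\b(cite|citenp)(:\[)([^\]]*)(\])")


def find_bib_keys(bib_text):
    """Return the entry keys in the order they appear in the .bib text."""
    return [m.group(2) for m in ENTRY_RE.finditer(bib_text)]


def key_mapping(keys, bad_char="/", replacement="_"):
    """Map each key containing bad_char to a sanitised key, refusing silent collisions."""
    mapping, taken = {}, set(keys)
    for key in keys:
        if bad_char not in key:
            continue
        new = key.replace(bad_char, replacement)
        if new in taken:
            raise ValueError(f"key collision: {key!r} -> {new!r}")
        taken.add(new)
        mapping[key] = new
    return mapping


def rewrite_bib(bib_text, mapping):
    """Rename entry keys only; field values such as the url stay untouched."""
    return ENTRY_RE.sub(
        lambda m: f"@{m.group(1)}{{{mapping.get(m.group(2), m.group(2))},", bib_text)


def rewrite_adoc(adoc_text, mapping):
    """Rename keys inside cite macros; a trailing locator like (Sect. 3) is preserved.
    Limitation: a locator that itself contains a comma would be split."""
    def fix_macro(m):
        items = []
        for item in m.group(3).split(","):
            item = item.strip()
            head = re.match(r"[^\s(]*", item).group(0)   # key before any locator
            items.append(mapping.get(head, head) + item[len(head):])
        return m.group(1) + m.group(2) + ", ".join(items) + m.group(4)
    return CITE_RE.sub(fix_macro, adoc_text)


def fix_project(bib_text, adoc_text):
    """Sanitise keys in both files consistently; returns (new_bib, new_adoc, mapping)."""
    mapping = key_mapping(find_bib_keys(bib_text))
    return rewrite_bib(bib_text, mapping), rewrite_adoc(adoc_text, mapping), mapping


if __name__ == "__main__":
    new_bib, new_adoc, mapping = fix_project(SAMPLE_BIB, SAMPLE_ADOC)
    print(mapping)
    print(new_adoc)
```

Run it once over the .bib and every .adoc that cites it; because the mapping is computed from the .bib, a key that was never exported with a slash is left alone.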

1/2 Exciting news: we just published a new paper: "Preimage attacks on round-reduced MD5, SHA-1, and SHA-256 using parameterized SAT solver", by Oleg Zaikin

If you are interested in security, cryptology, or Constraint Programming, definitely give this paper a read!

https://link.springer.com/article/10.1007/s10601-025-09383-0

#ConstraintProgramming #Security #Cryptology #Cryptography #CryptographicHashFunctions #ConflictDrivenClauseLearning #BooleanSatisfiability #MD5 #SHA1 #SHA256

A fascinating story of an orangutan cryptologist tiger team performing various replay attacks on orangutan Alice and Eve-ing what Alice then had to say to Bob.

https://www.youtube.com/watch?v=TXUcB7SLcM0

#infosec #cryptology #linguistics #ethology #zoology #zoolinguistics

Orangutan Language Is Eerily Similar to Ours

YouTube

A new study suggests the Voynich Manuscript’s famously unreadable text may have been produced using a historically plausible cipher, one that even incorporates playing cards and early Tarot, bringing scholars a step closer to understanding the manuscript’s mystery.

https://wildhunt.org/2026/01/reading-the-unreadable-a-new-study-proposes-cipher-and-tarot-connection.html

#pagan #witchcraft #science #cipher #cryptology #rarebooks #voynichmanuscript #tarot

Reading the Unreadable: A New Study Proposes Cipher - and Tarot Connection


The Wild Hunt

The #OpenSource package for #cryptology analysis of S-boxes by H. Hadipour runs in #Python using the modularized pip-installable distributions of the #SageMath library from the passagemath project. github.com/hadipourh/sb...

GitHub - hadipourh/sboxanalyzer: An easy-to-use and open-source tool for differential, linear, differential-linear, and integral analysis of S-boxes


GitHub
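The differential and linear analyses the tool performs both start from two tables. As an added example (my own plain-Python code, not sboxanalyzer's, and not using SageMath), here is how the difference distribution table and the linear approximation table are built and summarised, with PRESENT's public 4-bit S-box as a real input and a constructed affine S-box showing what a broken one looks like in the same numbers:

```python
from itertools import product

# PRESENT's 4-bit S-box, a public constant from the cipher specification.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# Constructed weak S-box for contrast: affine, S(x) = x XOR 5, so every input
# difference maps to one output difference and every linear mask holds exactly.
AFFINE_SBOX = [x ^ 0x5 for x in range(16)]


def parity(v):
    """Parity of the set bits of v: the GF(2) dot product once v = mask & value."""
    return bin(v).count("1") & 1


def ddt(sbox):
    """Difference distribution table: ddt[a][b] = #{x : S(x) ^ S(x ^ a) == b}."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for a, x in product(range(size), repeat=2):
        table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def lat(sbox):
    """Linear approximation table in Walsh form:
    lat[a][b] = sum over x of (-1)^(a.x XOR b.S(x)).
    Divide by the table size for the correlation of a.x = b.S(x); +-size means it always holds."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for a, b in product(range(size), repeat=2):
        table[a][b] = sum(1 - 2 * parity((a & x) ^ (b & sbox[x])) for x in range(size))
    return table


def differential_uniformity(sbox):
    """Largest DDT entry with a nonzero input difference (4 is optimal for 4-bit bijections)."""
    return max(v for a, row in enumerate(ddt(sbox)) if a for v in row)


def linearity(sbox):
    """Largest |LAT| entry with a nonzero output mask (8 is optimal for 4-bit bijections)."""
    table, size = lat(sbox), len(sbox)
    return max(abs(table[a][b]) for a in range(size) for b in range(1, size))


def best_differentials(sbox):
    """All (input diff, output diff, count) triples that reach the uniformity bound."""
    table, bound = ddt(sbox), differential_uniformity(sbox)
    return [(a, b, v) for a, row in enumerate(table) if a
            for b, v in enumerate(row) if v == bound]


def report(sbox):
    """Summary a designer would check: bijectivity, max differential probability, max linear bias."""
    size = len(sbox)
    return {
        "bijective": sorted(sbox) == list(range(size)),
        "differential_uniformity": differential_uniformity(sbox),
        "max_differential_probability": differential_uniformity(sbox) / size,
        "linearity": linearity(sbox),
        "max_linear_bias": linearity(sbox) / (2 * size),
    }


if __name__ == "__main__":
    for name, box in (("PRESENT", PRESENT_SBOX), ("affine x^5", AFFINE_SBOX)):
        print(name, report(box))
```

For PRESENT this reports differential uniformity 4 (probability 2^-2) and linearity 8 (bias 2^-2), the optimal values for a 4-bit bijection; the affine box reports 16 for both, i.e. differences and linear masks that hold with probability 1.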

🫣

A firm considered one of the leading global voices in encryption has cancelled the announcement of its leadership election results after an official lost the encrypted key needed to unlock them.

The International Association for Cryptologic Research (IACR) uses an electronic voting system which needs three members, each with part of an encrypted key, to access the results.

https://www.bbc.com/news/articles/c62vl05rz0ko

#cryptology #encryption #IACR

Cryptology firm cancels elections after losing encryption key

The International Association for Cryptologic Research - created to study secure communication - said it was an "honest human mistake."

Well, sh*t happens. ¯\_(ツ)_/¯
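The failure mode above is structural: if opening the results needs every one of the three holders, losing any single share is fatal. As an added example (my own code, not IACR's or its voting system's; the field prime, the share layout and the sample key are assumptions), here is one standard way to split a key among trustees, Shamir secret sharing, run twice on the same key to show that a 3-of-3 split has zero loss tolerance while a 2-of-3 split survives losing any one share:

```python
import random
import secrets

# Field for the polynomial arithmetic: the Mersenne prime 2^521 - 1, large enough that a
# 256-bit key is a single field element (choice of field is an assumption of this example).
P = 2**521 - 1

# Constructed 32-byte sample key standing in for the result decryption key.
SAMPLE_KEY = bytes(range(32))


def split_secret(secret, n, t, seed=None):
    """Shamir split: n shares (x, f(x)) of a random degree t-1 polynomial with f(0) = secret,
    so any t shares recover it and any t-1 reveal nothing about it.
    `seed` only makes the demo reproducible; for real use leave it None so the
    coefficients come from the OS CSPRNG."""
    if not 1 <= t <= n or not 0 <= secret < P:
        raise ValueError("need 1 <= t <= n and 0 <= secret < P")
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    coeffs = [secret] + [rng.randrange(P) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange interpolation of f(0). Note what this does NOT do: with fewer than t
    shares it still returns a value, just a wrong one. Nothing in the arithmetic
    signals a missing share, so the threshold must be chosen with loss in mind."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * xj % P
                den = den * (xj - xi) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def loss_tolerance(key=SAMPLE_KEY, seed=None):
    """Split the same key 3-of-3 and 2-of-3, drop one share from each, and try to recover."""
    secret = int.from_bytes(key, "big")
    all_three = split_secret(secret, n=3, t=3, seed=seed)
    two_of_three = split_secret(secret, n=3, t=2, seed=seed)
    return {
        "3-of-3, all shares": recover_secret(all_three) == secret,
        "3-of-3, share 3 lost": recover_secret(all_three[:2]) == secret,
        "2-of-3, share 3 lost": recover_secret(two_of_three[:2]) == secret,
        "2-of-3, share 1 lost": recover_secret(two_of_three[1:]) == secret,
    }


if __name__ == "__main__":
    for case, ok in loss_tolerance().items():
        print(f"{case}: {'recovered' if ok else 'UNRECOVERABLE'}")
```

The operational lesson is in the second and third lines of output: a threshold strictly below the number of holders (t < n) is what buys tolerance for a lost share, and it costs nothing in secrecy as long as t is above the number of holders you are willing to let collude.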

#Cryptology boffins' association to re-run election after losing encryption key needed to count votes https://www.theregister.com/2025/11/24/cryptologic_research_election_rerun/


The shoemaker’s children have new friends

The Register