A modified secure version of the Telegram protocol

本论文是 2015 年电子计算和通信技术国际大会(International Conference on Electronics, Computing and Communication Technologies, CONECCT)上的一篇论文。该篇论文的三位作者都来自于印度卡纳塔克邦国家技术研究所。

论文地址，可在 Sci-Hub 获取论文 PDF

这篇论文对 Telegram 现有的 MTProto 协议进行了修改。通过将原有的密钥交换协议从 Diffie-Hellman 修改为使用区块链技术结合非对称密码的密钥交换。采用这种方案，可以解决中间人攻击的问题。
同时，将原有的对称加密算法由 AES-IGE 修改为 AES-CTR，从而实现了并行化加密。而这可以极大地提高加解密的效率。

前置知识

开放计算语言

开放计算语言(Open Computing Language, OpenCL)是一个为异构平台编写程序的框架，此异构平台可由CPU、GPU、DSP、FPGA或其他类型的处理器与硬体加速器所组成。
与其类似的框架有专用于 Nvidia 的 CUDA。而相对于 CUDA，OpenCL 做到跨硬件使用，但相对的性能可能会有所减低。

心脏出血漏洞

加密库 OpenSSL 中的安全漏洞。由于 OpenSSL 被广泛用于各种程序的传输层安全协议(Transport Layer Security, TLS)。
在 TLS 心跳扩展时没有进行边界检查，导致攻击者可能可以获得用户的部分信息，从而导致信息泄露。正是因为 OpenSSL 的使用非常广泛，因此很多站点、应用都受到了影响。

无限混淆拓展

无限混淆拓展¹(Infinite Garble Extension, IGE)是一个相对很少使用的分组密码模式，其主要在 Telegram 中的 MTProto 协议使用。

IGE 的定义为:
$c_i = f_K(m_i \oplus c_{i-1}) \oplus m_{i-1}$
其中 $f_K$ 是使用密钥 $K$ 的加密函数（如 AES）， $i$ 取值 $1$ 到 $n$ ，代表明文分组数目。其图示如下：

IGE 模式图示

对于第一个输出，需要两个初始值 $c_0$ 和 $m_0$ ，两者均来自于 $IV$ 值。在最初的论文中， $m_0$ 是一个随机块，而 $c_0$ 描述为其加密后结果。而 OpenSSL 中这两者都由用户提供。

更详细的内容可以参考 OpenSSL 的论文

摘要

原文

Abstract — The advent of mobile phones and the spread of the internet have caused a substantial increase in the utilization of these technologies for personal communication. A wide range of mobile applications exist, most of which use their own proprietary protocol. Reports of snooping attacks have prompted the parent organizations and users to guarantee that the encrypted data sent over a public network is decrypted only by the intended recipient. Smart phone operating systems provide GPS data to these applications so that users can tag photos with this information. As these applications mostly run a daemon or service in the background to automatically receive messages, an unattended switched on location service coupled with a weak protocol leaves the user highly vulnerable of being tracked by eavesdroppers. These applications are known to, by observing their behaviour, upload the user's contact list to the server so as identify those contacts using the same application. These are but just two important data that need to be protected by tough security measures during transit. Any loop hole in security protocols will leave the user vulnerable to attacks, even outside the digital world. Online chat protocols such as the Telegram protocol ensure end-toend security of data. Although the protocol itself has been explained in much detail by the designers, this protocol is disfavored because of its performance drawbacks and its susceptibility to man-in-themiddle attacks. In this paper, we modify the Telegram protocol in an attempt to make it more efficient and secure.

在互联网普及后，很多应用都使用自己的私有协议进行数据传输。但即使是以安全著称的 Telegram，并且详细公开了其协议 MTProto，但其仍然存在性能缺陷并且难以抵抗中间人攻击。在这篇论文中对 MTProt 进行了修改

Ⅰ. 说明

原文

I. INTRODUCTION

Secure chat protocols have seen a huge increase in use in recent years as concerns over data privacy grow. All applications for digital devices now use novel protocols to ensure that their users' data is not compromised during transit, Telegram being one among them. The Telegram protocol has many features to ensure data integrity but being quite new in the domain, it has still has room for improvements in terms of performance and security. In this paper, we propose replacements and modifications to few modules of the protocol to improve the performance and security of the resulting implementation. We also try to specifically show the performance improvement that comes along with parallelizing the main encryption algorithm.

人们对数据隐私愈加担忧，很多地方都开始使用安全聊天协议，以确保用户数据在传输过程中不会被破坏。尽管电报协议可以很好地确保数据完整性，但性能和安全性仍有改进的空间。本文通过对原有 MTProto 进行替换和修改来提高性能和安全性。

Ⅱ. 文献综述

原文

Ⅱ. LITERATURE REVIEW

The whole topic of encrypting using OpenCL has been extensively studied and analysed. The performance results of the various algorithms, under various hardware systems and various software platforms too have been extensively studied and analysed. In our paper the main focus has been on analyzing the deficiencies of the Telegram protocol. Hence the topics that we have focussed on are parallelization issues and encryption vulnerabilities. In parallelization issues we have looked at the hardware implementation of parallel hardware architectures and how their processing capabilities and their memory architectures can be harnessed to make algorithms much faster. We have also focussed on replacing the symmetric encryption algorithm by a version that supports parallelization.

Parallel hardware architectures have been a major research area in computer science for a decade now. Much of the initial work was focussed on getting parallel processors to speed up graphics processing since most algorithms used for graphics processing can be readily parallelized. The demand for faster graphics processing fuelled the development of faster and more sophisticated GPUs. The exponential rise in the power of graphics processors has been extensively documented. It was soon noticed that the same architectures that are used for graphics processing can also be used for improving the performance of algorithms of other kinds. The first software platform that allowed for the use of this was OpenGL. This was soon followed by other standards like OpenCL and CUDA.

Similarly the concepts and techniques used for ensuring and privacy security have also seen new developments. Encryption techniques and the vulnerabilities inherent in them are being exploited with a malicious intent with ever increasing frequency. This calls for the development and application of more rigorous and resilient cryptographic techniques and protocols. Critical vulnerabilities like ‘Heartbleed’ have severely affected secure systems in the recent past. Hence there is a major requirement for more efficient cryptosystems.

使用 OpenCL 加密已经经过了广泛的分析研究。这篇文章主要针对 MTProto 的不足，重在并行化和加密方面。通过并行硬件架构硬件实现和并行化对称加密算法来进行安全性的提升。
近几年，并行硬件体系结构一直是计算机科学的重要研究方向。大多数的图形处理算法都可以很容易地并行化，最初的工作集中在并行加速图形处理。由于这种架构也可以提高其他算法的性能，因此 OpenGL、OpenCL、CUDA 等标准框架被提出。
用于确保隐私安全的概念和技术也有新的发展，各种加密技术本身存在的缺陷被加以利用，类似于 Heartbleed 这样的漏洞已经严重影响了安全系统。

Ⅲ. 概念

1. 数字证书

原文

1. Digital Certificates

Digital certificates, also called public key certificates are a class of cryptographic techniques used to verify and validate ownership and authenticity of data. For example, to send secure data over to abc.com, you would contact a trusted party called a Certificate Authority and request a digital certificate for the particular website, containing a public key. The user can use this public key to encrypt data before sending it over to the website. Only the authentic source will have the private key to the corresponding public key and hence only they would be able to decrypt the particular message. However the certificate authorities are themselves vulnerable to a multitude of attacks.

数字证书，也称为公钥证书，是一种用于验证数据所有权和真实性的加密技术。要和abc.com进行通信首先需要向证书颁发机构请求对应站点的数字证书，用户使用该公钥将数据加密后发送到网站。由于只有真实的站点才拥有对应公钥的私钥，因此只有真实站点才能解密特定消息。但也因此，证书颁发机构易受攻击。

2. 对称加密

原文

2. Symmetric Key Cryptography

Symmetric key cryptosystems are those that use the same key for both encryption and decryption. They can be used as stream or block ciphers. Stream ciphers are those where encryption happens one byte at a time. Block ciphers are those where a whole block is encrypted at a time. The most widely used symmetric key cryptosystem is the AES [1] (Advanced Encryption Standard) cryptosystem. Telegram uses the AES symmetric key encryption protocol in IGE block chaining mode to encrypt the messages.

对称密钥体系是使用相同密钥进行加解密的密码系统（与上面提到的使用公钥加密，私钥解密的非对称密钥体系不同）。对称密钥可以使用流密码（一次加解密一个字节）和分组密码（一次加解密固定长度的数据）。在 Telegram 中使用的即是 AES。

3. 分组密码模式

原文

3. Block Cipher Modes

These are algorithms that work on block ciphers to provide confidentiality and authenticity. A block cipher specifies how to repeatedly apply a particular operation on a large set of blocks such that the desired characteristics in the cipher text are enhanced. There are different block cipher modes under AES such as ECB, CBC, CFB, OFB and CTR. Each of these modes has different error propagation properties and, hence, is best suited for different scenarios.

分组密码要求固定长度的明文和密钥，同时输出固定长度的密文。常用的分组加密算法如 AES 可以证明其拥有足够的安全性。对于不同长度的内容，可以使用不同的分组密码工作模式，如：ECB、CBC、CFB、OFB、CTR。每种不同的工作模式都有不同的适用场景。

4. 区块链

原文

4. Blockchain

The block chain is the cornerstone of the Bitcoin protocol and was originally invented for the same. The basic idea espoused in the block-chain concept is that if people have to agree on the ordering of certain events in the digital world then there has to be a monetary incentive attached to it. The mathematical implementation of this idea is considered to be one of the greatest achievements in cryptography and technology in general in the past decade. As it has a monetary value associated with it, it can be just as well used as a currency or a contract. Blockchain technology has been used as the backbone of many crypto currencies over the past five to six years. However the technology can be used to agree on many other things relevant to the digital space. Name-coin was one of the first forks of the original BitCoin protocol. NameCoin used the block-chain idea to attack an old technological challenge in the online world, Domain Names. Traditionally the handling of DNS servers rested at the hands of a centralized internet authority, ICANN. ICANN was suspected to be at least under the partial influence of the US government.

This led to a demand from mainly the anarchist community for a truly decentralized system that can map IP addresses to domain names in which the first and final authority on control rested with the end user. NameCoin protocol was a response to this demand. Each entry in the NameCoin blockchain can be used for storing any identification information of a certain data size. This exact idea has been extended to include domain names and a corresponding public key rather than the IP address. The domain name is associated with each public key and the owner of that NameCoin has the sole authority to edit the value of the pair. Traditionally, this role was fulfilled by certificate authorities.

区块链是比特币的基石，其基本理念是：如果要对某件事达成一致性，就必须要有相应的激励机制。这被认为是密码学中一项伟大的成就。NameCoin 是一个利用区块链来实现的域名系统。我们使用的域名掌握在 ICANN 中，但完全有理由怀疑 ICANN 已经收到了美国政府的控制。
对于这种全人类共有的资源，需要由无政府注意的机构控制，也即建立一个真正的分布式系统，将 IP 和域名互相映射。NameCoin 中存储域名和公钥，只有所有者可以对其相应的域名进行控制。

5. 并行处理

原文

5. Parallel Processing

Latest advances in computer hardware like specialized graphics drivers have greatly increased the number of computational units available in each system. Nowadays even mobile systems contain 4 or more cores. Certain mid-range and higher models also feature a GPU. This has made it possible to create algorithms that run on multiple cores simultaneously, thus increasing the speed of execution. This has also led to a lot of research on what kinds of algorithms can be parallelized [2]. A good part of that effort is focused on encryption algorithms. This concept is relevant to our protocol since encryption algorithms are generally computationally intensive. An encryption algorithm that is parallelized will allow a protocol to encrypt large files quickly.

目前大部分的计算机设备都已经有多个运算核心，并且配备了 GPU，从而实现在多个核心同时运行程序，提高执行速度。加密算法大多属于计算密集型，如果可以对其进行并行运算，可以极大地提升加密速度。

6. OpenCL

原文

6. OpenCL

OpenCL is a standard that was developed to provide a common API to developers who want to leverage the computational capabilities of GPUs and multicore CPUs in a platform independent manner. Any GPU or multi-core CPU with a compatible OpenCL library can run OpenCL programs. An OPENCL program is written in a modified version of C which is then compiled to give an executable, specific to the given architecture on which the program will be run. It standardizes memory hierarchies and computational units making it possible for the programmer to care less about many low level details.

OpenCL 是一个开发标准，可以以跨平台、硬件的前提下，为调用 CPU、GPU 提供了通用 API。任何兼容 OpenCL 的 CPU 和 GPU 都可以运行 OpenCL 程序，开发者不需要考虑底层细节。其是修改后的 C 语言，将其编译成可执行程序后即可运行。

Ⅳ. MTProto 中的问题

1. AES IGE 不适用于并行计算

原文

1. Inadaptability of AES IGE to parallel processing

The MTProto protocol by Telegram is claimed to be
one of the highly secure data exchange protocols [3]. It offers end to end encryption between two users and even though the server is involved in the transfer, it cannot decipher the data passing through it. The Telegram MTProto protocol uses end to end encryption using the AES encryption protocol with blocks being chained in the IGE (Infinite Garble Extension) mode. Block chaining in symmetric cryptosystems is an extensive subject that has been studied in detail. The most common mode of encryption, ECB, in which each block is treated independently, is not used normally, since it is very insecure. When pictures are encrypted using this method, the basic outline of the picture is many a times still visible in the final cipher. For example if the image of the Linux mascot, tux, in JPEG format is encrypted using AES ECB the cipher version of the image still contains the rough outline of the penguin. There are many cases when even this lack of randomness might severely ompromise security. Block chaining modes ensure greater randomness, and hence security, by ensuring that each block is encrypted with a different key.

The downside of this is that in many of the block chaining encryption modes (CBC, ABC) each block relies on a previous one for encryption. Thus the algorithm itself cannot be parallelized. However there is another AES mode that allows for parallelization. This is called AES-CTR and it is this mode that we have proposed in our protocol. In the CTR mode, unique counter values are generated for encrypting each block. This allows the data blocks to be encrypted in parallel since the counter value is known to be unique and is not dependent on the result of a previous encryption.

MTProto 号称是高度安全得数据交换协议，其提供了端到端的加密，即使信息通过服务器进行传输，服务器仍然无法解密出数据。Telegram 使用 IGE 分组链接模式的 AES。对于常见的 ECB 模式，各分组独自加密，因此非常不安全。如下面的图片，尽管每部分都被加密了（与原来的颜色不同），但是轮廓仍然可以辨别。

明文	ECB 链接	更安全的链接模式

大部分块之间非独立加密的链接方式，块之间的加密结果存在关系，因此难以进行并行运算。使用 CTR 模式则可以并行加密存在关联的块。

2. 中间人攻击

原文

2. Room for Man in the Middle attack

As we have discussed earlier, the MTProto protocol used in Telegram is basically split into two steps. Firstly, the DeffieHellman key exchange mechanism is used to exchange keys. These keys are then used along the AES-IGE to encrypt messages.

However there is still a question of trust involved here. This the exchange of keys using Deffie-Hellman is is because overseen by the Telegram. The centralized server can choose to perform an active man in the middle attack on the connection between two users. In an active man in the middle attack, the attacker maintains two connections with each of the communicating parties and convinces each of them that they are talking to the intended destination while actually reading all the information being sent through it [4]. The protocol is riddled with further problems. Once the keys have been transferred the protocol mandates sending a hash of the key pairs across to the other node. This is compared with the corresponding hash on the receiver’s side. This again leaves the possibility of a birthday attack on the hash wide open.

Telegram 的 MTProto 分为两部分，首先使用 Diffie-Hellman 进行密钥疾患，接着使用 AES-IGE 对消息进行加密。
由于 Diffie-Hellman 无法解决中间人攻击问题，中间人可以同时与通信双端建立连接，并伪装自己是另一端，从而获取传输的数据。当密钥被传输后，协议还要求将密钥的散列发送到对端，并由对端进行确定，但也可能收到生日攻击。

3. 生日攻击

原文

3. The birthday attack

The ‘birthday attack’ is a technique that exploits the mathematics behind the birthday problem in probability. If an algorithm has a fixed number of outputs and an indefinite number of inputs, then the probability that two inputs will have the same output increases exponentially with the number of inputs. The principle can be employed to find such pairs in cryptographic hash functions since they have a fixed number of inputs bits. This takes messages hashing especially that rely on cryptographic vulnerable since this attack allows an authentically signed message to be replaced with a fake one. In a critical message that involves financial transaction this can be very dangerous.

The birthday attack in this case is performed on the hash that is sent across the network to validate the keys required for AES. The hash is converted into a (128x128) block picture which is send across by both parties. A malicious eavesdropper can extract the AES keys from just this information with a birthday attack. The birthday attack on the protocol was calculated to take 2^64 operations for a 50 percent probability [5], something that is considered unacceptably weak in 2015.

生日攻击是利用概率论中生日问题所蕴含的数学原理的攻击手段。如果一个算法的输入不确定，但是可能的输出个数确定，那么两个输入具有相同输出的概率会随着输入数量的增加呈指数级增长。借用该原理，可以有效地对哈希函数进行攻击，将原消息替换成假消息。
对于 AES 的密钥，哈希将会转换成 $128 \times 128$ 的分组。攻击者有 $50\%$ 的几率在 $2^{64}$ 次运算中完成攻击。

4. 匿名性丢失

原文

4. Lack of Anonymity

In the Telegram protocol user verification happens in the conventional manner. A SMS is sent to the particular phone and the device is authenticated with the central server. This removes anonymity to a great extent since the server can know which node a message originated from. This too is a serious handicap for any chat system that claims to be more ‘private’ than the others. In the ideal scenario the messages should be strictly anonymous and access to the messages should strictly be based on access to the encrypted messages’ private keys. We have tried to overcome this issue too in our proposal.

电报协议中，消息会被发送到由中央服务器认证后的特定设备。而这个验证过程则很大程度上消除了匿名性，服务器将得知消息通信的双端身份。在理想状况下，消息应该是严格匿名的，身份的验证应该依赖于私钥。

V. 协议草案

1. 概述

原文

Overview

The modified protocol that we propose has two major differences compared to the original one. We remove the session key exchange with Deffie-Hellman followed by a symmetric encryption technique to include asymmetric key encryption. However we again face the issue of MIM attack since even in this case the public keys have to be exchanged. To solve this we choose to include NameCoin into this protocol to act as a public key repository. In brief, our protocol would pick a session key, encrypt it with the recipients’ public key chosen from the NameCoin block-chain blockchain and send the message over to the server. The recipient then accepts this request depending on whether or not the request is legitimate i.e. after checking if the message is actually encrypted by the person as claimed and chooses to allow or close the session. Note that this part requires both parties to have access to the NameCoin blockchain. Once the session key is exchanged, further communication can happens using the AES CTR where the session key is used to generate a key for the symmetric encryption algorithm.

与原始的 MTProto 相比，本文提出了两部分修改。

将 Diffie-Hellman 替换为对称加密技术来包含非对称加密
将 AES-IGE 替换为 AES-CTR

原本协议	修改后协议
原本协议	修改后的协议

将 Diffie-Hellman 替换为对称加密后，仍然会面临中间人攻击。要解决该问题，需要将 NameCoin 包含到协议里，作为公钥存储库。也即选择一个会话密钥（对称密码）后，从 NameCoin 区块链中选择一个公钥，用该公钥加密会话密钥后发送（该部分需要要求通信双方都可以访问 NameCoin 区块链）

2. AES-CTR 的角色

原文

2. Role of AES CTR

One of the deficiencies with the original Telegram protocol is that it relies on an encryption mode that cannot be parallelized. The encryption speed is acceptable when an application encrypts small data like text messages but in cases where bulk data in billions of bytes need to be encrypted, AES-IGE becomes a huge performance handicap. Hence, we propose the use of AES CTR which is readily parallelizable [6]. This makes it easy to implement over a parallel programming framework like OpenCL or CUDA.

原始电报协议的缺陷是他不能并行化加密过程，当用于加密长度较短的文本消息，其加密速度可以接收。但如果要加密数十亿字节的大容量数据，AES-IGE 会成为一个巨大的性能在障碍。因此需要替换为更容易进行并行化运算的 AES-CTR。要实现并行化的 AES-CTR，可以使用 OpenCTL 或 CUDA。

2.1 实验分析与结果

原文

2.1 Experimental Analysis and Results

The AES-CTR implementation was tested on the OpenCL platform provided by AMD and the GPU used for the experiment was an AMD Radeon 7470M. A control program was run on the CPU to compare performance. An OpenCL kernel had to be created for AES-CTR [7].

An OpenCL kernel looks very much like a C function but with the "__kernel" (without quotes) qualifier. It accepts parameters for input and output data. The parameters of the kernel were:

Plain text

Output buffer

Round keys (computed earlier on CPU)

Nonce + counter: Nonce is a unique 8 byte value given to AES and is applied to all blocks. The counter is the next 8 bytes initialized to zero and is incremented when encrypting each block.

The input and output buffers were typecast to a 4 byte word for easy adaptation to AES. A set of 4 words (total of 16 bytes) were assigned to each OpenCL work item. As each work item has a unique global ID (obtained by calling get_global_id), the same value can be used as the counter. Each work item hence works on a 16 byte block on exactly one processing element. Hence, the speed of encryption becomes dependent only on the number of processing elements in the GPU. Despite having a lesser clock frequency than a serial CPU, the GPU provides substantial computational speed up owing to the large number of processing elements.

The performance was measured in terms of processing time taken by CPU and GPU. As the experiment was carried out on a general purpose computer, there were differences between successive readings. An average of ten readings for each data size was thus taken for both CPU and GPU. The readings have been summarized in Fig. 2. Additional speed up can be achieved by overlapping the copying and computational steps, thus improving encryption performance greatly [7]. As many network enabled applications security, it would be best rely on encryption for data to provide the GPU encryption functions to all of them through a standard API. [8] The performance increase is shown in Figure 2 and Figure 3.

Note that for small file sizes the GPU takes more time than the CPU. This is because of the extra time involved in transferring data between main memory and GPU memory. This copy time overshadows the encryption speed up that the GPU gives. As the data size grows, the GPU gives a substantial performance improvement over the CPU as shown in the graph.

在 AMD 上使用 OpenCTL 实现 AES-CTR 进行测试。测试使用的 GPU 为 AMD Radeon 7470M。在 CPU 上运行一个控制程序来比较性能。
函数输入为明文、输出、轮密钥（使用 CPU 提前计算出）、随机数和计数器。随机数提供给 AES 的唯一 $8$ 字节值，用于所有的块，计数器则在每次加密块时自动增加。
AES 的输入长度为 $128$ 位，也即 $16$ 字节。为了方便计算，输入和输出缓冲区类型都是 $4$ 个字（按照 $1$ 个字 $2$ 个字节， $1$ 个双字 $4$ 个字节算，这里似乎应该是 $8$ 个字？）。每次 worker 都有一个唯一的全局 ID，通过get_global_id获得，因此可以使用相同的计数器。一个 worker 只处理一个 $16$ 字节的分组。加密的速度取决于并行的计算模块数目。
性能通过 CPU 和 GPU 处理时间衡量。在图 2 中记录了不同环境行运算 $10$ 次后的平均值。重用复制和计算步骤可以进一步提高运算速度，性能提高见图 3。

数据大小	CPU(ms)	GPU(ms)
10Mb	331	559
20Mb	494	474
30Mb	770	603
40Mb	1037	730
50Mb	1269	849
60Mb	1468	976
70Mb	1757	1118
80Mb	2006	1232
90Mb	2441	1368
100Mb	2680	1488

CPU 和 GPU 的性能比较图

对于较小得文件，GPU 会花费更多得时间，这时由于主存储器和 GPU 之间传输数据需要额外的小号。但随着数据量增加，GPU 的性能远优于 CPU。

3. NameCoin 的角色

原文

3. Role of NameCoin

The main role of NameCoin is to provide a directory of the available public keys along with the names of the owners. The client uses these public keys to initialize sessions with another client [9]. This is radically different from the original. Telegram protocol that relied on the server to provide a session ID. Once the session key is finalized AES CTR is used in further communication.

This effectively solves the problem of the man in the attack since the responsibility for maintaining the authenticity of the NameCoin blockchain rests with the NameCoin protocol. This outsourcing is evidently advantageous since the blockchain is known to be extremely secure against precisely this kind of attack. The only kind of vulnerability that NameCoin is susceptible to, which is remotely similar to a MIM attack is a 51% attack. In this an attacker who controls more than 51% of the total network’s computational power chooses to rewrite the records to cancel certain transactions made on it, or to add a few extra ones. However as the network size grows and decentralization is maintained, it becomes extremely difficult to control more than 50% of the network’s power. Also as the blockchain’s size increases the security of the transactions recorded deep down in the blockchain (transactions that were recorded comparatively earlier) increases.

Even in the case where a 51% attack happens it is extremely easy to spot it immediately. Hence the user can directly encrypt using the public keys stored in the NameCoin blockchain without having to worry about any kind of key exchange. This removes a large part of the trust deficiency since this is the point at which the man in the middle attack normally occurs.

Since NameCoin exists as a third party component of the whole software, it can be extended to service other applications easily. For example, an application that seeks to make voice calls secure can easily use the public key provided in NameCoin to build an encryption protocol. Almost any kind of secure application can be built on top of this system. It is this flexibility that we want to really exploit in this protocol.

NameCoin 的主要作用是提供公钥目录以及所有者名称，客户端使用这些公钥来初始化会话。这和原本 Telegram 协议思路不同。当会话密钥传输完成，即可使用 AES-CTR 进行进一步的通信。
将密钥交换交给区块链技术来维护，可以有效地解决了中间人攻击。NameCoin 容易受到的攻击时 $51\%$ 攻击。当攻击者拥有足够计算能力的资源后，将可以修改数据内容。但随着区块链规模的增大，该攻击很难实现，协议的安全性也随之提高。
即使 $51\%$ 攻击发生，仍然很容易被发现，因此用户完全可以信任 NameCoin 存储的数据，这可以消除信任不足的问题。
由于 NameCoin 作为第三方组件存在，因此可以对其进行拓展，从而为更多应用提供服务。任何安全应用程序都可以构建在这个系统上。

4. 细节内容

原文

4. Miscellaneous Details

The only identity that a two way channel should have should be the details in the NameCoin blockchain. Many other chat systems necessitate that each new redundant application across multiple devices be verified and authenticated independently this extra overhead can easily be avoided in the method that we propose. This would make it readily transferable across multiple systems without needing verification by SMS or something similar.

The server being relieved of much of the session handling normally done by chat servers
details can be extremely lightweight. The server source can be released under an open source license thus allowing for more peer review, similar to
IRC chat [10].

The server can provide important features like storage till the other recipient logs in, providing features like group chat. However it cannot read the messages because it is encrypted. For extremely secure communication links the users can run servers on their own computers and use a third party server just to transmit their respective server addresses. They can even have their own static IP addresses listed in NameCoin thus making it a direct link between two systems without the need for a server.

双向通信只应该使用 NameCoin 区块链中的信息，而非使用中心化的身份验证。采用这个思路可以避免独立验证的开销，更容易在不同系统中使用。
服务端不需要处理更多会话处理任务，因此更为轻量，可以很容易通过开放源码提供给更多人进行代码审查。
服务器只需要提供信息存储、登录、群聊的功能，同时在不必读取信息内容。甚至通信对端可以直接在 NameCoin 中列出自己的静态 IP，从而直接通信，不需要服务器的参与。

5. 挑战

原文

5. Challenges

The biggest challenge that is faced while trying to incorporate the NameCoin feature into such applications is the size of the block-chain. NameCoin blockchain as it is today is 2.15 GB big. Such a quantity of storage is too big for the average mobile device. Also storing the entire NameCoin blockchain on the system is somewhat similar to storing the entire DNS server on a single system, precisely the problem that the DNS system was invented to avoid. However there exist techniques to reduce the data stored at any one particular node [11]. These make the system suitable for individual desktop nodes but still too heavy for mobile devices. However since authentication is something that needs to be done only once, this can be considered a useful tradeoff. And even in the case where a copy of the NameCoin block chain is not available with every single user, the sheer existence of such a facility is a huge step up, especially

要面临的最大问题是 NameCoin 的区块链大小。目前 NameCoin 的区块链有 $2.15GB$ ，这样的存储空间对于移动设备而言太大了。而如果由服务器来提供检索服务，则又背离了原本去中心化的初衷。因此需要采用降低单个节点存储的数据数量的技术，从而使用折衷的手段解决该问题。

Ⅵ. 结论

原文

VI. CONCLUSION

In this study we have proposed modifications to the Telegram protocol that make it more secure and efficient. We have also tried to show how this general principle can be extended to other secure systems that require key exchange or public key encryption. Since the protocol in its simplest form is best suited for text messages we hope to see it for such applications in the near future. The main strength of the system is in its ability to be extended to a generalized cryptographic system. Also, Telegram supports file transfers up to 1 GB. As most personal computers and smart phones today are equipped with GPUs, utilizing this for encryption will enhance performance and hence, user experience. As mobile devices are just beginning to have graphics processors, there is more room for research in this area. This is where we believe the bulk of the further development of this protocol should be focussed.

该论文提出了对 Telegram 协议的修改，使其更为安全、高效。同时尝试提出了将该思路用于更多安全系统中，并扩展为一个广义密码系统。由于电报最高支持 $1GB$ 的数据传输，由于大部分个人设备都已经配备了 GPU，利用其进行加密则可以极大提高性能。这是一个值得很探讨的方向。

参考资料

IGE Block Cipher Mode ↩︎