My synopsis of MTProto: A collection of silly design decisions.
(I guess I should amend my synposis to add “that could plausibly be a bugdoor”.)
But the idea of including an extended nonce from server randomness isn’t entirely crackpot. It’s just the XOR that makes it silly.
Appending the nonce then hashing with e.g. SHA256 would be fine. Using HMAC-SHA256 with one input as the message and the other as the key is arguably better.
Every time someone finds a bug in MTProto, I solemnly wish they listened to cryptographers’ criticism instead of dismissing it or deflecting with weird contests.
Very interesting report! Is there an official statement on this? Did anybody try to get one?
Is it normal if it’s just a blank page? 🤔