Comment by codethief
2 years ago
> Your username is not stored in plaintext, meaning that Signal cannot easily see or produce the usernames of given accounts. [Footnote: Usernames in Signal are protected using a custom Ristretto 25519 hashing algorithm and zero-knowledge proofs. Signal can’t easily see or produce the username if given the phone number of a Signal account. Note that if provided with the plaintext of a username known to be in use, Signal can connect that username to the Signal account that the username is currently associated with.]
(emphasis mine)
Couldn't Signal just brute-force all possible usernames in order to connect them with their accounts?
All in all, it seems usernames are just as public as anywhere else and the encryption part sounds like snake oil. OK, maybe once more they try to protect the username table (or its equivalent in the zero-knowledge proof algo) from getting probed too often by means of an Intel SGX enclave or something, but I wouldn't want to trust SGX either.
Usernames are between 3 and 32 characters long with up to a 9-digit discriminator at the end. ~200 bits.
AES starts at 128 bits.
I don't agree with the 200-bit estimate. Usernames will typically not be random and will have much less entropy.
Either way, I was not talking about brute-forcing a single username. What I suggested was that Signal could loop over the space of all possible usernames. Every other name would be a hit (i.e. exist) and reveal the account ID, possibly even the phone number, of that user.
Hell, couldn't regular users do the same? The blog post at least doesn't mention anything about rate limits when probing usernames.