Disclaimer: this is my summary based on what I discussed with my friend. I’m not a cryptographer.
This is a theoretical attack, not a practical one.
The researcher is effectively saying that if:
- An attacker has possession of a substantial number of Session keys. If Session is like Signal in this way, then each message is a key. A realistic number is about 4 billion or 2^32. Why? Because it’s effectively impossible to break 1 in 2^128, but it’s within possibility to break 2^(128-32) = 2^96. To get down to 2^64, they would need 2^64 keys, or 18 quintillion.
- An attacker expends significant resources attempting to decrypt the key. Think (very) roughly the current hashing power of the entire Bitcoin network. Basically, some global-scale compute resources.
After that effort, an attacker would succeed within a reasonable time (e.g. within an average human lifetime, I don’t know the exact time) at decrypting one random key (probably one random message).
Is it reasonable to have approximately 4 billion Session keys? Session is a small network and uses (at least partially) decentralized message routing. Even if Session were this widely used, the attacker would need to infect enough Session nodes or run enough of their own nodes to get keys of this magnitude.
Then, is it really that practical to expend all this effort to decrypt one random message?
Clearly Session’s approach is not as good as Signal’s, and to the researcher’s point, you should use Signal if this is a concern for you. However, the issues described in these two blog posts are not practical concerns for the vast majority of threat models.
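The work reduction the comment above describes (holding 2^32 keys turns a 2^128 search into a 2^96 one) is a multi-target brute force: every guess the attacker makes is checked against all the keys they hold at once, so the expected work falls by the number of targets. The following is an added example, not code from the comment, from Session or from Signal. It computes the remaining security level from the comment's figures, converts 2^96 and 2^128 guesses into years at an assumed rate of 1e20 guesses per second (an assumption standing in for "roughly the Bitcoin network"), and then checks the effect empirically on a toy 16-bit key space, where the attacker holds only a hash of each victim key (a constructed stand-in for whatever recognisable output a real key produces).

```python
"""Multi-target (batch) brute force: holding N keys cuts the expected work by N.

Added example for the discussion above; not from the comment, Session or Signal.
"""
import hashlib
import math
import random
from typing import Tuple


def effective_bits(key_bits: int, num_targets: int) -> float:
    """Security level left when the attacker holds num_targets keys' worth of
    recognisable material: 128 - log2(2**32) = 96, 128 - log2(2**64) = 64."""
    return key_bits - math.log2(num_targets)


def years_to_break(bits: float, guesses_per_second: float) -> float:
    """Expected years to run through a 2**bits search at a given guess rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def _tag(key: int, key_bits: int) -> bytes:
    # Toy stand-in for "output the attacker can recognise": a hash of the key.
    # Constructed for this example; a real target would be a keyed computation.
    return hashlib.sha256(key.to_bytes((key_bits + 7) // 8, "big")).digest()[:8]


def simulate_multi_target(key_bits: int, num_targets: int, runs: int,
                          seed: int = 0) -> Tuple[float, float]:
    """Brute-force a toy key space against num_targets victim keys at once.

    Returns (observed mean guesses until the first victim key is hit,
    expected mean = key space size / number of distinct targets).
    Guesses are drawn uniformly with replacement, so the count of guesses
    until the first hit is geometric with mean 2**key_bits / len(targets).
    """
    rng = random.Random(seed)
    total_guesses = 0
    expected_sum = 0.0
    for _ in range(runs):
        # Victims pick keys at random; the attacker only holds their tags.
        targets = {_tag(rng.getrandbits(key_bits), key_bits)
                   for _ in range(num_targets)}
        guesses = 0
        while True:
            guesses += 1
            # One hash per guess, checked against every target at once.
            if _tag(rng.getrandbits(key_bits), key_bits) in targets:
                break
        total_guesses += guesses
        expected_sum += 2 ** key_bits / len(targets)
    return total_guesses / runs, expected_sum / runs


if __name__ == "__main__":
    # The comment's figures: 2**32 keys reduce a 128-bit search to 96 bits.
    print(f"2^32 targets against 128-bit keys: {effective_bits(128, 2**32):.0f} bits left")
    # ASSUMED rate of 1e20 guesses/s, standing in for "roughly the Bitcoin network".
    print(f"2^96 guesses at 1e20/s:  {years_to_break(96, 1e20):.0f} years")
    print(f"2^128 guesses at 1e20/s: {years_to_break(128, 1e20):.2e} years")
    # Empirical check on a 16-bit toy space: 256 targets should need ~2^16/256 guesses.
    observed, expected = simulate_multi_target(16, 256, runs=200, seed=1)
    print(f"16-bit toy space, 256 targets: observed {observed:.0f} vs expected {expected:.0f} guesses")
```

The simulation only shows the arithmetic of the comment's first bullet; it says nothing about how an attacker would obtain the keys in the first place, which is the part the comment argues is impractical for Session's network size.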