
Cryptographic vulnerabilities in IOTA - nehan
https://medium.com/@neha/cryptographic-vulnerabilities-in-iota-9a6a9ddc4367
======
tptacek
The thing that I think should really worry you is that the reaction among the
professional cryptographers to this (or at least the dozens I talk to on Slack
and Twitter) is "well, that's cryptocurrency for you".

If you have the impression that serious cryptographers are knee deep in the
problem space of trying to make sure cryptocurrencies are actually secure,
revise your expectations.

~~~
DennisP
The ZCash team is pretty serious:
[https://z.cash/team.html](https://z.cash/team.html)

~~~
jameskegel
To a higher degree, one should note the Monero Research Lab is leaps and
bounds ahead of ZCash.

~~~
DennisP
I'm not competent to compare the work, but there don't appear to be any
professional academic cryptographers on either the core or research lab teams.

[https://getmonero.org/resources/people.html](https://getmonero.org/resources/people.html)

Whereas the ZCash team includes several people who were well-known
cryptographers before ZCash came along.

~~~
blueprint
Of course there are. All members of MRL are professional academic
cryptographers. There's Surae, Sarang, Shen, etc. Meanwhile the background and
"academic" activities of most of the academics behind Zcash are quite sketchy
despite their fame. People will come to see this before long.

~~~
DennisP
The bios of those three say they have degrees in mathematical sciences,
physics, and algebraic geometry, respectively. None of those are cryptography.
On top of that, they're pseudonymous, so we can't even verify these claims.

ZCash has well-known people, employed at places like Johns Hopkins and
Berkeley, who specialize in cryptography and have long lists of publications
to their names. If anyone is going to be called "sketchy" it should be the
people hiding behind pseudonyms.

I don't own ZCash or Monero, so I don't have a dog in this fight except that I
get annoyed at the Monero community's strident insistence of their
intellectual superiority over ZCash.

~~~
otheotheothe
They are not hiding behind pseudonyms and attend meetups regularly; stuff like
RingCT was peer reviewed by the Ledger journal...

And yes, I call Zcash sketchy too: creating a currency with a trusted setup and
stuffing 10% of all mining rewards in your pockets is an outright scam.

~~~
DennisP
Ok. Maybe getmonero.org is out of date. Please share a link that tells their
real names.

------
wslh
I even think that the issues with new cryptocurrencies are underestimated in
the article. The problem goes beyond the cryptographic aspect to game
theoretical challenges: the cryptographic protocols could be perfect and yet
the cryptocurrency be insecure or offer a low security threshold.

For example, Bitcoin is perfect from the cryptographic perspective but its
security threshold is around 33% [1]. Last year we also started a spreadsheet
to benchmark different cryptocurrency metrics [2] but the
blockchain/cryptocurrency/ICO space outpaced this initiative ;-).

[1] [https://arxiv.org/abs/1311.0243](https://arxiv.org/abs/1311.0243)

[2] [https://docs.google.com/spreadsheets/d/1DQ770nGnHfJOoRSqTLmI...](https://docs.google.com/spreadsheets/d/1DQ770nGnHfJOoRSqTLmIkhuVK5CAbs-Fgqb6UoGMfVM/edit#gid=0)

~~~
imaginenore
It's not really a vulnerability. Miners don't have an incentive to destroy the
currency with a >50% attack, they are heavily invested in it.

~~~
wslh
This kind of analysis is about vulnerabilities in the consensus sense. You can
think of state actors not caring about the investment made but about the
harm they can do.

~~~
imaginenore
Almost any state is capable of spending a few billion dollars and making a
>50% attack (assuming they can buy enough ASICs), no matter how good your
crypto is. There are much cheaper ways to bring something like Bitcoin to its
knees. DDoS the nodes for a year, for instance.

~~~
wslh
So, are you saying that this is not part of the fundamental analysis you
should do if you have money at stake? You have made such an analysis to argue
about the threshold numbers.

~~~
imaginenore
Where did I say _"this is not part of the fundamental analysis you should
do"_?

My only point is that >50% attacks by the people involved are purely
theoretical. Attacks by almost any state are the end of your project. A
billion dollars is enough to DDoS pretty much everything.

~~~
wslh
My point was that we need to analyze consensus models (and new protocols), and
that is very complex (and few people in the world have the skills needed). I
gave the example of Bitcoin where the cryptography is perfect but the model
has some security bounds.

Then you argued about the bounds and if they were theoretical or not which was
not the central point of the argument and we can choose another issue to
illustrate our central point. I think we can argue if it is theoretical or not
ad infinitum.

So, to push forward my central argument I will again say: we need to check
beyond the cryptography. Not only that, I will tell you: stay tuned because a
new security finding with Bitcoin will be published soon.

------
sremani
The response of sorts from IOTA team,

[https://blog.iota.org/curl-disclosure-beyond-the-headline-18...](https://blog.iota.org/curl-disclosure-beyond-the-headline-1814048d08ef)

~~~
brohee
Good old "the vulnerability is purely theoretical". Thank God no individuals
on this planet focus on making the theoretical practical, especially not when
there is money at stake. That would be unsportsmanlike.

------
rovek
Pretty incredible that a self-proclaimed IOTA adviser thought it prudent to
attack the author in public[0].

[0] - [https://medium.com/@jer979/disclosure-im-an-advisor-to-iota-...](https://medium.com/@jer979/disclosure-im-an-advisor-to-iota-4956de37cfa0)

------
kushti
Doing Qora code analysis a few years ago, I found that not all the fields of a
block are signed (made an issue, still open
[https://github.com/razakal/Qora/issues/14](https://github.com/razakal/Qora/issues/14)),
and also found some probable DoS vectors. I think many second- and third-tier
cryptocurrencies are technically garbage.

------
swordswinger12
Does anyone know if the IOTA devs ever wrote down a justification for using a
hand-rolled hash instead of, like, SHA-256? If so, can you link it in a
comment?

EDIT: I feel compelled to explicitly say that this was a mind-bogglingly
stupid thing to do, and there is almost no way to justify it. I'm just curious
what they thought they were accomplishing.

~~~
rodarmor
The IOTA devs are deluded. Here's their justification:

"Creating a new cryptographic hash function is no trivial undertaking, even
when it is being built on preexisting world class standards. “Don’t roll your
own crypto” is a compulsory uttered mantra that serves as a good guiding
principle for 99.9% of projects, but there are exceptions to the rule. When
spearheading technology for a new paradigm this statement is no longer
axiomatic. Progress must march on."

~~~
StavrosK
"Or, sometimes, back."

~~~
taberiand
But always twirling, twirling, twirling towards freedom!

------
rodarmor
IOTA is trash for this and other reasons. You should short it. Issues:

1. Double spends are devastating and easy, since they permanently split the
tangle.

2. With no transaction limit, syncing from the beginning of time will take
forever.

3. With no transaction limit, keeping up with network traffic will be
impossible. (Especially on IoT devices.)

4a. Nobody is going to use power and die space on IoT devices for the PoW
chip.

4b. Or, alternately, if, as they claim, the PoW chip will take very little die
space and very little power, the network will be destroyed outright by non-IoT
PoW chips spamming the network.

5. There is currently a coordinator which confirms transactions. It is not
P2P. If they remove the coordinator, I could write code that destroys the
network by issuing TiB of transactions per day, making it impossible to
sync/keep up.

6. Mesh networks of the type that they envisage deploying IOTA on are not
widely deployed, and it's not clear that they will ever be widely deployed.

7. Tip selection does not converge.

~~~
hapahaole
This guy is spreading lies.

1: Flat out lie, this has never happened. Prove it otherwise.

2: IOTA uses snapshotting, you don't need to sync from the "beginning"

3: Untrue

4: Untrue

5: The only thing so far you've said that's true

6: Untrue

~~~
brohee
You'll need better arguments than "untrue", especially when at a glance, the
statement is indeed true...

------
baby
Why the ____ would you invent your own cryptographic hash function. Did we do a
5 year competition bringing out the crème de la crème in cryptanalysis for
nothing? Just use SHA-3 or BLAKE2.

------
ve55
This paints a pretty bad picture for IOTA. Ternary, custom hash functions, and
a significant amount of buzzwords used to back up their poorly made choices.
It's interesting their market cap is still as high as it is, although that's
cryptocurrencies for you.

IOTA is down around 10% in the last 24 hours, leaving it with the worst daily
performance out of the top ~45 coins
([https://coinmarketcap.com/](https://coinmarketcap.com/)). I wonder if the
authors short sold it :)

------
dsacco
_Sigh._

Exhibit A: Don't roll your own crypto...we don't just say it because it's fun.

Kudos to the authors for not weaponizing the vulnerability for profit. There
was no sound basis for the developers to design their own hash function, and
it was a colossal mistake. It's not as if any of the other hash functions were
inadequate for their security or performance needs.

Frankly, I don't know if I should blame ignorance or hubris in this situation.

------
laserlives
On a separate issue - not a problem with IOTA but rather with seed generation
using PowerShell, which was a method of seed generation they recommended on
their site (now removed, of course).
[https://www.reddit.com/r/Iota/comments/6v9mj6/psa_nearly_all...](https://www.reddit.com/r/Iota/comments/6v9mj6/psa_nearly_all_powershell_generated_seeds_are/)

------
aryehof
What I find disturbing is the rush to modify the subtly balanced mechanisms
originally established in Bitcoin of work, reward, and punishment, in order to
ensure transparency and integrity in a distributed system.

This includes the subtle features and policies relating to control of the
money (coin) supply, growth and hence inflation.

Messing with a time proven recipe is going to result in more and more of these
revelations.

------
lawn
> “In 2017, leaving your crypto algorithm vulnerable to differential
> cryptanalysis is a rookie mistake. It says that no one of any calibre
> analyzed their system, and that the odds that their fix makes the system
> secure is low,” states Bruce Schneier, renowned security technologist, about
> IOTA when we shared our attack.

Indeed

~~~
otp124
Moreover, rolling their own hash function (which is what they did) is a rookie
mistake.

~~~
petertodd
Note that IOTA is a system based on _ternary_ rather than binary, which itself
is a WTF.

Then on top of that, the hash function they replaced the broken one with is a
wrapping of SHA3 (Keccak) with ternary. So again, they rolled their own
crypto, although in a (hopefully!) more minor way.

Unfortunately, doing review is a lot of hard work - I know the people involved
and they had to waste time and money talking to lawyers and the like - so it's
quite possible we won't find out about the flaws in their "fix" until some
hacker exploits them to steal money.

Even relatively small changes to hash functions and using them in non-standard
ways often fails to give the security guarantees you expected. For instance,
this idea from Russell O'Conner is a good example:
[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017...](https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-May/014449.html)

His extremely professional handling of the situation is also a good example!

~~~
th0br0
Actually, SHA3 was not converted to ternary. The input is simply chunked into
243 trits that are converted to 48 bytes and are absorbed into KECCAK-384.
Squeezing works the other way round, 48 bytes are squeezed and converted into
243 trits.
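
The trit-to-byte wrapping that petertodd and th0br0 describe above, as an added Python example that is not from this thread or from IOTA's code base: it packs 243 balanced trits into 48 signed bytes, absorbs them into a byte-oriented sponge, and unpacks the 48-byte squeeze back into 243 trits. Assumptions: hashlib.sha3_384 stands in for KECCAK-384 (the standard library has no pre-NIST Keccak), and clearing the top trit is the arithmetic consequence of 3^243 exceeding 2^384, not a rule taken from the page; the sample input is constructed.

```python
import hashlib

HASH_TRITS = 243  # one IOTA hash, per the comment above
HASH_BYTES = 48   # 384 bits, the KECCAK-384 digest size

# Constructed sample input: a 243-trit pattern whose top trit is 0.
SAMPLE_TRITS = [(i % 3) - 1 for i in range(HASH_TRITS - 1)] + [0]

def trits_to_int(trits):
    # Balanced ternary (trits in {-1, 0, 1}), least significant trit first.
    value = 0
    for t in reversed(trits):
        value = value * 3 + t
    return value

def int_to_trits(value, length):
    # Inverse of trits_to_int; raises if the value needs more trits.
    trits = []
    for _ in range(length):
        r = value % 3                  # Python's % is never negative
        if r == 2:                     # digit 2 becomes -1 plus a carry
            r, value = -1, value + 1
        trits.append(r)
        value //= 3
    if value != 0:
        raise ValueError("value does not fit in %d trits" % length)
    return trits

def trits_to_bytes(trits):
    # 243 trits -> 48-byte big-endian two's complement. 3**243 > 2**384, so a
    # full 243-trit value can overflow 48 signed bytes; clearing the top trit
    # bounds it below 2**383 (assumption: IOTA's own rule is not on the page).
    if len(trits) != HASH_TRITS:
        raise ValueError("expected %d trits" % HASH_TRITS)
    trits = list(trits)
    trits[-1] = 0
    return trits_to_int(trits).to_bytes(HASH_BYTES, "big", signed=True)

def bytes_to_trits(data):
    # 48 bytes -> 243 trits; every signed 384-bit value fits since 3**243 > 2**384.
    return int_to_trits(int.from_bytes(data, "big", signed=True), HASH_TRITS)

def ternary_wrapped_hash(trits):
    # Absorb one trit chunk into a byte sponge, squeeze 48 bytes, convert back.
    # Assumption: sha3_384 substitutes for KECCAK-384, so digests differ from Kerl.
    return bytes_to_trits(hashlib.sha3_384(trits_to_bytes(trits)).digest())

def roundtrip_ok(trits):
    # Lossless only when the top trit is already 0 (see trits_to_bytes).
    return bytes_to_trits(trits_to_bytes(trits)) == list(trits)
```

The point the round-trip check makes is the one petertodd raises: the conversion itself is a design decision with edge cases (a 243-trit chunk carries more than 384 bits), so a review has to cover the wrapper and not just the sponge inside it.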

~~~
petertodd
Ah, that's a good point - I was aware of that, but you made me realize that
using the word "convert" to describe what they did could give the wrong
impression. I've changed my description to say they "wrapped" SHA3.

------
redka
The title is click-bait and also somewhat wrong, since the vulnerabilities
discovered are Curl-specific, not IOTA in general, and they also no longer exist
since IOTA has moved to Keccak.

------
stijnh
Hurts to read this. The author manages to repeat exact sentences more than two
times in just a few paragraphs.

~~~
tehlike
There goes your hash collision.

