Hacker News new | past | comments | ask | show | jobs | submit login

>  the IOTA developers had written their own hash function, _Curl_

Did...did they intentionally name it curl, so that when you search for "Is curl secure?" you will find articles saying that curl - the widely used library - is secure, in the hope that people will confuse the two?

I know that you shouldn't assume malice when it can be explained with incompetence, but combined with some of the other points here, I can't help but feel that this was intentional.




To be very honest, when I first heard about IOTA, there was an article that had the phrase "the inventor of curl", I incorrectly assumed for a while that Daniel Stenberg was involved in the project.


I think the insecurity of their function was a mistake. I doubt they would deliberately code something that threw collisions and have a cover up plan that is basically name it curl and hope people get it mixed up with the real curl.


fwiw, was bored and exploring for the first time the (my God) toxic social timelines of these crypto coins and happened to end with IOTA and the story of the home grown hash function. Just posting what I just read about this topic and not an +/- either way on the topic at hand:

Sergey Ivancheglo (@Come-from-Beyond) claims the collisions were intentional and for the purposes of IOTA the hash merely had to be a one way function:

https://gist.github.com/Come-from-Beyond/a84ab8615aac13a4543...

He addresses his base-3 number system design decision as well (by appealing to authority no less :)

> name it curl

In above he references Curl-P and the final letter (see his last gist) also explicitly asks that the MIT security blogger use the full name which she declined.


The other hash function they use is called Kerl a homonym of Curl.


It gets better... their "improved" version of "curl"? Kerl.

You can't make this shit up.


kerl comes from the fact it wraps & extends keccack hashing library. So the name is actually quite fitting.


Kerl is Keccak I.E. SHA-3, the international NSA standard. They called it Kerl for fun in homage of Curl, which is still under active development with the absolute world-leading cryptographers of lightweight cryptography. Curl had to be invented to push LIGHTWEIGHT cryptography which is necessary for the Internet of Things. It's quite astonishing how much misinformation is spread around.

https://blog.iota.org/iota-foundation-hires-cybercrypt-615d2...


SHA-3 is not an NSA standard. It was invented by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche who are researchers at various companies/universities and are from Italy and Belgium.

Your curl function is not even listed as one of the major lightweight crypto primitive on Lux' zoo: https://www.cryptolux.org/index.php/Lightweight_Hash_Functio...

Your post is full of shit.


I am very curious about what 'LIGHTWEIGHT' cryptography is defined as. I am also dubious about anyone that claims to have 'absolute world-leading cryptographers' since many strong cryptographers are quietly employed by intelligence agencies and most others are academics.

Also, since we are being pedantic, SHA-3/Keccak is an NIST standard, which is a federal agency of the United States.


I'm not an expert in the field, but there certainly have been efforts here and there to make "lightweight" crypto that needs little computational resources (and therefore battery power). One example would be KASUMI[0].

[0]: https://en.wikipedia.org/wiki/KASUMI


This kind of post doesn't work when cryptographers read it.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: