Curl disclosure, beyond the headline

The IOTA Foundation no longer supports or endorses this article. We have however kept it available for transparency purposes.


As part of an on-going conversation between the IOTA Team and security researchers from Boston University and MIT DCI, the teams published their report on a vulnerability in Curl today. On August 8th, the IOTA Team implemented a safety precaution by switching Curl with Keccak-384 (wrapped as “Kerl”, as a tongue-in-cheek homage to what it was replacing), but no user funds were ever at risk prior to the upgrade.

We greatly appreciate the disclosure made by the researchers as this will further help to bring IOTA into production-readiness and mainstream adoption. We do, however, have some comments to make on the otherwise strongly worded publication by Narula et al.

As many may already know, we have alreadydiscussed this at length for months, and the network uses KECCAK-384 for signing purposes.  

The attacks presented in Narula et al.’s paper, while being valid academic criticisms of the latest public version of the Curl hash function, do not represent valid attacks on the IOTA cryptocurrency. Here’s why:

Forging signatures on IOTA payments

The “waste money” and “steal money” attacks primarily rely on Eve being able to goad Alice into signing bundles crafted by Eve and then being faster in getting her bundle confirmed than Alice’s:

Firstly, none of the existing IOTA wallets offer this functionality of signing foreign bundles — Alice would therefore have to be a proficient programmer to manually sign a bundle using existing libraries and naive enough to sign a bundle she did not create.  

Secondly, for Eve to be able to generate such a bundle in the first place, Eve would have to know which addresses belong to Alice. Eve can not calculate addresses belonging to Alice from knowing just one of Alice’s addresses, so this attack would require prior seed compromise by Eve (making the entire attack moot) orAlice leaking her address to Eve in the first place.  

Thirdly, only one of each of Eve’s bundles can exist on an IOTA node at any given time. Without Eve having better network propagation than Alice or executing a successful eclipse attack against Alice, Eve would not be successful in being able to see her malicious bundle confirmed before Alice’s bundle is confirmed. However, the mesh network characteristics of the IOTA network make such an eclipse attack very hard to implement.

These requirements are exceptionally unlikely to occur in practice, making the presented attack impractical — even less so when combined with the earlier points.

However, the work of Narula et. al. is a valuable addition to the growing work of a number of academics that are reviewing the Tangle network.

Still, systems with few moving parts provide excellent subjects of study for an analysis of this depth. The IOTA Cryptocurrency is not one of those systems and thus context is very important when claiming a practical attack on a system.

The necessity for greater collaboration between academia and the Crypto-Currency community is of paramount importance. Only by working together, leaving any conflict of interest aside, can we build better systems to serve mankind (or the Machine Economy). For an outsider, it can sometimes be difficult to access the academic community and get the necessary support on sensitive subjects. The IOTA Team has previously reached out to several renown cryptographers in this space, many of whom (including researchers from this publication) have been unable to work with us, often due to conflicts of interest.

We have since formed stronger partnerships with several large academic institutions around the world, and will continue to do so. As for Curl, the IOTA Foundation has already subcontracted a team of 5 world-class cryptographers, as well as 3 independent ones to come up with a final design of Curl and then start the long peer-reviewed process, as was always the plan. No change.

The IOTA Team will continue to work diligently (and tirelessly) to make IOTA the first production-ready distributed ledger protocol. When it comes to security, you can never be safe enough. We hope that researchers, whether independent or from academic institutions, will continue to join us on this path to build a protocol that is scalable, sound and secure.

Notes

Before we conclude this post, we would like to correct the following misrepresentations in the researchers’ post:

  • The transaction size is only 1.6KB at rest (not 10kb as stated in the document)
  • The replacement Kerl hash function is unmodified KECCAK-384 that only converts its input and output from/to 243 trits to 48 bytes using basic two’s complement. KECCAK-384 is well vetted and researched.

-The IOTA Team