Potential Vulnerability Found in IOTA’s Kerl Hash Function
Potential vulnerability found in IOTA’s Kerl hash function

IOTA is an open-source cryptocurrency developed for the internet of things. IOTA uses a directed acyclic graph to store transactions on its ledger. This ledger is termed Tangle. Tangle is an open-source, feeless, and scalable distributed ledger. It supports frictionless data and value transfer.

Recently few developers have been vocal about an identified potential vulnerability. They found out that multiple inputs in IOTA can produce the same Kerl hash!

IOTA’s history of vulnerabilities

Historically, IOTA has seen multiple phishing, scamming, and hacking attempts. Users have lost tokens and seen extended periods of downtime.

In September 2017, researchers Ethan Heilman from Boston University and Neha Nerula from MIT’s Digital Currency Initiative (DCI) published a paper identifying potential security flaws with IOTA’s Curl-P-27 hash function. They disclosed the vulnerabilities in the paper Cryptanalysis of Curl-P and Other Attacks on the IOTA Cryptocurrency. The paper presented attacks on the cryptography formerly used in the IOTA blockchain. It also included, under certain conditions, the ability to forge signatures.

  • The researchers developed practical attacks on IOTA’s cryptographic hash function Curl-P-27. This allowed them to quickly generate short colliding messages. These collisions work even for messages of the same length.
  • They broke the EU-CMA security of the former IOTA Signature Scheme (ISS).
  • The researchers also showed that in a chosen-message setting they could forge signatures and multi-signatures of valid spending transactions (called bundles in IOTA).

This followed a long series of arguments and counter-arguments. IOTA threatened to take legal actions against the researchers. The IOTA foundation received considerable criticism on the way they handled the situation. The broader cryptocurrency space did not welcome the legal threats and use of aggressive languages.

The transition from Curl-P-27 to Kerl

In October 2017, the IOTA developers transitioned from using Curl-P-27 to using Kerl.

However, developers identified an unrelated vulnerability called the 13 or M attack. This bug partially revealed a portion of the private key generated for specific addresses. This puts the users’ funds at risk.

The IOTA Foundation created a logic that if a message hash to be signed includes a 13, then the user must alter the message until no 13s are present in the digest. IOTA transferred all impacted funds to addresses under its control. Users later applied to the IOTA Foundation to claim the funds back.

Recent potential vulnerability accusation: Kerl Collisions

Recently a user ‘Soatok’ found out that multiple inputs in IOTA can create the same hash function (Kerl Collisions).

“IOTA replaced Curl-P-27 with a hash function based on Keccak-384 (called Kerl). Keccak is a sponge function that went on to become SHA-3. Kerl encodes the input bytes into ternary ({0, 1} -> {-1, 0, 1}) before hashing.”

Soatok reveals that as a consequence, he has found inputs that provide the same Kerl hash. An example below:


Soatok identifies possible explanations as below:

  • It is a backdoor enabled by a bug intended to be exploited by the Coordinator.
  • Kerl has a critical design mistake.

The complete claims can be found in Soatok blog

Counter-arguments by IOTA

Wolfgang Welz – Senior Research Scientist of IOTA tried to explain this situation. According to him, this vulnerability cannot be exploited within the IOTA Protocol. However, do not use it for general purposes outside of the IOTA Protocol.

He said, “Kerl was designed as a drop-in replacement for Curl. Curl takes a 243-trit input to create a 243-trit output. So Kerl had to do the same. However, internally used Keccak-384 is binary. Unfortunately, 243 trits require 386 bits in their binary representation. Therefore, Kerl can effectively only produces a 243-trit output where the last trit will always be 0.”

IOTA does not believe that the security of the current mainnet version is compromised. In the upcoming Chrysalis update, IOTA will switch from ternary to binary as well as add support for a standard-based signature scheme such as EdDSA. IOTA will use a standard binary hash function which is fully second-preimage resistant.

A detailed discussion can be found on the IOTA Reddit page.


The IOTA situation is complex and hinders development. Vulnerabilities, if any needs to be fixed immediately. There is a need to support the IOTA Foundation for the bigger cause of distributed ledger development. We hope the entire IOTA community can come together to come to a logical and stable solution.

Reference: Wikipedia



Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.