IOTA is an open-source cryptocurrency developed for the Internet of Things. It stores transactions on a directed acyclic graph termed the Tangle: an open-source, feeless, and scalable distributed ledger that supports frictionless data and value transfer.
Recently, a few developers have been vocal about a potential vulnerability they identified: multiple inputs to IOTA's Kerl hash function can produce the same Kerl hash!
IOTA’s history of vulnerabilities
Historically, IOTA has seen multiple phishing, scamming, and hacking attempts. Users have lost tokens and seen extended periods of downtime.
In September 2017, researchers Ethan Heilman from Boston University and Neha Narula from MIT's Digital Currency Initiative (DCI) published a paper identifying security flaws in IOTA's Curl-P-27 hash function. They disclosed the vulnerabilities in the paper Cryptanalysis of Curl-P and Other Attacks on the IOTA Cryptocurrency. The paper presented attacks on the cryptography formerly used in the IOTA blockchain, including, under certain conditions, the ability to forge signatures.
- The researchers developed practical attacks on IOTA's cryptographic hash function Curl-P-27. These attacks quickly generate short colliding messages, including pairs of the same length.
- They broke the EU-CMA security of the former IOTA Signature Scheme (ISS).
- The researchers also showed that in a chosen-message setting they could forge signatures and multi-signatures of valid spending transactions (called bundles in IOTA).
A long series of arguments and counter-arguments followed. IOTA threatened legal action against the researchers, and the IOTA Foundation received considerable criticism for the way it handled the situation; the broader cryptocurrency community did not welcome the legal threats and aggressive language.
The transition from Curl-P-27 to Kerl
In October 2017, the IOTA developers transitioned from using Curl-P-27 to using Kerl.
However, developers later identified an unrelated vulnerability known as the 13 or M bug (13 is the value of the tryte M). In IOTA's Winternitz-style one-time signature scheme, each private key fragment is hashed 13 minus the corresponding digest value times, so a digest tryte equal to 13 means the published signature fragment is the raw private key fragment. Signing a bundle whose normalized hash contained an M therefore revealed part of the private key for that address and put the user's funds at risk.
The IOTA Foundation added a check to bundle signing: if the normalized bundle hash to be signed contains a 13, the bundle is modified (its obsolete tag is incremented) and re-hashed until no 13 remains in the digest. IOTA transferred all affected funds to addresses under its control, and users later applied to the IOTA Foundation to claim them back.
Recent potential vulnerability accusation: Kerl Collisions
Recently, a user known as Soatok found that multiple inputs to IOTA's Kerl hash function produce the same output (Kerl collisions).
One of many reasons not to use #iota — These two inputs to their Kerl hash function collide:
GYOMKVTSNHVJNCNFBBAH9AAMXLPLLLROQY99QN9DLSJUHDPBLCFFAIQXZA9BKMBJCYSFHFPXAHDWZFEIZ
GYOMKVTSNHVJNCNFBBAH9AAMXLPLLLROQY99QN9DLSJUHDPBLCFFAIQXZA9BKMBJCYSFHFPXAHDWZFEIH
— soatok@home~$ (@SoatokDhole) July 15, 2020
“IOTA replaced Curl-P-27 with a hash function based on Keccak-384 (called Kerl). Keccak is a sponge function that went on to become SHA-3. Kerl encodes the input bytes into ternary ({0, 1} -> {-1, 0, 1}) before hashing.”
As a consequence of that ternary encoding, Soatok found inputs that produce the same Kerl hash. An example is below, where the three 81-tryte strings differ only in their last tryte:
- GYOMKVTSNHVJNCNFBBAH9AAMXLPLLLROQY99QN9DLSJUHDPBLCFFAIQXZA9BKMBJCYSFHFPXAHDWZFEIZ
- GYOMKVTSNHVJNCNFBBAH9AAMXLPLLLROQY99QN9DLSJUHDPBLCFFAIQXZA9BKMBJCYSFHFPXAHDWZFEIH
- GYOMKVTSNHVJNCNFBBAH9AAMXLPLLLROQY99QN9DLSJUHDPBLCFFAIQXZA9BKMBJCYSFHFPXAHDWZFEIQ
Soatok offers two possible explanations:
- It is a backdoor enabled by a bug intended to be exploited by the Coordinator.
- Kerl has a critical design mistake.
The complete claims can be found on Soatok's blog.
Counter-arguments by IOTA
Wolfgang Welz, Senior Research Scientist at IOTA, responded to the claim. According to him, this property cannot be exploited within the IOTA protocol; however, Kerl should not be used for general purposes outside the IOTA protocol.
He said, "Kerl was designed as a drop-in replacement for Curl. Curl takes a 243-trit input to create a 243-trit output. So Kerl had to do the same. However, the internally used Keccak-384 is binary. Unfortunately, 243 trits require 386 bits in their binary representation. Therefore, Kerl can effectively only produce a 243-trit output where the last trit will always be 0."
IOTA does not believe that the security of the current mainnet version is compromised. In the upcoming Chrysalis update, IOTA will switch from ternary to binary and add support for a standards-based signature scheme such as EdDSA, together with a standard binary hash function that is fully second-preimage resistant.
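To make the encoding issue behind both Soatok's examples and Welz's explanation concrete, here is an added example (not IOTA's reference code and not Soatok's) that reimplements the Kerl absorb step in Python and checks that all three quoted inputs encode to the same 48 bytes before Keccak-384 ever runs. It also generalizes the page's single instance: for any 81-tryte input, `kerl_siblings` produces the two other inputs that collide with it, because only the 243rd trit is discarded. The trit-to-byte mapping, the constants and the `keccak384` helper are assumptions stated in the code; when pycryptodome is not installed, hashlib's SHA3-384 stands in, which changes the digest values but not the collision.

```python
"""Added example, not IOTA's or Soatok's code: reproduces the Kerl
input-encoding step to show why trytes that differ only in their 243rd
trit collide.

Assumptions (labelled): the trit/byte mapping follows the published Kerl
reference as understood here (243 trits, least-significant trit first,
trit index 242 forced to 0, stored as a 48-byte big-endian two's-complement
integer); Keccak-384 is taken from pycryptodome when installed, otherwise
hashlib.sha3_384 stands in. The stand-in changes the digest bytes but not
the collision, which is decided before any hashing happens.
"""
import hashlib

TRYTE_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"
HASH_TRITS = 243        # Kerl input/output size, inherited from Curl
BYTE_HASH_LENGTH = 48   # 384 bits, the Keccak-384 digest size

# The three inputs quoted in the article; they differ only in the last tryte.
SOATOK_INPUTS = (
    "GYOMKVTSNHVJNCNFBBAH9AAMXLPLLLROQY99QN9DLSJUHDPBLCFFAIQXZA9BKMBJCYSFHFPXAHDWZFEIZ",
    "GYOMKVTSNHVJNCNFBBAH9AAMXLPLLLROQY99QN9DLSJUHDPBLCFFAIQXZA9BKMBJCYSFHFPXAHDWZFEIH",
    "GYOMKVTSNHVJNCNFBBAH9AAMXLPLLLROQY99QN9DLSJUHDPBLCFFAIQXZA9BKMBJCYSFHFPXAHDWZFEIQ",
)


def int_to_trits(value, length):
    """Balanced-ternary digits (-1, 0, 1) of value, least significant first."""
    trits = []
    for _ in range(length):
        t = (value + 1) % 3 - 1
        trits.append(t)
        value = (value - t) // 3
    if value != 0:
        raise ValueError("value does not fit in %d trits" % length)
    return trits


def trytes_to_trits(trytes):
    """'9' -> 0, 'A'..'M' -> 1..13, 'N'..'Z' -> -13..-1; three trits per tryte."""
    trits = []
    for ch in trytes:
        v = TRYTE_ALPHABET.index(ch)
        if v > 13:
            v -= 27
        trits.extend(int_to_trits(v, 3))
    return trits


def trits_to_trytes(trits):
    """Inverse of trytes_to_trits; each group of three trits is one tryte."""
    out = []
    for i in range(0, len(trits), 3):
        v = trits[i] + 3 * trits[i + 1] + 9 * trits[i + 2]
        out.append(TRYTE_ALPHABET[v % 27])
    return "".join(out)


def kerl_absorb_bytes(trits):
    """The lossy step: 243 trits do not fit in 384 bits (3**243 > 2**384),
    so trit 242 is zeroed before the trits are packed into 48 bytes."""
    if len(trits) != HASH_TRITS:
        raise ValueError("Kerl absorbs exactly 243 trits")
    trits = trits[:-1] + [0]
    value = sum(t * 3 ** i for i, t in enumerate(trits))
    return value.to_bytes(BYTE_HASH_LENGTH, "big", signed=True)


def keccak384(data):
    """Real Keccak-384 via pycryptodome if available, else SHA3-384 stand-in."""
    try:
        from Crypto.Hash import keccak
        return keccak.new(digest_bits=384, data=data).digest()
    except ImportError:
        return hashlib.sha3_384(data).digest()


def kerl_hash(trytes):
    """One absorb and one squeeze of an 81-tryte input; returns 81 trytes."""
    digest = keccak384(kerl_absorb_bytes(trytes_to_trits(trytes)))
    out = int_to_trits(int.from_bytes(digest, "big", signed=True), HASH_TRITS)
    out[-1] = 0   # the 243rd output trit is always 0, as Welz describes
    return trits_to_trytes(out)


def kerl_siblings(trytes):
    """All three inputs (the given one included) that absorb to identical bytes:
    same first 242 trits, 243rd trit set to -1, 0 and 1 in turn."""
    trits = trytes_to_trits(trytes)
    return tuple(trits_to_trytes(trits[:-1] + [t]) for t in (-1, 0, 1))


if __name__ == "__main__":
    for s in SOATOK_INPUTS:
        packed = kerl_absorb_bytes(trytes_to_trits(s))
        print(s[-1], packed.hex()[:16], kerl_hash(s)[:16])
```

Running the block prints the same packed bytes and the same digest prefix for all three inputs, while changing any tryte other than the last one changes both. The practical caveat is the one Welz draws: Kerl's effective domain is 242 trits, so whether the collision matters depends on whether an attacker controls the 243rd trit of something the protocol hashes. Inside IOTA the Foundation's position is that they do not; any use of Kerl on arbitrary 243-trit data outside the protocol should treat the last trit as not covered by the hash.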
A detailed discussion can be found on the IOTA Reddit page.
Conclusion
The IOTA situation is complex and hinders development. Vulnerabilities, if any, need to be fixed immediately. The IOTA Foundation deserves support for the larger cause of distributed ledger development, and we hope the entire IOTA community can come together to reach a sound and stable resolution.
Reference: Wikipedia
It is 2020 and this exploit has never been used successfully. The coin is still here. This is 3-year-old FUD.