09-17-2017 1:11PM (ET)
Neha Narula, Tadge Dryja, Madars Virza, and I just published a report detailing cryptographic vulnerabilities we found in IOTA's hash function Curl, which could allow an attacker to forge IOTA signatures in a chosen-message setting. We disclosed these vulnerabilities to the IOTA developers. The IOTA developers deployed changes on Aug 7 that replaced Curl in part of their signature algorithm with a hash function they named Kerl. This change fixes our signature forgery attack.
I have a passion for designing, studying and attacking cryptographic hash functions. I participated in the NIST competition to select SHA-3, during which I broke the cryptographic hash function Spectral Hash and produced a proof that the cryptographic hash function MD6 resists standard differential cryptanalysis attacks.
I am also a cryptocurrency geek and researcher. My research includes developing attacks on Bitcoin, which led to improvements in the security of Bitcoin’s P2P network, and designing the protocol TumbleBit for private, scalable payments on Bitcoin.
So when I heard that a cryptocurrency, IOTA, had rolled its own cryptographic hash function, it piqued my interest, as it combined both of my research interests.
I worked with a team at MIT’s DCI (Digital Currency Initiative) to examine the security of Curl as deployed in IOTA. What we found was that Curl was highly vulnerable to differential cryptanalysis. We also found that the way Curl was being used to sign payments in IOTA allowed us to forge signatures in a chosen-message setting.
I first learned how to apply differential cryptanalysis when I took a class with Ron Rivest at MIT. Developed in the 1980s, differential cryptanalysis is one of the most easily applied and powerful techniques for breaking hash functions. Naturally, the first thing I looked into was Curl’s vulnerability to differential cryptanalysis. It appeared to be highly vulnerable. Working together, we developed attacks that took only a few minutes of compute time to break the security of Curl.
After disclosing how our differential cryptanalysis attack could lead to signature forgery attacks, the IOTA developers merged changes into IOTA that replaced some uses of Curl in the IOTA signature algorithm with a new hash function they named Kerl. Curl is still used in other parts of the IOTA code base. As cryptocurrencies require very strong cryptographic guarantees, I would feel far more comfortable if IOTA replaced all of their in-house developed cryptography with standardized and publicly vetted cryptography.
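To make concrete why a hash function whose collisions are cheap undermines a hash-based signature scheme, here is an added toy example; it is not code from our report, from IOTA, or from Curl. It builds a Lamport one-time signature (a simpler relative of the Winternitz-style hash-based signatures IOTA uses) over a message digest. The digest is pluggable: `weak_digest` is an assumed, deliberately linear stand-in (XOR of 32-byte blocks, not Curl) whose collisions are trivial, and `strong_digest` is SHA-256. Under the weak digest, a signature on one constructed message also verifies on a second, differently worded message that has been extended with one correction block; under SHA-256 it does not. The message strings are constructed samples.

```python
import hashlib
import os


def weak_digest(msg: bytes) -> bytes:
    """Toy digest that is deliberately NOT collision resistant: XOR of the
    32-byte blocks of the message (zero-padded). An assumed stand-in for
    'a hash whose collisions are cheap to find'; it is not Curl."""
    out = bytearray(32)
    for i in range(0, len(msg), 32):
        block = msg[i:i + 32].ljust(32, b"\0")
        for j in range(32):
            out[j] ^= block[j]
    return bytes(out)


def strong_digest(msg: bytes) -> bytes:
    """Standardized, publicly vetted digest (SHA-256)."""
    return hashlib.sha256(msg).digest()


def lamport_keygen():
    """Lamport one-time signature keys over a 256-bit digest: 256 pairs of
    random 32-byte secrets; the public key is their SHA-256 images."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    """Bit i (MSB first) of a 32-byte digest."""
    return (digest[i // 8] >> (7 - i % 8)) & 1


def lamport_sign(sk, msg: bytes, digest_fn):
    """Hash-then-sign: for each digest bit, reveal the matching secret."""
    d = digest_fn(msg)
    return [sk[i][_bit(d, i)] for i in range(256)]


def lamport_verify(pk, msg: bytes, sig, digest_fn) -> bool:
    """Recompute the digest and check each revealed secret against the
    public-key image selected by that digest bit."""
    d = digest_fn(msg)
    return all(
        hashlib.sha256(sig[i]).digest() == pk[i][_bit(d, i)] for i in range(256)
    )


def xor_collision(m1: bytes, m2: bytes) -> bytes:
    """Return m2 extended by one block so that weak_digest(result) equals
    weak_digest(m1). This only works because weak_digest is linear; it is the
    property a collision-prone digest leaks into any scheme built on it."""
    padded = m2 + b"\0" * (-len(m2) % 32)
    fix = bytes(a ^ b for a, b in zip(weak_digest(padded), weak_digest(m1)))
    return padded + fix


def signature_transfers(digest_fn) -> bool:
    """Sign one constructed message and report whether that same signature
    also verifies on a second, differently worded message."""
    sk, pk = lamport_keygen()
    m1 = b"transfer 1 coin to recipient A"          # constructed sample
    m2 = b"transfer 1000000 coins to recipient B"   # constructed sample
    if digest_fn is weak_digest:
        m2 = xor_collision(m1, m2)  # same weak digest as m1, different text
    sig = lamport_sign(sk, m1, digest_fn)
    assert lamport_verify(pk, m1, sig, digest_fn)  # legitimate signature is fine
    return lamport_verify(pk, m2, sig, digest_fn)


if __name__ == "__main__":
    print("signature transfers under weak digest:  ", signature_transfers(weak_digest))
    print("signature transfers under SHA-256:      ", signature_transfers(strong_digest))
```

The point for a defender is that the signing primitive itself (Lamport over SHA-256 images) is sound in both runs; only the message digest differs. A signature scheme inherits the collision resistance of the hash it signs over, which is why replacing an unvetted hash in the signing path, as IOTA did with Kerl, closes this class of forgery, and why the remaining uses of Curl deserve the same scrutiny.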
For all the details please read our report here.