IOTA Update: The Tangled Web of Home-Rolled Cryptography
Time for a disclosure: this author is not an application to monitor the behavior of the ICOs post-analysis. Sometimes, by the time of publication, things are already shifting, and updates are necessary. In IOTA, there was a rush to publishing because we did not want readers to miss out on the obvious hype bubble. We feel that plenty of such readers were able to extract profit at the top there, but this doesn’t prevent us from checking in on IOTA.
We find that a few days ago, a major security vulnerability was discovered in IOTA, and that trading was suspended at Bitfinex for at least a day. We find two separate blog posts from IOTA on the matter, we’ll call these Exhibit A and Exhibit B.
In Exhibit A, IOTA cursorily alludes to the security vulnerability:
One of the cryptographers we reached out to months ago to review Curl has disclosed that he is worried there might be a potential vulnerability in Curl. We have since had our internal team, as well as other cryptographers review it and asked the disclosing party for more information. While the party that did the responsible disclosure has been quite forthcoming, there are still some of the last details to be discussed more thoroughly with the respective teams in order to reproduce the claims and verify if there was even any vulnerability.
We reached out to the researchers (associated with a security lab at MIT) who discovered the vulnerability. We spoke with Ethan Heilman from Boston’s Commonwealth Crypto, who works with Neha Narula, Tadge Dryja, Madars Virza, the other researchers. The author first reached out to Narula, but she was on vacation was traveling for work, deferring to Heilman. Heilman’s first reply to our inquiry was illuminating, and led to more questions, especially as we had just discovered Exhibit B as well. The first piece of IOTA’s response that he addressed was the following passage
“Don’t roll your own crypto” is a compulsory uttered mantra that serves as a good guiding principle for 99.9% of projects, but there are exceptions to the rule. When spearheading technology for a new paradigm this statement is no longer axiomatic.
To this, Heilman said that if a new cryptographic hashing function is necessary, then there is a process for that and it should have been followed. “I’ve found no record of any such paper for IOTA’s Curl, we had to read the IOTA source code to understand how the algorithm functioned. For instance as part of my work on MD6 I spent two years designing a proof of differential resistance for MD6 which I then published at a peer reviewed conference. The burden of proof rests on the designer of a new cryptographic algorithm,” he wrote.
Heilman also tipped the author off to another primary source, a post on Reddit which quotes the author of IOTA’s Curl function –Sergey Ivancheglo who goes by the name of Come-from-Beyond – as saying that the vulnerability that Heilman and friends were able to exploit was actually a feature intended to copy-protect the source code of the project.
This is extraordinarily unusual among cryptocurrency projects or open source projects in general. Transparency in the code does not lead to less opacity in the ledger; open source is not only safer in argument, it’s safer in practice. Had this code been previously published, for instance, despite its design intent, the bug could have been caught. According to Heilman, it’s unlikely that this code was looked at by the alleged legion of cryptographers “over the years.”
I look forward to IOTA providing a list of cryptographers who reviewed Curl, until that point I have no way of knowing who IOTA did or didn’t speak with. What I will say is that the vulnerability we found was fairly simple and I believe many people with a cryptanalytic background would have discovered it after visually inspecting the Curl source code. Differential cryptanalysis, which is what we used to break Curl, is the first thing you check when attacking a cryptographic hash function.
Bruce Schneier, globally recognized security pundit, brilliant cryptographer, and one of the core contributors to the Skein hashing function (which has passed peer review and is currently in practice in more than one cryptocurrency) commented on the research saying:
In 2017, leaving your crypto algorithm vulnerable to differential cryptanalysis is a rookie mistake. It says that no one of any calibre analyzed their system, and that the odds that their fix makes the system secure is low.
In Exhibit B, IOTA were a little more forthcoming about what all went down, but still couldn’t help themselves: they had to spin it.
As part of an on-going conversation between the IOTA Team and security researchers from Boston University and MIT DCI, the teams published their report on a vulnerability in Curl today. […] We have since formed stronger partnerships with several large academic institutions around the world, and will continue to do so. As for Curl, the IOTA Foundation has already subcontracted a team of 5 world-class cryptographers, as well as 3 independent ones to come up with a final design of Curl and then start the long peer-reviewed process, as was always the plan. No change.
Most of this sounds good, and positive. This post also works to downplay the seriousness of the steps that were skipped in the process of developing the IOTA alpha. There are several arguments you can make in their defense, but in the end, doesn’t it begin to feel like IOTA were just afraid their grand idea wouldn’t fund in another, less frenetical ICO investor setting?
Regardless, there’s more to it. There is this post which emerges from the IOTA community. In it, we learn that Come-from-Beyond has made a statement on the matter:
IOTA team has already responded to the paper published by Neha Narula.
It was me who created Curl and IOTA signature scheme in those old days when there was no IOTA Foundation.
[…] […] In 2013 I created the first full Proof-of-Stake currency and protected it with my novel techniques against cloning.
Those who knew me as BCNext were sure that I would do the same trick to protect IOTA, some people even approached me asking about that.
Remembering how quickly Nxt protection was disarmed I was keeping in secret the fact of existence of such mechnism in IOTA.
I was pretty sure that the protection would last long time because it was hidden inside cryptographical part and programming skills would be insufficient to disarm the mechanism.
[…]
Sergey Ivancheglo aka Come-from-Beyond
To this, Heilman responded:
Is IOTA saying they backdoored their own cryptocurrency? How does that relate to David Sønstebø earlier statements?
Updated Disposition
All of these things being noted, we can’t leave IOTA in such high standing by comparison to her peers who are blameless of these sorts of hubris-induced mistakes. For whatever IOTA wants to say in their press releases, they were given a serious pass by the entire industry in getting listed at Bitfinex in the first place. The machinations there, allowing unreviewed cryptographric code on a multi-billion dollar exchange, are interesting. Economic impact was had by their entire investment community, in a negative way: trading was halted for at least one day because of something the firm did. This disposition would be reading differently if things had not turned upward following resumption of trading.
Nonetheless, after trading did resume, it appears the market was okay with their response, while this author clearly isn’t, and while established cryptographers are clearly calling warning signs on this project, and the market rewarded the token with a moderate rise:
Thus, our actual point revision has to be less. It looks like they might get through this, but there are serious issues raised during this episode, some of which the author is keeping under his collar for the moment, which make us weary of the future for IOTA.
Luckily for everyone involved, IOTA have a vault of cash to throw at these problems. It seems they might even know where it should be thrown. As such, we’re deducting 99% of one point from IOTA, since we believe their response and intent was worth about 1% of the market reward that followed it. We still believe this technology has legs, but like with Enigma, at this point, they’re vulnerable to a far more competent team coming along and doing the job independently of them. More to the point, those copy protections aren’t going to slow down a firm if they see the opportunity and the gains that IOTA had just through being the big first-mover on sponge-type cryptocurrency. This leaves their updated rating at a 6.01, still probably plenty to be made in speculating here.