The thing that I think should really worry you is that the reaction among the professional cryptographers to this (or at least the dozens I talk to on Slack and Twitter) is "well, that's cryptocurrency for you".
If you have the impression that serious cryptographers are knee deep in the problem space of trying to make sure cryptocurrencies are actually secure, revise your expectations.
This curl function actually came up in conversation with someone about a month ago. We figured that there was no way the core transformation was secure, and that was about the extent of our interest in it.
Right! I think people have a misapprehension that working cryptographers feel a kind of moral urgency to ensure that popular software is cryptographically sound. When confronted with insane stuff like IOTA, most cryptographers just drink.
The ZCash team are one of the most academic teams out there (for cryptocurrencies), which is a very good thing. The more serious cryptographers that get involved in cryptocurrency the better.
Of course there are. All members of MRL are professional academic cryptographers. There's Surae, Sarang, Shen, etc.
Meanwhile the background and "academic" activities of most of the academics behind Zcash are quite sketchy despite their fame. People will come to see this before long.
The bios of those three say they have degrees in mathematical sciences, physics, and algebraic geometry, respectively. None of those are cryptography. On top of that, they're pseudonymous, so we can't even verify these claims.
ZCash has well-known people, employed at places like Johns Hopkins and Berkeley, who specialize in cryptography and have long lists of publications to their names. If anyone is going to be called "sketchy" it should be the people hiding behind pseudonyms.
I don't own ZCash or Monero, so I don't have a dog in this fight except that I get annoyed at the Monero community's strident insistence of their intellectual superiority over ZCash.
They are not hiding behind pseudonyms and attend meetups regularly; stuff like RingCT was peer reviewed by the Ledger journal...
And yes, I call Zcash sketchy too: creating a currency with a trusted setup and stuffing 10% of all mining rewards in your pockets is an outright scam.
> If you have the impression that serious cryptographers are knee deep in the problem space of trying to make sure cryptocurrencies are actually secure, revise your expectations.
I'd say the teams behind Bitcoin core, Ethereum and especially Zcash can hold their weight to a certain extent.
It's still very early days though and there is a lot more serious research that needs to be done.
I'm not saying that they are perfect, some of those teams have made mistakes, but it's still a cutting edge field so it will take time for more experts to get involved.
> If you have the impression that serious cryptographers are knee deep in the problem space of trying to make sure cryptocurrencies are actually secure, revise your expectations.
Confidence in cryptocurrencies comes from their ability to be patched.
Every death knell observation merely makes them stronger. People understood that in 2011 and acquired cryptocurrency, they understand that in 2017 and acquire cryptocurrency, and they would prefer that widespread self-perpetuating ignorance continues while they acquire cryptocurrency.
The fact that people are buying cryptocurrency is not in itself evidence that cryptocurrency is cryptographically secure. Paying actual cryptographers to help create your cryptocurrency is evidence that it's cryptographically secure.
People use software that lies about how secure it is all the time - even when money is on the line - because they're not qualified to understand security, and additionally don't have the understanding of how to delegate that job of understanding. I'm interested in IOTA, but I've yet to see a respected security company put out a document that explains why it's secure and where potential weaknesses that we might be able to exploit in 5, 10, 20 years might be hiding, so I'm not touching it with a bargepole.
Put it this way: would you use a bank that didn't employ any security engineers and yet made grand statements about how secure its processes are?
I even think that the issues with new cryptocurrencies are underestimated in the article. The problem goes beyond the cryptographic aspect to game-theoretical challenges: the cryptographic protocols could be perfect and yet the cryptocurrency be insecure or offer a low security threshold.
For example, Bitcoin is perfect from the cryptographic perspective but its security threshold is around 33% [1]. Last year we also started a spreadsheet to benchmark different cryptocurrency metrics [2] but the blockchain/cryptocurrency/ICO space outpaced this initiative ;-).
You're assuming that attackers are always profit-motivated, which would not be true in the case of a government protecting the sovereignty of their national currency, for instance.
If the thing protecting the network is the self interest and good behavior of the miners then people should stop saying that the thing protecting the network is the awesome mining power of the network.
This kind of analysis is about vulnerabilities in the consensus sense. You can think of state actors not caring about the investment made but about the harm they can do.
Almost any state is capable of spending a few billion dollars and making a >50% attack (assuming they can buy enough ASICs), no matter how good your crypto is. There are much cheaper ways to bring something like Bitcoin to its knees. DDoS the nodes for a year, for instance.
So, are you saying that this is not part of the fundamental analysis you should do if you have money at stake? You have made such analysis to argue about the threshold numbers.
Where did I say "this is not part of the fundamental analysis you should do"?
My only point is that >50% attacks by the people involved are purely theoretical. Attacks by almost any state are the end of your project. A billion dollars is enough to DDoS pretty much everything.
My point was that we need to analyze consensus models (and new protocols), and that is very complex (and few people in the world have the skills needed). I gave the example of Bitcoin where the cryptography is perfect but the model has some security bounds.
Then you argued about the bounds and whether they were theoretical or not, which was not the central point of the argument, and we can choose another issue to illustrate our central point. I think we can argue about whether it is theoretical or not ad infinitum.
So, to push forward my central argument I will again say: we need to check beyond the cryptography. Not only that, I will tell you: stay tuned because a new security finding with Bitcoin will be published soon.
Good old "the vulnerability is purely theoretical". Thank God no individuals on this planet focus on making the theoretical practical, especially not when there is money at stake. That would be unsportsmanlike.
Doing Qora code analysis a few years ago, I found that not all the fields of a block are signed (made an issue, still open: https://github.com/razakal/Qora/issues/14), and also found some probable DoS vectors. I think many second- and third-tier cryptocurrencies are technically garbage.
Does anyone know if the IOTA devs ever wrote down a justification for using a hand-rolled hash instead of, like, SHA-256? If so, can you link it in a comment?
EDIT: I feel compelled to explicitly say that this was a mind-bogglingly stupid thing to do, and there is almost no way to justify it. I'm just curious what they thought they were accomplishing.
The IOTA devs are deluded. Here's their justification:
"Creating a new cryptographic hash function is no trivial undertaking, even when it is being built on preexisting world class standards. “Don’t roll your own crypto” is a compulsory uttered mantra that serves as a good guiding principle for 99.9% of projects, but there are exceptions to the rule. When spearheading technology for a new paradigm this statement is no longer axiomatic. Progress must march on."
"Because we needed an efficient hash function for IoT and the future of ternary computing (memristors, spintronics, optical computing and the trend in Artificial Neural Networks)
This has been known since before we even began the project. I spoke with the Keccak team about this all the way back in early 2015 before a code of IOTA was written"
IOTA is trash for this and other reasons. You should short it. Issues:
1. Double spends are devastating and easy, since they permanently split the tangle.
2. With no transaction limit, syncing from the beginning of time will take forever.
3. With no transaction limit, keeping up with network traffic will be impossible. (Especially on IoT devices.)
4a. Nobody is going to use power and die space on IoT devices for the PoW chip.
4b. Or, alternately, if, as they claim, the PoW chip will take very little die space and very little power, the network will be destroyed outright by non-IoT PoW chips spamming the network.
5. There is currently a coordinator which confirms transactions. It is not P2P. If they remove the coordinator, I could write code that destroys the network by issuing TiB of transactions per day, making it impossible to sync/keep up.
6. Mesh networks of the type that they envisage deploying IOTA on are not widely deployed, and it's not clear that they will ever be widely deployed.
Even if you're correct on all fronts, there is an unfortunate expectation in the cryptocurrency world that this sort of shit is expected, and it makes the product stronger.
Pretty much every exchange has been hacked at one time or another. Ethereum itself had a vulnerability, and they just forked it. Parity, the Ethereum wallet software, had a vulnerability that put millions up for grabs... the equivalent of a function like 'transferCoin' was made public instead of private.
I think that Iota is different here. Ethereum has a lot of issues, but it is not unfixably broken in any fundamental way. Iota is unfixably broken in multiple fundamental ways.
IOTA is traded on Bitfinex, which I think allows shorting, although I've never done it.
One thing to keep in mind though is that the market is not particularly rational, so even though I think IOTA is doomed in the long term, in the short term it could go up, because markets. So if you do decide to short, make sure to figure out what degree of leverage is important, and what your appetite for risk is.
Why would you invent your own cryptographic hash function? Did we do a 5 year competition bringing out the crème de la crème in cryptanalysis for nothing? Just use SHA-3 or BLAKE2.
This paints a pretty bad picture for IOTA. Ternary, custom hash functions, and a significant amount of buzzwords used to back up their poorly made choices. It's interesting their market cap is still as high as it is, although that's cryptocurrencies for you.
IOTA is down around 10% in the last 24 hours, leaving it with the worst daily performance out of the top ~45 coins (https://coinmarketcap.com/). I wonder if the authors short sold it :)
Exhibit A: Don't roll your own crypto...we don't just say it because it's fun.
Kudos to the authors for not weaponizing the vulnerability for profit. There was no sound basis for the developers to design their own hash function, and it was a colossal mistake. It's not as if any of the other hash functions were inadequate for their security or performance needs.
Frankly, I don't know if I should blame ignorance or hubris in this situation.
On a separate issue: not a problem with IOTA but rather with seed generation using PowerShell, which was a method of seed generation they recommended on their site (now removed, of course).
https://www.reddit.com/r/Iota/comments/6v9mj6/psa_nearly_all...
What I find disturbing is the rush to modify the subtly balanced mechanisms originally established in Bitcoin of work, reward, and punishment, in order to ensure transparency and integrity in a distributed system.
This includes the subtle features and policies relating to control of the money (coin) supply, growth and hence inflation.
Messing with a time proven recipe is going to result in more and more of these revelations.
> “In 2017, leaving your crypto algorithm vulnerable to differential cryptanalysis is a rookie mistake. It says that no one of any calibre analyzed their system, and that the odds that their fix makes the system secure is low,” states Bruce Schneier, renowned security technologist, about IOTA when we shared our attack.
Note that IOTA is a system based on ternary rather than binary, which itself is a WTF.
Then on top of that, the hash function they replaced the broken one with is a wrapping of SHA3 (Keccak) with ternary. So again, they rolled their own crypto, although in a (hopefully!) more minor way.
Unfortunately, doing review is a lot of hard work - I know the people involved and they had to waste time and money talking to lawyers and the like - so it's quite possible we won't find out about the flaws in their "fix" until some hacker exploits them to steal money.
Even relatively small changes to hash functions and using them in non-standard ways often fail to give the security guarantees you expected. For instance, this idea from Russell O'Connor is a good example: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017...
His extremely professional handling of the situation is also a good example!
Actually, SHA3 was not converted to ternary. The input is simply chunked into 243 trits that are converted to 48 bytes and absorbed into KECCAK-384. Squeezing works the other way round: 48 bytes are squeezed and converted into 243 trits.
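The chunking described in this comment, as an added Python example that is not IOTA's code: the trit/byte conversion is my own, SHA3-384 from hashlib stands in for KECCAK-384 (different padding, so digests will not match IOTA's), and zeroing the top trit is my understanding of what Kerl does because 3^243 > 2^384.

```python
import hashlib

# Constructed example of the Kerl-style wrapping: one 243-trit chunk <-> one
# 48-byte (384-bit) block around a binary sponge.
TRITS_PER_HASH = 243   # balanced trits, each -1, 0 or 1, least significant first
BYTES_PER_HASH = 48    # 384 bits: the KECCAK-384 block IOTA absorbs and squeezes


def trits_to_bytes(trits):
    """243 balanced trits -> 48-byte big-endian two's-complement integer.

    3^243 > 2^384, so 243 unrestricted trits do not fit in 48 bytes; the most
    significant trit is forced to 0 (as I understand the reference Kerl does),
    leaving |value| <= (3^242 - 1) / 2 < 2^383, which a signed 384-bit int holds.
    """
    if len(trits) != TRITS_PER_HASH:
        raise ValueError("expected %d trits" % TRITS_PER_HASH)
    trits = list(trits)
    trits[-1] = 0
    value = 0
    for t in reversed(trits):            # Horner's rule, most significant first
        value = value * 3 + t
    return value.to_bytes(BYTES_PER_HASH, "big", signed=True)


def bytes_to_trits(data):
    """48 bytes -> 243 balanced trits (top trit zeroed, mirroring the absorb side)."""
    if len(data) != BYTES_PER_HASH:
        raise ValueError("expected %d bytes" % BYTES_PER_HASH)
    value = int.from_bytes(data, "big", signed=True)
    trits = []
    for _ in range(TRITS_PER_HASH):
        r = value % 3                    # 0, 1 or 2 (Python keeps it non-negative)
        t = -1 if r == 2 else r          # digit 2 becomes -1 plus a carry
        trits.append(t)
        value = (value - t) // 3         # exact: value - t is a multiple of 3
    # value is 0 here: 243 balanced trits span every signed 384-bit integer.
    trits[-1] = 0
    return trits


def kerl_like_hash(trits):
    """Single-chunk absorb and squeeze through a 384-bit binary sponge.

    hashlib ships no KECCAK-384 with the original Keccak padding, so SHA3-384
    (NIST padding) stands in: same wrapping, but the digests are not IOTA's.
    """
    return bytes_to_trits(hashlib.sha3_384(trits_to_bytes(trits)).digest())
```

The check worth keeping in mind is the one the docstring states: whatever a caller puts in the 243rd trit never reaches the sponge, so the effective input width of each chunk is 242 trits.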
Ah, that's a good point - I was aware of that, but you made me realize that using the word "convert" to describe what they did could give the wrong impression. I've changed my description to say they "wrapped" SHA3.
The title is click-bait and also somewhat wrong, since the vulnerabilities discovered are curl-specific, not IOTA in general, and they no longer exist since IOTA has moved to Keccak.