A Tangled Curl: Attacks on the Curl-P Hash Function Leading to Signature Forgeries in the IOTA Signature Scheme

Presented at Black Hat USA 2018, Aug. 8, 2018, 5:05 p.m. (25 minutes)

Our talk presents attacks on the cryptography used in the cryptocurrency IOTA, which is currently the 10th largest cryptocurrency with a market capitalization of 2.8 billion USD. IOTA is billed as a next-generation blockchain for the Internet of Things (IoT) and claims partnerships with major companies in the IoT space such as Volkswagen and Bosch.

We developed practical differential cryptanalysis attacks on IOTA's cryptographic hash function Curl-P, allowing us to quickly generate short colliding messages of the same length. Exploiting these weaknesses in Curl-P, we break the EU-CMA security of the IOTA signature scheme. Finally, we show that in a chosen message setting we can forge signatures on valid IOTA payments. We present and demonstrate a practical attack (achievable in a few minutes) whereby an attacker could forge a signature on an IOTA payment, and potentially use this forged signature to steal funds from another IOTA user.

After we disclosed our attacks to the IOTA project, they patched the vulnerabilities presented in our research. However, Curl-P is still used in other parts of IOTA.


Presenters:

  • Neha Narula - Director, Digital Currency Initiative
    Neha Narula is the Director of the Digital Currency Initiative, a part of the MIT Media Lab focusing on cryptocurrencies and blockchain technology. While completing a PhD in computer science at MIT, she built fast, scalable distributed systems and databases. She is a member of the World Economic Forum's Global Futures Council on Blockchain and has given a TED talk on the Future of Money. In a previous life, she helped relaunch the news aggregator Digg and was a senior software engineer at Google. There, she designed Blobstore, a system for storing and serving petabytes of immutable data, and worked on Native Client, a way to run native code securely through a browser.
  • Ethan Heilman - PhD Student, Boston University
    Ethan Heilman is the CTO/Co-Founder of Commonwealth Crypto and a PhD student at Boston University. Ethan has worked as an engineer at several startups and is the author of over 10 technical papers on cryptocurrency, blockchain, cryptography, and network security. He is an inventor of the TumbleBit protocol and several of his contributions have been merged into Bitcoin Core. In his spare time, he enjoys breaking hash functions.
