Reports of IOTA cryptographic vulnerabilities debunked in email leak
See highlights from the bombshell IOTA-DCI email leaks that debunk reports of IOTA flaws.
Over the weekend an anonymous person leaked a whole lot of emails to a journalist at Tangleblog who let the whole world take a look at them through Twitter. The emails are correspondence between IOTA developers and researchers at the MIT-affiliated Digital Currency Initiative (DCI).
The DCI previously sparked controversy by reporting that IOTA was cryptographically vulnerable and generally broken. The IOTA team previously gave a comprehensive rebuttal, but rumours of IOTA's vulnerabilities have persisted and been widely republished.
These newly leaked emails present a very detailed look at the circumstances which led up to the initial DCI report, in an extensive 125 page back and forth. You can find it all here (PDF).
The gist is that as far as anyone knows IOTA is fully secure and the DCI reports are just hot air, originally published in bizarre circumstances and with a fairly astonishing dose of academic dishonesty. Shortly after the emails were released IOTA prices spiked up to around US$2, and its 24 hour trade volume surged to over $100 million.
Cryptographic security is essential to all cryptocurrencies, but the IOTA system is much more advanced than most. The Tangle system is much more complex than traditional blockchains, and to date it's probably the only cryptocurrency to aim for quantum-proofing. This necessitated the creation of an entirely new cryptographic function called Curl.
In brief, the leaked emails reveal that:
- DCI told IOTA that they had successfully managed to attack the IOTA system in a way that might let someone steal user funds. The DCI team was unable to actually demonstrate this attack, but argued that it was theoretically possible. Deciding it's better to be safe than sorry, the IOTA team rolled out the Keccak update in August 2017.
- Throughout this the IOTA team keeps asking for more details and real-time conversation rather than stilted email exchanges. The DCI ignores the requests for information, and refuses to have a real time conversation, opting for drawn-out email exchanges over the course of many weeks instead. At the same time an unknown person leaked information of this yet-to-be-demonstrated IOTA vulnerability to journalists before the end of the responsible disclosure period.
- The DCI continues picking at the Tangle in an effort to find vulnerabilities, with the help of IOTA developers. After months they have found nothing new, and are still unable to successfully attack the system or demonstrate the previous issue. It becomes clear throughout the exchanges that IOTA's Curl developers are unsurprisingly a lot more experienced with the new system than DCI researchers are.
- The DCI tells IOTA that they'll be publishing a report on IOTA's cryptography, and as a matter of academic and professional courtesy send a draft to the IOTA team. As academic peers and world experts in Curl cryptography, the IOTA foundation naturally peer reviews the paper and leaves detailed suggestions around factual points. These suggestions are completely ignored.
- The DCI publishes a paper declaring IOTA to be cryptographically vulnerable, claims that the IOTA team only provided clumsy and muddled general objections and suggests that the IOTA team is probably too inexperienced to successfully create their own cryptographic function.
There are a number of interesting highlights throughout.
IOTA is using private sector cryptographers
One of the takeaways is that IOTA's own cryptographers are collaborating with a range of private sector cryptographers who were kept in the loop, did their own research and sided with IOTA. This might explain why Bosch, Volkswagen, the city of Taipei and other high profile partners are signing on with IOTA despite all the reports of IOTA being dangerously vulnerable.
We have been working on finalizing Curl 2 with leading cryptographers with special expertise in the realm of sponge [curl-type cryptography] family for a long time... They represent a company, not an academic institution, so we want to clear it with them beforehand before releasing their affiliation, which I hope you can understand. Beyond this, those details we have requested is something they really want also to be able to make a thorough review of your claims." - David Sønstebø (p. 58)
IOTA seems to walk the talk
The IOTA foundation talks about transparency and open collaboration a lot, and seems to walk the talk behind closed doors. These emails weren't meant to see the light of day, but they square with many previous IOTA updates and show that the Foundation has been thoroughly honest with its users over the months.
"It will be quite straight forward, this is just another basic update in an evolving cutting edge project, nothing special, particularly because we need to see Ethan's paper and his answers to the details we have requested. If all he found was one of the anti-scamcopycat mechanisms then it's nothing extraordinary, another one of the security auditers we contacted around the same time as Ethan [DCI researcher] found another one too," IOTA founder David Sønstebø wrote to Neha Narula, another DCI researcher, regarding the August 2017 Keccak update.
"We have... already considered using SHA-3 in the intermediary period since inception, we even discussed Curl and SHA-3 with the Keccak team since early 2015, so this is not some big thing for us, it's just a basic update to be on the extra safe side. Since it pertains to security it is something to always be taken very seriously, but it's not really some major finding, even if Ethan were to demonstrate an attack vector (which he so far has been unable to do)."
The official announcement of the update was actually slightly more alarmist than the relatively mundane behind-the-scenes email exchanges, and the IOTA Foundation made it very clear that they had been alerted of a potential vulnerability even though they didn't think there was anything to worry about.
The Digital Currency Institute may have been misleading people
The leaked emails make it look like the DCI's previous reports are objectively misleading. It's not clear whether this was the result of DCI's relative inexperience with Curl cryptography, or whether it was motivated by the threat that IOTA poses to their own business interests.
IOTA developers concluded that it was the second one. This squares with previous hit pieces from DCI-affiliated institutions such as MIT Media Labs, which were also found to be baseless, full of errors and written by people who made attempts to hide their conflicts of interest.
The much-cited cardinal rule of cryptography is that you never create your own, and should instead use a tried and tested one. But by necessity IOTA broke this rule to create a new quantum-resistant system. The email exchanges make it look like DCI went in assuming that IOTA must have been vulnerable simply because it was new, and were then forced into delaying actions and borderline academic fraud after realising that it was much better, safer and much more robust than they expected.
The email exchanges wind up with some messages suggesting that IOTA co-founder Sergey Ivancheglo leaked these emails. But much like all of DCI's claims, this has not yet been factually proven.
"Ethan is clearly in complete conflict of interest and pushing this for his own gain, this is no longer about academic merits, but a desperate attempt by Ethan to make money. We will use all resources to elucidate this as publicly as possible if Ethan does not effective immediately contact all the people he has been spreading this premature story to and retract all his statements." - David Sønstebø (p 117)
The responsible disclosure time period is over; you fixed the vulnerability we found and deployed the fix. Our original agreement specified that we were bound until August 12th. It is quite well past that! But it is very important to us to hear what you think might be mistakes in the report, so we can fix them. I'm afraid I don't agree with you on the topic of conflict of interests. At any rate, I'm the one who first contacted a journalist on this topic, so you should direct your ire towards me, not Ethan." - Neha Narula (p 118)
Neha, are you sober? The repeated bugs in your code lead to weeks of postponements, and you still have not answered even half of our questions. This is the most unprofessional behavior I have ever witnessed by an 'academic'... you rushed to the press with a preprint, as per your last communication with Sergey just an hour ago there is still a ton of unresolved issues. What kind of academic rushes to the press before peer review? - David Sønstebø (p 119 - 121)
We will take Sergey's comments under advisement. Tell us of any other factual issues you have with the report, and we will take those under advisement as well. We will be publishing tomorrow." - Neha Narula (p. 122)
I think if your team fixes all issues in Ethan’s findings there will be nothing to publish left. 1 day is not enough for you to extend the "attacks" to something possible in practice, so let’s just continue our dispute in public." - Sergey Ivancheglo (p. 124)
Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VEN, XLM, SALT, BTC