Cryptanalysis of Curl-P

We present attacks on the cryptography formerly used in the IOTA blockchain, including, under certain conditions, the ability to forge signatures. We developed practical attacks on IOTA's cryptographic hash function Curl-P-27 that let us quickly generate short colliding messages; these collisions hold even for messages of the same length. Exploiting these weaknesses in Curl-P-27, we broke the EU-CMA security (existential unforgeability under chosen-message attack) of the former IOTA Signature Scheme (ISS). Finally, we show that in a chosen-message setting we could forge signatures and multi-signatures on valid spending transactions (called bundles in IOTA).
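The chain of reasoning in the abstract is: a same-length collision in the hash that a one-time, hash-then-sign scheme applies to its message is, by itself, an EU-CMA forgery, because the signer's answer to one chosen message verifies unchanged on the other. The following is an added illustration, not code from the paper or from IOTA: it uses a Lamport one-time signature (a cousin of the Winternitz-based ISS) over a deliberately weak digest, here SHA-256 truncated to 24 bits so that a generic birthday search finds a same-length collision in milliseconds. The truncation is the constructed weakness; the paper's Curl-P-27 collisions are structural, not birthday collisions. The message length of 16 bytes and the function names are assumptions of this example.

```python
import hashlib
import os

# Constructed toy parameter: a 24-bit digest makes a birthday search trivial.
# It stands in for "a hash with cheap same-length collisions"; it says nothing
# about SHA-256 itself.
DIGEST_BITS = 24


def toy_digest(msg: bytes) -> int:
    """Message digest the signature scheme signs: SHA-256 truncated to DIGEST_BITS."""
    return int.from_bytes(hashlib.sha256(msg).digest()[: DIGEST_BITS // 8], "big")


def find_same_length_collision(length: int = 16):
    """Generic birthday search over fixed-length messages.

    Returns (m1, m2) with m1 != m2, len(m1) == len(m2) and equal toy_digest.
    Deterministic: messages are consecutive counters encoded in `length` bytes.
    """
    seen = {}
    i = 0
    while True:
        m = i.to_bytes(length, "big")
        d = toy_digest(m)
        if d in seen:
            return seen[d], m
        seen[d] = m
        i += 1


def h(x: bytes) -> bytes:
    """One-way function for the Lamport key pairs (full SHA-256, not truncated)."""
    return hashlib.sha256(x).digest()


def keygen():
    """Lamport one-time key: one (sk0, sk1) pair per digest bit; pk = hashes of both."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(DIGEST_BITS)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def _bit(d: int, i: int) -> int:
    # Bit i of the digest, most significant first.
    return (d >> (DIGEST_BITS - 1 - i)) & 1


def sign(sk, msg: bytes):
    """Reveal, for each digest bit, the secret preimage selected by that bit."""
    d = toy_digest(msg)
    return [sk[i][_bit(d, i)] for i in range(DIGEST_BITS)]


def verify(pk, msg: bytes, sig) -> bool:
    """Recompute the digest and check each revealed preimage against the public key."""
    d = toy_digest(msg)
    return all(h(sig[i]) == pk[i][_bit(d, i)] for i in range(DIGEST_BITS))


def forgery_demo():
    """Chosen-message forgery: the signer signs only m1; the signature verifies on m2."""
    m1, m2 = find_same_length_collision()
    sk, pk = keygen()
    sig = sign(sk, m1)  # the single chosen-message query the adversary is allowed
    return {
        "distinct": m1 != m2,
        "same_length": len(m1) == len(m2),
        "collide": toy_digest(m1) == toy_digest(m2),
        "sig_valid_on_m1": verify(pk, m1, sig),
        "forgery_valid_on_m2": verify(pk, m2, sig),  # True: this is the EU-CMA break
    }


if __name__ == "__main__":
    for k, v in forgery_demo().items():
        print(f"{k}: {v}")
```

The signature scheme itself is sound: keys are fresh, the one-way function is untruncated SHA-256, and the verifier does everything the specification asks. The forgery succeeds purely because `verify` never sees the message, only `toy_digest(msg)`, so any collision in the digest is a forgery for free. That is why the abstract moves directly from "same-length collisions in Curl-P-27" to "EU-CMA of ISS is broken" without needing any further weakness in the signing step.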
