Cryptanalysis of Curl-P and Other Attacks on the IOTA Cryptocurrency

We present attacks on the cryptography formerly used in the IOTA blockchain, including under certain conditions the ability to forge signatures. We developed practical attacks on IOTA’s cryptographic hash function Curl-P-27, allowing us to quickly generate short colliding messages. These collisions work even for messages of the same length. Exploiting these weaknesses in Curl-P-27, we broke the EUCMA security of the former IOTA Signature Scheme (ISS). Finally, we show that in a chosen-message setting we could forge signatures and multi-signatures of valid spending transactions (called bundles in IOTA).

[1]  Ralph C. Merkle A Certified Digital Signature , 1989, CRYPTO.

[2]  Eli Biham,et al.  Differential Cryptanalysis of DES-like Cryptosystems , 1990, CRYPTO.

[3]  Don Coppersmith The Data Encryption Standard (DES) and its strength against attacks , 1994, IBM J. Res. Dev..

[4]  Mihir Bellare,et al.  The Exact Security of Digital Signatures - HOw to Sign with RSA and Rabin , 1996, EUROCRYPT.

[5]  Dengguo Feng,et al.  Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD , 2004, IACR Cryptol. ePrint Arch..

[6]  Xiaoyun Wang,et al.  Colliding X.509 Certificates , 2005, IACR Cryptol. ePrint Arch..

[7]  Michael J. Wiener Bounds on Birthday Attack Times , 2005, IACR Cryptol. ePrint Arch..

[8]  Guang Gong,et al.  The editing generator and its cryptanalysis , 2005, Int. J. Wirel. Mob. Comput..

[9]  Xiaoyun Wang,et al.  How to Break MD5 and Other Hash Functions , 2005, EUROCRYPT.

[10]  Marc Stevens,et al.  Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities , 2007, EUROCRYPT.

[11]  Yehuda Lindell,et al.  Introduction to Modern Cryptography , 2007 .

[12]  Guido Bertoni,et al.  On the Indifferentiability of the Sponge Construction , 2008, EUROCRYPT.

[13]  Marc Stevens,et al.  Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate , 2009, CRYPTO.

[14]  B Guido,et al.  Cryptographic sponge functions , 2011 .

[15]  Johannes A. Buchmann,et al.  On the security of the Winternitz one-time signature scheme , 2013, Int. J. Appl. Cryptogr..

[16]  R. Hurlbert,et al.  Oops, I did it again... , 2013, World neurosurgery.

[17]  The Tangle , 2015 .

[18]  Aviv Zohar,et al.  Secure High-Rate Transaction Processing in Bitcoin , 2015, Financial Cryptography.

[19]  Leslie Lamport Constructing Digital Signatures from a One Way Function , 2016 .

[20]  Andreas Hülsing,et al.  "Oops, I Did It Again" - Security of One-Time Signatures Under Two-Message Attacks , 2017, SAC.

[21]  Paul J. M. Havinga,et al.  How to Break IOTA Heart by Replaying? , 2018, 2018 IEEE Globecom Workshops (GC Wkshps).

[22]  Garrett Tanzer,et al.  A Cryptanalysis of IOTA ’ s Curl Hash Function , 2018 .

[23]  Takanori Isobe,et al.  Preimage Attacks on Reduced Troika with Divide-and-Conquer Methods , 2019, IACR Cryptol. ePrint Arch..

[24]  E. Heilman,et al.  Cryptanalysis of Curl-P , 2020 .

[25]  Stefan Kölbl,et al.  Troika: a ternary cryptographic hash function , 2020, Des. Codes Cryptogr..