Intermediate summary of Heilman et al. claims about the security of a previous version of IOTA signature scheme Come-from-Beyond Follow Feb 26, 2018 · 2 min read

Recent conversation with cryptographers on Twitter dedicated to Heilman et al. claims published in https://github.com/mit-dci/tangled-curl/blob/master/vuln-iota.md paper allowed me to get the following summary:

1. It is possible to generate collisions for Curl-P either by exploiting the easy-to-find-by-design fixed point H(0)=0 or by using the technique developed by Heilman et al. which is based on differential cryptanalysis.

2. Heilman et al. claim to break the EU-CMA (http://www.cs.tau.ac.il/~canetti/f08-materials/scribe8.pdf) security of the IOTA signature scheme.

3. EU-CMA game of their choice is presented for Winternitz signature scheme signing the digest of a message. The game does not suit IOTA signature scheme because the scheme imposes limitations on the content of the signed messages, these limitations violate the completeness requirement of EU-CMA game of Heilman et al. choice. Some of the limitations are explained in Letter #19 in http://www.tangleblog.com/wp-content/uploads/2018/02/letters.pdf.

4. Heilman et al. did not publish code allowing to repeat their attack on EU-CMA security.

5. Heilman et al. provided two examples of messages (money transfers) with the pairs having the same hash (see Waste Money Attack and Steal Money Attack sections of their paper). They claim these examples are the proof of breaking the EU-CMA security. The private keys of the Waste/Steal Money Attacks victims were chosen by Heilman et al. thus violating step 1 of the EU-CMA game of their own choice.

6. Heilman et al. claim their attack is achievable in a few minutes using commodity hardware, no code allowing to verify the claim was published.

7. Heilman et. al claim that their paper provides example demonstrations but does not detail the exact cryptanalytic process to generate the collisions. They stated that a later publication would provide an in-depth study of their cryptanalysis of Curl. No such publication has been released so far (6 months since the initial paper publication) to the best of my knowledge unless https://www.youtube.com/watch?v=x3W0TYbLk4U was meant to be it.

8. There are other claims in Heilman et al. paper which lack a sound proof (e.g. about non-randomness of Curl-P), they will be analyzed later.

I would like to thank professor Matthew D. Green from Johns Hopkins University who initiated the conversation and actively participated in it.