The IOTA vs. DCI Plot Thickens

A 124-page long email conversation between IOTA team members and the MIT-affiliated Digital Currency Initiative was leaked to The Tangler over the weekend, and it sheds light on the debate over IOTA’s security. The leak details a months-long conversational volley between David Sønstebø and Sergey Ivancheglo of IOTA and Ethan Heilman and Neha Narula of DCI, and it pulls back the curtain on the behind-the-scenes conversation between both teams surrounding an alleged vulnerability in IOTA’s system.

As an organization, we have tried to stay out of the DCI controversy, and leave it to the individuals involved to lead the discussion. However, there is one public clarificaction to make: no Foundation member was involved in the email leaks in any way. — Dominik Schiener (@DomSchiener) February 26, 2018

The Backdrop

Back in May of 2017, the IOTA team reached out to DCI, an MIT-affiliated academic research group of Ph.D. graduate students, developers, and research scientists, to audit IOTA’s Tangle for any vulnerabilities. Come the 15th of July, they received a response from Ethan Heilman, alerting the team that DCI had executed a successful attack against the system:

“We have found serious cryptographic weaknesses in the cryptographic hash function Curl used by IOTA, Curl. These weaknesses threaten the security of signatures and PoW in IOTA as PoW and Signatures rely on Curl to be pseudo-random and collision resistant.”

Ivancheglo responds in good faith, thanking the team for their interest in and review of IOTA and Curl, the crypto’s hashing function. He then goes on to inquire as to how the team exploited the vulnerabilities, adding that “what [they] identified as weaknesses are [sic] features added intentionally.”

Dominik Schiener then steps in to ask whether or not the DCI team would like to take the conversation to the IOTA Slack channel. Narula refuses the invite for her “slack fatigue,” but Sønstebø presses the issue, stating, “What could be achieved in 1 hour Slack chat will take at least a month via mail.”

And he was right. The emails continue on into the first two weeks of September, an epistolary goulash of cryptographic concepts and code. Throughout the talks, Heilman expands on the logic of the attack, and the IOTA team coaches him on the ins-and-outs of Curl and the Tangle. In fact, Ivancheglo goes into an in-depth explanation on IOTA’s hashing function, even claiming that the “attack is based on a wrong assumption about IOTA signing scheme.”

Nonetheless, the team decides to go the safe route and update IOTA’s hashing function from Curl to Keccak-384 (playfully dubbed Kerl). The update was rolled out in early August.

The Thick of It

At this point, it appears as though the DCI’s findings are not as crucial as Heilman led on. Moreover, the IOTA team indicates that they may have surfaced from applying attack vectors that are irrelevant to the Tangle, or from a complete misunderstanding of how IOTA operates.

This is where the correspondence gets a bit chippy. After hashing out some key information with citations from informal informative sources, Heilman tells Ivancheglo that it’s “best not to use informal stackoverflow answers and Wikipedia for understanding the security of your system.” Ivancheglo respectfully fires back:

“I questioned the credibility of your statements because I had spotted few signs of a shallow analysis (which you confirmed in the yesterday’s letter by ‘I have not made a formal study of this yet as I prioritized notifying the IOTA team’). Your letters titled “Responsible Disclosure: Cryptographic Weaknesses in the Curl hash function in IOTA” sounded pretty official and I thought I had to address everything. Now I see that I was wrong.”

He then goes on to list the problems Heilman raises, asking which of them are factual so that the IOTA team can reasonably address the vulnerabilities in a public report. After nearly a week of no response, Sønstebø presses Heilman for further cooperation, only for him to say, among other things, that “Sergey’s long list questions didn’t seem to serve much of a purpose.” After Ivancheglo asks for clarity on the questions once more, Heilman goes MIA for the remainder of the correspondence.

Narula steps in for him, sending the IOTA team a series of hypothetical bundles (transactions and their hashes) to demonstrate the hashing collisions that expose the system’s vulnerabilities. After reviewing these bundles, Ivancheglo reveals that “they all failed validation” after being run through javascript. He then sends “a quantitative analysis of the demonstrated collisions” to finally clear the air and debunk the vulnerabilities that, to this point in the email string, have yet to be demonstrated. The DCI team is then unresponsive for 10 days.

After a couple of messages and another week of inactivity, the conversation picks back up on September 1st as Narula sends another bundle for examination. This is followed by a copy of DCI’s vulnerability report on IOTA, which she asks the team to review and to provide feedback. Ivancheglo provides a laundry list of inconsistencies, asking that both teams reach a consensus on these issues in the first two sections of the report before moving forward. Narula addresses these issues, accepting some and rejecting others.

This review of the report occurred on September 6th, and it was published on September 7th. In response, Sønstebø had this to say:

“I was preparing a thorough response to your publication, then something almost incomprehensible occurred. We are beyond baffled and frankly shocked at the moment. We were just reached out to by a CoinDesk journalist that Ethan contacted in an attempt to rush out this publication. This may be the biggest scandal I have ever heard of from what has been portrayed as a professional ‘responsible disclosure’. Ethan is clearly in complete conflict of interest and pushing this for his own gain, this is no longer about academic merits, but a desperate attempt by Ethan to make money. We will use all resources to elucidate this as publicly as possible if Ethan does not effective immediately contact all the people he has been spreading this premature story to and retract all his statements.”

Narula responds by saying, “The responsible disclosure time period is over; you fixed the vulnerability we found and deployed the fix. Our original agreement specified that we were bound until August 12th.”

Some Takeaways

Sønstebø follows up on Narula’s response, arguing that “repeated bugs in [the bundles of] code lead to weeks of postponements” and that the DCI team “still have not answered even half of [their] questions.” He also accuses Narula of “the most unprofessional behavior [he has] ever witnessed by an ‘academic'”:

“…you rushed to the press with a preprint, as per your last communication with Sergey just an hour ago there is still a ton of unresolved issues. What kind of academic rushes to the press before peer review?”

The emails are public for anyone to view, so you can come to your own conclusion as to who’s right and who’s wrong in this tiff. That said, the DCI team resisted to communicate in real time over this issue and Ethan Heilman, who originally contacted the team of the vulnerability, refused to cooperate at all after the beginning of August. Moreover, DCI could not offer any tangible evidence that they ever exploited the vulnerability, and throughout the email, they demonstrate (and even admit to) having little knowledge of IOTA’s code and workings.

Even so, the IOTA team fixed a problem that looks like it was little more than a specter of an overactive imagination in the first place. These emails seem to lay to rest the vulnerability, and it appears as though the problem surfaced from a textbook understanding of traditional cryptography that attempted to exploit a vulnerability that doesn’t exist under IOTA’s unconventional Tangle technology.

Heilman holds that IOTA is inherently flawed because the team tried to “roll [their] own crypto.” Maybe this whole misunderstanding came from Heilman rolling his own of something else before evaluating IOTA’s code, but there’s no need for conjecture–as these emails show, guesswork can make a mess of things.