Innovation is a marathon without a finish line

The next weeks and months will be comprised of an exciting marathon of updates, upgrades and announcements regarding the IOTA protocol, ecosystem and the project’s progress and roadmap in general. Some of these will require active participation by the IOTA community in terms of updating their client and also assisting with testing. As most of you probably have seen, this process has already started with the past days’ announcements of R&D into IOTA Private Transactions and IOTA Timestamping which greatly increases IOTA’s utility in pre-existing, as well as unchartered sectors. Dedicated blog posts will come for both of these shortly.

Current action item

Tomorrow at 8:00 PM / 20:00 CET+1 there will be a snapshot which represents the first stage of IOTA’s upgrade marathon. The procedure will be very simple and straightforward for anyone that has participated in a snapshot previously. We will provide instructions, a video and an FAQ section for those that have never participated previously tomorrow before the event.

If you have iotas on an exchange (such as Bitfinex) you don’t have to do anything. This update is coordinated and thus seamless and automatic for all exchange holders.

On guard as a vanguard

As elucidated in the Transparency Compendium, IOTA is not only the first project to go beyond blockchain, get rid of fees and resolve scaling, it was also the first DLT project to tackle quantum security and focus on IoT’s lightweight needs. Due to the nature of IOTA being such a vanguard, a new hash function called Curl based on SHA-3/Keccak’s sponge construction had to be constructed.

Creating a new cryptographic hash function is no trivial undertaking, even when it is being built on preexisting world class standards. “Don’t roll your own crypto” is a compulsory uttered mantra that serves as a good guiding principle for 99.9% of projects, but there are exceptions to the rule. When spearheading technology for a new paradigm this statement is no longer axiomatic. Progress must march on. Therefore audits, reviews and continued research on Curl has been a given from day 1. One of the cryptographers we reached out to months ago to review Curl has disclosed that he is worried there might be a potential vulnerability in Curl. We have since had our internal team, as well as other cryptographers review it and asked the disclosing party for more information. While the party that did the responsible disclosure has been quite forthcoming, there are still some of the last details to be discussed more thoroughly with the respective teams in order to reproduce the claims and verify if there was even any vulnerability.

However, even though we have protection mechanisms in place that would render even most valid attacks useless in this ‘training wheel stage’ (due to the Coordinator and the higher-level protocol), as you are working on the cutting edge you have to take every precaution possible and always be on guard. Therefore we have made the simple decision to temporarily switch Curl with Keccak (SHA-3) for cryptographic signing in IOTA. This is something we had contemplated previously as well, and is now put in motion. Our stellar developers have been tremendous at executing this in a secure and expedient manner. More details on the technical changes will follow in a document tomorrow.

The party that contacted us will be releasing a publication of these potential results after we together nail down the final details. We are thrilled about the upcoming publication as it will potentially provide deeper insight into Curl itself. Curl’s origins date back over 2 years, since then we have engaged numerous cryptographers, in particular experts in the domain of sponge family hash functions, which Keccak and Curl both belong in, in order to further optimize and audit the final incarnation of Curl. We are very excited about this aspect of IOTA. Curl is a hash function specifically tailored for IoT, that also happens to be the world’s first trinary one, so we spare no expense on this part of the project, as we deem it necessary for IOTA and IoT in general to realize its full potential.