by Vincent Menard

2017-10-23 16:56:15


A team at the MIT has described a possible attack on IOTA, one of the top crypto currency available, IOTA has a market capital over 1 billion USD. The weakness was fixed in August 2017 but we find interesting to note how it could have affected IOTA.

The problem came from the signature algorithm used, not from the hash algorithm used in the blockchain. Every transaction is signed by the block owner in order to publicly record that transaction. For some reason, IOTA initialy used Curl hash algorithm to sign its transactions. That hash algorithm had known collisions and the MIT team provided an extensive paper on how to exploit it.

The transition to the new signature algorithm is described here :

IOTA issued comments on the MIT paper here :


We've included the summary of the MIT attack, available through the reference link.

Summary: We present attacks on the cryptography used in the IOTA blockchain including under certain conditions the ability to forge signatures. We have developed practical attacks on IOTA’s cryptographic hash function Curl, allowing us to quickly generate short colliding messages. These collisions work even for messages of the same length. Exploiting these weaknesses in Curl, we break the EU-CMA security of the IOTA signature scheme. Finally we show that in a chosen message setting we can forge signatures of valid spending transactions (called bundles in IOTA). We present and demonstrate a practical attack (achievable in a few minutes) whereby an attacker could forge a signature on an IOTA payment, and potentially use this forged signature to steal funds from another IOTA user. This report provides example demonstrations of these vulnerabilities but does not detail the exact cryptanalytic process to generate the collisions. A later publication will provide an in-depth study of our cryptanalysis of Curl.