by lawn 3212 days ago
> “In 2017, leaving your crypto algorithm vulnerable to differential cryptanalysis is a rookie mistake. It says that no one of any calibre analyzed their system, and that the odds that their fix makes the system secure is low,” states Bruce Schneier, renowned security technologist, about IOTA when we shared our attack.

Indeed

Moreover, rolling their own hash function (which is what they did) is a rookie mistake.
Note that IOTA is a system based on ternary rather than binary, which itself is a WTF.

Then on top of that, the hash function they replaced the broken one with is a wrapping of SHA3 (Keccak) with ternary. So again, they rolled their own crypto, although in a (hopefully!) more minor way.

Unfortunately, doing review is a lot of hard work - I know the people involved and they had to waste time and money talking to lawyers and the like - so it's quite possible we won't find out about the flaws in their "fix" until some hacker exploits them to steal money.

Even relatively small changes to hash functions and using them in non-standard ways often fail to give the security guarantees you expect. For instance, this idea from Russell O'Connor is a good example: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017...

His extremely professional handling of the situation is also a good example!

Actually, SHA3 was not converted to ternary. The input is simply chunked into 243 trits that are converted to 48 bytes and are absorbed into KECCAK-384. Squeezing works the other way round, 48 bytes are squeezed and converted into 243 trits.
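The shape of the wrapping described in the comment above, as an added example that is not code from this thread or from the IOTA project. It assumes balanced ternary (trits in {-1, 0, 1}, least significant first) and a big-endian two's-complement encoding into 48 bytes; the actual IOTA encoding is not specified here, so treat those as assumptions. `hashlib.sha3_384` stands in for KECCAK-384 (its padding differs from raw Keccak, so the digests are not interchangeable). One arithmetic point the comment glosses over: 3**243 is larger than 2**384, so not every 243-trit chunk has a 48-byte image, while every 48-byte value does have a 243-trit image. This example raises `OverflowError` on a chunk that does not fit rather than silently wrapping.

```python
import hashlib

TRITS_PER_CHUNK = 243   # one ternary block, as stated in the thread
BYTES_PER_CHUNK = 48    # 384 bits, the output size of KECCAK-384


def trits_to_int(trits):
    """Balanced-ternary digits (-1, 0, 1), least significant first, to an int."""
    value = 0
    for t in reversed(trits):
        if t not in (-1, 0, 1):
            raise ValueError("not a balanced trit: %r" % (t,))
        value = value * 3 + t
    return value


def int_to_trits(value, length):
    """Inverse of trits_to_int; raises if `value` does not fit in `length` trits."""
    trits = []
    for _ in range(length):
        rem = value % 3        # Python's % is non-negative for a positive modulus
        value //= 3
        if rem == 2:           # digit 2 becomes -1 with a carry into the next trit
            rem, value = -1, value + 1
        trits.append(rem)
    if value != 0:
        raise OverflowError("value does not fit in %d trits" % length)
    return trits


def trits_to_bytes(trits):
    """243 trits -> 48 bytes (assumed big-endian two's complement).

    Raises OverflowError when the trit value lies outside the signed 384-bit
    range, which happens for part of the 243-trit space since 3**243 > 2**384.
    """
    if len(trits) != TRITS_PER_CHUNK:
        raise ValueError("expected %d trits" % TRITS_PER_CHUNK)
    return trits_to_int(trits).to_bytes(BYTES_PER_CHUNK, "big", signed=True)


def bytes_to_trits(data):
    """48 bytes -> 243 trits. Always fits, because 3**243 > 2**384."""
    if len(data) != BYTES_PER_CHUNK:
        raise ValueError("expected %d bytes" % BYTES_PER_CHUNK)
    return int_to_trits(int.from_bytes(data, "big", signed=True), TRITS_PER_CHUNK)


def chunk_fits(trits):
    """True if the 243-trit chunk has a 48-byte image under this encoding."""
    try:
        trits_to_bytes(trits)
    except OverflowError:
        return False
    return True


def ternary_hash(trits, hasher=hashlib.sha3_384):
    """Absorb each 243-trit chunk as 48 bytes, squeeze 48 bytes, return 243 trits.

    `hasher` defaults to hashlib.sha3_384 as a stand-in (assumption): SHA3-384
    pads differently from the raw KECCAK-384 named in the thread.
    """
    if len(trits) % TRITS_PER_CHUNK:
        raise ValueError("input must be a whole number of %d-trit chunks" % TRITS_PER_CHUNK)
    h = hasher()
    for i in range(0, len(trits), TRITS_PER_CHUNK):
        h.update(trits_to_bytes(trits[i:i + TRITS_PER_CHUNK]))
    return bytes_to_trits(h.digest())


if __name__ == "__main__":
    # Constructed inputs: an all-ones chunk overflows; zeroing its top trit makes it fit.
    print(chunk_fits([1] * TRITS_PER_CHUNK), chunk_fits([1] * 242 + [0]))
    print(ternary_hash([0] * TRITS_PER_CHUNK)[:8])
```

The round trip bytes -> trits -> bytes is exact for every 48-byte value, but the reverse direction is not, which is the kind of detail a review of a "wrapped" primitive has to pin down before anything can be said about its collision behaviour.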
Ah, that's a good point - I was aware of that, but you made me realize that using the word "convert" to describe what they did could give the wrong impression. I've changed my description to say they "wrapped" SHA3.
I wonder how many rookies there are in this super-hot field.