by AlexandrB 3150 days ago
> Keep in mind that IOTA asked the team to attack Curl, not the other way around. This was planned.

This seems to contradict the researcher's own post [1]:

> We discovered a vulnerability in IOTA after reviewing their code on GitHub in July. We disclosed what we found to the IOTA team on July 14th, and have been in contact with them since then as we discovered new issues and exploits.

Finally, even if Curl is meant as a new, lightweight hash function, it was broken by differential cryptanalysis, not some novel, exotic attack vector. Sounds like it needs a lot of work before it's fit for purpose.

[1] https://medium.com/@neha/cryptographic-vulnerabilities-in-io...

1 comments

Yes, Ethan was then forced to admit that the IOTA team actually approached him in May.
Can you provide a link please? All I see in the comments to the researcher's piece is an IOTA advisor threatening a libel suit - a really good sign that they "really care" about their technical issues.
Ok. I've read it. Nowhere does it mention IOTA contacting the researchers in question in May.

This article also answers the wrong question. If the cryptocurrency is not cryptographically secure, all that stands between an attacker and a victim is a piece of malware or social engineering. The fact that the researchers didn't go all the way and document a specific attack that could be performed tomorrow does not mean that Curl was secure in practice.

Finally, this continues to fail to address many salient points. Like why use trits? Why wasn't Keccak used from day one?