Willem Pinckaers, a security researcher, says IOTA’s home-cooked cryptography revealed private key of the sender of the transactions as soon as it was made.
The vulnerability has now apparently been fixed, but the private key is meant to be very, very private, and that it was so easily readable is concerning, especially as researchers say there is more where that came from.
“People are starting to take a closer look at the Iota crypto code and things aren’t looking pretty. I’m fairly confident there’s more where this came from,” says Matthew Green, a cryptography professor at John Hopkins.
Private keys are kept very secret because, like a physical key that unlocks the door, they move your funds. For the private key to communicate with the public key it uses a cryptographic method called signature that proves you own the private key without revealing the key itself.
IOTA uses something called WOTS for the cryptographic signing method. They do so because they say its quantum proof as a random part of the signature is revealed each time a transaction is made. Address re-use, therefore, is highly discouraged.
Three months ago someone posted on Reddit that $26,000 worth of IOTA was stolen from an address that had made only one transaction. This shouldn’t happen with WOTS, researchers say. It should reveal part of the private key with each address reuse, but not all of it in the first use of that address.
This happened because they use home-grown crypto which revealed the full private key in some 37% of transactions before they implemented a workaround.
To understand the workaround, cryptography uses a cooker of a sort, called a hash. That cooker takes words and transforms them into different words. For Iota, it did so to get 26 different values, creating a sequence. When that sequence started with 13, about 37% of the time, the private key was fully revealed.
They managed to workaround and just send it back to the cooker when the value is 13 so as to ensure that the value is not 13 without addressing the underlying “cooker.” That’s making researchers a bit angry because they’ve been warning since forever to not use home-grown crypto.
Cryptographers do not often get the chance to play around with homegrown crypto, so now that Iota has given them the opportunity, they’ve been poking holes for some time now. The Iota community seems determined on getting the security community to “prove their claims” by developing weaponized exploits.
But that’s not all Iota’s whole suggestion they are scalable seems to be in question.
Iota, uses a tree chain rather than a blockchain whereby every transaction has to confirm two previous transactions. If suddenly there is a surge in usage, there might not be enough transactions for you to confirm, so you have to wait.
So much for the trillions of Internet of Things (IoT) machines they wanted to serve through their centralized server working on homemade crypto.
The project seems to have a lot of road blocks in their way to the top.