March 13, 20184min1115

IOTAs vulnerability was found that revealed private key of the sender

Willem Pinckaers, a security researcher, says IOTA’s home-cooked cryptography revealed private key of the sender of the transactions as soon as it was made.
The vulnerability has now apparently been fixed, but the private key is meant to be very, very private, and that it was so easily readable is concerning, especially as researchers say there is more where that came from.
“People are starting to take a closer look at the Iota crypto code and things aren’t looking pretty. I’m fairly confident there’s more where this came from,” says Matthew Green,‏ a cryptography professor at John Hopkins.

Private keys are kept very secret because, like a physical key that unlocks the door, they move your funds. For the private key to communicate with the public key it uses a cryptographic method called signature that proves you own the private key without revealing the key itself.
IOTA uses something called WOTS for the cryptographic signing method. They do so because they say its quantum proof as a random part of the signature is revealed each time a transaction is made. Address re-use, therefore, is highly discouraged.

Three months ago someone posted on Reddit that  $26,000 worth of IOTA was stolen from an address that had made only one transaction. This shouldn’t happen with WOTS, researchers say. It should reveal part of the private key with each address reuse, but not all of it in the first use of that address.

This happened because they use home-grown crypto which revealed the full private key in some 37% of transactions before they implemented a workaround.
To understand the workaround, cryptography uses a cooker of a sort, called a hash. That cooker takes words and transforms them into different words. For Iota, it did so to get 26 different values, creating a sequence. When that sequence started with 13, about 37% of the time, the private key was fully revealed.

They managed to workaround  and just send it back to the cooker when the value is 13 so as to ensure that the value is not 13 without addressing the underlying “cooker.” That’s making researchers a bit angry because they’ve been warning since forever to not use home-grown crypto.

Cryptographers do not often get the chance to play around with homegrown crypto, so now that Iota has given them the opportunity, they’ve been poking holes for some time now. The Iota community seems determined on getting the security community to “prove their claims” by developing weaponized exploits.

But that’s not all Iota’s whole suggestion they are scalable seems to be in question.

Iota, uses a tree chain rather than a blockchain whereby every transaction has to confirm two previous transactions. If suddenly there is a surge in usage, there might not be enough transactions for you to confirm, so you have to wait.
So much for the trillions of Internet of Things (IoT) machines they wanted to serve through their centralized server working on homemade crypto.
The project seems to have a lot of road blocks in their way to the top.





About us

We are the new economy news hub. 2100NEWS is the professional index, data, and tools provider in the digital asset space, offering Crypto Market Intelligence, providing the perspective you can trust and equipping you with information edge you need to stay ahead. (Real-time data of token issuers and news, analysis and commentary from community.) We are very excited to contribute to the evolution of the industry and build an ecosystem around our offering (the institutional-grade data infrastructure required to enable institutional investments in digital assets). We want our contributions (Contents and Tools on to be useful for helping investors.



Latest posts


    • ethereumEthereum (ETH) $ 3,066.16 2.8%
    • litecoinLitecoin (LTC) $ 80.79 0.81%