> Hey Ethan, Did you receive the invite? We can also setup a chat with our ex-NSA post-Quantum hash function experts after we get the initial confusion out of the way. Best, David
It is a great example of someone (the "expert") convincing a non-technical person that they are the "ninja rockstar 11x post-quantum hash function expert".
I've seen this many times. Managers / owners don't have ability to assess who is an expert and who isn't. So whoever talks more convincingly is the "ninja rockstar". After that they can do no wrong. Also after that somehow admitting publicly that the person they picked is a scam artist becomes pretty hard, because it also means admitting to their own mistake of believing them.
Others who see what's going on leave, and this eventually leads to the whole ship sinking.
Oh and accusations of drunkenness of course, those are always so constructive and helpful.
> We can also setup a chat with our ex-NSA post-Quantum hash function experts
Is there a modern secure hash function considered to be under threat from quantum computing? I was under the impression there isn't one.
It's scary to see marketing spiels thrown into technical discussions, it's even worse when the thread is released as some sort of defense and those less informed see the big words and appeal-to-authority name dropping.
Grover's algorithm means you need to double the length of your hashes, but that hardly puts SHA-512 in danger. Even SHA-256 is safer than a naive calculation would suggest:
> I've seen this many times. Managers / owners don't have ability to assess who is an expert and who isn't. So whoever talks more convincingly is the "ninja rockstar". After that they can do no wrong. Also after that somehow admitting publicly that the person they picked is a scam artist becomes pretty hard, because it also means admitting to their own mistake of believing them.
I am seeing that a lot right now in public services (I entered a year and a half ago). I am looking at a decade-old project going nowhere and managers trying to plug it into anything that would justify its existence (poisoning other agencies in the process).
> Others who see what's going on leave, and this eventually leads to the whole ship sinking.
> It is a great example of someone (the "expert") convincing a non-technical person that they are the "ninja rockstar 11x post-quantum hash function expert".
It's hilarious that he thought that would work with a security researcher at MIT.
He's not an MIT researcher AFAIK. He's affiliated with DCI, which runs under the MIT banner. MIT actually had a favorable article in their review that DCI took issue with--but of course they were both going after a Swedish contract to create an e-money. IOTA survived the cut, which probably infuriates them even more.
> We were just reached out to by a CoinDesk journalist that Ethan contacted in an attempt to rush out this publication. This may be the biggest scandal I have ever heard of from what has been portrayed as a professional 'responsible disclosure'. Ethan is clearly in complete conflict of interest and pushing this for his own gain, this is no longer about academic merits, but a desperate attempt by Ethan to make money.
I can be wrong, but the suggestion here seems to be that a CoinDesk journalist reaching out to the IOTA team was a ploy to force them to pay a bounty.
But, after devolving into a personal attack, they expect him to reply back a month later?
> Hi Ethan, I can't get a single reply from you, looks like you put me on ignore on Twitter.
This whole saga seems to be symptomatic of the cryptocurrency scene. Lot of expertise on money, economics, cryptography, programming language etc is out there. But, any criticism of cryptocurrency devolves into either personal attacks or a know-all attitude which ensures not many people want to lend their expertise.
Edit: After re-reading the blog post, I realized the agenda of this leak was to show evidence of conflict of interest. The correct link for the post should have been:
I’m a bit nervous for the graduate student in this equation. There’s a lot of angry people in the iota subreddit - maybe the iota foundation is trying to direct an angry internet mob at this student.
The lab director should have handled all communications.
> But, after devolving into a personal attack, they expect him to reply back a month later?
What are you talking about? Ethan went AWOL from the conversation long before this whole discussion came to an eventual end. The only one who was met with ire was Neha after the IOTA team realized they basically published right when they realized there was no vulnerability after all.
> But, any criticism of cryptocurrency devolves into either personal attacks or a know-all attitude which ensures not many people want to lend their expertise.
This whole exchange was completely civil up until the point DCI threw their weak hand cards on the table. Stop trying to paint IOTA in a bad light. After the release of these emails you'll just look like a complete moron.
> 2. If the IOTA project wishes to ensure that trinary logic is involved in the proof of work and signature hashing process we suggest that a trinary function could be composed with a secure hash algorithm in a construction such as:
>Hash(msg) = MD6(msg || TrinaryFunction(msg)).
Haha this is a wonderful suggestion. "If you weirdos think ternary arithmetic has any benefits, just combine it with a crypto primitive you didn't handroll, ya dingus"
And then they say it's okay because of "higher level checks" that a colliding transaction wouldn't validate, so then when one is demonstrated, they say "it's okay because we'd just decide to reject the bad one even if the hash is the same" and the final defense is "something something distributed ledgers Satoshi"
I can't believe I read that entire train wreck front to back. If IOTA published this to "expose" MIT, it does quite the opposite. Rule number one, all together now, don't roll your own crypto.
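The construction quoted a few comments up, `Hash(msg) = MD6(msg || TrinaryFunction(msg))`, is worth seeing run. The block below is an added illustration, not code from the thread, from DCI or from IOTA: `trinary_function` is a constructed, deliberately weak stand-in (not Curl), and SHA3-256 stands in for MD6 because Python's `hashlib` does not ship MD6. It brute-forces collisions in the inner function and checks that none of them survive composition with the outer hash.

```python
import hashlib
from itertools import product


def trinary_function(msg: bytes) -> bytes:
    """Hypothetical, deliberately weak 'trinary' function (constructed for this
    example, not IOTA's Curl): sums the base-3 digits of every byte, reduces the
    sum mod 3**5 and returns it as five trits. Permuting the bytes of a message
    never changes the result, so collisions are trivial."""
    digit_sum = 0
    for b in msg:
        while b:
            digit_sum += b % 3
            b //= 3
    n = digit_sum % 243
    trits = []
    for _ in range(5):
        trits.append(n % 3)
        n //= 3
    return bytes(trits)  # fixed length keeps msg || T(msg) unambiguous


def composed_hash(msg: bytes) -> bytes:
    """Hash(msg) = H(msg || TrinaryFunction(msg)). SHA3-256 stands in for MD6,
    which Python's hashlib does not provide (assumption of this example)."""
    return hashlib.sha3_256(msg + trinary_function(msg)).digest()


def find_trinary_collisions(length: int = 2, alphabet: bytes = b"abc"):
    """Brute-force pairs of distinct messages that collide under the inner function."""
    seen = {}
    collisions = []
    for tup in product(alphabet, repeat=length):
        m = bytes(tup)
        t = trinary_function(m)
        if t in seen:
            collisions.append((seen[t], m))
        else:
            seen[t] = m
    return collisions


def composed_collisions(pairs):
    """Inner-function collisions that survive the composition. For a secure outer
    hash there are none: because T has fixed-length output, m1 != m2 implies
    m1||T(m1) != m2||T(m2), so a composed collision would be a collision in H."""
    return [(a, b) for a, b in pairs if composed_hash(a) == composed_hash(b)]


if __name__ == "__main__":
    pairs = find_trinary_collisions()
    print(f"{len(pairs)} collisions in the inner function, "
          f"{len(composed_collisions(pairs))} in the composed hash")
```

The fixed-length output of the inner function is not decoration: if `T` produced variable-length tags, `msg || T(msg)` could become ambiguous and the clean reduction to the outer hash's collision resistance would no longer hold.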
It actually worked. People who are clueless about cryptography (i.e. like 99% of crypto investors) are totally on IOTA's side here. Ivancheglo is a grade A troll.
I've noticed that too. They seem to have a decent army of people spreading nonsense on social media right now.
If you post something negative about IOTA you're likely to get a bunch of troll responses from accounts with histories of nothing but IOTA-related likes, retweets, and responses.
I made a post on the Iota subreddit which supported the MIT team, removed 30 minutes later. It honestly terrifies me how easy it is to manipulate discourse online - there are many other posts calling the MIT team frauds and the general tone is that Iota were saints defending against corrupt evil cryptography researchers.
Seems like there is no worse platform to discuss the merits and weaknesses of cryptocurrencies somewhat objectively than those specific subreddits. They are so full of greed and ideology, it's absurd. It's quite hard to look through the hype, so the academics are my best bet when trying to understand things.
Back when Something Awful and MetaFilter were comparatively big, much of the impetus for the paywalls they put on registrations was to structurally prevent the possibility of this sort of thing. It worked fine, although those two communities themselves are pretty moribund.
It would all be solved forever and anon with a paywall. 5 mao men, botheads, shilling: you would raise the cost to them by orders of magnitude (stealing other people's credit card numbers costs real money).
The problem isn’t “bots”. It’s the moderators of these forums. You’ll always find a core group of people willing to believe almost any scam, but putting them on a forum where critical discussion is banned by the moderators is where things go wrong.
I suppose the difference is that people who know about cryptography think that the iota team obviously don't know what they're doing, and people who don't understand cryptography and have a financial stake in iota not being worthless feel differently.
I've taken some cryptography classes and a graduate level cryptanalysis course, and I could immediately tell that the people on the iota side clearly don't know what they're doing. For example, this should trip anyone's bullshit detector:
"IOTA was created to be immune to quantum computer attacks, today I have revealed that it was also created to be immune to attacks from an AI"
What's funny is that crypto issues are actually not the biggest problem with IOTA.
The biggest problem is that it just makes no sense. It's not going to be decentralized & secure at the same time. It's LESS efficient than blockchain in every way. It's bad for IoT. It doesn't have any of the fancy features like Ethereum.
Crypto issues are just the icing on the cake. They can change crypto functions, but they can't change the fact that the coin is the worst choice for IoT (or pretty much anything).
The only selling point is that it's fee-less. But it's possible to make a centralized fee-less coin which would be much more secure and useful than IOTA.
IOTA actually has status as an NGO in Germany which gives them a lot of credibility (clout?) and therefore companies are intrigued to start deals, but as an amateur cryptographer I must say that having hash derivatives leaking through your hash function [which has been known for a long time actually with IOTA!] is not the way to make a bulletproof currency. Coverups sadly don't make the protocol more robust, either, but so many people have an [in]vested interest in IOTA being successful that it makes sense they want to minimize FUD and/or flaw pointing-out.
Don't take this as a source of truth, it's just my gut feeling, but:
Germany is lagging behind in tech, and the country is placing lots of bets on its car industry, the Volkswagen scandal not helping there. Now there is this new thing called cryptocurrency and one of them comes from Berlin. I don't know if it's just me, but it's not that hard to start speculating why these big German companies want to announce themselves to be working with a Germany-based cryptocurrency.
Germany is trailing in shiny stupid tech like the ICO-of-the-day, but it is still on the forefront of boring tech like automation, machinery, industrial robotics and much more. Guess why China is buying so many "Mittelstand" companies in these fields?
Eh, maybe, but I think IOTA has more to prove and more to gain by showing that they are associating with well established giants rather than the other way around. Besides, Switzerland is the place for Crypto now.
Again just speculation, but could it be that these announcements are boosted by the IOTA folks? That the giants are not that much into the tech, IOTA just using the attention to boost their value? These guys are rich and I really doubt they'll do anything more than spend quality time in their Florida penthouse.
IOTA are rolling their own cryptography which immediately makes me run the other way. At least until I see some respected peer review that it's sound. This exchange makes me think that unlikely at best.
Don't buy a Volkswagen until they have run the other way!
Everyone that posts in r/cryptocurrency has an agenda (including myself).
Most of the posts there are forms of confirmation bias - it's very difficult to get someone to see what they don't want to see in his/her cryptocurrency.
There are certain coins that are exceptionally polarizing (Ripple and IOTA come to mind) - it leads to this my coin vs your coin behavior. It's so fascinating, yet odd at the same time.
I read about 3/4 of the emails before coming to the conclusion I had no idea what was going on.
I have this guilty pleasure of occasionally pulling up /r/CryptoCurrency just to find something terrible to laugh at.
(I do think there are cryptocurrencies worth a bet in the long term, if you can afford to take a chance. Better to start with basics like the Princeton course and form your own judgements.)
Why do you think companies jumping on some hype train is indicative of much at all? For Bosch, for instance, it was the VC part of the company making an Iota investment - I'd say investing in unproven tech is their thing. Deployment in actual products would be something else.
Also, it seems logical at this point to disregard anything coming out of the cryptocurrency subreddits. They drink their own Kool-Aid.
Confirming basically everything I already suspected about IOTA -- don't trust anything crypto related that's not written by a professional. "You're gonna have a bad time."
[Edit to add this plug for Zcash! Made with real cryptographers]
A major wake-up call for me in the crypto currency world was
Gavin Andresen's ludicrous "validation" of Colin Wright as Satoshi.
When a so-called leader clearly does not even understand the basics you realise it's 98% shit. Sturgeon's law applies again. But I keep on forgetting that.
The crypto world has certainly inspired me to pursue whole new fields of research. Not in cryptocurrencies, because while the idea of a distributed ledger I think is solid and here to stay, at least 90% of these "currencies" must have their value drop to zero given a long enough time frame -- there's simply no reason for the market to support anything else.
No, for the past half a year or so I've been trying to learn all I can about market microstructure, quantitative finance, anything that makes money off of high variance.
Because if there's one thing I will bet on, it's that there's a ton of risk and volatility here in these hills, and there's probably money to be made somehow while it all crashes and burns.
This is an extremely dangerous way to think - it preys on the natural irrationality of the human mind. Someone is out there laying bait of all kinds. Iota is bait for people who think they barely missed out on bitcoin, but this new thing with buzzword salad as its description and a lead developer that has clearly lost touch with reality will make them rich.
Then there's the second level bait - since there are all these suckers out there, surely money can be made by predicting them!
And then it's turtles all the way down. You won't know if you're a sucker or at the very top level until it all comes crashing down.
Why do you think it was ludicrous? Admittedly I don't remember any detailed account of these events - but as I understand it Wright demonstrated that he can construct a message with Satoshi's private keys. Most probably he used some trick there, a rigged laptop or maybe even a rigged internet connection. But it was quite reasonable proof for me - I would not expect someone to do tricks on me when he could not demonstrate the same thing publicly - because what would be the goal of that? And if you are so sure that you could not be tricked - then good luck.
> But critics called Dr Wright's claim into doubt when it emerged that part of the evidence the entrepreneur presented in public could have been generated using a string of digits linked to a seven-year-old transaction made by Satoshi, accessible via a search engine.
> "It was a mistake to agree to publish my post before I saw his - I assumed his post would simply be a signed message anybody could easily verify," Mr Andresen told security researcher Dan Kaminsky when he challenged the scientist over the matter.
I recognize one of the IOTA foundation's members. I won't say his ego wasn't out of control and several professors asked him to take down "papers" from arxiv for being sloppy.
Smart contract languages are pretty funny - I have yet to see an actual programming language theorist weigh in on them. I read one blogger who was very excited about the type system he was making for his language, but he never actually explained what a type-safe smart contract would entail (i.e. what invariants are encoded into the type system, why do these invariants do the thing, etc).
One priceless line from Ethan Heilman to support that observation: Probably best not to use informal stackoverflow answers and Wikipedia for understanding the security of your system.
I read through the whole exchange and kept thinking "How are they managing to be so polite, to these rank amateurs who show no respect?" I probably would have informed them of the flaw, informed them when I was publishing, informed of a suggested fix then piped all the rest to /dev/null.
I also positively love the use of "push it to the limit".
It honestly gave me flashbacks to a few email chains I've had with students in my tutorials. It's really obvious when someone is asking for clarification but it's not in good faith
"Can you explain to me what you think I did wrong in my program? I can assure you everything is correct. Otherwise you're clearly drunk and out to get me."
> Did you receive the invite? We can also setup a chat with our ex-NSA post-Quantum hash function experts after we get the initial confusion out of the way.
Obviously Sergey isn't mean, but it's just unfortunate phrasing, because he is a non-native speaker, learning English from Java documentation, right? ;-)
Neha's "I'm going to stop responding now." should have come much earlier.
/r/iota sure seems to believe that's what it shows. One comment with 20 upvotes:
> I read the emails and it seems to me that Ethan doesn't understand what they've done in IOTA or has a very different way of interpreting what they have done, aka he's trained by a textbook and if you deviate from the textbook it's wrong bla bla. I think come_from_behind is and will continue to run laps around these University morons
The best part is that part of their argument for why it's not a real vulnerability is that the coordinator might have rejected it - except that the coordinator is essentially a server run by them, which makes the entire "crypto" part of crypto currency totally unnecessary.
Also doesn't help when the byline on their website is "Scalable, Decentralized, Modular, No Fees". Well, maybe 2/4. Having a central coordinator sounds pretty essential to their current design.
I only got to page 30 before moving on, but this line is telling:
> In this case you are right, second-preimage resistance is an anti-feature, collision resistance threat is nullified by Coordinator while allows us to easily attack scam-driven copycats. (pg. 24)
The Coordinator referenced is a validation node run by the IOTA team which currently processes all transactions.
A creator of IOTA said that broken collision-resistance is actually a feature, allowing them to use their centralized node to attack "scammers".
The whole narrative from the start has been decentralized cryptocurrencies; but IOTA it seems is neither decentralized nor a currency backed by secure cryptography.
I read most of it. I suppose if you're interested in IOTA you should read it, it puts IOTA in a terrible light. Check this out:
Ethan (MIT):
> I am shocked that you would call a hash function deployed in production, with "a 800 million dollar bug bounty" as Dominik put it, a prototype.
Sergey (IOTA):
> I see Greek wasn't your favorite subject in school :), don't worry, word "prototype" is similar to https://en.wikipedia.org/wiki/Prototype_pattern, not to what you thought about. It is also important to keep in mind that all distributed ledgers are currently in a "prototype phase".
I think I work with a clone of Sergey. He has somehow managed to convince his boss that he knows what he is doing. Every interaction with him is painful as he subconsciously does everything in his power to discredit me and make himself look good.
That was a painful read. Considering the amount of money invested into this coin, someone should have coughed up travel expenses to get these guys into a room together for a few days so they could more efficiently clarify themselves to each other, maybe establish a bit of trust and rapport from working alongside each other on a problem, and reach consensus as to what facts and opinions they agree on vs. what is in dispute. I would have loved to see some of that energy they spent fretting over optics instead put into solid engineering work.
Just my two cents. Most of this is over my head as I'm not by any means a cryptography expert.
This is a conclusion you might reach if you're not familiar with the terminology the MIT researcher used. Here's an analogy - suppose a professor of engineering is looking at a new car from a promising startup, and discovers that the car uses banana peels as brake pads. (This is about as irresponsible and naive as rolling your own crypto.)
Prof: I've noticed that you're using a non-standard brakepad material, which functions very poorly for stopping the motion of the car. You should fix this.
Startup: That's fine, these peels are organic and eco friendly, and they're safe because I modelled them in the same shape and size as normal brake pads.
Doing research into things, publishing results, and shorting is perfectly legitimate. It's how Lumber Liquidators was found to be using formaldehyde. Just because someone says something you don't like, and they have a short position in the thing, doesn't mean they are wrong.
He went out of his way to foul up (read the comment section for how obviously), not that that validates his assumption that ease-of-use = IOT suitability.
He most certainly did not. In fact, you already legislated this exact point with him and he explained exactly why he made the choices he made -- in your own comment history.
I did exactly what he tried to do. It took me less than 1 hour and my node was in sync.
If you use a dedicated server with sufficient bandwidth and not your laptop at home for a full node this can easily be done.
IoT devices are connected to this full node and are not full nodes themselves. I don't know what made him think otherwise.
I'm a person with no background in cryptography. I am in the tech industry however, so I can follow about 30% of the technical jargon that's going on. I read the entire thing. smh.
The whole thing started with someone finding something wrong with the 'Curl' wrapper around a packet that's being sent from A->B. Apparently, this violates an EU-CMA security protocol, and this is an issue. Lots of holes in my knowledge there, but I got the gist.
What I don't get, is HOW this became a bipartisan issue with HN/Reddit. Because if you read the 124 pages, it becomes clear that both the IOTA team, as well as the MIT team were bad at communicating with each other, the purpose of this bad communication is unknown, but both are at fault.
So we at HN look at some emails from IOTA and call out their unprofessional behavior, and Reddit does the same thing with MIT's team.
What if someone has no perspective of how these communications usually take place? It looks like (upon the assumption that IOTA's team member was indeed in an 'incomprehensible' state when he typed that email out) MIT's team member without a second warning, just went ahead with publishing the paper.
So what's the big mess? It's pretty clear that both parties messed up by being sloppy at emailing each other.
The MIT team wasn't being sloppy, they were using standard terminology that anyone with a cryptography background would understand. The naive assumption on their part was that the development team of a major crypto currency understood decades-old cryptanalysis techniques that are covered in an introductory undergraduate course.
I think there was some disbelief that a team with so much money could have made such an incredibly rookie mistake.
The way I view it there's a serious asymmetry here in that the IOTA team is denigrating seasoned professionals in the field of cryptography (e.g. Matthew Green) on social media without offering a serious rebuttal of their concerns.
From my PoV there seems to be little-to-no miscommunication in bad faith on the part of the MIT researchers in these emails, but a lot of dismissiveness from the IOTA developers towards the concerns that were brought to them.
Over the past few days, it seems to have only gotten worse on Twitter (I encourage you to check out the recent threads in which @matthew_d_green engages with @c___f___b only to be accused of professional incompetence).
tl;dr (from my perspective) is that the big mess here comes from a party without proper education in the field producing a $1B+ market cap cryptocurrency while _unnecessarily rolling their own crypto primitives_, and then steadfastly ignoring the suggestions of academics who have spent their entire lives researching this field.
Green is the only guy who could take something as novel as zk-SNARKs and latch it onto a trusted setup (you need it, but it should have been 50 Peter Todds) and optional privacy. He trolled Monero with this same kind of vehemence when he should be turning his critical eye on zcash--so let's not pretend he's an infallible god when he can't even get his own project right. Also, if you read the side convo between CFB and Aumasson you'll get an indicator of why CFB was correct (also polite when someone intelligent listens).
Lol this entire thread you've been defending Iota without facts.
a) there's nothing broken in the Zcash cryptography. Some cryptographic assumptions used by SNARKs are a bit hairy and novel, but these assumptions, and variants thereof, haven't been broken in over 25 years of trying.
b) State-of-the-art efficient SNARKs require trusted setup, but this can be distributed, as was done with Zcash and will be done, in a better way, in the next Zcash upgrade.
c) CFB called Aumasson's methods 'primitive'. Hardly polite, especially considering Aumasson is co-creator of solid hash functions like Blake2.
- No one but the participants should trust a trusted setup, and even then, it's only if they can vouch for their OPSEC.
- B goes to my point that Green is inept, as that should have been where they started.
- And they were cordial after they talked through the issues and Aumasson realized CFB's point (also, appeal to authority backfires when the authority agrees with the person you are criticizing).
Spend less time worrying about what I'm doing elsewhere and more on the argument in front of you. But it does seem fitting that you are supporting a dev who shows more concern for what others are doing than the product he helped drive into the ground.
As a participant in the SHA hash function contest who broke one of the 51 Round-1 SHA-3 proposals and who worked on security proofs for another SHA-3 proposal I can say with some authority that using the sponge construction and showing statistical properties of the transformation function is not sufficient to ensure security. Of the 51 Round-1 SHA-3 proposals all of them passed statistical tests and at least one round of review by NIST yet 33/51 were broken.
A more general point is that you should never roll your own crypto and if you must then it should be submitted for peer review by cryptographers before using it in a security critical application.
I know this is a pretty standard way to carry a technical conversation in the crypto community, but this is a pure and unadulterated argument from authority. I don't think other fields of computer science get away with this bullshit (you can't invent anything new unless you get a blessing from "the community").
That’s because other fields of computer science can either prove or demonstrate that their solution works. Cryptography almost never has solid proofs, and demonstrations prove nothing.
When you’re working on something where “works great” and “completely broken” are almost indistinguishable, the only way to even have a hope of avoiding the second one is by having a lot of smart people bang on it for a long time.
What? Modern cryptography is based on proofs and definitions. Sure, we can't prove that SHA2 is cryptographically strong (that would imply P≠NP), but we can show that it resists certain kinds of attacks.
Furthermore, assuming certain properties are satisfied by SHA2, we can argue that different constructions based on it (e.g. a Merkle tree) are secure.
I’m talking about proofs that the stuff works, i.e. that the algorithms or code are cryptographically strong. As far as I know, only the one-time pad has such a proof.
As I said, proving that the underlying crypto is unbreakable would involve proving statements stronger than P≠NP, and so isn't going to happen for a while. What you can do is conjecture that your favourite hardness assumption (SHA-256 is a CRH, AES is a PRF, factorisation is not in P) holds, and then base your cryptographic constructions off such assumptions.
I understand that. Starting with a conjecture and "proving" your algorithm's security based on that is not actually a solid proof. This is why things are the way I said they are.
"Of the 51 Round-1 SHA-3 proposals all of them passed statistical tests and at least one round of review by NIST yet 33/51 were broken."
My central point is that statistical tests are not in any way sufficient for showing the security of a cryptographic hash function since it is easy to create a hash function that passes them and is broken. My evidence was the SHA-3 competition.
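To make the comment above concrete, here is an added illustration (not code from the thread, and not any SHA-3 submission) of a hash function that passes simple output-distribution tests and is nevertheless broken. `broken_hash` is constructed for this example: its output bits are SHA-256's, so monobit and avalanche measurements look perfect, yet it drops trailing zero bytes before hashing, so a second preimage for any message costs nothing. The test thresholds and sample sizes are also assumptions of the example.

```python
import hashlib
import random


def broken_hash(msg: bytes) -> bytes:
    """Hypothetical hash with a structural flaw (constructed for this example):
    trailing zero bytes are stripped before hashing, so every message shares its
    digest with the same message plus a trailing zero byte. The output bits are
    SHA-256's, which is why distribution tests on the output look perfect."""
    return hashlib.sha256(msg.rstrip(b"\x00")).digest()


def _random_message(rng: random.Random, n: int = 16) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def _popcount(data: bytes) -> int:
    return sum(bin(b).count("1") for b in data)


def monobit_fraction(hash_fn, samples: int = 2000, seed: int = 1234) -> float:
    """Fraction of 1-bits across digests of random inputs (ideal: 0.5)."""
    rng = random.Random(seed)
    ones = bits = 0
    for _ in range(samples):
        d = hash_fn(_random_message(rng))
        ones += _popcount(d)
        bits += 8 * len(d)
    return ones / bits


def avalanche_fraction(hash_fn, samples: int = 500, seed: int = 42) -> float:
    """Fraction of output bits that flip when one random input bit flips (ideal: 0.5)."""
    rng = random.Random(seed)
    flipped = bits = 0
    for _ in range(samples):
        m1 = bytearray(_random_message(rng))
        m2 = bytearray(m1)
        bit = rng.randrange(8 * len(m1))
        m2[bit // 8] ^= 1 << (bit % 8)
        d1, d2 = hash_fn(bytes(m1)), hash_fn(bytes(m2))
        flipped += _popcount(bytes(a ^ b for a, b in zip(d1, d2)))
        bits += 8 * len(d1)
    return flipped / bits


def passes_statistical_tests(hash_fn, tolerance: float = 0.02) -> bool:
    """Crude stand-in for a statistical test battery: both measurements near 0.5."""
    return (abs(monobit_fraction(hash_fn) - 0.5) < tolerance
            and abs(avalanche_fraction(hash_fn) - 0.5) < tolerance)


def second_preimage(msg: bytes) -> bytes:
    """A second preimage for broken_hash found with zero work: the flaw is in how
    inputs are mapped onto the core, not in how output bits are distributed."""
    return msg + b"\x00"


if __name__ == "__main__":
    m = b"transfer 100 to alice"
    print("passes statistical tests:", passes_statistical_tests(broken_hash))
    print("second preimage collides:", broken_hash(second_preimage(m)) == broken_hash(m))
```

The two results together are the point: output statistics only see the random-looking core, while the break lives entirely in the input mapping around it, which is exactly the kind of flaw cryptanalytic review, not statistical testing, is needed to find.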
You may dislike the listing of authority, but he's right, and you're kind of misconstruing what he's saying. You can "invent" all the crypto systems you want, you're just foolish to do so without proper review, because there will be flaws.
In a later response, IOTA also appeal to authority...
> Did you receive the invite? We can also setup a chat with our ex-NSA post-Quantum hash function experts after we get the initial confusion out of the way.
That thread is full of IOTA fans who are convinced that this leak "exposes" malfeasance and conflict of interest on the part of DCI. One has to wonder if they actually read the whole transcript, or just jumped on the assumption bandwagon...
Holy shit! this only reinforces the (probably unfair) stereotypes I have about random comments on twitter (as opposed to other places on the internet).
Maybe instead of whipping up a pdf like Manafort that requires trust in the authors copy/paste & editing process it would be better to see the real email conversations incl. message headers. Not saying this isn't how it unfolded but this isn't <evidence> either.
Why go through the trouble of creating a pdf from different emails (he calls them "letters") when he could just save the messages verbatim as plain text incl. timestamps & other metadata? Some of the justifications for creating home-brew crypto say a lot. This sure is nonsense.
Straight out of the Trump / Nunez playbook...just leak something that is questionable or even contradicts your point, but tell your supporters that it exposes fraud...and most of them will conveniently apply confirmation bias to believe you.
Wow, this was the juiciest goss I've seen in a while. Seems like the bitter tone was due to some early passive aggressive comments by the MIT Media Lab team, though.
I read the whole thing and was waiting for Ethan to send "just watch" to the thread and transfer all IOTA to his wallet (or whatever is relevant for IOTA).
IOTA rolled their own crypto. As they were warned by many in and out of the crypto (in both senses of the word) communities at the time, it was susceptible to attack. MIT Media Lab wrote a responsible disclosure report on a vulnerability. IOTA kept pushing back the publication date, based on a mixture of amateur cryptography arguments and nitpicking over disclosure issues. MIT Media Lab finally published, well after the originally agreed deadline, after realizing IOTA was not serious about improving the code further and was using the time to attempt to improve their appearance in the disclosure report's narrative. IOTA got upset, as this publication exposed them with their pants down. They've now threatened the involved academics with legal action. (There is, of course, no actionable basis for such.)
It is interesting if you find cryptocurrencies interesting, as it shows how "well" run many are - and IOTA is by no means an outlier here. The foundations are simply not lousy with cryptography, programming and economics experts who are solely interested in best practices.
>MIT Media Lab wrote a responsible disclosure report
Pardon my ignorance but I am confused with the engagement of MIT Media Lab in this. Was it voluntary or was there some formal engagement between the IOTA foundation and MIT Media Lab?
Basically they are claiming one of the core primitives to make IOTA work as a secure cryptocurrency is fundamentally flawed. Haven't read enough but if this is what it sounds like, it means IOTA needs a major rework.
I mean what did you expect from a weird shitcoin that uses trinary arithmetic (really?) for no good reason.
Because IOTA is rekt, it has been for some time, and this is just what you should expect from people who try to roll their own cryptography, then get defensive when a notable real cryptographer points out flaws.
Agreed. FD: I've 'shorted' IOTA in any way possible, mostly through altcoins which may actually deliver on IOTA's promises. As soon as I heard they were using ternary as some kind of competitive advantage, I lost all faith in them.
Totally. And not to sound holier than thou, I'm guilty of "unnecessary re-implementation" possibly more than most. I use my own window manager, have written my own high performance disk archival compression, wrote my own (super)multichannel (>8) lossless audio format, am working on my own large sequence data (think: DNA) native clustering algorithm....
But for the love of god man, /never invent your own crypto/
Friendly reminder that iota's cryptographic weaknesses are immaterial, because it's not actually a decentralized currency - there's the coordinator, a server run by the iota team that controls transactions. The entire value of it today is speculation - if a demonstration of the complete incompetence and dishonesty of the team, exposed by researchers at a world renowned institution that laymen are familiar with wouldn't make the price drop to zero, what hope is there that the crash will happen before you have to close your short position? And if crypto currencies crash, what is the likelihood that whatever exchange you placed your bet on is still solvent?
The market can remain irrational longer than you can remain solvent. Be content to eat popcorn and wait.
I have a vague memory of once upon a time reading a paper alleging that if you could start everything over again from the beginning, that somehow ternary was more efficient than binary for a digital architecture, something having to do with power usage. But other than that it just sounds like nonsense.
Love to see that paper; seems like nonsense to me. If someone came up with a more optimized transistor architecture than CMOS I'd love to have a look at it.
Oh! I remembered more details about it if it helps. It has to do with e being the "most efficient" numbering base. The reason e is the "most efficient" has to do with wanting to minimize both the size of the alphabet of symbols as well as the number of digits in an average computation. If you allow for a non-integer base, and a non-integer number of digits, the optimum base is e. e rounds to 3. ;-)
Now, full disclosure, I'm not entirely sure I believe in this, I'm just citing sources but check these out:
Yeah, it's complete bollocks. Rest assured, if anything was better than binary for _logic_ then it would already have taken over the world. Binary has a lot of wonderful properties (not least noise immunity) and deserves a lot of credit for the success of modern technology. Note, the ENIAC wasn't binary! It was based on decimal.
However there are places where we look beyond binary; most notably in storage where data density is job one. The vast majority of FLASH is using MLC (4-values) or TLC (8-values) which need heroic circuits to recover the data. But note, these are 2^2 and 2^3, still binary based.
It is not "complete bollocks", it is just not as efficient as it appears to be. The reason for the (supposedly) higher efficiency of ternary logic is so-called radix economy (Wikipedia has an article). Properly implemented ternary (with a split power supply - positive, negative and ground) would have the same noise immunity as binary.
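The radix economy argument behind the "e is the most efficient base" claim in the two comments above, worked through as an added derivation (my own, not from the thread; N is the largest value to be represented and b the radix):

```latex
\text{Representing } N \text{ in radix } b \text{ takes } d = \lceil \log_b N \rceil \text{ digits; radix economy prices each digit at } b \text{ units:}

E(b, N) = b \cdot \lceil \log_b N \rceil \;\approx\; \frac{b}{\ln b}\,\ln N

\text{Only the factor } \tfrac{b}{\ln b} \text{ depends on } b. \text{ Minimising it over real } b:
\frac{d}{db}\left(\frac{b}{\ln b}\right) = \frac{\ln b - 1}{(\ln b)^2} = 0 \;\iff\; b = e \approx 2.718

\text{Integer radices:}\quad
\frac{2}{\ln 2} \approx 2.885,\qquad
\frac{3}{\ln 3} \approx 2.731,\qquad
\frac{4}{\ln 4} \approx 2.885,\qquad
\frac{10}{\ln 10} \approx 4.343
```

So under this metric radix 3 beats radix 2 by roughly 5%, and radix 4 ties with radix 2, which is the entire content of the "ternary is more efficient" claim. The model prices a digit at exactly b units of hardware and says nothing about noise margins or the available transistor technology, which is the objection raised in the preceding comments.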
> I can't get a single reply from you, looks like you put me on ignore on Twitter. I don't blame you, sometimes I'm pretty annoying, I spend too much time with computers and lack some skills required for proper interaction with humans.
I'm really relieved to see that in the wake of the leak of these emails the only criticisms the few eternal iota haters that congregate here have left is "lol iota are mean at the end".
IOTA: Can you look into our laundry detergent product and review its safety?
DCI: Sure. We've got some accomplished chemists that will do a careful review.
IOTA: Cool, let us know what you find.
DCI: Uh oh, it looks like we found a critical problem with your detergent. We tested the product and it seems to have poisonous properties.
IOTA: How did that happen? Did someone accidentally ingest it?
DCI: Can you prove that your laundry detergent pods are safe when ingested?
IOTA: Don't ingest them. Use them to do laundry.
DCI: I see, so you don't deny that they are unsafe for consumption?
IOTA: I don't understand. Why would you try to eat them? Our instructions clearly say that's not what they are for.
DCI: Look, we have a lot of experience with chemicals. Every chemist out there will tell you that these ingredients are unsafe for consumption. Ask for a second opinion if you like.
IOTA: Ok but can you show that they are unsafe to use for laundry?
DCI: We'll let everyone know that this laundry detergent is unsafe.
IOTA: Wait, can you also tell everyone that they shouldn't eat them?
DCI: ...
IOTA: Did you just publish?
Second Preimage Resistance is important with most cryptocurrencies based off bitcoin because they are often calculated as a hash of a hash, which is what second preimage resistance is all about preventing predicting.
In this case, the `curl` function is not being used as a hash function, but a different type of mapping. Unfortunately, that mapping is supposed to be pseudo-random and now it is known that it is not.
The "second" in "second preimage" doesn't refer to hashing something twice. It means that you already have one preimage for a hash (presumably because you started with the "preimage" and calculated the hash from that), and you want to find a second, different one.
To be pedantic: given x and H(x), it is impossible to find x’ such that H(x’) == H(x) in a practical amount of time.
(You need x, and an attack doesn't need to be polynomial to break the hash function; it just needs to be fast enough, considering constant factors, to fit within some plausible attacker's computational resources.)
How would using the hash of a hash strengthen the property of second preimage resistance? The space of all possible hashes is still 2^256. The only impact I see is that the cost of computing a hash is doubled.
The post was referring to Bitcoin-based cryptocurrencies which compute addresses using two hashing functions, RIPEMD160 and SHA256. It's not just the same hash, twice. The PoW for blocks is SHA256(SHA256()), though
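To make the definitions in the last few comments concrete, here is an added example (mine, not from any commenter and unrelated to IOTA's or Bitcoin's code). It uses SHA-256 truncated to a small number of bits, a constructed toy, so that a second-preimage search and a birthday collision search both finish in well under a second and the difference in their cost is visible; it also shows that hashing twice, as in the SHA256(SHA256()) proof of work, leaves the output space (and so the search size) unchanged. RIPEMD160 is left out because hashlib support for it varies between OpenSSL builds.

```python
import hashlib
from itertools import count


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def double_sha256(data: bytes) -> bytes:
    """SHA256(SHA256(x)), the Bitcoin block/PoW hash mentioned above."""
    return sha256(sha256(data))


def trunc_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` bits. Constructed toy: real SHA-256 is 256 bits
    and none of the searches below could finish; truncation keeps the shape of
    the properties while making the work visible."""
    return int.from_bytes(sha256(data), "big") >> (256 - bits)


def trunc_double_hash(data: bytes, bits: int) -> int:
    """Truncated SHA256(SHA256(x)). The output space is still exactly 2**bits."""
    return int.from_bytes(double_sha256(data), "big") >> (256 - bits)


def find_second_preimage(h, x: bytes, bits: int):
    """Second preimage: given x (hence h(x)), find x' != x with h(x') == h(x).
    Brute force costs about 2**bits evaluations on average."""
    target = h(x, bits)
    for i in count():
        cand = b"cand:%d" % i
        if cand != x and h(cand, bits) == target:
            return cand, i + 1


def find_collision(h, bits: int):
    """Collision: any pair x != y with h(x) == h(y). The birthday bound makes this
    roughly 2**(bits/2) evaluations, far cheaper than a second preimage."""
    seen = {}
    for i in count():
        m = b"msg:%d" % i
        d = h(m, bits)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m


def demo(bits: int = 16) -> dict:
    """Run all three searches against constructed input and report the work done."""
    x = b"hello"  # constructed sample message
    sp, sp_work = find_second_preimage(trunc_hash, x, bits)
    a, b, col_work = find_collision(trunc_hash, bits)
    # Hashing twice doubles the cost per evaluation but not the output space,
    # so the second-preimage search against the double hash is the same size.
    sp2, sp2_work = find_second_preimage(trunc_double_hash, x, bits)
    return {
        "second_preimage": (sp, sp_work),
        "collision": (a, b, col_work),
        "double_hash_second_preimage": (sp2, sp2_work),
        "expected_second_preimage_work": 2 ** bits,
        "expected_collision_work": int(2 ** (bits / 2)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With 16-bit truncation the collision typically turns up after a few hundred evaluations and the second preimage after tens of thousands, which is the 2^(n/2) versus 2^n gap the comments are describing; the double-hash search is the same size as the single-hash one, just twice as slow per evaluation.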
https://arxiv.org/pdf/1603.09383
> Others who see what's going on, leave and this this eventually leads to the whole ship sinking.
It's hilarious that he thought that would work with a security researcher at MIT.
> We were just reached out to by a CoinDesk journalist that Ethan contacted in an attempt to rush out this publication. This may be the biggest scandal I have ever heard of from what has been portrayed as a professional 'responsible disclosure'. Ethan is clearly in complete conflict of interest and pushing this for his own gain, this is no longer about academic merits, but a desperate attempt by Ethan to make money.
I can be wrong but the suggestion here seems to be that Coindesk journalist reaching out to the Iota team was a ploy to force them to pay a bounty.
But, after devolving into a personal attack, they expect him to reply back a month later?
> Hi Ethan, I can't get a single reply from you, looks like you put me on ignore on Twitter.
This whole saga seems to be symptomatic of the cryptocurrency scene. Lots of expertise on money, economics, cryptography, programming languages etc. is out there. But any criticism of cryptocurrency devolves into either personal attacks or a know-all attitude which ensures not many people want to lend their expertise.
Edit: After re-reading the blog post, I realized the agenda of this leak was to show evidence of conflict of interest. The correct link for the post should have been:
http://www.tangleblog.com/2018/02/24/full-emails-ethan-heilm...
The lab director should have handled all communications.
What are you talking about? Ethan went AWOL from the conversation long before this whole discussion came to an eventual end. The only one who was met with ire was Neha after the IOTA team realized they basically published right when they realized there was no vulnerability after all.
> But, any criticism of cryptocurrency devolves into either personal attacks or a know-all attitude which ensures not many people want to lend their expertise.
This whole exchange was completely civil up until the point DCI threw their weak hand cards on the table. Stop trying to paint IOTA in a bad light. After the release of these emails you'll just look like a complete moron.
Haha this is a wonderful suggestion. "If you weirdos think ternary arithmetic has any benefits, just combine it with a crypto primitive you didn't handroll, ya dingus"
And then they say it's okay because of "higher level checks" that a colliding transaction wouldn't validate, so then when one is demonstrated, they say "it's okay because we'd just decide to reject the bad one even if the hash is the same" and the final defense is "something something distributed ledgers Satoshi"
I'm not sure how this was meant to "expose" MIT or be pro-IOTA in any way.
If you post something negative about IOTA you're likely to get a bunch of troll responses from accounts with histories of nothing but IOTA-related likes, retweets, and responses.
it would all be solved forever and anon with a paywall. 5 mao men, botheads, shilling, you would raise the cost to them by orders of magnitude (stealing other people's credit card numbers costs real money)
The conclusions on HN are (so far) completely at odds from those on the cryptocurrency subreddit: https://www.reddit.com/r/CryptoCurrency/comments/7zztey/full...
Meanwhile the commercial world seems happy to engage with IOTA:
"Volkswagen CDO will join the supervisory board of the IOTA foundation. And now, Volkswagen is going to utilise this technology in their automobiles." -- https://coingape.com/iota-volkswagen-partnership-raises-hope...
"Bosch makes first investment in distributed ledger technology, purchase of IOTA tokens to support creation of new business models for the Internet of Things" -- http://www.bosch-presse.de/pressportal/de/en/robert-bosch-ve...
"Taiwan's capital city of Taipei is working with the IOTA Foundation to bring Tangle - IOTA's answer to blockchain - to its citizen identification plans." -- https://www.coindesk.com/city-of-taipei-confirms-its-testing...
So what to make of all this?
I've taken some cryptography classes and a graduate level cryptanalysis course, and I could immediately tell that the people on the iota side clearly don't know what they're doing. For example, this should trip anyone's bullshit detector:
"IOTA was created to be immune to quantum computer attacks, today I have revealed that it was also created to be immune to attacks from an AI"
https://www.reddit.com/r/Iota/comments/70ya29/time_for_a_par...
The biggest problem is that it just makes no sense. It's not going to be decentralized & secure at the same time. It's LESS efficient than blockchain in every way. It's bad for IoT. It doesn't have any of the fancy features like Ethereum.
Crypto issues are just the icing on the cake. They can change crypto functions, but they can't change the fact that the coin is the worst choice for IoT (or pretty much anything).
The only selling point is that it's fee-less. But it's possible to make a centralized fee-less coin which would be much more secure and useful than IOTA.
Germany is lagging behind in tech, and the country is putting lots of bets on its car industry, the Volkswagen scandal not helping there. Now there is this new thing called cryptocurrency and one of them comes from Berlin. I don't know if it's just me, but it's not that hard to start speculating why these big German companies want to announce themselves to be working with a Germany-based cryptocurrency.
Cars aren't everything.
IOTA are rolling their own cryptography which immediately makes me run the other way. At least until I see some respected peer review that it's sound. This exchange makes me think that's unlikely at best.
Don't buy a Volkswagen until they have run the other way!
Most of the posts there are ways of confirmation biases - it's very difficult to get someone to see what they don't want to see in his/her cryptocurrency.
There are certain coins that are exceptionally polarizing (Ripple and IOTA come to mind) - it leads to this my coin vs your coin behavior. It's so fascinating, yet odd at the same time.
I read about 3/4 of the emails before coming to the conclusion I had no idea what was going on.
(I do think there are cryptocurrencies worth a bet in the long term, if you can afford to take a chance. Better to start with basics like the Princeton course and form your own judgements.)
Also, it seems logical at this point to disregard anything coming out of the cryptocurrency subreddits. They drink their own Kool-Aid.
[Edit to add this plug for Zcash! Made with real cryptographers]
A major wake-up call for me in the crypto currency world was Gavin Andresen's ludicrous "validation" of Craig Wright as Satoshi.
When a so-called leader clearly does not even understand the basics you realise it's 98% shit. Sturgeon's law applies again. But I keep on forgetting that.
No, for the past half a year or so I've been trying to learn all I can about market microstructure, quantitative finance, anything that makes money off of high variance.
Because if there's one thing I will bet on, it's that there's a ton of risk and volatility here in these hills, and there's probably money to be made somehow while it all crashes and burns.
Then there's the second level bait - since there are all these suckers out there, surely money can be made by predicting them!
And then it's turtles all the way down. You won't know if you're a sucker or at the very top level until it all comes crashing down.
> But critics called Dr Wright's claim into doubt when it emerged that part of the evidence the entrepreneur presented in public could have been generated using a string of digits linked to a seven-year-old transaction made by Satoshi, accessible via a search engine.
"It was a mistake to agree to publish my post before I saw his - I assumed his post would simply be a signed message anybody could easily verify," Mr Andresen told security researcher Dan Kaminsky when he challenged the scientist over the matter.
Also
https://www.wired.com/2016/05/craig-wright-privately-proved-...
I'm out of the loop; do you have any good summaries of this incident?
Yowza.
I read through the whole exchange and kept thinking "How are they managing to be so polite, to these rank amateurs who show no respect?" I probably would have informed them of the flaw, informed them when I was publishing, informed of a suggested fix then piped all the rest to /dev/null.
I also positively love the use of "push it to the limit".
"Can you explain to me what you think I did wrong in my program? I can assure you everything is correct. Otherwise you're clearly drunk and out to get me."
> Did you receive the invite? We can also setup a chat with our ex-NSA post-Quantum hash function experts after we get the initial confusion out of the way.
hahahaha fuck me, this is good stuff.
Neha's "I'm going to stop responding now." should have come much earlier.
Which is the real "yowza" imho.
Being in the green just means you’ve convinced a critical mass of greedy, ignorant people that you’re a winner.
http://www.kguttag.com
Let your fingers do the walking.
> I read the emails and it seems to me that Ethan doesn't understand what they've done in IOTA or has a very different way of interpreting what they have done aka he's trained by a textbook and if you deviate from textbook it's wrong bla bla. I think come_from_behind is and will continue to run laps around these University morons
https://www.reddit.com/r/Iota/comments/8016uc/debunking_the_...
That is a cringeworthy statement by someone doing a cryptographic decentralized project. The whole conversation is a trainwreck. :/
> In this case you are right, second-preimage resistance is an anti-feature, collision resistance threat is nullified by Coordinator while allows us to easily attack scam-driven copycats. (pg. 24)
The Coordinator referenced is a validation node run by the IOTA team which currently processes all transactions.
The whole narrative from the start has been decentralized cryptocurrencies; but IOTA it seems is neither decentralized nor a currency backed by secure cryptography.
Ethan (MIT): > I am shocked that you would call a hash function deployed in production, with "a 800 million dollar bug bounty" as Dominik put it, a prototype.
Sergey (IOTA): I see Greek wasn’t your favorite subject in school :), don’t worry, word “prototype” is similar to https://en.wikipedia.org/wiki/Prototype_pattern, not to what you thought about. It is also important to keep in mind that all distributed ledgers are currently in a “prototype phase“.
Just my two cents. Most of this is over my head as I'm not by any means a cryptography expert.
Prof: I've noticed that you're using a non-standard brake pad material, which functions very poorly for stopping the motion of the car. You should fix this.
Startup: That's fine, these peels are organic and eco friendly, and they're safe because I modelled them in the same shape and size as normal brake pads.
It’s a fun read and you’ll probably end up unimpressed to say the least.
It is from the same author
Doing research into things, publishing results, and shorting is perfectly legitimate. It's how Lumber Liquidators was found to be using formaldehyde. Just because someone says something you don't like, and they have a short position in the thing, doesn't mean they are wrong.
The whole thing started with someone finding something wrong with the 'Curl' wrapper around a packet that's being sent from A->B. Apparently, this violates an EU-CMA security protocol, and this is an issue. Lots of holes in my knowledge there, but I got the gist.
What I don't get, is HOW this became a bipartisan issue with HN/Reddit. Because if you read the 124 pages, it becomes clear that both the IOTA team, as well as the MIT team were bad at communicating with each other, the purpose of this bad communication is unknown, but both are at fault.
So we at HN look at some emails from IOTA and call out their unprofessional behavior, and Reddit does the same thing with MIT's team.
What if someone has no perspective of how these communications usually take place? It looks like (upon the assumption that IOTA's team member was indeed in an 'incomprehensible' state when he typed that email out) MIT's team member without a second warning, just went ahead with publishing the paper.
So what's the big mess? It's pretty clear that both parties messed up by being sloppy at emailing each other.
I think there was some disbelief that a team with so much money could have made such an incredibly rookie mistake.
From my PoV there seems to be little-to-no miscommunication in bad faith on the part of the MIT researchers in these emails, but a lot of dismissiveness from the IOTA developers towards the concerns that were brought to them.
Over the past few days, it seems to have only gotten worse on Twitter (I encourage you to check out the recent threads in which @matthew_d_green engages with @c___f___b only to be accused of professional incompetence).
tl;dr (from my perspective) is that the big mess here comes from a party without proper education in the field producing a $1B+ market cap cryptocurrency while _unnecessarily rolling their own crypto primitives_, and then steadfastly ignoring the suggestions of academics who have spent their entire lives researching this field.
a) there's nothing broken in the Zcash cryptography. Some cryptographic assumptions used by SNARKs are a bit hairy and novel, but these assumptions, and variants thereof, haven't been broken in over 25 years of trying.
b) State-of-the-art efficient SNARKs require trusted setup, but this can be distributed, as was done with Zcash and will be done, in a better way, in the next Zcash upgrade.
c) CFB called Aumasson's methods 'primitive'. Hardly polite, especially considering Aumasson is co-creator of solid hash functions like Blake2.
- No one but the participants should trust a trusted setup, and even then, it's only if they can vouch for their OPSEC.
- B goes to my point that Green is inept as that should have been where they started.
- And they were cordial after they talked through the issues and Aumasson realized CFB's point (also, appeal to authority backfires when the authority agrees with the person you are criticizing).
Spend less time worrying about what I'm doing elsewhere and more on the argument in front of you. But it does seem fitting that you are supporting a dev who shows more concern for what others are doing than the product he helped drive into the ground.
A more general point is that you should never roll your own crypto and if you must then it should be submitted for peer review by cryptographers before using it in a security critical application.
I know this is a pretty standard way to carry a technical conversation in the crypto community, but this is a pure and unadulterated argument from authority. I don't think other fields of computer science get away with this bullshit (you can't invent anything new unless you get a blessing from "the community").
When you’re working on something where “works great” and “completely broken” are almost indistinguishable, the only way to even have a hope of avoiding the second one is by having a lot of smart people bang on it for a long time.
Furthermore, assuming certain properties are satisfied by SHA2, we can order that different constructions based on it (eg a Merkle tree) are secure.
Cryptography is highly mathematical.
Under very carefully chosen assumptions, which may or may not be true (hello Random Oracle). But this is a very flimsy sort of proof.
My central point is that statistical tests are not in any way sufficient for showing the security of a cryptographic hash function since it is easy to create a hash function that passes them and is broken. My evidence was the SHA-3 competition.
> Did you receive the invite? We can also setup a chat with our ex-NSA post-Quantum hash function experts after we get the initial confusion out of the way.
I think we've all worked with a Sergey in our careers so far. And most of us end up doing what Ethan did.
http://untangled.world/iota-founders/
edit: letter #11 says "shit's fucked, yo".
You should start reading at #76. It is a fast read.
http://bit-player.org/wp-content/extras/bph-publications/AmS... https://hackaday.com/2016/12/16/building-the-first-ternary-m...
Also, Don Knuth likes balanced ternary, and, well, I guess that counts for something.
(again, personally I have no idea if I think it's nonsense or not)
That's a contradictory statement. If it was as efficient as claimed it wouldn't be bollocks. But it isn't, thus, bollocks.
"(with a split power supply - positive, negative and ground) would have the same noise immunity as binary."
[citation needed]
I'm not a EE, but my understanding from EE friends is that isn't true.
Only if you increase the supply voltage such that: V+tern - GNDtern == V+bin - GNDbin == GNDtern - V-tern
That says it all.