mobilefish.com IOTA TUTORIAL 27 · • You can think of normalizing the bundleHash as balancing a...

transcript

IOTA TUTORIAL 27mobilefish.com

Why normalizedBundleHash? Why not reuse an address for outgoing txs?

v1.0.0

INTROmobilefish.com

• In IOTA tutorial 6 I have explained why you should not reuse an address for outgoing transactions by using the Lamport One Time Signature scheme. That was a simplified explanation but not an accurate one. This tutorial will provide you the correct answer.

• In IOTA tutorial 16 I have never explained why the bundleHash is normalized. In this tutorial I will explain why this it is needed.

PREREQUISITESmobilefish.com

• I assume that you have watched:

• IOTA tutorial 8: Cryptographic sponge construction

• IOTA tutorial 9.1: Key, Digests & Address

• IOTA tutorial 10: Transaction and bundle

• IOTA tutorial 15: BundleHash

• IOTA tutorial 16: normalizedBundleHash

• IOTA tutorial 17: Create and validate a signature

PREREQUISITESmobilefish.com

• If you have not watched these videos you probably will not understand this tutorial. I highly recommended that you first watch these tutorials.

QUICK REFRESHERmobilefish.com

• To be on the same page, in the following slides I will give you a quick refresher:

• What is a transaction bundle and transaction objects.

• What is a bundleHash and how it is created.

• What is a normalizedBundleHash and how it is created.

• How to calculate the number of hashes.

• How to create and validate a signatureFragment.

• How is an address calculated.

TRANSACTIONBUNDLEmobilefish.com

tip0tip1

currentIndex N

trunkTransaction

branchTransaction

currentIndex 2

trunkTransaction

branchTransaction

currentIndex 1

trunkTransaction

branchTransaction

currentIndex 0

trunkTransaction

branchTransaction

Transaction bundle

currentIndex N

trunkTransaction

branchTransaction

currentIndex 2

trunkTransaction

branchTransaction

currentIndex 1

trunkTransaction

branchTransaction

currentIndex 0

trunkTransaction

branchTransaction

transactionObjects

TRANSACTIONOBJECT EXAMPLEmobilefish.com

• This is what a single transactionObject looks like in a transaction bundle:{

"hash": "YDDQ...A9999",

"signatureMessageFragment": "JHAK...MVGY","address": "HRKD...XKHX","value": -3,"obsoleteTag": "999999999999999999999999999","timestamp": 1515494426,"currentIndex": 1,"lastIndex": 2,

"bundle": "RTGX...LQCY","trunkTransaction": "WVCLP...99999","branchTransaction": "DOXV...X999","tag": "999999999999999999999999999","attachmentTimestamp": 1515496571334,"attachmentTimestampLowerBound": 0,"attachmentTimestampUpperBound": 3812798742493,"nonce": "AZ999IOB9999999999999999999","persistence": true

How is this bundleHash created?

BUNDLEHASHmobilefish.com

• The bundle transactionObject addresses, values, obsoleteTags, timestamps, currentIndexes and lastIndexes are used to calculate the bundleEssences:

bundleEssence = convertToTrits(address) + convertToTrytes(valueTrits) + obsoleteTag + convertToTrytes(timestampTrits) + convertToTrytes(currentIndexTrits) + convertToTrytes(lastIndexTrits))

• Use the cryptographic sponge construction to absorb the bundleEssences and squeeze the hash.bundle = [transactionObject0, transactionObject1, transactionObject2, transactionObject3]

transactionObjectN = {address, value, obsoleteTag, timestamp, currentIndex, lastIndex}

transactionObject0

bundleEssence0transactionObject1

bundleEssence1

transactionObject2

bundleEssence3

f f f f f0 hash

absorbing squeezing

• Convert the hash to trytes:bundleHash = convertToTrytes(hash)

TRANSACTIONOBJECT EXAMPLEmobilefish.com

"hash": "YDDQ...A9999",

bundleHash

NORMALIZED BUNDLEHASHmobilefish.com

• The normalizedBundleHash is created by extracting the bundleHash from the transactionObject and the bundleHash is then normalized.

• The normalizedBundleHash contains no tryte value M and the "weights" of the trytes are evenly distributed.

NORMALIZED BUNDLEHASHmobilefish.com

• You can think of normalizing the bundleHash as balancing a seesaw, by manipulating its “weight” (=trytes) to reach a more equilibrium state.

• The normalizedBundleHash is used to create or validate a signature.

Before normalizing sum = 22

first tryte in the part 13-13 4-4 -1

After normalizing sum = -1

mobilefish.com

CALCULATE NUMBER OF HASHES

K = 13 - decimal 23 26 23 13 12 23 19 20 1512025

K times to hash each segment to CREATE signatureFragment

K = 13 + decimal 3 0 3 13 14 3 7 6 112561

K times to hash each segment to VALIDATE signatureFragment

… …

L Q…R T … 9 AZ T … C YW UbundleHash81 trytes

normalized BundleHash L Q…O T … 9 AN Q … T YQ U

normalized BundleFragment27 trytes

-12 -7 12 -2-7-6-1010-10-13-10tryte decimal

value… … …

mobilefish.com

security level 1

… 25 260 1 … 25 260 1

… 25 260 1 … 25 260 1 … 25 260 1hash each segment K times

segment each segment consists of 81 trytes

hash each keyFragment 1x

digests

each digests consists of 81 trytes

27 segments forms a keyFragment

3141330

… 25 260 1

1 3256 1167

address

hash n digests 1x

security level 2

security level 3

signature Fragment

key Fragment

25 23120

… 25 260 1

26 121323

… 25 260 1

23 152019

… 25 260 1

hash each segment K times

fragment stored in bundle

Seed, index number, security level

SIGNATUREMESSAGEFRAGMENT EXAMPLEmobilefish.com

"hash": "YDDQ...A9999",

mobilefish.com

security level 1

… 25 260 1 … 25 260 1

digests

3141330

… 25 260 1

1 3256 1167

address

hash n digests 1x

security level 2

security level 3

signature Fragment

key Fragment

25 23120

… 25 260 1

26 121323

… 25 260 1

23 152019

… 25 260 1

Seed, index number, security level

mobilefish.com

security level 1

… 25 260 1 … 25 260 1key

digests

2626262626

… 25 260 1

26 262626 262626

address

hash n digests 1x

security level 2

security level 3

key Fragment

CALCULATE ADDRESSSeed, index number, security level

WHY IS NORMALIZEDBUNDLEHASH NEEDED?mobilefish.com

• I have created a simple value transaction: I have used security level 1 and transferred 1 IOTA from address A to B and there is no remainder.

• See the corresponding transaction bundle:https://www.mobilefish.com/download/iota/transactions_in_bundle_security_level1.txt

• The transaction bundle has two transactionObjects. A transactionObject containing recipient data and the other containing sender data.

• The senders signatureMessageFragment is “KVSA…HMKW” and the senders address is “VXO…LTKA”.

… 25 260 1

1 3256

address

digests

signature Fragment

key Fragment

25 23120

… 25 260 1

segment, each segment consists of 81 trytes

hash n digests 1x

security level 1

• Let assume the submitted transaction bundle is pending and a hacker, called Eve, gets hold of this transaction bundle.

• Eve can change the transaction bundle by replacing the recipient’s address with her own address. By doing so the bundleHash changes which means the normalizedBundleHash and the number of hashes (K) are also changed accordingly.

bundle = [transactionObject0, transactionObject1]

transactionObjectN = {address, value, obsoleteTag, timestamp, currentIndex, lastIndex}

transactionObject0

bundleEssence1

absorbing

f hash bundleHash = convertToTrytes(hash)

squeezing

mobilefish.com

WHY IS NORMALIZEDBUNDLEHASH NEEDED?

K = 13 - decimal 23 26 23 13 12 23 19 20 1512025

K times to hash each segment to CREATE signatureFragment

K = 13 + decimal 3 0 3 13 14 3 7 6 112561

… …

-12 -7 12 -2-7-6-1010-10-13-10tryte decimal

value… … …

K = number of hashes

… 25 260 1

… 25 260 1 fragment stored in bundle

9 12132

1 6 25 3

hash n digests 1x

Number of hashes (K) changed!

The generated address does not match the sendersaddress. Eve’s attempt will fail.

address

D 5 D5

Data (D) is hashed 5x to get the hashed result D5:

D 1 D1 1 D2 1 D3 1 D4 1 D5

You can also draw it this way:

D 1 D1 1 D2 1 D3 1 D4 1 D5

Question: Can you hash a value 3x to get D5?Answer: Yes, if you start with D2.

Question: Can you hash a value 6x to get D5?Answer: No, you can’t! A hash algorithm is a one-way function.

D 5 D5

Data (D) is hashed 5x to get the hashed result D5:

D4 1 D5

D1 4 D5

Question: Can you hash a value 7x to get D5?Answer: No, you can’t.

• Eve knows she can change the signatureFragment.

… 25120 14

9 2 13

… 25 260 1

signature fragment hacked

K hacked

segmenthashed 4x

segmenthashed 12x

Khacked, after Eve changed the address

signature fragment

… 25 260 1

25 260 1

9 12132

1 6 25 3 Koriginal

• But Eve still has a problem with the first and last segment.

• Her attempt is only successful if all Koriginal values are bigger of equal than the corresponding Khacked values.

… 25120 14

9 2 13

… 25 260 1

K hacked

segmenthashed 4x

segmenthashed 12x

Khacked

signature fragment

… 25 260 1

25 260 1

9 12132

1 6 25 3

…Koriginal

• Now lets assume the following case:The Koriginal values are all between 14-26.The Khacked values are all between 1-13.

• In this case, Eve can successfully hack the transaction bundle and send IOTAs to her address.

… 251208 111

9 2 13

… 25 260 1

K hacked

8x 12x11x 2x

Khacked

signature fragment

… 25 260 1

25 260 1

9 12132

17 13 25 14 Koriginal

• However in reality the previous mentioned case is difficult to realise because a normalizedBundleHash is used.

• Eve attempt can only be successful if ALL Koriginal values are bigger of equal than the corresponding Khacked values.

• By using a normalizedBundleHash the probability that this will happen is small.

-12 -7 12 -2-7-6-1010-10-13-10tryte decimal value

… … …

K = 13 + decimal 3 0 3 13 14 3 7 6 112561

…… …K = number of hashes

• The previous mentioned decimal values (= normalizedBundleHash tryte values converted to decimal values) are in the range -13 to 13 and are evenly distributed just like a seesaw.

• By distributing these values evenly the Koriginal values are “spread”. You will have low values: 1-13 and high values 14-26.You can not have only Koriginal values between 14 and 26, the normalizedBundleHash prevents this.

Before normalizing sum = 22

13-13 4-4 -1

After normalizing sum = -1

WHY NOT REUSE AN ADDRESS FOR OUTGOING TXS?mobilefish.com

… 25 260 1

1 3254

address

digests

signature Fragment

key Fragment … 25 260 1

… 25 260 1

20 21115

address

1st tx bundle 2nd tx bundle

Create another outgoing transaction using the same address

• Eve has found these two transaction bundles using the same address A for outgoing transactions.

• A few days later, Eve noticed 500 MIOTA were send to address A.

• Eve tries a hack attempt, she takes the 2nd transaction bundle:

• From the receiver tx object, she change the recipient’s address with her own address and change the recipient’s value to 500 MIOTA.

• From the sender tx object, she change the spending value to 500 MIOTA.

• By doing so the bundleHash, normalizedBundleHash and the K values are changed.

… 25 260 1

1 3254

address

1st tx bundle

… 25 260 1

20 21115

address

2nd tx bundle

… 25 260 1

… 25 261102 1

18 10124

address

Eve modified 2nd tx bundle

20 21115

Using 2nd tx bundleHack attempt not successful

Koriginal

Khacked

… 25 260 1

1 3254

address

1st tx bundle

… 25 260 1

… 25 261102 1

18 10124

address

Eve modified 2nd tx bundle

20 21115

Using 2nd bundleHack attempt not successful

… 25 260 1

… 2513 261102 1

18 10124

address

Eve modified 1st tx bundle

20 21254

Using 2nd & 1sttx bundleHack attempt issuccessful

Koriginal

Khacked

• If you reuse an address for outgoing addresses you provide a hacker more possibilities to successfully create a modified transaction bundle sending IOTAs from the victim’s address to the hackers address.

• Reusing an address for outgoing transactions does not mean the hacker will immediately succeed in its hack attempt, but it will definitely increase its chances.

mobilefish.com IOTA TUTORIAL 27 · • You can think of normalizing the bundleHash as balancing a...

Documents