Embed Size (px)
Citation preview
IOTA TUTORIAL 27mobilefish.com
Why normalizedBundleHash? Why not reuse an address for outgoing txs?
v1.0.0
INTROmobilefish.com
• In IOTA tutorial 6 I have explained why you should not reuse an address for outgoing transactions by using the Lamport One Time Signature scheme. That was a simplified explanation but not an accurate one. This tutorial will provide you the correct answer.
• In IOTA tutorial 16 I have never explained why the bundleHash is normalized. In this tutorial I will explain why this it is needed.
PREREQUISITESmobilefish.com
• I assume that you have watched:
• IOTA tutorial 8: Cryptographic sponge construction
• IOTA tutorial 9.1: Key, Digests & Address
• IOTA tutorial 10: Transaction and bundle
• IOTA tutorial 15: BundleHash
• IOTA tutorial 16: normalizedBundleHash
• IOTA tutorial 17: Create and validate a signature
PREREQUISITESmobilefish.com
• If you have not watched these videos you probably will not understand this tutorial. I highly recommended that you first watch these tutorials.
QUICK REFRESHERmobilefish.com
• To be on the same page, in the following slides I will give you a quick refresher:
• What is a transaction bundle and transaction objects.
• What is a bundleHash and how it is created.
• What is a normalizedBundleHash and how it is created.
• How to calculate the number of hashes.
• How to create and validate a signatureFragment.
• How is an address calculated.
TRANSACTIONBUNDLEmobilefish.com
tip0tip1
currentIndex N
trunkTransaction
hash
branchTransaction
currentIndex 2
trunkTransaction
hash
branchTransaction
currentIndex 1
trunkTransaction
hash
branchTransaction
currentIndex 0
trunkTransaction
hash
branchTransaction
:
Transaction bundle
currentIndex N
trunkTransaction
hash
branchTransaction
currentIndex 2
trunkTransaction
hash
branchTransaction
currentIndex 1
trunkTransaction
hash
branchTransaction
currentIndex 0
trunkTransaction
hash
branchTransaction
:
transactionObjects
TRANSACTIONOBJECT EXAMPLEmobilefish.com
• This is what a single transactionObject looks like in a transaction bundle:{
"hash": "YDDQ...A9999",
"signatureMessageFragment": "JHAK...MVGY","address": "HRKD...XKHX","value": -3,"obsoleteTag": "999999999999999999999999999","timestamp": 1515494426,"currentIndex": 1,"lastIndex": 2,
"bundle": "RTGX...LQCY","trunkTransaction": "WVCLP...99999","branchTransaction": "DOXV...X999","tag": "999999999999999999999999999","attachmentTimestamp": 1515496571334,"attachmentTimestampLowerBound": 0,"attachmentTimestampUpperBound": 3812798742493,"nonce": "AZ999IOB9999999999999999999","persistence": true
},
How is this bundleHash created?
BUNDLEHASHmobilefish.com
• The bundle transactionObject addresses, values, obsoleteTags, timestamps, currentIndexes and lastIndexes are used to calculate the bundleEssences:
bundleEssence = convertToTrits(address) + convertToTrytes(valueTrits) + obsoleteTag + convertToTrytes(timestampTrits) + convertToTrytes(currentIndexTrits) + convertToTrytes(lastIndexTrits))
BUNDLEHASHmobilefish.com
• Use the cryptographic sponge construction to absorb the bundleEssences and squeeze the hash.bundle = [transactionObject0, transactionObject1, transactionObject2, transactionObject3]
transactionObjectN = {address, value, obsoleteTag, timestamp, currentIndex, lastIndex}
transactionObject0
bundleEssence0transactionObject1
bundleEssence1
transactionObject2
bundleEssence2transactionObject3
bundleEssence3
f f f f f0 hash
absorbing squeezing
BUNDLEHASHmobilefish.com
• Convert the hash to trytes:bundleHash = convertToTrytes(hash)
TRANSACTIONOBJECT EXAMPLEmobilefish.com
• This is what a single transactionObject looks like in a transaction bundle:{
"hash": "YDDQ...A9999",
"signatureMessageFragment": "JHAK...MVGY","address": "HRKD...XKHX","value": -3,"obsoleteTag": "999999999999999999999999999","timestamp": 1515494426,"currentIndex": 1,"lastIndex": 2,
"bundle": "RTGX...LQCY","trunkTransaction": "WVCLP...99999","branchTransaction": "DOXV...X999","tag": "999999999999999999999999999","attachmentTimestamp": 1515496571334,"attachmentTimestampLowerBound": 0,"attachmentTimestampUpperBound": 3812798742493,"nonce": "AZ999IOB9999999999999999999","persistence": true
},
bundleHash
NORMALIZED BUNDLEHASHmobilefish.com
• The normalizedBundleHash is created by extracting the bundleHash from the transactionObject and the bundleHash is then normalized.
• The normalizedBundleHash contains no tryte value M and the "weights" of the trytes are evenly distributed.
NORMALIZED BUNDLEHASHmobilefish.com
• You can think of normalizing the bundleHash as balancing a seesaw, by manipulating its “weight” (=trytes) to reach a more equilibrium state.
• The normalizedBundleHash is used to create or validate a signature.
134
10
-1-4
Before normalizing sum = 22
first tryte in the part 13-13 4-4 -1
After normalizing sum = -1
mobilefish.com
CALCULATE NUMBER OF HASHES
K = 13 - decimal 23 26 23 13 12 23 19 20 1512025
K times to hash each segment to CREATE signatureFragment
K = 13 + decimal 3 0 3 13 14 3 7 6 112561
K times to hash each segment to VALIDATE signatureFragment
… …
…
…
… …
L Q…R T … 9 AZ T … C YW UbundleHash81 trytes
normalized BundleHash L Q…O T … 9 AN Q … T YQ U
normalized BundleFragment27 trytes
-12 -7 12 -2-7-6-1010-10-13-10tryte decimal
value… … …
mobilefish.com
security level 1
… 25 260 1 … 25 260 1
key
… 25 260 1 … 25 260 1 … 25 260 1hash each segment K times
segment each segment consists of 81 trytes
hash each keyFragment 1x
digests
each digests consists of 81 trytes
27 segments forms a keyFragment
3141330
… 25 260 1
1 3256 1167
1
address
0
1
1
1
address
1
2
1
address
1
hash n digests 1x
security level 2
security level 3
signature Fragment
key Fragment
25 23120
… 25 260 1
26 121323
… 25 260 1
23 152019
… 25 260 1
hash each segment K times
fragment stored in bundle
Seed, index number, security level
SIGNATUREMESSAGEFRAGMENT EXAMPLEmobilefish.com
• This is what a single transactionObject looks like in a transaction bundle:{
"hash": "YDDQ...A9999",
"signatureMessageFragment": "JHAK...MVGY","address": "HRKD...XKHX","value": -3,"obsoleteTag": "999999999999999999999999999","timestamp": 1515494426,"currentIndex": 1,"lastIndex": 2,
"bundle": "RTGX...LQCY","trunkTransaction": "WVCLP...99999","branchTransaction": "DOXV...X999","tag": "999999999999999999999999999","attachmentTimestamp": 1515496571334,"attachmentTimestampLowerBound": 0,"attachmentTimestampUpperBound": 3812798742493,"nonce": "AZ999IOB9999999999999999999","persistence": true
},
mobilefish.com
security level 1
… 25 260 1 … 25 260 1
key
… 25 260 1 … 25 260 1 … 25 260 1hash each segment K times
segment each segment consists of 81 trytes
hash each keyFragment 1x
digests
each digests consists of 81 trytes
27 segments forms a keyFragment
3141330
… 25 260 1
1 3256 1167
1
address
0
1
1
1
address
1
2
1
address
1
hash n digests 1x
security level 2
security level 3
signature Fragment
key Fragment
25 23120
… 25 260 1
26 121323
… 25 260 1
23 152019
… 25 260 1
hash each segment K times
fragment stored in bundle
Seed, index number, security level
mobilefish.com
security level 1
… 25 260 1 … 25 260 1key
… 25 260 1 … 25 260 1 … 25 260 1hash each segment K times
segment each segment consists of 81 trytes
hash each keyFragment 1x
digests
each digests consists of 81 trytes
27 segments forms a keyFragment
2626262626
… 25 260 1
26 262626 262626
1
address
0
1
1
1
address
1
2
1
address
1
hash n digests 1x
security level 2
security level 3
key Fragment
CALCULATE ADDRESSSeed, index number, security level
WHY IS NORMALIZEDBUNDLEHASH NEEDED?mobilefish.com
• I have created a simple value transaction: I have used security level 1 and transferred 1 IOTA from address A to B and there is no remainder.
• See the corresponding transaction bundle:https://www.mobilefish.com/download/iota/transactions_in_bundle_security_level1.txt
• The transaction bundle has two transactionObjects. A transactionObject containing recipient data and the other containing sender data.
• The senders signatureMessageFragment is “KVSA…HMKW” and the senders address is “VXO…LTKA”.
WHY IS NORMALIZEDBUNDLEHASH NEEDED?mobilefish.com
… 25 260 1
… 25 260 1
1 3256
1
address
0
1
key
digests
signature Fragment
key Fragment
25 23120
… 25 260 1
hash each segment K times
segment, each segment consists of 81 trytes
hash each keyFragment 1x
each digests consists of 81 trytes
27 segments forms a keyFragment
hash n digests 1x
hash each segment K times
fragment stored in bundle
security level 1
WHY IS NORMALIZEDBUNDLEHASH NEEDED?mobilefish.com
• Let assume the submitted transaction bundle is pending and a hacker, called Eve, gets hold of this transaction bundle.
• Eve can change the transaction bundle by replacing the recipient’s address with her own address. By doing so the bundleHash changes which means the normalizedBundleHash and the number of hashes (K) are also changed accordingly.
WHY IS NORMALIZEDBUNDLEHASH NEEDED?mobilefish.com
bundle = [transactionObject0, transactionObject1]
transactionObjectN = {address, value, obsoleteTag, timestamp, currentIndex, lastIndex}
transactionObject0
bundleEssence0transactionObject1
bundleEssence1
f f0
absorbing
f hash bundleHash = convertToTrytes(hash)
squeezing
mobilefish.com
WHY IS NORMALIZEDBUNDLEHASH NEEDED?
K = 13 - decimal 23 26 23 13 12 23 19 20 1512025
K times to hash each segment to CREATE signatureFragment
K = 13 + decimal 3 0 3 13 14 3 7 6 112561
K times to hash each segment to VALIDATE signatureFragment
… …
…
…
… …
L Q…R T … 9 AZ T … C YW UbundleHash81 trytes
normalized BundleHash L Q…O T … 9 AN Q … T YQ U
normalized BundleFragment27 trytes
-12 -7 12 -2-7-6-1010-10-13-10tryte decimal
value… … …
K = number of hashes
WHY IS NORMALIZEDBUNDLEHASH NEEDED?mobilefish.com
… 25 260 1
… 25 260 1 fragment stored in bundle
9 12132
1 6 25 3
hash each segment K times
hash each keyFragment 1x
each digests consists of 81 trytes
27 segments forms a keyFragment
hash n digests 1x
Number of hashes (K) changed!
The generated address does not match the sendersaddress. Eve’s attempt will fail.
1
address
0
1
WHY IS NORMALIZEDBUNDLEHASH NEEDED?mobilefish.com
D 5 D5
Data (D) is hashed 5x to get the hashed result D5:
D 1 D1 1 D2 1 D3 1 D4 1 D5
You can also draw it this way:
D 1 D1 1 D2 1 D3 1 D4 1 D5
Question: Can you hash a value 3x to get D5?Answer: Yes, if you start with D2.
Question: Can you hash a value 6x to get D5?Answer: No, you can’t! A hash algorithm is a one-way function.
WHY IS NORMALIZEDBUNDLEHASH NEEDED?mobilefish.com
D 5 D5
Data (D) is hashed 5x to get the hashed result D5:
Question: Can you hash a value 1x to get D5?Answer: Yes, if you start with D4.
D4 1 D5
Question: Can you hash a value 4x to get D5?Answer: Yes, if you start with D1.
D1 4 D5
Question: Can you hash a value 7x to get D5?Answer: No, you can’t.
WHY IS NORMALIZEDBUNDLEHASH NEEDED?mobilefish.com
• Eve knows she can change the signatureFragment.
1
4
1
6
1 1
14
2
1
=
25
12
25
25
25 25
2512
13
25
=
… 25120 14
9 2 13
26
12
… 25 260 1
signature fragment hacked
K hacked
segmenthashed 4x
segmenthashed 12x
WHY IS NORMALIZEDBUNDLEHASH NEEDED?
Khacked, after Eve changed the address
signature fragment
… 25 260 1
25 260 1
9 12132
1 6 25 3 Koriginal
…
WHY IS NORMALIZEDBUNDLEHASH NEEDED?mobilefish.com
• But Eve still has a problem with the first and last segment.
• Her attempt is only successful if all Koriginal values are bigger of equal than the corresponding Khacked values.
WHY IS NORMALIZEDBUNDLEHASH NEEDED?
… 25120 14
9 2 13
26
12
… 25 260 1
signature fragment hacked
K hacked
segmenthashed 4x
segmenthashed 12x
Khacked
signature fragment
… 25 260 1
25 260 1
9 12132
1 6 25 3
…Koriginal
WHY IS NORMALIZEDBUNDLEHASH NEEDED?mobilefish.com
• Now lets assume the following case:The Koriginal values are all between 14-26.The Khacked values are all between 1-13.
• In this case, Eve can successfully hack the transaction bundle and send IOTAs to her address.
WHY IS NORMALIZEDBUNDLEHASH NEEDED?
… 251208 111
9 2 13
262
12
… 25 260 1
signature fragment hacked
K hacked
8x 12x11x 2x
Khacked
signature fragment
… 25 260 1
25 260 1
9 12132
17 13 25 14 Koriginal
…
WHY IS NORMALIZEDBUNDLEHASH NEEDED?mobilefish.com
• However in reality the previous mentioned case is difficult to realise because a normalizedBundleHash is used.
• Eve attempt can only be successful if ALL Koriginal values are bigger of equal than the corresponding Khacked values.
• By using a normalizedBundleHash the probability that this will happen is small.
WHY IS NORMALIZEDBUNDLEHASH NEEDED?
WHY IS NORMALIZEDBUNDLEHASH NEEDED?mobilefish.com
WHY IS NORMALIZEDBUNDLEHASH NEEDED?
L Q…R T … 9 AZ T … C YW UbundleHash81 trytes
normalized BundleHash L Q…O T … 9 AN Q … T YQ U
normalized BundleFragment27 trytes
-12 -7 12 -2-7-6-1010-10-13-10tryte decimal value
… … …
K = 13 + decimal 3 0 3 13 14 3 7 6 112561
K times to hash each segment to VALIDATE signatureFragment
…… …K = number of hashes
WHY IS NORMALIZEDBUNDLEHASH NEEDED?mobilefish.com
• The previous mentioned decimal values (= normalizedBundleHash tryte values converted to decimal values) are in the range -13 to 13 and are evenly distributed just like a seesaw.
• By distributing these values evenly the Koriginal values are “spread”. You will have low values: 1-13 and high values 14-26.You can not have only Koriginal values between 14 and 26, the normalizedBundleHash prevents this.
WHY IS NORMALIZEDBUNDLEHASH NEEDED?
134
10
-1-4
Before normalizing sum = 22
13-13 4-4 -1
After normalizing sum = -1
WHY NOT REUSE AN ADDRESS FOR OUTGOING TXS?mobilefish.com
… 25 260 1
… 25 260 1
1 3254
1
address
0
1
digests
signature Fragment
key Fragment … 25 260 1
… 25 260 1
20 21115
1
address
0
1
1st tx bundle 2nd tx bundle
Create another outgoing transaction using the same address
WHY NOT REUSE AN ADDRESS FOR OUTGOING TXS?mobilefish.com
• Eve has found these two transaction bundles using the same address A for outgoing transactions.
• A few days later, Eve noticed 500 MIOTA were send to address A.
• Eve tries a hack attempt, she takes the 2nd transaction bundle:
• From the receiver tx object, she change the recipient’s address with her own address and change the recipient’s value to 500 MIOTA.
• From the sender tx object, she change the spending value to 500 MIOTA.
• By doing so the bundleHash, normalizedBundleHash and the K values are changed.
WHY NOT REUSE AN ADDRESS FOR OUTGOING TXS?mobilefish.com
… 25 260 1
… 25 260 1
1 3254
1
address
0
1
1st tx bundle
… 25 260 1
… 25 260 1
20 21115
1
address
0
1
2nd tx bundle
… 25 260 1
… 25 261102 1
18 10124
1
address
0
1
Eve modified 2nd tx bundle
20 21115
Using 2nd tx bundleHack attempt not successful
Koriginal
Khacked
WHY NOT REUSE AN ADDRESS FOR OUTGOING TXS?mobilefish.com
… 25 260 1
… 25 260 1
1 3254
1
address
0
1
1st tx bundle
… 25 260 1
… 25 261102 1
18 10124
1
address
0
1
Eve modified 2nd tx bundle
20 21115
Using 2nd bundleHack attempt not successful
… 25 260 1
… 2513 261102 1
18 10124
1
address
0
1
Eve modified 1st tx bundle
20 21254
Using 2nd & 1sttx bundleHack attempt issuccessful
Koriginal
Khacked
WHY NOT REUSE AN ADDRESS FOR OUTGOING TXS?mobilefish.com
• If you reuse an address for outgoing addresses you provide a hacker more possibilities to successfully create a modified transaction bundle sending IOTAs from the victim’s address to the hackers address.
• Reusing an address for outgoing transactions does not mean the hacker will immediately succeed in its hack attempt, but it will definitely increase its chances.
