8

Zero value transactions can send a message instead of a signature, using the transactions signatureMessageFragment. However, as far as I understand the mechanism, only value, currentIndex, lastIndex, obsoleteTag, timestamp and address are part of the bundle hash.

What ensures the signatureMessageFragment can't be changed until a bundle is confirmed? Even if there is a tx including value in the bundle, which signs the bundle hash, how does this validate the tx carrying the message?

Akkumulator
  • 1,468
  • 9
  • 19

2 Answers2

6

Short answer: it is not.

Long answer: Signatures are not supposed to protect anything else than the iota values and (obsolete)tag fields. Therefore, as long as your transaction is not confirmed, anybody could replay/reattach it with a different content in the message field of the receiving transaction and the luckiest transaction would win.

Therefore, you have to design your IOTA use cases in a way that does not depend on the value of the messages to be immutable (the fact that the message has been mutated will be visible as both the original and the new transaction are kept until the next snapshot). You can for example ensure this by putting your own signature anywhere, or by putting e.g. a hash of your signed data into the tag field(s) of the transactions.

mihi
  • 7,324
  • 2
  • 15
  • 34
  • Interesting design decision. I think it should be communicated more clearly that it is not safe to use a message. – Akkumulator Jan 12 '18 at 19:42
  • 2
    @Akkumulator there are many things in the IOTA protocol that should be communicated more clearly, but apparently the IOTA foundation is not very good at communicating clearly :-( – mihi Jan 12 '18 at 19:47
  • The tag isn’t part of the bundle hash either, right? So one must store the message hash in the obsoleteTag, which automatically changes if the normalized hash is insecure... – Akkumulator Jan 12 '18 at 19:59
  • @Akkumulator but hopefully only the one of the first transaction of the bundle (or was it the last one?) – mihi Jan 12 '18 at 20:01
  • Oh, right. Index 0. Still so many things to consider when doing a supposedly trivial task like sending an immutable message. – Akkumulator Jan 12 '18 at 20:04
  • @Akkumulator perhaps you should just donate some IOTA instead :-P – mihi Jan 12 '18 at 20:07
  • @Akkumulator Shouldn't you use MAM layer for signing and encrypting messages with IOTA? – blockmined Jan 13 '18 at 06:58
  • MAM bundles are 0 value, too. How is ensured that nobody changes the mam payload? Even if the message would be considered invalid then. The sender would have to validate that the unmodified tx is attached/comfirmed in the tangle. If it has been modified he needs to issue the same tx again. If there is no signature in the bundle, anyone could send and modify any bundle from and to any address right (until confirmation)? – Akkumulator Jan 13 '18 at 07:22
3

It's not included in the bundle hash, but it is included in the transaction hash. If you look into how MAM does it, the message fragment contains the message, signature, and sibling hashes( for merkle root calculation ), all encoded into the message field.

The message is not 'validated' because any tx with positive value needs no signature, but the tx hash is created from the entire payload of the tx, and this is what the approving tx reference.

Paul
  • 316
  • 1
  • 1