Upgrade to Pro — share decks privately, control downloads, hide ads and more …

New Cryptography

New Cryptography

George Tankersley, Filippo Valsorda (with Jack Grigg, Ben Kreuter)

Cryptography is usually associated with encrypting and signing messages, but since the 1990s, the field developed new tools that bring completely new capabilities: from PAKE protocols that make bruteforcing passwords impossible, to zero-knowledge proofs enabling blind credentials. This talk will take a look at all those things modern cryptography can do beyond the old encryption and signatures.

HOPE XII
July 20, 2018

George Tankersley

July 20, 2018
Tweet

More Decks by George Tankersley

Other Decks in Technology

Transcript

  1. New Cryptography:
    The Most Dangerous
    Game
    George Tankersley
    (@gtank__)
    Filippo Valsorda
    (@FiloSottile)
    https://hivemill.com/collections/smbc/products/smbc-the-most-dangerous-game-shirt

    View full-size slide

  2. Crypto 1.0
    Symmetric Encryption
    Public-Key Encryption
    Key Exchange
    Signing
    Hashing

    View full-size slide

  3. Crypto 1.0
    Symmetric Encryption
    Public-Key Encryption
    Key Exchange
    Signing
    Hashing
    BORING

    View full-size slide

  4. Crypto 2.0
    Builds on Crypto 1.0 (Berry Schoenmakers).
    If Crypto 1.0 defends against outside attackers, 2.0 defends against malicious
    insiders.
    Much weirder. Mostly much newer. Not necessarily safe yet.

    View full-size slide

  5. Crypto 1.5: PAKE
    Password Authenticated Key Exchange
    Cooler than Crypto 1.0, but you can use it today!

    View full-size slide

  6. Before PAKE
    Client Server
    Encrypt
    password
    (random_key) —→ decrypt and use random_key
    See: WPA2
    Allows bruteforce!

    View full-size slide

  7. Diffie-Hellman refresher
    Client Server
    pick x pick y
    gx mod p —→ ←— gy mod p
    use gxy mod p use gyx mod p

    View full-size slide

  8. Example of PAKE: EKE2
    Client Server
    pick x pick y
    Encrypt
    password
    (gx mod p) —→ ←— Encrypt
    password
    (gy mod p)
    use gxy mod p use gyx mod p
    Can’t bruteforce Encrypt
    password
    (gx mod p)!
    (Requires special g and p.)

    View full-size slide

  9. PAKE
    Agree on a key when both sides share a password.
    No bruteforce opportunity for an attacker. Can use weak passwords!
    Examples:
    ● Magic Wormhole
    ● Pond
    ● WPA3
    Many types, use SPAKE2-EE.

    View full-size slide

  10. ⚠ Non-mainstream cryptography ⚠

    View full-size slide

  11. Blind Signatures (RSA)
    Public (N, e) and private d
    N = p*q and d = 1/e mod (N)
    Generate a signature S by
    S = Md mod N
    Verify it by checking that
    Se == M mod N
    (Md)e = M(1/e)*e = M1 = M mod N

    View full-size slide

  12. Blind Signatures (RSA)
    Public (N, e) and private d
    N = p*q and d = 1/e mod (N)
    Generate a signature S by
    S = Md mod N
    Verify it by checking that
    Se == M mod N
    (Md)e = M(1/e)*e = M1 = M mod N
    N is the modulus, product of two primes,

    View full-size slide

  13. Blind Signatures (RSA)
    Public (N, e) and private d
    N = p*q and d = 1/e mod (N)
    Generate a signature S by
    S = Md mod N
    Verify it by checking that
    Se == M mod N
    (Md)e = M(1/e)*e = M1 = M mod N
    N is the modulus, product of two primes,

    View full-size slide

  14. Blind Signatures (RSA)
    Public (N, e) and private d
    N = p*q and d = 1/e mod (N)
    Generate a signature S by
    S = Md mod N
    Verify it by checking that
    Se == M mod N
    (Md)e = M(1/e)*e = M1 = M mod N
    N is the modulus, product of two primes,
    e is the public exponent, d is its inverse,

    View full-size slide

  15. Blind Signatures (RSA)
    Public (N, e) and private d
    N = p*q and d = 1/e mod (N)
    Generate a signature S by
    S = Md mod N
    Verify it by checking that
    Se == M mod N
    (Md)e = M(1/e)*e = M1 = M mod N
    N is the modulus, product of two primes,
    e is the public exponent, d is its inverse,

    View full-size slide

  16. Blind Signatures (RSA)
    Public (N, e) and private d
    N = p*q and d = 1/e mod (N)
    Generate a signature S by
    S = Md mod N
    Verify it by checking that
    Se == M mod N
    (Md)e = M(1/e)*e = M1 = M mod N
    N is the modulus, product of two primes,
    e is the public exponent, d is its inverse,
    is magic, do not let it sense fear

    View full-size slide

  17. Blind Signatures (RSA)
    M is (~handwave~) just a number!
    The signatures still work if you do
    number things to it.
    So we’ll blind a signature by
    multiplying it with another big random
    number, so the signer never sees the
    real message.
    Generate a blinding factor re
    Blind the message:
    M
    blind
    = (re)M mod N
    S
    blind
    = (M
    blind
    )d mod N

    View full-size slide

  18. How can that possibly work?
    Generate a blinding factor re
    Blind the message:
    M
    blind
    = (re)M mod N
    S
    blind
    = (M
    blind
    )d mod N
    r also has an inverse, 1/r
    To unblind a signature:
    S = (S
    blind
    ) * (1/r) mod N
    = (M
    blind
    )d * (1/r)
    = (reM)d * (1/r)
    = (M)d(re)d * (1/r)
    = Md * red * (1/r)
    = Md mod N

    View full-size slide

  19. How can that possibly work?
    The signer has only ever seen Mr
    But we have a valid, unblind S!
    To unblind a signature:
    S = (S
    blind
    ) * (1/r) mod N
    = (M
    blind
    )d * (1/r)
    = (reM)d * (1/r)
    = (M)d(re)d * (1/r)
    = Md * red * (1/r)
    = Md mod N

    View full-size slide

  20. Why?
    Blind signatures allow you to receive tokens from an issuer and redeem them
    later without revealing who you are. The blind and unblind messages are
    unlinkable.
    This enables

    View full-size slide

  21. We want to prove more
    complicated statements, like...

    View full-size slide

  22. Transparent Transactions

    View full-size slide

  23. Shielded Transactions

    View full-size slide

  24. Proofs
    “Do you know the solution
    to today’s crossword?”

    View full-size slide

  25. Zero-usefulness proofs
    “Do you know the solution
    to today’s crossword?”
    “I know the solution.”

    View full-size slide

  26. Zero-privacy proofs
    “Do you know the solution
    to today’s crossword?”
    “Here is the solution.”

    View full-size slide

  27. Zero-knowledge proofs
    “Do you know the solution
    to today’s crossword?”
    “Here is a proof that
    I know the solution.”

    View full-size slide

  28. Zero-knowledge proofs must have:
    ● Completeness
    ○ If the prover is telling the truth, they will eventually convince the verifier.
    ● Soundness
    ○ A prover can only convince a verifier if they are actually telling the truth.
    ● Zero-knowledgeness (yes, I know)
    ○ Verifier doesn’t learn anything about the prover’s information.
    [Goldwasser, Micali, Rackoff 1985]

    View full-size slide

  29. Full [PGHR13] protocol ([BCTV14USENIX] variant)

    View full-size slide

  30. Writing Circuits
    a
    0
    := boolean value
    a
    1
    := boolean value

    a
    6
    := boolean value
    a
    7
    := boolean value
    a
    0
    * (1 - a
    0
    ) = 0
    a
    1
    * (1 - a
    1
    ) = 0

    a
    6
    * (1 - a
    6
    ) = 0
    a
    7
    * (1 - a
    7
    ) = 0
    a := byte value 1 * (20 a
    0
    + 21 a
    1
    + … + 26 a
    7
    + 27 a
    7
    - a) = 0
    Now constrain those numbers to satisfy other equations,
    like elliptic curves or SHA-256

    View full-size slide

  31. Implementations!
    ● Proving systems
    ○ libsnark - C++
    ○ bellman - Rust
    ● Medium-level libraries / DSLs
    ○ jsnark - Java
    ○ Snarky - OCaml
    ○ ZoKrates - Ethereum
    Papers, links, examples: https://zkp.science

    View full-size slide

  32. ZKP
    Hide the information you are proving
    MPC
    Run complex computations on information you don’t know

    View full-size slide

  33. MPC
    Example:
    Compute parameters for Zcash

    View full-size slide

  34. MPC
    Example:
    Compute parameters for Zcash
    (securely)

    View full-size slide

  35. Defining Security

    View full-size slide

  36. Defining Security
    Real Protocol Ideal World

    View full-size slide

  37. Defining Security
    Real Protocol
    A B
    C
    Ideal World
    A' B'
    C'
    Security: {A, B, C} indistinguishable from {A', B', C'}

    View full-size slide

  38. Defining Security
    A' B'
    C'
    Sim
    Secure if Sim can produce
    output with the same
    distribution as the original
    party A (resp. B, C)

    View full-size slide

  39. Strategy

    First create protocol that protects privacy as long as
    all parties send valid (as prescribed by the protocol)
    messages at each step.

    Then add logic to enforce sending valid messages.
    − Use ZK proofs to preserve privacy and force honest
    behavior

    View full-size slide

  40. One Protocol to Rule Them All

    View full-size slide

  41. Oblivious Transfer
    Receiver learns exactly one of Sender's
    strings, and nothing more. Sender learns
    nothing.

    View full-size slide

  42. Input Sharing

    Alice chooses random r_i, r_j, … for each of her
    input bits and sends these to Bob. Alice keeps a_i
    XOR r_i as her shares.

    Bob chooses random s_i, s_j, … for his bits and
    sends (b_i+s_i), … to Alice, keeping s_i as his
    shares.

    Note that XORing shares gives true wire values!

    View full-size slide

  43. Computing an AND with OT

    For two inputs a and b, Alice has (a+r) and (b+s),
    and Bob has r and s.

    Bob can select w and keep ouput share rs+w; he
    can compute four possible:
    (a+r)s + (b+s)r + w = as+rs+br+rs+w = as+br+w

    Alice can compute:
    (a+r)(b+s) = ab+as+br+rs = ab+(as+br)+rs

    So Alice just needs to learn as+br+w to compute a
    share of the output, ab+rs+w

    View full-size slide

  44. Computing an AND with OT

    Bob computes as+br+w but there are four
    possibilities – only Alice knows which is the right
    one

    Alice should not learn any of the other possibilities

    So use a 1-of-4 OT!

    View full-size slide

  45. Computing an AND with OT

    Bob will keep rs+w as his share; Alice will get
    as+br+w and will compute her new share

    We have XOR shares of the output – so we can
    use this as the input for another AND gate!

    View full-size slide

  46. Building a Circuit

    Use this process to connect lots of ANDs

    XORs can just be computed locally, no interactions
    needed (just XOR the shares)

    Any circuit can be expressed with just ANDs and
    XORs

    View full-size slide

  47. More than Two Parties

    Send XOR shares of each input bit to each other
    party

    Act as OT sender for parties with smaller ID, OT
    receiver for parties with larger ID.

    Still uses 1-of-4 OT

    XOR all received share “pieces” to get output wire
    shares.

    View full-size slide

  48. Putting it all Together

    This is the GMW protocol

    Only one party needs to be honest for security to be
    maintained
    − If more than half are honest, small adaptation allows
    computation can be completed even if some parties drop
    out

    Not very practical – only proves that a protocol
    exists for any function

    View full-size slide

  49. Remember
    We are cryptographers,
    not your cryptographers!
    George Tankersley (@gtank__)
    Filippo Valsorda (@FiloSottile)
    Benjamin Kreuter
    Jack Grigg (@str4d)

    View full-size slide