Upgrade to Pro — share decks privately, control downloads, hide ads and more …

New Cryptography

New Cryptography

George Tankersley, Filippo Valsorda (with Jack Grigg, Ben Kreuter)

Cryptography is usually associated with encrypting and signing messages, but since the 1990s, the field developed new tools that bring completely new capabilities: from PAKE protocols that make bruteforcing passwords impossible, to zero-knowledge proofs enabling blind credentials. This talk will take a look at all those things modern cryptography can do beyond the old encryption and signatures.

HOPE XII
July 20, 2018

George Tankersley

July 20, 2018
Tweet

More Decks by George Tankersley

Other Decks in Technology

Transcript

  1. New Cryptography:
    The Most Dangerous
    Game
    George Tankersley
    (@gtank__)
    Filippo Valsorda
    (@FiloSottile)
    https://hivemill.com/collections/smbc/products/smbc-the-most-dangerous-game-shirt

    View Slide

  2. Crypto 1.0
    Symmetric Encryption
    Public-Key Encryption
    Key Exchange
    Signing
    Hashing

    View Slide

  3. View Slide

  4. Crypto 1.0
    Symmetric Encryption
    Public-Key Encryption
    Key Exchange
    Signing
    Hashing
    BORING

    View Slide

  5. Crypto 2.0
    Builds on Crypto 1.0 (Berry Schoenmakers).
    If Crypto 1.0 defends against outside attackers, 2.0 defends against malicious
    insiders.
    Much weirder. Mostly much newer. Not necessarily safe yet.

    View Slide

  6. Crypto 1.5: PAKE
    Password Authenticated Key Exchange
    Cooler than Crypto 1.0, but you can use it today!

    View Slide

  7. Before PAKE
    Client Server
    Encrypt
    password
    (random_key) —→ decrypt and use random_key
    See: WPA2
    Allows bruteforce!

    View Slide

  8. Diffie-Hellman refresher
    Client Server
    pick x pick y
    gx mod p —→ ←— gy mod p
    use gxy mod p use gyx mod p

    View Slide

  9. Example of PAKE: EKE2
    Client Server
    pick x pick y
    Encrypt
    password
    (gx mod p) —→ ←— Encrypt
    password
    (gy mod p)
    use gxy mod p use gyx mod p
    Can’t bruteforce Encrypt
    password
    (gx mod p)!
    (Requires special g and p.)

    View Slide

  10. PAKE
    Agree on a key when both sides share a password.
    No bruteforce opportunity for an attacker. Can use weak passwords!
    Examples:
    ● Magic Wormhole
    ● Pond
    ● WPA3
    Many types, use SPAKE2-EE.

    View Slide

  11. ⚠ Non-mainstream cryptography ⚠

    View Slide

  12. Blind Signatures (RSA)
    Public (N, e) and private d
    N = p*q and d = 1/e mod (N)
    Generate a signature S by
    S = Md mod N
    Verify it by checking that
    Se == M mod N
    (Md)e = M(1/e)*e = M1 = M mod N

    View Slide

  13. Blind Signatures (RSA)
    Public (N, e) and private d
    N = p*q and d = 1/e mod (N)
    Generate a signature S by
    S = Md mod N
    Verify it by checking that
    Se == M mod N
    (Md)e = M(1/e)*e = M1 = M mod N
    N is the modulus, product of two primes,

    View Slide

  14. Blind Signatures (RSA)
    Public (N, e) and private d
    N = p*q and d = 1/e mod (N)
    Generate a signature S by
    S = Md mod N
    Verify it by checking that
    Se == M mod N
    (Md)e = M(1/e)*e = M1 = M mod N
    N is the modulus, product of two primes,

    View Slide

  15. Blind Signatures (RSA)
    Public (N, e) and private d
    N = p*q and d = 1/e mod (N)
    Generate a signature S by
    S = Md mod N
    Verify it by checking that
    Se == M mod N
    (Md)e = M(1/e)*e = M1 = M mod N
    N is the modulus, product of two primes,
    e is the public exponent, d is its inverse,

    View Slide

  16. Blind Signatures (RSA)
    Public (N, e) and private d
    N = p*q and d = 1/e mod (N)
    Generate a signature S by
    S = Md mod N
    Verify it by checking that
    Se == M mod N
    (Md)e = M(1/e)*e = M1 = M mod N
    N is the modulus, product of two primes,
    e is the public exponent, d is its inverse,

    View Slide

  17. Blind Signatures (RSA)
    Public (N, e) and private d
    N = p*q and d = 1/e mod (N)
    Generate a signature S by
    S = Md mod N
    Verify it by checking that
    Se == M mod N
    (Md)e = M(1/e)*e = M1 = M mod N
    N is the modulus, product of two primes,
    e is the public exponent, d is its inverse,
    is magic, do not let it sense fear

    View Slide

  18. Blind Signatures (RSA)
    M is (~handwave~) just a number!
    The signatures still work if you do
    number things to it.
    So we’ll blind a signature by
    multiplying it with another big random
    number, so the signer never sees the
    real message.
    Generate a blinding factor re
    Blind the message:
    M
    blind
    = (re)M mod N
    S
    blind
    = (M
    blind
    )d mod N

    View Slide

  19. How can that possibly work?
    Generate a blinding factor re
    Blind the message:
    M
    blind
    = (re)M mod N
    S
    blind
    = (M
    blind
    )d mod N
    r also has an inverse, 1/r
    To unblind a signature:
    S = (S
    blind
    ) * (1/r) mod N
    = (M
    blind
    )d * (1/r)
    = (reM)d * (1/r)
    = (M)d(re)d * (1/r)
    = Md * red * (1/r)
    = Md mod N

    View Slide

  20. How can that possibly work?
    The signer has only ever seen Mr
    But we have a valid, unblind S!
    To unblind a signature:
    S = (S
    blind
    ) * (1/r) mod N
    = (M
    blind
    )d * (1/r)
    = (reM)d * (1/r)
    = (M)d(re)d * (1/r)
    = Md * red * (1/r)
    = Md mod N

    View Slide

  21. Why?
    Blind signatures allow you to receive tokens from an issuer and redeem them
    later without revealing who you are. The blind and unblind messages are
    unlinkable.
    This enables

    View Slide

  22. How?

    View Slide

  23. How?

    View Slide

  24. How?

    View Slide

  25. We want to prove more
    complicated statements, like...

    View Slide

  26. Transparent Transactions

    View Slide

  27. Shielded Transactions

    View Slide

  28. Proofs
    “Do you know the solution
    to today’s crossword?”

    View Slide

  29. Zero-usefulness proofs
    “Do you know the solution
    to today’s crossword?”
    “I know the solution.”

    View Slide

  30. Zero-privacy proofs
    “Do you know the solution
    to today’s crossword?”
    “Here is the solution.”

    View Slide

  31. Zero-knowledge proofs
    “Do you know the solution
    to today’s crossword?”
    “Here is a proof that
    I know the solution.”

    View Slide

  32. Zero-knowledge proofs must have:
    ● Completeness
    ○ If the prover is telling the truth, they will eventually convince the verifier.
    ● Soundness
    ○ A prover can only convince a verifier if they are actually telling the truth.
    ● Zero-knowledgeness (yes, I know)
    ○ Verifier doesn’t learn anything about the prover’s information.
    [Goldwasser, Micali, Rackoff 1985]

    View Slide

  33. Full [PGHR13] protocol ([BCTV14USENIX] variant)

    View Slide

  34. Writing Circuits
    a
    0
    := boolean value
    a
    1
    := boolean value

    a
    6
    := boolean value
    a
    7
    := boolean value
    a
    0
    * (1 - a
    0
    ) = 0
    a
    1
    * (1 - a
    1
    ) = 0

    a
    6
    * (1 - a
    6
    ) = 0
    a
    7
    * (1 - a
    7
    ) = 0
    a := byte value 1 * (20 a
    0
    + 21 a
    1
    + … + 26 a
    7
    + 27 a
    7
    - a) = 0
    Now constrain those numbers to satisfy other equations,
    like elliptic curves or SHA-256

    View Slide

  35. Implementations!
    ● Proving systems
    ○ libsnark - C++
    ○ bellman - Rust
    ● Medium-level libraries / DSLs
    ○ jsnark - Java
    ○ Snarky - OCaml
    ○ ZoKrates - Ethereum
    Papers, links, examples: https://zkp.science

    View Slide

  36. ZKP
    Hide the information you are proving
    MPC
    Run complex computations on information you don’t know

    View Slide

  37. MPC
    Example:
    Compute parameters for Zcash

    View Slide

  38. MPC
    Example:
    Compute parameters for Zcash
    (securely)

    View Slide

  39. Defining Security

    View Slide

  40. Defining Security
    Real Protocol Ideal World

    View Slide

  41. Defining Security
    Real Protocol
    A B
    C
    Ideal World
    A' B'
    C'
    Security: {A, B, C} indistinguishable from {A', B', C'}

    View Slide

  42. Defining Security
    A' B'
    C'
    Sim
    Secure if Sim can produce
    output with the same
    distribution as the original
    party A (resp. B, C)

    View Slide

  43. Strategy

    First create protocol that protects privacy as long as
    all parties send valid (as prescribed by the protocol)
    messages at each step.

    Then add logic to enforce sending valid messages.
    − Use ZK proofs to preserve privacy and force honest
    behavior

    View Slide

  44. One Protocol to Rule Them All

    View Slide

  45. Oblivious Transfer
    Receiver learns exactly one of Sender's
    strings, and nothing more. Sender learns
    nothing.

    View Slide

  46. Input Sharing

    Alice chooses random r_i, r_j, … for each of her
    input bits and sends these to Bob. Alice keeps a_i
    XOR r_i as her shares.

    Bob chooses random s_i, s_j, … for his bits and
    sends (b_i+s_i), … to Alice, keeping s_i as his
    shares.

    Note that XORing shares gives true wire values!

    View Slide

  47. Computing an AND with OT

    For two inputs a and b, Alice has (a+r) and (b+s),
    and Bob has r and s.

    Bob can select w and keep ouput share rs+w; he
    can compute four possible:
    (a+r)s + (b+s)r + w = as+rs+br+rs+w = as+br+w

    Alice can compute:
    (a+r)(b+s) = ab+as+br+rs = ab+(as+br)+rs

    So Alice just needs to learn as+br+w to compute a
    share of the output, ab+rs+w

    View Slide

  48. Computing an AND with OT

    Bob computes as+br+w but there are four
    possibilities – only Alice knows which is the right
    one

    Alice should not learn any of the other possibilities

    So use a 1-of-4 OT!

    View Slide

  49. Computing an AND with OT

    Bob will keep rs+w as his share; Alice will get
    as+br+w and will compute her new share

    We have XOR shares of the output – so we can
    use this as the input for another AND gate!

    View Slide

  50. Building a Circuit

    Use this process to connect lots of ANDs

    XORs can just be computed locally, no interactions
    needed (just XOR the shares)

    Any circuit can be expressed with just ANDs and
    XORs

    View Slide

  51. More than Two Parties

    Send XOR shares of each input bit to each other
    party

    Act as OT sender for parties with smaller ID, OT
    receiver for parties with larger ID.

    Still uses 1-of-4 OT

    XOR all received share “pieces” to get output wire
    shares.

    View Slide

  52. Putting it all Together

    This is the GMW protocol

    Only one party needs to be honest for security to be
    maintained
    − If more than half are honest, small adaptation allows
    computation can be completed even if some parties drop
    out

    Not very practical – only proves that a protocol
    exists for any function

    View Slide

  53. Remember
    We are cryptographers,
    not your cryptographers!
    George Tankersley (@gtank__)
    Filippo Valsorda (@FiloSottile)
    Benjamin Kreuter
    Jack Grigg (@str4d)

    View Slide