Pro Yearly is on sale from $80 to $50! »

New Cryptography

New Cryptography

George Tankersley, Filippo Valsorda (with Jack Grigg, Ben Kreuter)

Cryptography is usually associated with encrypting and signing messages, but since the 1990s, the field developed new tools that bring completely new capabilities: from PAKE protocols that make bruteforcing passwords impossible, to zero-knowledge proofs enabling blind credentials. This talk will take a look at all those things modern cryptography can do beyond the old encryption and signatures.

HOPE XII
July 20, 2018

702d182dc365825040b1ad0b85c0fa3c?s=128

George Tankersley

July 20, 2018
Tweet

Transcript

  1. New Cryptography: The Most Dangerous Game George Tankersley (@gtank__) Filippo

    Valsorda (@FiloSottile) https://hivemill.com/collections/smbc/products/smbc-the-most-dangerous-game-shirt
  2. Crypto 1.0 Symmetric Encryption Public-Key Encryption Key Exchange Signing Hashing

  3. None
  4. Crypto 1.0 Symmetric Encryption Public-Key Encryption Key Exchange Signing Hashing

    BORING
  5. Crypto 2.0 Builds on Crypto 1.0 (Berry Schoenmakers). If Crypto

    1.0 defends against outside attackers, 2.0 defends against malicious insiders. Much weirder. Mostly much newer. Not necessarily safe yet.
  6. Crypto 1.5: PAKE Password Authenticated Key Exchange Cooler than Crypto

    1.0, but you can use it today!
  7. Before PAKE Client Server Encrypt password (random_key) —→ decrypt and

    use random_key See: WPA2 Allows bruteforce!
  8. Diffie-Hellman refresher Client Server pick x pick y gx mod

    p —→ ←— gy mod p use gxy mod p use gyx mod p
  9. Example of PAKE: EKE2 Client Server pick x pick y

    Encrypt password (gx mod p) —→ ←— Encrypt password (gy mod p) use gxy mod p use gyx mod p Can’t bruteforce Encrypt password (gx mod p)! (Requires special g and p.)
  10. PAKE Agree on a key when both sides share a

    password. No bruteforce opportunity for an attacker. Can use weak passwords! Examples: • Magic Wormhole • Pond • WPA3 Many types, use SPAKE2-EE.
  11. ⚠ Non-mainstream cryptography ⚠

  12. Blind Signatures (RSA) Public (N, e) and private d N

    = p*q and d = 1/e mod (N) Generate a signature S by S = Md mod N Verify it by checking that Se == M mod N (Md)e = M(1/e)*e = M1 = M mod N
  13. Blind Signatures (RSA) Public (N, e) and private d N

    = p*q and d = 1/e mod (N) Generate a signature S by S = Md mod N Verify it by checking that Se == M mod N (Md)e = M(1/e)*e = M1 = M mod N N is the modulus, product of two primes,
  14. Blind Signatures (RSA) Public (N, e) and private d N

    = p*q and d = 1/e mod (N) Generate a signature S by S = Md mod N Verify it by checking that Se == M mod N (Md)e = M(1/e)*e = M1 = M mod N N is the modulus, product of two primes,
  15. Blind Signatures (RSA) Public (N, e) and private d N

    = p*q and d = 1/e mod (N) Generate a signature S by S = Md mod N Verify it by checking that Se == M mod N (Md)e = M(1/e)*e = M1 = M mod N N is the modulus, product of two primes, e is the public exponent, d is its inverse,
  16. Blind Signatures (RSA) Public (N, e) and private d N

    = p*q and d = 1/e mod (N) Generate a signature S by S = Md mod N Verify it by checking that Se == M mod N (Md)e = M(1/e)*e = M1 = M mod N N is the modulus, product of two primes, e is the public exponent, d is its inverse,
  17. Blind Signatures (RSA) Public (N, e) and private d N

    = p*q and d = 1/e mod (N) Generate a signature S by S = Md mod N Verify it by checking that Se == M mod N (Md)e = M(1/e)*e = M1 = M mod N N is the modulus, product of two primes, e is the public exponent, d is its inverse, is magic, do not let it sense fear
  18. Blind Signatures (RSA) M is (~handwave~) just a number! The

    signatures still work if you do number things to it. So we’ll blind a signature by multiplying it with another big random number, so the signer never sees the real message. Generate a blinding factor re Blind the message: M blind = (re)M mod N S blind = (M blind )d mod N
  19. How can that possibly work? Generate a blinding factor re

    Blind the message: M blind = (re)M mod N S blind = (M blind )d mod N r also has an inverse, 1/r To unblind a signature: S = (S blind ) * (1/r) mod N = (M blind )d * (1/r) = (reM)d * (1/r) = (M)d(re)d * (1/r) = Md * red * (1/r) = Md mod N
  20. How can that possibly work? The signer has only ever

    seen Mr But we have a valid, unblind S! To unblind a signature: S = (S blind ) * (1/r) mod N = (M blind )d * (1/r) = (reM)d * (1/r) = (M)d(re)d * (1/r) = Md * red * (1/r) = Md mod N
  21. Why? Blind signatures allow you to receive tokens from an

    issuer and redeem them later without revealing who you are. The blind and unblind messages are unlinkable. This enables
  22. How?

  23. How?

  24. How?

  25. We want to prove more complicated statements, like...

  26. Transparent Transactions

  27. Shielded Transactions

  28. Proofs “Do you know the solution to today’s crossword?”

  29. Zero-usefulness proofs “Do you know the solution to today’s crossword?”

    “I know the solution.”
  30. Zero-privacy proofs “Do you know the solution to today’s crossword?”

    “Here is the solution.”
  31. Zero-knowledge proofs “Do you know the solution to today’s crossword?”

    “Here is a proof that I know the solution.”
  32. Zero-knowledge proofs must have: • Completeness ◦ If the prover

    is telling the truth, they will eventually convince the verifier. • Soundness ◦ A prover can only convince a verifier if they are actually telling the truth. • Zero-knowledgeness (yes, I know) ◦ Verifier doesn’t learn anything about the prover’s information. [Goldwasser, Micali, Rackoff 1985]
  33. Full [PGHR13] protocol ([BCTV14USENIX] variant)

  34. Writing Circuits a 0 := boolean value a 1 :=

    boolean value … a 6 := boolean value a 7 := boolean value a 0 * (1 - a 0 ) = 0 a 1 * (1 - a 1 ) = 0 … a 6 * (1 - a 6 ) = 0 a 7 * (1 - a 7 ) = 0 a := byte value 1 * (20 a 0 + 21 a 1 + … + 26 a 7 + 27 a 7 - a) = 0 Now constrain those numbers to satisfy other equations, like elliptic curves or SHA-256
  35. Implementations! • Proving systems ◦ libsnark - C++ ◦ bellman

    - Rust • Medium-level libraries / DSLs ◦ jsnark - Java ◦ Snarky - OCaml ◦ ZoKrates - Ethereum Papers, links, examples: https://zkp.science
  36. ZKP Hide the information you are proving MPC Run complex

    computations on information you don’t know
  37. MPC Example: Compute parameters for Zcash

  38. MPC Example: Compute parameters for Zcash (securely)

  39. Defining Security

  40. Defining Security Real Protocol Ideal World

  41. Defining Security Real Protocol A B C Ideal World A'

    B' C' Security: {A, B, C} indistinguishable from {A', B', C'}
  42. Defining Security A' B' C' Sim Secure if Sim can

    produce output with the same distribution as the original party A (resp. B, C)
  43. Strategy • First create protocol that protects privacy as long

    as all parties send valid (as prescribed by the protocol) messages at each step. • Then add logic to enforce sending valid messages. − Use ZK proofs to preserve privacy and force honest behavior
  44. One Protocol to Rule Them All

  45. Oblivious Transfer Receiver learns exactly one of Sender's strings, and

    nothing more. Sender learns nothing.
  46. Input Sharing • Alice chooses random r_i, r_j, … for

    each of her input bits and sends these to Bob. Alice keeps a_i XOR r_i as her shares. • Bob chooses random s_i, s_j, … for his bits and sends (b_i+s_i), … to Alice, keeping s_i as his shares. • Note that XORing shares gives true wire values!
  47. Computing an AND with OT • For two inputs a

    and b, Alice has (a+r) and (b+s), and Bob has r and s. • Bob can select w and keep ouput share rs+w; he can compute four possible: (a+r)s + (b+s)r + w = as+rs+br+rs+w = as+br+w • Alice can compute: (a+r)(b+s) = ab+as+br+rs = ab+(as+br)+rs • So Alice just needs to learn as+br+w to compute a share of the output, ab+rs+w
  48. Computing an AND with OT • Bob computes as+br+w but

    there are four possibilities – only Alice knows which is the right one • Alice should not learn any of the other possibilities • So use a 1-of-4 OT!
  49. Computing an AND with OT • Bob will keep rs+w

    as his share; Alice will get as+br+w and will compute her new share • We have XOR shares of the output – so we can use this as the input for another AND gate!
  50. Building a Circuit • Use this process to connect lots

    of ANDs • XORs can just be computed locally, no interactions needed (just XOR the shares) • Any circuit can be expressed with just ANDs and XORs
  51. More than Two Parties • Send XOR shares of each

    input bit to each other party • Act as OT sender for parties with smaller ID, OT receiver for parties with larger ID. • Still uses 1-of-4 OT • XOR all received share “pieces” to get output wire shares.
  52. Putting it all Together • This is the GMW protocol

    • Only one party needs to be honest for security to be maintained − If more than half are honest, small adaptation allows computation can be completed even if some parties drop out • Not very practical – only proves that a protocol exists for any function
  53. Remember We are cryptographers, not your cryptographers! George Tankersley (@gtank__)

    Filippo Valsorda (@FiloSottile) Benjamin Kreuter Jack Grigg (@str4d)