New Cryptography

New Cryptography:
The Most Dangerous
Game
George Tankersley
(@gtank__)
Filippo Valsorda
(@FiloSottile)
https://hivemill.com/collections/smbc/products/smbc-the-most-dangerous-game-shirt

View Slide

Crypto 1.0
Symmetric Encryption
Public-Key Encryption
Key Exchange
Signing
Hashing

View Slide

View Slide

Crypto 1.0
Symmetric Encryption
Public-Key Encryption
Key Exchange
Signing
Hashing
BORING

View Slide

Crypto 2.0
Builds on Crypto 1.0 (Berry Schoenmakers).
If Crypto 1.0 defends against outside attackers, 2.0 defends against malicious
insiders.
Much weirder. Mostly much newer. Not necessarily safe yet.

View Slide

Crypto 1.5: PAKE
Password Authenticated Key Exchange
Cooler than Crypto 1.0, but you can use it today!

View Slide

Before PAKE
Client Server
Encrypt
password
(random_key) —→ decrypt and use random_key
See: WPA2
Allows bruteforce!

View Slide

Diffie-Hellman refresher
Client Server
pick x pick y
gx mod p —→ ←— gy mod p
use gxy mod p use gyx mod p

View Slide

Example of PAKE: EKE2
Client Server
pick x pick y
Encrypt
password
(gx mod p) —→ ←— Encrypt
password
(gy mod p)
use gxy mod p use gyx mod p
Can’t bruteforce Encrypt
password
(gx mod p)!
(Requires special g and p.)

View Slide

PAKE
Agree on a key when both sides share a password.
No bruteforce opportunity for an attacker. Can use weak passwords!
Examples:
● Magic Wormhole
● Pond
● WPA3
Many types, use SPAKE2-EE.

View Slide

⚠ Non-mainstream cryptography ⚠

View Slide

Blind Signatures (RSA)
Public (N, e) and private d
N = p*q and d = 1/e mod (N)
Generate a signature S by
S = Md mod N
Verify it by checking that
Se == M mod N
(Md)e = M(1/e)*e = M1 = M mod N

View Slide

S = Md mod N
Se == M mod N
(Md)e = M(1/e)*e = M1 = M mod N
N is the modulus, product of two primes,

View Slide

S = Md mod N
Se == M mod N
(Md)e = M(1/e)*e = M1 = M mod N
e is the public exponent, d is its inverse,

View Slide

S = Md mod N
Se == M mod N
(Md)e = M(1/e)*e = M1 = M mod N
e is the public exponent, d is its inverse,
is magic, do not let it sense fear

View Slide

M is (~handwave~) just a number!
The signatures still work if you do
number things to it.
So we’ll blind a signature by
multiplying it with another big random
number, so the signer never sees the
real message.
Generate a blinding factor re
Blind the message:
M
blind
= (re)M mod N
S
blind
= (M
blind
)d mod N

View Slide

How can that possibly work?
Generate a blinding factor re
Blind the message:
M
blind
= (re)M mod N
S
blind
= (M
blind
)d mod N
r also has an inverse, 1/r
To unblind a signature:
S = (S
blind
) * (1/r) mod N
= (M
blind
)d * (1/r)
= (reM)d * (1/r)
= (M)d(re)d * (1/r)
= Md * red * (1/r)
= Md mod N

View Slide

How can that possibly work?
The signer has only ever seen Mr
But we have a valid, unblind S!
To unblind a signature:
S = (S
blind
) * (1/r) mod N
= (M
blind
)d * (1/r)
= (reM)d * (1/r)
= (M)d(re)d * (1/r)
= Md * red * (1/r)
= Md mod N

View Slide

Why?
Blind signatures allow you to receive tokens from an issuer and redeem them
later without revealing who you are. The blind and unblind messages are
unlinkable.
This enables

View Slide

How?

View Slide

We want to prove more
complicated statements, like...

View Slide

Transparent Transactions

View Slide

Shielded Transactions

View Slide

Proofs
“Do you know the solution
to today’s crossword?”

View Slide

Zero-usefulness proofs
“I know the solution.”

View Slide

Zero-privacy proofs
“Here is the solution.”

View Slide

Zero-knowledge proofs
“Here is a proof that
I know the solution.”

View Slide

Zero-knowledge proofs must have:
● Completeness
○ If the prover is telling the truth, they will eventually convince the verifier.
● Soundness
○ A prover can only convince a verifier if they are actually telling the truth.
● Zero-knowledgeness (yes, I know)
○ Verifier doesn’t learn anything about the prover’s information.
[Goldwasser, Micali, Rackoff 1985]

View Slide

Full [PGHR13] protocol ([BCTV14USENIX] variant)

View Slide

Writing Circuits
a
0
:= boolean value
a
1
:= boolean value
…
a
6
:= boolean value
a
7
:= boolean value
a
0
* (1 - a
0
) = 0
a
1
* (1 - a
1
) = 0
…
a
6
* (1 - a
6
) = 0
a
7
* (1 - a
7
) = 0
a := byte value 1 * (20 a
0
+ 21 a
1
+ … + 26 a
7
+ 27 a
7
- a) = 0
Now constrain those numbers to satisfy other equations,
like elliptic curves or SHA-256

View Slide

Implementations!
● Proving systems
○ libsnark - C++
○ bellman - Rust
● Medium-level libraries / DSLs
○ jsnark - Java
○ Snarky - OCaml
○ ZoKrates - Ethereum
Papers, links, examples: https://zkp.science

View Slide

ZKP
Hide the information you are proving
MPC
Run complex computations on information you don’t know

View Slide

MPC
Example:
Compute parameters for Zcash

View Slide

MPC
Example:
Compute parameters for Zcash
(securely)

View Slide

Defining Security

View Slide

Defining Security
Real Protocol Ideal World

View Slide

Defining Security
Real Protocol
A B
C
Ideal World
A' B'
C'
Security: {A, B, C} indistinguishable from {A', B', C'}

View Slide

Defining Security
A' B'
C'
Sim
Secure if Sim can produce
output with the same
distribution as the original
party A (resp. B, C)

View Slide

Strategy
●
First create protocol that protects privacy as long as
all parties send valid (as prescribed by the protocol)
messages at each step.
●
Then add logic to enforce sending valid messages.
− Use ZK proofs to preserve privacy and force honest
behavior

View Slide

One Protocol to Rule Them All

View Slide

Oblivious Transfer
Receiver learns exactly one of Sender's
strings, and nothing more. Sender learns
nothing.

View Slide

Input Sharing
●
Alice chooses random r_i, r_j, … for each of her
input bits and sends these to Bob. Alice keeps a_i
XOR r_i as her shares.
●
Bob chooses random s_i, s_j, … for his bits and
sends (b_i+s_i), … to Alice, keeping s_i as his
shares.
●
Note that XORing shares gives true wire values!

View Slide

Computing an AND with OT
●
For two inputs a and b, Alice has (a+r) and (b+s),
and Bob has r and s.
●
Bob can select w and keep ouput share rs+w; he
can compute four possible:
(a+r)s + (b+s)r + w = as+rs+br+rs+w = as+br+w
●
Alice can compute:
(a+r)(b+s) = ab+as+br+rs = ab+(as+br)+rs
●
So Alice just needs to learn as+br+w to compute a
share of the output, ab+rs+w

View Slide

●
Bob computes as+br+w but there are four
possibilities – only Alice knows which is the right
one
●
Alice should not learn any of the other possibilities
●
So use a 1-of-4 OT!

View Slide

●
Bob will keep rs+w as his share; Alice will get
as+br+w and will compute her new share
●
We have XOR shares of the output – so we can
use this as the input for another AND gate!

View Slide

Building a Circuit
●
Use this process to connect lots of ANDs
●
XORs can just be computed locally, no interactions
needed (just XOR the shares)
●
Any circuit can be expressed with just ANDs and
XORs

View Slide

More than Two Parties
●
Send XOR shares of each input bit to each other
party
●
Act as OT sender for parties with smaller ID, OT
receiver for parties with larger ID.
●
Still uses 1-of-4 OT
●
XOR all received share “pieces” to get output wire
shares.

View Slide

Putting it all Together
●
This is the GMW protocol
●
Only one party needs to be honest for security to be
maintained
− If more than half are honest, small adaptation allows
computation can be completed even if some parties drop
out
●
Not very practical – only proves that a protocol
exists for any function

View Slide

Remember
We are cryptographers,
not your cryptographers!
George Tankersley (@gtank__)
Filippo Valsorda (@FiloSottile)
Benjamin Kreuter
Jack Grigg (@str4d)

View Slide

New Cryptography

New Cryptography

George Tankersley

More Decks by George Tankersley

Other Decks in Technology

Featured

Transcript