Slide 1

Slide 1 text

Collective Authorities
Transparency and Decentralized Trust at Scale
Philipp Jovanovic @Daeinar

Slide 2

Slide 2 text

Deep Dependence on Internet Authorities
Client asks:
• Time Service: Current time?
• Naming Authority: IP address of dotsecurity.io?
• Certificate Provider: TLS certificate of dotsecurity.io?
• Software Update Center: New updates?

Slide 3

Slide 3 text

Authorities Make and Sign Statements
Authorities tell the client:
• Time Service: It is 17:05.
• Naming Authority: IP address is 104.24.103.23.
• Certificate Provider: TLS certificate is xyz.
• Software Update Center: New security update 1.0.1.2 available.

Slide 4

Slide 4 text

Authority Compromise
Authorities tell the client:
• Time Service: It is 10:00.
• Naming Authority: IP address is 104.24.103.23.
• Certificate Provider: TLS certificate is xyz.
• Software Update Center: New security update 1.0.1.2 available.

Slide 5

Slide 5 text

Authority Compromise
Authorities tell the client:
• Time Service: It is 10:00.
• Naming Authority: IP address is 95.123.101.20.
• Certificate Provider: TLS certificate is xyz.
• Software Update Center: New security update 1.0.1.2 available.

Slide 6

Slide 6 text

Authority Compromise
Authorities tell the client:
• Time Service: It is 10:00.
• Naming Authority: IP address is 95.123.101.20.
• Certificate Provider: TLS certificate is zyx.
• Software Update Center: New security update 1.0.1.2 available.

Slide 7

Slide 7 text

Authority Compromise
Authorities tell the client:
• Time Service: It is 10:00.
• Naming Authority: IP address is 95.123.101.20.
• Certificate Provider: TLS certificate is zyx.
• Software Update Center: New security update 1.0.1.1 available.

Slide 8

Slide 8 text

Technical Threats

Slide 9

Slide 9 text

Legal Threats
“Hey Lavabit, give us your crypto keys. Ah and you can’t tell anybody about it.”
“Grml, here. To save space they are printed in 4pt font. You’re welcome.”
Lavabit shutdown to avoid being complicit in crimes against customers.

Slide 10

Slide 10 text

Legal Threats
“Hey Apple, create and sign a backdoored iOS.”
“Hahaha. No.”
Public debate this time, but what about the next round?

Slide 11

Slide 11 text

Fact: No Individual Entity is Immune to Compromise or Coercion

Slide 12

Slide 12 text

Legal Self-Defense
• A warrant canary: “The FBI has not been here [watch very closely for removal of this sign]”
• An actual canary

Slide 13

Slide 13 text

Ulysses Pacts* for Internet authorities?
*Thanks to Cory Doctorow for pointing out this analogy

Slide 14

Slide 14 text

Towards Ulysses Pacts for Internet Authorities
“There’s a new version of iOS.”
Clients only accept an update if Apple and enough public witnesses signed it off.
Apple (“Ulysses”), public witnesses (“Ulysses’ crew”)

Slide 15

Slide 15 text

Towards Ulysses Pacts for Internet Authorities
• Weakest link: T = 1
• Stronger link: T = 2 … 10
• Collective authorities: T = 100++
Trust splitting has to scale and increase security, diversity, and independence.

Slide 16

Slide 16 text

Decentralized Witness Cosigning
Statements cosigned by the authority and the witnesses, and recorded in public logs:
• It is 17:05.
• IP address is 104.24.103.23.
• TLS certificate is xyz.
• New security update 1.0.1.2 available.
Client verification: Signed by authority and at least T witnesses?

Slide 17

Slide 17 text

Regular Versus Collective Signing
• Regular signatures: Excerpt of a public petition from 1866
• Collective signature: Signatures in superposition

Slide 18

Slide 18 text

Collective Signing (CoSi)
1. Announcement: Send statement S now or later
2. Commitment: Aggregate commits $V = \sum_i (v_i G)$
3. Challenge: Send challenge $c = H(V, S)$
4. Response: Aggregate responses $r = \sum_i (v_i - c x_i)$
Collective (Schnorr) signature: $(c, r)$
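
The four CoSi rounds above, together with the client check from slide 16 ("signed by authority and at least T witnesses?"), as an added example that is not from the talk or the cothority project. It assumes a toy multiplicative Schnorr group in place of the elliptic curve (so v_i G becomes G^v_i), a flat set of signers instead of a communication tree, and a signature that carries the set of participants; all function and signer names are hypothetical.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example and far too small for real
# use: P = 2Q + 1 with P and Q prime, G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1           # private key x_i
    return x, pow(G, x, P)                     # public key X_i = G^x_i

def challenge(V, statement):
    # c = H(V, S), kept as the full 256-bit hash value
    data = str(V).encode() + b"|" + statement
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def cosign(statement, signers):
    """signers maps name -> private key; returns (c, r, participant names)."""
    # 1. Announcement: the leader sends S to all signers (implicit here).
    # 2. Commitment: each signer picks a fresh v_i; commits are aggregated.
    nonces = {name: secrets.randbelow(Q - 1) + 1 for name in signers}
    V = 1
    for v in nonces.values():
        V = V * pow(G, v, P) % P
    # 3. Challenge: c = H(V, S) is sent back to all signers.
    c = challenge(V, statement)
    # 4. Response: each signer returns r_i = v_i - c*x_i; sum them mod Q.
    r = sum(nonces[name] - c * x for name, x in signers.items()) % Q
    return c, r, frozenset(signers)

def verify(statement, sig, pubkeys, authority, threshold):
    """Client check: signed by the authority and at least T witnesses?"""
    c, r, who = sig
    if authority not in who or len(who - {authority}) < threshold:
        return False
    if any(name not in pubkeys for name in who):
        return False
    X = 1                                      # aggregate public key
    for name in who:
        X = X * pubkeys[name] % P
    V = pow(G, r, P) * pow(X, c, P) % P        # recompute V from (c, r)
    return challenge(V, statement) == c

if __name__ == "__main__":
    keys = {n: keygen() for n in ("authority", "w1", "w2", "w3")}
    priv = {n: k[0] for n, k in keys.items()}
    pub = {n: k[1] for n, k in keys.items()}
    sig = cosign(b"New security update 1.0.1.2 available.", priv)
    print(verify(b"New security update 1.0.1.2 available.", sig, pub, "authority", 3))
```

The signature stays a single pair (c, r) however many witnesses take part, which is why verification cost does not grow with the number of signers once the aggregate public key is known.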

Slide 19

Slide 19 text

CoSi Features
Security
• Strongest-link robustness
• Proactive guarantees
• Discourages misbehavior
Scalability
• Aggregation
• Communication trees
• Sign: O(log n) (8000 nodes, ~2 sec)
• Verify: O(1)
Transparency
• Multi-eye-principle sanity checks
• Public logs

Slide 20

Slide 20 text

Security / Transparency Levels (from weakest to strongest)
Level 0
• Traditional authorities
• No witness co-signing
• No public log(s)
Level 1
• Witness co-signing
• Public log(s)
• Check nothing
• Generic
• Easy to upgrade existing authorities
Level 2
• Witness co-signing
• Public log(s)
• Check authority statements
• E.g., reproducible builds for software updates
Level 3
• Witness co-signing BFT consensus
• Public log(s)
• Check consistency of distributed processes
• E.g., blockchain extension in cryptocurrencies

Slide 21

Slide 21 text

Scalable Strongly Consistent Blockchains
ByzCoin
• Non-probabilistic BFT consensus
• Scalable (1000+ nodes)
• Low latency (< 20 sec)
• High throughput (700+ TPS)
• Permissioned and permissionless
[Diagram: Miners; Leader; Mining cothority = Consensus group; co-sign; Mining-blockchain (co-signed); TX-blockchain (co-signed)]

Slide 22

Slide 22 text

Scalable Bias-Resistant Distributed Randomness
Rand{Hound, Herd}
• Randomness beacons
• Distributed
• Bias-resistant
• 3rd-party verifiable
• Scalable (1000+ nodes)
• Low latency randomness & proof
[Diagram: RandHound; Requester; Secret sharing group 1 (Servers); Secret sharing group 2 (Servers)]

Slide 23

Slide 23 text

Software Update Transparency
Chainiac
• Software update system
• Decentralized
• Co-signed update timeline
• Efficient source-to-binary verification
[Diagram: Developers; Pre-release; Update cothority; Verified builds; co-signed release; Update timeline (co-signed); Client pull & check]

Slide 24

Slide 24 text

Further details: https://github.com/dedis/cothority
Thanks
@Daeinar