Tweet
Tweet

Slide 1

Slide 1 text

New Cryptography: The Most Dangerous Game George Tankersley (@gtank__) Filippo Valsorda (@FiloSottile) https://hivemill.com/collections/smbc/products/smbc-the-most-dangerous-game-shirt

Slide 2

Slide 2 text

Crypto 1.0 Symmetric Encryption Public-Key Encryption Key Exchange Signing Hashing

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

Crypto 1.0 Symmetric Encryption Public-Key Encryption Key Exchange Signing Hashing BORING

Slide 5

Slide 5 text

Crypto 2.0 Builds on Crypto 1.0 (Berry Schoenmakers). If Crypto 1.0 defends against outside attackers, 2.0 defends against malicious insiders. Much weirder. Mostly much newer. Not necessarily safe yet.

Slide 6

Slide 6 text

Crypto 1.5: PAKE Password Authenticated Key Exchange Cooler than Crypto 1.0, but you can use it today!

Slide 7

Slide 7 text

Before PAKE Client Server Encrypt password (random_key) —→ decrypt and use random_key See: WPA2 Allows bruteforce!

Slide 8

Slide 8 text

Diffie-Hellman refresher Client Server pick x pick y gx mod p —→ ←— gy mod p use gxy mod p use gyx mod p

Slide 9

Slide 9 text

Example of PAKE: EKE2 Client Server pick x pick y Encrypt password (gx mod p) —→ ←— Encrypt password (gy mod p) use gxy mod p use gyx mod p Can’t bruteforce Encrypt password (gx mod p)! (Requires special g and p.)

Slide 10

Slide 10 text

PAKE Agree on a key when both sides share a password. No bruteforce opportunity for an attacker. Can use weak passwords! Examples: ● Magic Wormhole ● Pond ● WPA3 Many types, use SPAKE2-EE.

Slide 11

Slide 11 text

⚠ Non-mainstream cryptography ⚠

Slide 12

Slide 12 text

Blind Signatures (RSA) Public (N, e) and private d N = p*q and d = 1/e mod (N) Generate a signature S by S = Md mod N Verify it by checking that Se == M mod N (Md)e = M(1/e)*e = M1 = M mod N

Slide 13

Slide 13 text

Blind Signatures (RSA) Public (N, e) and private d N = p*q and d = 1/e mod (N) Generate a signature S by S = Md mod N Verify it by checking that Se == M mod N (Md)e = M(1/e)*e = M1 = M mod N N is the modulus, product of two primes,

Slide 14

Slide 14 text

Blind Signatures (RSA) Public (N, e) and private d N = p*q and d = 1/e mod (N) Generate a signature S by S = Md mod N Verify it by checking that Se == M mod N (Md)e = M(1/e)*e = M1 = M mod N N is the modulus, product of two primes,

Slide 15

Slide 15 text

Blind Signatures (RSA) Public (N, e) and private d N = p*q and d = 1/e mod (N) Generate a signature S by S = Md mod N Verify it by checking that Se == M mod N (Md)e = M(1/e)*e = M1 = M mod N N is the modulus, product of two primes, e is the public exponent, d is its inverse,

Slide 16

Slide 16 text

Blind Signatures (RSA) Public (N, e) and private d N = p*q and d = 1/e mod (N) Generate a signature S by S = Md mod N Verify it by checking that Se == M mod N (Md)e = M(1/e)*e = M1 = M mod N N is the modulus, product of two primes, e is the public exponent, d is its inverse,

Slide 17

Slide 17 text

Blind Signatures (RSA) Public (N, e) and private d N = p*q and d = 1/e mod (N) Generate a signature S by S = Md mod N Verify it by checking that Se == M mod N (Md)e = M(1/e)*e = M1 = M mod N N is the modulus, product of two primes, e is the public exponent, d is its inverse, is magic, do not let it sense fear

Slide 18

Slide 18 text

Blind Signatures (RSA) M is (~handwave~) just a number! The signatures still work if you do number things to it. So we’ll blind a signature by multiplying it with another big random number, so the signer never sees the real message. Generate a blinding factor re Blind the message: M blind = (re)M mod N S blind = (M blind )d mod N

Slide 19

Slide 19 text

How can that possibly work? Generate a blinding factor re Blind the message: M blind = (re)M mod N S blind = (M blind )d mod N r also has an inverse, 1/r To unblind a signature: S = (S blind ) * (1/r) mod N = (M blind )d * (1/r) = (reM)d * (1/r) = (M)d(re)d * (1/r) = Md * red * (1/r) = Md mod N

Slide 20

Slide 20 text

How can that possibly work? The signer has only ever seen Mr But we have a valid, unblind S! To unblind a signature: S = (S blind ) * (1/r) mod N = (M blind )d * (1/r) = (reM)d * (1/r) = (M)d(re)d * (1/r) = Md * red * (1/r) = Md mod N

Slide 21

Slide 21 text

Why? Blind signatures allow you to receive tokens from an issuer and redeem them later without revealing who you are. The blind and unblind messages are unlinkable. This enables

Slide 22

Slide 22 text

How?

Slide 23

Slide 23 text

How?

Slide 24

Slide 24 text

How?

Slide 25

Slide 25 text

We want to prove more complicated statements, like...

Slide 26

Slide 26 text

Transparent Transactions

Slide 27

Slide 27 text

Shielded Transactions

Slide 28

Slide 28 text

Proofs “Do you know the solution to today’s crossword?”

Slide 29

Slide 29 text

Zero-usefulness proofs “Do you know the solution to today’s crossword?” “I know the solution.”

Slide 30

Slide 30 text

Zero-privacy proofs “Do you know the solution to today’s crossword?” “Here is the solution.”

Slide 31

Slide 31 text

Zero-knowledge proofs “Do you know the solution to today’s crossword?” “Here is a proof that I know the solution.”

Slide 32

Slide 32 text

Zero-knowledge proofs must have: ● Completeness ○ If the prover is telling the truth, they will eventually convince the verifier. ● Soundness ○ A prover can only convince a verifier if they are actually telling the truth. ● Zero-knowledgeness (yes, I know) ○ Verifier doesn’t learn anything about the prover’s information. [Goldwasser, Micali, Rackoff 1985]

Slide 33

Slide 33 text

Full [PGHR13] protocol ([BCTV14USENIX] variant)

Slide 34

Slide 34 text

Writing Circuits a 0 := boolean value a 1 := boolean value … a 6 := boolean value a 7 := boolean value a 0 * (1 - a 0 ) = 0 a 1 * (1 - a 1 ) = 0 … a 6 * (1 - a 6 ) = 0 a 7 * (1 - a 7 ) = 0 a := byte value 1 * (20 a 0 + 21 a 1 + … + 26 a 7 + 27 a 7 - a) = 0 Now constrain those numbers to satisfy other equations, like elliptic curves or SHA-256

Slide 35

Slide 35 text

Implementations! ● Proving systems ○ libsnark - C++ ○ bellman - Rust ● Medium-level libraries / DSLs ○ jsnark - Java ○ Snarky - OCaml ○ ZoKrates - Ethereum Papers, links, examples: https://zkp.science

Slide 36

Slide 36 text

ZKP Hide the information you are proving MPC Run complex computations on information you don’t know

Slide 37

Slide 37 text

MPC Example: Compute parameters for Zcash

Slide 38

Slide 38 text

MPC Example: Compute parameters for Zcash (securely)

Slide 39

Slide 39 text

Defining Security

Slide 40

Slide 40 text

Defining Security Real Protocol Ideal World

Slide 41

Slide 41 text

Defining Security Real Protocol A B C Ideal World A' B' C' Security: {A, B, C} indistinguishable from {A', B', C'}

Slide 42

Slide 42 text

Defining Security A' B' C' Sim Secure if Sim can produce output with the same distribution as the original party A (resp. B, C)

Slide 43

Slide 43 text

Strategy ● First create protocol that protects privacy as long as all parties send valid (as prescribed by the protocol) messages at each step. ● Then add logic to enforce sending valid messages. − Use ZK proofs to preserve privacy and force honest behavior

Slide 44

Slide 44 text

One Protocol to Rule Them All

Slide 45

Slide 45 text

Oblivious Transfer Receiver learns exactly one of Sender's strings, and nothing more. Sender learns nothing.

Slide 46

Slide 46 text

Input Sharing ● Alice chooses random r_i, r_j, … for each of her input bits and sends these to Bob. Alice keeps a_i XOR r_i as her shares. ● Bob chooses random s_i, s_j, … for his bits and sends (b_i+s_i), … to Alice, keeping s_i as his shares. ● Note that XORing shares gives true wire values!

Slide 47

Slide 47 text

Computing an AND with OT ● For two inputs a and b, Alice has (a+r) and (b+s), and Bob has r and s. ● Bob can select w and keep ouput share rs+w; he can compute four possible: (a+r)s + (b+s)r + w = as+rs+br+rs+w = as+br+w ● Alice can compute: (a+r)(b+s) = ab+as+br+rs = ab+(as+br)+rs ● So Alice just needs to learn as+br+w to compute a share of the output, ab+rs+w

Slide 48

Slide 48 text

Computing an AND with OT ● Bob computes as+br+w but there are four possibilities – only Alice knows which is the right one ● Alice should not learn any of the other possibilities ● So use a 1-of-4 OT!

Slide 49

Slide 49 text

Computing an AND with OT ● Bob will keep rs+w as his share; Alice will get as+br+w and will compute her new share ● We have XOR shares of the output – so we can use this as the input for another AND gate!

Slide 50

Slide 50 text

Building a Circuit ● Use this process to connect lots of ANDs ● XORs can just be computed locally, no interactions needed (just XOR the shares) ● Any circuit can be expressed with just ANDs and XORs

Slide 51

Slide 51 text

More than Two Parties ● Send XOR shares of each input bit to each other party ● Act as OT sender for parties with smaller ID, OT receiver for parties with larger ID. ● Still uses 1-of-4 OT ● XOR all received share “pieces” to get output wire shares.

Slide 52

Slide 52 text

Putting it all Together ● This is the GMW protocol ● Only one party needs to be honest for security to be maintained − If more than half are honest, small adaptation allows computation can be completed even if some parties drop out ● Not very practical – only proves that a protocol exists for any function

Slide 53

Slide 53 text

Remember We are cryptographers, not your cryptographers! George Tankersley (@gtank__) Filippo Valsorda (@FiloSottile) Benjamin Kreuter Jack Grigg (@str4d)