Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ......

58
Dr. Jan Camenisch Principle Researcher; Member, IBM Academy of Technology IBM Research – Zurich [email protected] @JanCamenisch ibm.biz/JanCamenisch Forschungsrichtungen in der IT-Sicherheit

Transcript of Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ......

Page 1: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Dr Jan CamenischPrinciple Researcher Member IBM Academy of TechnologyIBM Research ndash Zurich

jcazurichibmcom JanCamenisch ibmbizJanCamenisch

Forschungsrichtungen in der IT-Sicherheit

Dr Jan CamenischPrinciple Researcher Member IBM Academy of TechnologyIBM Research ndash Zurich

jcazurichibmcom JanCamenisch ibmbizJanCamenisch

Forschungsrichtungen in der IT-Sicherheit

33 of cyber crimes including identity theft take less time than to make a cup of tea

Facts

33 of cyber crimes including identity theft take less time than to make a cup of tea

Facts

10 Years ago your identity information on the black market was worth $150 Todayhellip

Facts

10 Years ago your identity information on the black market was worth $150 Todayhellip

Facts

$15000000000 cost of identity theft worldwide (2015)

Facts

$15000000000 cost of identity theft worldwide (2015)

Facts

Attackers hide easily in the vast of cyberspaceAttackers hide easily in the vast of cyberspace

Houston we have a problem

Houston we have a problem

The problem is thishellip The problem is thishellip

hellipcomputers never forget

Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data

Humans forget most things too quickly Paper collects dust in drawers

But thatrsquos how we design and build applications

hellipcomputers never forget

Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data

Humans forget most things too quickly Paper collects dust in drawers

But thatrsquos how we design and build applications

9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

So it seems our environment is even nastierSo it seems our environment is even nastier

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

f(data)

Data Protection

f(data)

Data Protection

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 2: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

33 of cyber crimes including identity theft take less time than to make a cup of tea

Facts

33 of cyber crimes including identity theft take less time than to make a cup of tea

Facts

10 Years ago your identity information on the black market was worth $150 Todayhellip

Facts

10 Years ago your identity information on the black market was worth $150 Todayhellip

Facts

$15000000000 cost of identity theft worldwide (2015)

Facts

$15000000000 cost of identity theft worldwide (2015)

Facts

Attackers hide easily in the vast of cyberspaceAttackers hide easily in the vast of cyberspace

Houston we have a problem

Houston we have a problem

The problem is thishellip The problem is thishellip

hellipcomputers never forget

Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data

Humans forget most things too quickly Paper collects dust in drawers

But thatrsquos how we design and build applications

hellipcomputers never forget

Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data

Humans forget most things too quickly Paper collects dust in drawers

But thatrsquos how we design and build applications

9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

So it seems our environment is even nastierSo it seems our environment is even nastier

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

f(data)

Data Protection

f(data)

Data Protection

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 3: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

10 Years ago your identity information on the black market was worth $150 Todayhellip

Facts

10 Years ago your identity information on the black market was worth $150 Todayhellip

Facts

$15000000000 cost of identity theft worldwide (2015)

Facts

$15000000000 cost of identity theft worldwide (2015)

Facts

Attackers hide easily in the vast of cyberspaceAttackers hide easily in the vast of cyberspace

Houston we have a problem

Houston we have a problem

The problem is thishellip The problem is thishellip

hellipcomputers never forget

Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data

Humans forget most things too quickly Paper collects dust in drawers

But thatrsquos how we design and build applications

hellipcomputers never forget

Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data

Humans forget most things too quickly Paper collects dust in drawers

But thatrsquos how we design and build applications

9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

So it seems our environment is even nastierSo it seems our environment is even nastier

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

f(data)

Data Protection

f(data)

Data Protection

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 4: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

$15000000000 cost of identity theft worldwide (2015)

Facts

$15000000000 cost of identity theft worldwide (2015)

Facts

Attackers hide easily in the vast of cyberspaceAttackers hide easily in the vast of cyberspace

Houston we have a problem

Houston we have a problem

The problem is thishellip The problem is thishellip

hellipcomputers never forget

Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data

Humans forget most things too quickly Paper collects dust in drawers

But thatrsquos how we design and build applications

hellipcomputers never forget

Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data

Humans forget most things too quickly Paper collects dust in drawers

But thatrsquos how we design and build applications

9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

So it seems our environment is even nastierSo it seems our environment is even nastier

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

f(data)

Data Protection

f(data)

Data Protection

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 5: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Attackers hide easily in the vast of cyberspaceAttackers hide easily in the vast of cyberspace

Houston we have a problem

Houston we have a problem

The problem is thishellip The problem is thishellip

hellipcomputers never forget

Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data

Humans forget most things too quickly Paper collects dust in drawers

But thatrsquos how we design and build applications

hellipcomputers never forget

Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data

Humans forget most things too quickly Paper collects dust in drawers

But thatrsquos how we design and build applications

9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

So it seems our environment is even nastierSo it seems our environment is even nastier

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

f(data)

Data Protection

f(data)

Data Protection

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 6: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Houston we have a problem

Houston we have a problem

The problem is thishellip The problem is thishellip

hellipcomputers never forget

Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data

Humans forget most things too quickly Paper collects dust in drawers

But thatrsquos how we design and build applications

hellipcomputers never forget

Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data

Humans forget most things too quickly Paper collects dust in drawers

But thatrsquos how we design and build applications

9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

So it seems our environment is even nastierSo it seems our environment is even nastier

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

f(data)

Data Protection

f(data)

Data Protection

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 7: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

The problem is thishellip The problem is thishellip

hellipcomputers never forget

Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data

Humans forget most things too quickly Paper collects dust in drawers

But thatrsquos how we design and build applications

hellipcomputers never forget

Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data

Humans forget most things too quickly Paper collects dust in drawers

But thatrsquos how we design and build applications

9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

So it seems our environment is even nastierSo it seems our environment is even nastier

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

f(data)

Data Protection

f(data)

Data Protection

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 8: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

hellipcomputers never forget

Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data

Humans forget most things too quickly Paper collects dust in drawers

But thatrsquos how we design and build applications

hellipcomputers never forget

Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data

Humans forget most things too quickly Paper collects dust in drawers

But thatrsquos how we design and build applications

9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

So it seems our environment is even nastierSo it seems our environment is even nastier

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

f(data)

Data Protection

f(data)

Data Protection

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 9: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc9

You have no privacy get over it

Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)

Data is the new money ndash so we better protect it

and we have not event discussed social issues such as democracy etc

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

So it seems our environment is even nastierSo it seems our environment is even nastier

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

f(data)

Data Protection

f(data)

Data Protection

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 10: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Very Short Summary

Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables

Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network

Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

So it seems our environment is even nastierSo it seems our environment is even nastier

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

f(data)

Data Protection

f(data)

Data Protection

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 11: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

Learnings from Snowden ndash Take Aways

Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest

Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea

All hope is lost ndash no chance against three letter orgs amp no real harm done

Really

So it seems our environment is even nastierSo it seems our environment is even nastier

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

f(data)

Data Protection

f(data)

Data Protection

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 12: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

So it seems our environment is even nastierSo it seems our environment is even nastier

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

f(data)

Data Protection

f(data)

Data Protection

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 13: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

We need paradigm shift

build things for use on the moon rather than the sandy beach

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

f(data)

Data Protection

f(data)

Data Protection

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 14: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Security amp Privacy is not a lost cause

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

f(data)

Data Protection

f(data)

Data Protection

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 15: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

f(data)

Data Protection

f(data)

Data Protection

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 16: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME

Cryptography to the Aida few examples of rocket science

Multi Party Computation

f(data)

Data Protection

f(data)

Data Protection

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 17: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

f(data)

Data Protection

f(data)

Data Protection

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 18: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

f(data)

Secure Multi Party Computation for Data Protection

Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient

eg computing AES in 100ms 3PC with one party corrupt

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 19: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

f(data)

+ +++

++

+

+

data Evaluate Circuit gate per gatewith distributed protocol

+

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 20: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Multi Party Computation ndash Basic Principles

+Main approaches

Computation of gates typically for free requires protocols

Encrypted data under shared key (Fully) homomorphic encryption

Secret-share data compute with shares

++

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 21: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 22: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

password

Paper-world approach - store password - better store hash of password

Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

correct

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 23: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Homomorphic Encryption

Encryption scheme

KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)

Plaintext homomorphism

EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)

EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)

Secret key homomorphism

SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 24: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

Account Setup

p

Uid E=EncPK(p)

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 25: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 26: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

Drsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 27: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

Ersquo = (EncPK(1prsquo) ⟐ E)r1

= EncPK( (pprsquo)r1)

E

DrsquorsquoDrsquorsquorsquo

Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 28: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

Dedicated MPC Protocol ndash Today Getting Rid of Password Databases

prsquo

(Uid E)

E Ersquorsquo = Ersquor2

Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo

Ersquorsquorsquo = Drsquorsquor3

Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)

Drsquorsquorsquo

1 = decsk1(Drsquorsquorsquo)

Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only

Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled

Login

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 29: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

EncPK(p)

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 30: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p = prsquo p

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 31: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Cryptography to the Aidan example of rocket science

Authentication without Identification

Cryptography to the Aidan example of rocket science

Authentication without Identification

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 32: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

I need proof of- be older than 12

I wish to see Alice in Wonderland

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 33: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Name = Alice DoeBirth date = April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 34: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Alice wants to watch a movie at Mplex

Alice

Movie Streaming Service

Aha you areAlice Doe born April 3 1997

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 35: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Anonymous Credentials

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 36: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Like PKI but better Issuing a credential

Privacy-protecting authentication with Anonymous Credentials

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 37: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Privacy-protecting authentication with Anonymous Credentials

Alice

I wish to see Alice in Wonderland

Movie Streaming Service

I need proof of- be older than 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 38: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Movie Streaming Service

- valid subscription - eID with age ge 12

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 39: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Privacy-protecting authentication with Anonymous Credentials

Alice

Aha you are- older than 12

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Like PKI but does not send credential only minimal disclosure

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 40: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

Are you gt 12

(Public Verification Key)

Data Minimizing Authorization w ABCs

Only minimally necessary information is revealed

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 41: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

copy 2017 IBM Corporation

Research Directions

copy 2017 IBM Corporation

Research Directions

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 42: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

42

Crypto research is done since late 90

We know how to sign and encrypt so just need to use what we have

But wait we have blockchain and crypto can do magic

In truth more research needed than ever

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 43: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

43

Crypto can do magic ndash but how

Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with

Security model Craft protocol Prove protocol secure

Example look at an arbitrary blockchain use case

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 44: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

Provable Security

Does realization behave as the specification

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 45: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

scheme specification

scheme realization

hard problem

security Proof

Provable Security ndash Research Directions

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 46: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Is this implied

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 47: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

Provable Security ndash Research Directions

Composable security framework (Canetti Maurer Kuumlsters) but

Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers

Tools to tame the complexity Modular proofs templates for proof parts helper theorems

Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 48: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

48

Quantum Computers are Coming

Quantum computers can factor and solve DL

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 49: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

49

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 50: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

50

Quantum Computers are Coming

Quantum computers can factor and solve DL Use Quantum resistant assumptions

But classical definitions and proofs consider ITM only

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 51: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

51

QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based

quantum security Q Q CQS3 All quantum security Q Q Q

adversary Interactionw scheme

honest parties

Quantum Computers are Coming

Security Models

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 52: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

52

Quantum Computers are Coming

A broader view Mind the gap

Ciphertexts put on a blockchain now might not be safe in the near future

Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use

Hybrid schemes might be a midterm solution

Crypto for quantum computers How to encryptsign quantum states

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 53: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

53

Building a Crypto Toolbox

Goal Library of cryptographic primitives beyond encryption and signatures

Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols

Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal

analysis)

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 54: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

54

Building a Crypto Toolbox ndash An Example ZKLang

Are you gt 12

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 55: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

55

Building a Crypto Toolbox ndash An Example

Proof of Knowledge of a signature on messages m1 mk

Cryptographer Signature (Ars) with A = (gh0

sh1m1 hk

mk )1(x+r) where public key y = gx

PoK (m1 mk r s) e(A y gr) = e( g gh0sh1

m1 hkmk )

Software Engineer

NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)

Emerging activities ZKProoforg Hyperledger crypto lib

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 56: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56

Research Directions

Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip

Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 57: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

57

Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done

Let engage in some rocket science

Conclusion

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
Page 58: Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ... Dedicated MPC Protocol – Today: Getting Rid of Password Databases password Paper-world

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

58

Thank you

Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58

BIGGEST CHALLENGES BUSINESSES · 2019-10-31 · BIGGEST CHALLENGES BUSINESSES A global perspective is a matter of survival for businesses. Digital Technology is a vital strategic

BIGGEST CHALLENGES BUSINESSES · 2019-10-31 · BIGGEST CHALLENGES BUSINESSES A global perspective is a matter of survival for businesses. Digital Technology is a vital strategic

Sail through databases

Sail through databases

Distributed Databases Overview

Distributed Databases Overview

Databases I Normaliseren

Databases I Normaliseren

Rilsahybrid12 databases

Rilsahybrid12 databases

Multilingual Health Databases

Multilingual Health Databases

Bleeding Edge Databases

Bleeding Edge Databases

MIS Ch7 Databases

MIS Ch7 Databases

lecture 2 - databases

lecture 2 - databases

Mining Sequence Data - Poznań University of Technology · Sequence Databases and Sequential Pattern Analysis Transaction databases →sequence databases Frequent patterns vs. (frequent)

Mining Sequence Data - Poznań University of Technology · Sequence Databases and Sequential Pattern Analysis Transaction databases →sequence databases Frequent patterns vs. (frequent)

scalability of databases

scalability of databases

Databases in hadoop

Databases in hadoop

Databases Marketing

Databases Marketing

Rethinking Subscription Databases

Rethinking Subscription Databases

6. Lecture Introduction to Databases Advances in databases: … · 2020. 10. 22. · 6. Lecture Introduction to Databases Advances in databases: NoSQL databases Cheng Fu Dept. of

6. Lecture Introduction to Databases Advances in databases: … · 2020. 10. 22. · 6. Lecture Introduction to Databases Advances in databases: NoSQL databases Cheng Fu Dept. of

Building Data-Centric Businesses

Building Data-Centric Businesses

Databases en databasesystemen

Databases en databasesystemen

Refactoring Databases

Refactoring Databases

Databases - BH

Databases - BH

Distributed Databases

Distributed Databases