Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ......
Transcript of Forschungsrichtungen in der IT-Sicherheit · New (ways of) businesses using personal data ......
Dr Jan CamenischPrinciple Researcher Member IBM Academy of TechnologyIBM Research ndash Zurich
jcazurichibmcom JanCamenisch ibmbizJanCamenisch
Forschungsrichtungen in der IT-Sicherheit
Dr Jan CamenischPrinciple Researcher Member IBM Academy of TechnologyIBM Research ndash Zurich
jcazurichibmcom JanCamenisch ibmbizJanCamenisch
Forschungsrichtungen in der IT-Sicherheit
33 of cyber crimes including identity theft take less time than to make a cup of tea
Facts
33 of cyber crimes including identity theft take less time than to make a cup of tea
Facts
10 Years ago your identity information on the black market was worth $150 Todayhellip
Facts
10 Years ago your identity information on the black market was worth $150 Todayhellip
Facts
$15000000000 cost of identity theft worldwide (2015)
Facts
$15000000000 cost of identity theft worldwide (2015)
Facts
Attackers hide easily in the vast of cyberspaceAttackers hide easily in the vast of cyberspace
ᄅ
Houston we have a problem
ᄅ
Houston we have a problem
The problem is thishellip The problem is thishellip
hellipcomputers never forget
Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data
Humans forget most things too quickly Paper collects dust in drawers
But thatrsquos how we design and build applications
hellipcomputers never forget
Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data
Humans forget most things too quickly Paper collects dust in drawers
But thatrsquos how we design and build applications
9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
So it seems our environment is even nastierSo it seems our environment is even nastier
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
f(data)
Data Protection
f(data)
Data Protection
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
33 of cyber crimes including identity theft take less time than to make a cup of tea
Facts
33 of cyber crimes including identity theft take less time than to make a cup of tea
Facts
10 Years ago your identity information on the black market was worth $150 Todayhellip
Facts
10 Years ago your identity information on the black market was worth $150 Todayhellip
Facts
$15000000000 cost of identity theft worldwide (2015)
Facts
$15000000000 cost of identity theft worldwide (2015)
Facts
Attackers hide easily in the vast of cyberspaceAttackers hide easily in the vast of cyberspace
ᄅ
Houston we have a problem
ᄅ
Houston we have a problem
The problem is thishellip The problem is thishellip
hellipcomputers never forget
Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data
Humans forget most things too quickly Paper collects dust in drawers
But thatrsquos how we design and build applications
hellipcomputers never forget
Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data
Humans forget most things too quickly Paper collects dust in drawers
But thatrsquos how we design and build applications
9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
So it seems our environment is even nastierSo it seems our environment is even nastier
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
f(data)
Data Protection
f(data)
Data Protection
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
10 Years ago your identity information on the black market was worth $150 Todayhellip
Facts
10 Years ago your identity information on the black market was worth $150 Todayhellip
Facts
$15000000000 cost of identity theft worldwide (2015)
Facts
$15000000000 cost of identity theft worldwide (2015)
Facts
Attackers hide easily in the vast of cyberspaceAttackers hide easily in the vast of cyberspace
ᄅ
Houston we have a problem
ᄅ
Houston we have a problem
The problem is thishellip The problem is thishellip
hellipcomputers never forget
Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data
Humans forget most things too quickly Paper collects dust in drawers
But thatrsquos how we design and build applications
hellipcomputers never forget
Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data
Humans forget most things too quickly Paper collects dust in drawers
But thatrsquos how we design and build applications
9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
So it seems our environment is even nastierSo it seems our environment is even nastier
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
f(data)
Data Protection
f(data)
Data Protection
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
$15000000000 cost of identity theft worldwide (2015)
Facts
$15000000000 cost of identity theft worldwide (2015)
Facts
Attackers hide easily in the vast of cyberspaceAttackers hide easily in the vast of cyberspace
ᄅ
Houston we have a problem
ᄅ
Houston we have a problem
The problem is thishellip The problem is thishellip
hellipcomputers never forget
Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data
Humans forget most things too quickly Paper collects dust in drawers
But thatrsquos how we design and build applications
hellipcomputers never forget
Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data
Humans forget most things too quickly Paper collects dust in drawers
But thatrsquos how we design and build applications
9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
So it seems our environment is even nastierSo it seems our environment is even nastier
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
f(data)
Data Protection
f(data)
Data Protection
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Attackers hide easily in the vast of cyberspaceAttackers hide easily in the vast of cyberspace
ᄅ
Houston we have a problem
ᄅ
Houston we have a problem
The problem is thishellip The problem is thishellip
hellipcomputers never forget
Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data
Humans forget most things too quickly Paper collects dust in drawers
But thatrsquos how we design and build applications
hellipcomputers never forget
Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data
Humans forget most things too quickly Paper collects dust in drawers
But thatrsquos how we design and build applications
9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
So it seems our environment is even nastierSo it seems our environment is even nastier
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
f(data)
Data Protection
f(data)
Data Protection
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
ᄅ
Houston we have a problem
ᄅ
Houston we have a problem
The problem is thishellip The problem is thishellip
hellipcomputers never forget
Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data
Humans forget most things too quickly Paper collects dust in drawers
But thatrsquos how we design and build applications
hellipcomputers never forget
Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data
Humans forget most things too quickly Paper collects dust in drawers
But thatrsquos how we design and build applications
9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
So it seems our environment is even nastierSo it seems our environment is even nastier
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
f(data)
Data Protection
f(data)
Data Protection
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
The problem is thishellip The problem is thishellip
hellipcomputers never forget
Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data
Humans forget most things too quickly Paper collects dust in drawers
But thatrsquos how we design and build applications
hellipcomputers never forget
Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data
Humans forget most things too quickly Paper collects dust in drawers
But thatrsquos how we design and build applications
9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
So it seems our environment is even nastierSo it seems our environment is even nastier
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
f(data)
Data Protection
f(data)
Data Protection
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
hellipcomputers never forget
Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data
Humans forget most things too quickly Paper collects dust in drawers
But thatrsquos how we design and build applications
hellipcomputers never forget
Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data
Humans forget most things too quickly Paper collects dust in drawers
But thatrsquos how we design and build applications
9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
So it seems our environment is even nastierSo it seems our environment is even nastier
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
f(data)
Data Protection
f(data)
Data Protection
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc9
You have no privacy get over it
Huge security problem Millions of hacked passwords (100000 followers $115 - 2013) Stolen credit card number ($5 ndash 2013 lt10$ - 2016) Stolen identity ($150 - 2005 $15 - 2009 $5 - 2013 $1 - 2016) Stolen accounts (eBay PayPal $2 - 2016) Lots of not reported issues (industrial espionage stock manipulation hellip)
Data is the new money ndash so we better protect it
and we have not event discussed social issues such as democracy etc
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
So it seems our environment is even nastierSo it seems our environment is even nastier
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
f(data)
Data Protection
f(data)
Data Protection
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Very Short Summary
Massive scale mass surveillance Meta data vs plain texts and what can be inferred Data from companies (eg Google) Industrial ldquocollaborationsrdquo industrial espionage But also from underwater cables
Technical sophistication (hardly a surprise) Rigged equipment chips subverted standards (PRG) Control of CAs rarr control of network
Not by breaking encryption schemes But using insecurity of systems etc However Snowden had limited access to docs (no crypt-analysis reports)
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
So it seems our environment is even nastierSo it seems our environment is even nastier
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
f(data)
Data Protection
f(data)
Data Protection
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
Learnings from Snowden ndash Take Aways
Many things doable by ordinary hackers or somewhat sophisticated crooks Some of CA infiltration Stealing data at rest
Other things require large budget and organization FPGA ASICS Deliberate weakening of infrastructure (PRG standards etc) - very bad idea
All hope is lost ndash no chance against three letter orgs amp no real harm done
Really
So it seems our environment is even nastierSo it seems our environment is even nastier
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
f(data)
Data Protection
f(data)
Data Protection
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
So it seems our environment is even nastierSo it seems our environment is even nastier
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
f(data)
Data Protection
f(data)
Data Protection
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
We need paradigm shift
build things for use on the moon rather than the sandy beach
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
f(data)
Data Protection
f(data)
Data Protection
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit
Good news Cryptography allows for that
Security amp Privacy is not a lost cause
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
f(data)
Data Protection
f(data)
Data Protection
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous CredentialsOT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
f(data)
Data Protection
f(data)
Data Protection
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
copy 2017 IBM CorporationCryptographic 4 People - IFIP SEC 2017 - ROME
Cryptography to the Aida few examples of rocket science
Multi Party Computation
f(data)
Data Protection
f(data)
Data Protection
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
f(data)
Data Protection
f(data)
Data Protection
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
f(data)
Secure Multi Party Computation for Data Protection
Can be done for any function ndash typically not considered efficient Two or three parties protocols today can be very efficient
eg computing AES in 100ms 3PC with one party corrupt
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
f(data)
+ +++
++
+
+
data Evaluate Circuit gate per gatewith distributed protocol
+
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Multi Party Computation ndash Basic Principles
+Main approaches
Computation of gates typically for free requires protocols
Encrypted data under shared key (Fully) homomorphic encryption
Secret-share data compute with shares
++
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
password
Paper-world approach - store password - better store hash of password
Password (hashes) useless against offline attacksndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
correct
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Homomorphic Encryption
Encryption scheme
KGen(l)-gt (PKSK) C = EncPK(m) m = DecSK(c)
Plaintext homomorphism
EncPK(m1) ⟐ EncPK(m2) lt=gt EncPK(m1lowastm2)
EncPK(m) ⟐ EncPK(m) = EncPK(m)2 lt=gt EncPK(m2)
Secret key homomorphism
SK = SK1 SKlowast 2 =gt DecSK1(DecSK2(EncPK(m))) = m = DecSK1(DecSK2(EncPK(m)))
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
Account Setup
p
Uid E=EncPK(p)
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
Drsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
Ersquo = (EncPK(1prsquo) ⟐ E)r1
= EncPK( (pprsquo)r1)
E
DrsquorsquoDrsquorsquorsquo
Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
Dedicated MPC Protocol ndash Today Getting Rid of Password Databases
prsquo
(Uid E)
E Ersquorsquo = Ersquor2
Drsquorsquo = Decsk2(Ersquorsquo)Drsquorsquo
Ersquorsquorsquo = Drsquorsquor3
Drsquorsquorsquo = Decsk3(Ersquorsquorsquo)
Drsquorsquorsquo
1 = decsk1(Drsquorsquorsquo)
Result 1 if password match random otherwisendash With ElGamal each server makes two exponentiations only
Passwords safe as long as not all servers are hackedndash off-line attacks no longer possiblendash on-line attacks can be throttled
Login
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
EncPK(p)
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p = prsquo p
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Cryptography to the Aidan example of rocket science
Authentication without Identification
Cryptography to the Aidan example of rocket science
Authentication without Identification
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I need proof of- be older than 12
I wish to see Alice in Wonderland
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Name = Alice DoeBirth date = April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
Aha you areAlice Doe born April 3 1997
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Anonymous Credentials
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Like PKI but better Issuing a credential
Privacy-protecting authentication with Anonymous Credentials
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Privacy-protecting authentication with Anonymous Credentials
Alice
I wish to see Alice in Wonderland
Movie Streaming Service
I need proof of- be older than 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with Anonymous Credentials
Alice
Aha you are- older than 12
Movie Streaming ServiceMovie Streaming Service
(Public Verification Key of issuer)
Like PKI but does not send credential only minimal disclosure
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
Are you gt 12
(Public Verification Key)
Data Minimizing Authorization w ABCs
Only minimally necessary information is revealed
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
copy 2017 IBM Corporation
Research Directions
copy 2017 IBM Corporation
Research Directions
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
42
Crypto research is done since late 90
We know how to sign and encrypt so just need to use what we have
But wait we have blockchain and crypto can do magic
In truth more research needed than ever
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
43
Crypto can do magic ndash but how
Each sector and application needs its own solution More than (crypto) engineering or applied crypto Starts with
Security model Craft protocol Prove protocol secure
Example look at an arbitrary blockchain use case
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
Provable Security
Does realization behave as the specification
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
scheme specification
scheme realization
hard problem
security Proof
Provable Security ndash Research Directions
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Is this implied
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
Provable Security ndash Research Directions
Composable security framework (Canetti Maurer Kuumlsters) but
Properly modeling protocols (UC realistic attacks models ) Verifiable security proofs - humans and computers
Tools to tame the complexity Modular proofs templates for proof parts helper theorems
Computer aided verification ndash all cases covered etc Retaining efficiency Modeling and implementing setup assumptions (CRS RO ) Realistic threat models (power analysis virtual machines)
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
48
Quantum Computers are Coming
Quantum computers can factor and solve DL
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
49
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
50
Quantum Computers are Coming
Quantum computers can factor and solve DL Use Quantum resistant assumptions
But classical definitions and proofs consider ITM only
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
51
QS0 Classical security C C CQS1 Post-quantum security Q C CQS2 Superposition-based
quantum security Q Q CQS3 All quantum security Q Q Q
adversary Interactionw scheme
honest parties
Quantum Computers are Coming
Security Models
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
52
Quantum Computers are Coming
A broader view Mind the gap
Ciphertexts put on a blockchain now might not be safe in the near future
Classical crypto that resists quantum computers New security models and schemes are needed Efficient signature and encryption schemes known rarr use them now More complex primitives still not efficient enough for practical use
Hybrid schemes might be a midterm solution
Crypto for quantum computers How to encryptsign quantum states
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
53
Building a Crypto Toolbox
Goal Library of cryptographic primitives beyond encryption and signatures
Multiparty computation Zero-knowledge proofs (Schnorr-proofs SNARKS circuit based) Signatures amp encryption with protocols
Research Challenges Defining good API ndash not too low level yet not too specific Enable security proof of application using the primitives (plus formal
analysis)
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
54
Building a Crypto Toolbox ndash An Example ZKLang
Are you gt 12
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
55
Building a Crypto Toolbox ndash An Example
Proof of Knowledge of a signature on messages m1 mk
Cryptographer Signature (Ars) with A = (gh0
sh1m1 hk
mk )1(x+r) where public key y = gx
PoK (m1 mk r s) e(A y gr) = e( g gh0sh1
m1 hkmk )
Software Engineer
NIZK(m1m2m3)Credential(PKissuer m1m2m3m4) ANDEnc(PKauditor ciphertext m3)
Emerging activities ZKProoforg Hyperledger crypto lib
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog56
Research Directions
Securing the infrastructure amp IoT ldquoad-hocrdquo establishment of secure authentication and communication audit-ability amp privacy (where is my information crime traces) security services eg better CA oblivious TTPs anon routing hellip
Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
57
Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users Still lots of research to be done
Let engage in some rocket science
Conclusion
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
58
Thank you
Joint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
-