Quo Vadis PKI? IEEE International Conference on Public Key Infrastructure and its Applications: PKIA 2017 Bangalore 14-15, November 2017

Similar documents
COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Lecture 1: Introduction to Public key cryptography

ECash and Anonymous Credentials

Security Protocols and Application Final Exam

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05

Cryptography for Blockchains beyond ECDSA and SHA256

Lecture 10: Zero-Knowledge Proofs

CPSC 467: Cryptography and Computer Security

ALICE IN POST-QUANTUM WONDERLAND; BOB THROUGH THE DIGITAL LOOKING-GLASS

Uncloneable Quantum Money

Dr George Danezis University College London, UK

Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs

CPSC 467: Cryptography and Computer Security

Cryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies

Divisible E-cash Made Practical

CPSC 467b: Cryptography and Computer Security

Introduction to Cryptography Lecture 13

George Danezis Microsoft Research, Cambridge, UK

Question: Total Points: Score:

Winter 2011 Josh Benaloh Brian LaMacchia

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Security Analysis of Some Batch Verifying Signatures from Pairings

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Applied cryptography

Cryptographical Security in the Quantum Random Oracle Model

Blind Collective Signature Protocol

Fairness realized with Observer

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

Public Key Algorithms

CPSC 467b: Cryptography and Computer Security

Public-key Cryptography and elliptic curves

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

A FEW E-COMMERCE APPLICATIONS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 9 of Trappe and Washington

Chapter 8 Public-key Cryptography and Digital Signatures

Lecture V : Public Key Cryptography

Simple Proofs of Sequential Work

Cryptology. Vilius Stakėnas autumn

8 Elliptic Curve Cryptography

Katz, Lindell Introduction to Modern Cryptrography

An Anonymous Authentication Scheme for Trusted Computing Platform

An Introduction to Pairings in Cryptography

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Cryptography IV: Asymmetric Ciphers

CPSC 467: Cryptography and Computer Security

Public-Key Cryptosystems CHAPTER 4

Non-Interactive Zero-Knowledge Proofs of Non-Membership

Cryptographic Hash Functions

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

Post-Quantum Cryptography & Privacy. Andreas Hülsing

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity

1 Number Theory Basics

New Commitment Schemes with Applications to Anonymous Bitcoin!

One Weird Trick to Stop Selfish Miners: Fresh Bitcoins, A Solution for the Honest Miner

Fundamentals of Modern Cryptography

On the Key-collisions in the Signature Schemes

Asymmetric Encryption

Introduction to Cryptography. Susan Hohenberger

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Polynomial Interpolation in the Elliptic Curve Cryptosystem

Lecture Notes. (electronic money/cash) Michael Nüsken b-it. IPEC winter 2008

Quantum Computing: it s the end of the world as we know it? Giesecke+Devrient Munich, June 2018

Foundations of Network and Computer Security

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

A Fully-Functional group signature scheme over only known-order group

Available online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:

Efficient Zero-Knowledge Range Proofs in Ethereum

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Mathematics of Public Key Cryptography

A New RSA-Based Signature Scheme

What are we talking about when we talk about post-quantum cryptography?

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

Cryptographic Protocols. Steve Lai

Design Validations for Discrete Logarithm Based Signature Schemes

CSC 774 Advanced Network Security

CSC 774 Advanced Network Security

A METHOD FOR REVOCATION IN GROUP SIGNATURE SCHEMES

Accumulators and U-Prove Revocation

ABHELSINKI UNIVERSITY OF TECHNOLOGY

Intelligent Decentralized Cloud. EDCON 18th February 2017 (V1.0)

CS 355: Topics in Cryptography Spring Problem Set 5.

ID-Based Blind Signature and Ring Signature from Pairings

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Constructing Provably-Secure Identity-Based Signature Schemes

8.1 Principles of Public-Key Cryptosystems

ECS 189A Final Cryptography Spring 2011

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Quantum-resistant cryptography

Introduction to Modern Cryptography. Benny Chor

Fast, Quantum-Resistant Public-Key Solutions for Constrained Devices Using Group Theoretic Cryptography

Lattice-Based Non-Interactive Arugment Systems

Blockchains from Proofs of Space and Time: from Spacemint to Chia

Cryptographic Protocols Notes 2

Overcoming Cryptographic Impossibility Results using Blockchains

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

An Identification Scheme Based on KEA1 Assumption

Cryptography in Blockchain Part I: Crypto Basics and. Monero. Zhiguo Wan Shandong University

PAPER An Identification Scheme with Tight Reduction

March 19: Zero-Knowledge (cont.) and Signatures

A new conic curve digital signature scheme with message recovery and without one-way hash functions

Transcription:

Quo Vadis PKI? IEEE International Conference on Public Key Infrastructure and its Applications: PKIA 2017 Bangalore 14-15, November 2017 C.E.Veni Madhavan Informatics and Security Laboratory Department of Computer Science and Automation Indian Institute of Science, Bangalore 15 November 2017 C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 1 / 24

Contents 1 Digital Evolutionary Threads 2 AAAARGH - PAIN, SKC, PKC, PKI 3 applications - documents, finance,... 4 blockchains, consensus, proof-of-work,... 5 ecash, cryptocurrencies, cryptonomics,... 6 alternatives to present form of PKI... 7 many signatures : technical departure... 8 quo vadis? : future : PKI, TTP, TKG, TaaS, PaaS, PKMaaS,... C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 2 / 24

1. Digital Evolutionary Threads DDBMS blockchains ecash cryptocurrencies PKI TSI (Trust Systems Infrastructure) C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 3 / 24

2. AAAARGH - PAIN, SKC, PKC, PKI accountability, auditability, authority, anonymity, governance, hype privacy, authenticity, integrity, non-repudiability symmetric key cryptography public key cryptography public key infrastructure C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 4 / 24

3. applications - documents, finance... digital tokens - dongles, wallets,... digital money - transactions, commerce,... digital finance - loans, deposits, inclusion,... digital lockers - certificates, contracts,... digital trust - PKI, KMC, TTP, blockchains,... C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 5 / 24

4. Blockchain Technology - Summary a trusted and immutable ledger work factor for proof-generation - worst-case 2 72 per block each block header contains hash of previous block header each block header contains root-hash of Merkle-hash-tree of the transactions included verifiability - one time application of hash function a distributed, publicly verifiable ledger anyone can check validity of blocks & transactions: using user public keys tracing all previous blocks & transactions very expensive integrity proofs a public (anyone can join/verify data) blockchain is called permissionless blockchain C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 6 / 24

Consensus in Blockchain other hard problems used in consensus rules: proof-of-stake: based on number of coins hold by the miner proof-of-space or proof-of-capacity: specified amount of disc space proof-of-activity: combination of proof-of-work & proof-of-stake proof-of-storage: specified disc space proof-of-burn: prove that certain amount of coins are burned (lost for ever) C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 7 / 24

Blockchains Vs Traditional data integrity blockchains provided trust, and data integrity based on hardness of solving mathematical problems (i.e., proof-of-work) traditional approach: Digital signature based on computational hardness of DLP/Integer Factoring/ECDSA a comparison: blockchains - A single node (honest or dishonest), has to spend same amount of work ( 2 72 hash computations) traditional (RSA1024 bit) - honest node (with private key) can produce signature in few milliseconds dishonest node (for forgery) would try to factor RSA1024 (will need only few hours of the proof-of-work network cited - computing 2 72 hashes in 10 mins) C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 8 / 24

5. ecash, cryptocurrencies cryptonomics D.Chaum [1982], S.Brandt Micromint, Millicent, Netcard ecash - electronic analog of fiat cash withdrawal, spending, deposit protocols blind signatures, double-spending controls anonymity, privacy, fungibility, transferability mutual authentication, distributed operations hash chains with signatures on terminal coins large volume, small value, micro-finance operations our earlier paper - transferable ecash [Indocrypt 2000] our previous work - semi-distributed ecash [our CEFIPRA Project] our recent paper - VSKchains- semi-centralized [ADCOM Sep 2017] our recent paper - Cryptocurrencies: Science and Socio-Economics our current work - alternative proofs-of-work, algo, complexity, SUPW C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 9 / 24

The Bitcoin (Contd.) every transaction is recorded in a public ledger called blockchain blocks of chains are inked by a system of hash addresses i.e., each block contains hash of the previous block, hence immutable each block contains a collection of new transactions each block created by a process called mining or proof-generation mining, or finding a specific hash value, is computationally expensive miner is rewarded with a bitcoin in return for the computational effort C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 10 / 24

Transactions each transaction is like a double-entry bookkeeping ledger entry, containing several input and output entries each input refers to a (previous) transaction ID with unused bitcoin output entry each output refers to payee bitcoin address and bitcoin amount to be transferred bitcoin address is derived from user s public-private key pair (hence pseudo-anonymity) each transaction is digitally signed for payer authentication only valid transactions (i.e., previously unspent bitcoins checked by an address search) will be included in a new block (hence no double-spending) C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 11 / 24

Distributed Consensus consensus rules: pertaining to validity of blocks and transactions in it consensus throughout the network (without a central authority) achieved by mining mining involves solving a computationally hard problem that serves as a proof-of-work proof-of-work algorithm used in the Bitcoin is from a hash function SHA-256 each node can independently verify the validity of a new block (including transactions in it) only a valid block will enter into blockchain, hence lead to precessing of new valid transactions C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 12 / 24

Proof-of-Work the hash function H = SHA256 is used in the Bitcoin hard Problem: find a string (or part of a string), called nonce, which gives specified hash (say, certain leading bits are zero) given x, y = H(x), find nonce n, such that H(x + n) = z, where x =< 0,..., 0, b 72,..., b 255 is a specified form of bit-string output verification is easy: Apply SHA256 once to check whether the leading bits of hash of solution string are zero How HARD is hard? prob (b i = 0) = 1 2, (i.e.,i th -bit zero) Probability that first l bits are zeros is 1 2 l Need to try 2 l nonces C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 13 / 24

Proof-of-Work difficulty level : No. of first l bits difficulty level maintained so that new valid block can be found in around 10 minutes based on avg. computation time for last 2100 blocks current status (Oct. 2017): (source: blockchain.info) total hash rate available 8 10 18 2 62.795 per second total hashes per block for 10 minute tasking 8 10 18 10 60 2 72 equivalent : first 72 bits are zeros hard problem is equivalent to: given a hash function and a partial output find a pre-image C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 14 / 24

Zerocash Zk-SNARK - efficient variant of zero-knowledge proof of knowledge (GMR89) to show some proof that one owns k coins, without showing the coins, by giving only 1 bit that one knows secret keys controlling the k coins succinct non-interactive arguments of knowledge (Ben-Sasson, Chiesa, Garman, Green, 2014) zerocash : decentralized anonymous payment from bitcoin Bitcoin not completely anonymous, although multiple identities are used de-anonymization is possible with blockchain ledger transaction graphs use of mixes (or laundries) of coin pools has limitations privacy : fiat cash >> ecash >> Bitcoin Zerocoin (MGGR13) uses, like ecash, zero knowledge proofs to thwart transaction graph analyses redeeming zero-coins requires double discrete log proofs of knowledge C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 15 / 24

Pinocchio Pinocchio Coin: building Zerocoin from a Pairing-based Proof System (DanezisFournetKohlweissParno13) The original Zerocoin protocol relies on the Strong RSA assumption and double-discrete logarithm proofs - performance constraints a variant of the Zerocoin protocol using instead elliptic curves and bilinear pairings. The proof system makes use of modern techniques based on quadratic arithmetic programs resulting in smaller proofs and quicker verification. C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 16 / 24

Our Reckoning: TKG, BC-CC PoW as a Service (PoWaaS); quantum indulgence, quantum readiness Trust-as-a-Service (TaaS) : authorized TKG (with digital certificate) Proof-of-Work as a Service (PaaS) algorithm cycles for sale! independent TTP / TKG as service for identity based signatures high-throughput, custom hash functions research services petahash/sec arbiter networks grid resource services cryptocurrency exchange networks cryptonomics services quantum cryptanalysis of BC, CC: quantum search (Grover), quantum DLP, IFP (Shor), realistic quantum attacks (ABTLST, ArXiv: [quant-ph] 28 Oct 2017) some quantum-safety-measures: extreme parametrics; ASIC-agnostics; (Memory-Hard (MH) computations) (egalitarian mining!) MH candidates: finding predicated hash-collisions; finding special subgraphs; Equihash - generalized birthday problem (MY thoughts: problems from number theory and cryptography) C.E.Veni post-quantum Madhavan (IISc) crypto algorithms Quo Vadis and PKI? quantum-safe signatures 15 November 2017 17 / 24

6. alternatives to present form of PKI pomcor.com: [K.Lewison and F.Corella, Oct 2016] traditional: knowledge-based verification (KBV) for remote identity proofing new : rich credential enabling a 3-factor authentication - ( has, knows, is ) asserting credentials on the blockchain with on-chain storage backing them with a PKI implemented on the blockchain (without CRL, OCSP (online certificate status protocol) queries utilize NFC payment or h/w identity tokens used for in-person transactions C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 18 / 24

Alternatives: PKI, Algorithms, Architectures PKI: complex to install, maintain; costly to issue and distribute; costly to recover and validate; certificate revocation QuoVadis Netherlands : PKI Root Signing enterprise CAs to chain themselves under QuoVadis trusted root embedded in main-stream browsers identity based encryption (IBE) - uses Private Key generator (PKG/TKG) certificate-less PKC CEBOT: certificate enrollment for billions of things (Sep 2015, Sweden) (super-lightweight protocol) Authenticated key-exchange without PKI [Hao, Ryan, 2006] (uses double DLP Diffie-Hellman with ZKIP) C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 19 / 24

7. many signatures: technical departure (*) bilinear pairings (*) challenge-response ( ) identity based encryption ( ) blind, undeniable, multi-party ( ) algorithms, protocols for blockchains (*) zero-knowledge interactive proof (ZKIP) ( ) attacks on algorithms, protocols, computations C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 20 / 24

Pairing based Signatures Bilinear Pair : e : G 1 XG 2 H, where e is poly-time computable, m, n Z, P 1 G 1, P 2 G 2 e(n P 1, m P 2 ) = n.m (P 1, P2) a pair of groups is G 1 = Z p and G 2 = E(F q ) a pair of groups is G 1 = E(F q1 ) and G 2 = E(F q2 ) a pairing based short signature scheme in the above case ( using the Tate-Lichtenbaum pairing) is as follows: signature setup : Let G = G 1 = G 2 be the additive group of points on elliptic curve G = E(F q ) and let B be the base point of large order in G. Let α P and E P = α P B be the private and public keys of P. signature generation : P V : compute M = h 1 (m), M G, S = α P M, send < S, m >. signature verification : V : M = h 1 (m), u = e(e P, M), v = e(b, S) and check u = v proof : u = e(e P, M) = α P.1 e(b, M) = 1.α P e(b, M) = e(b, S) C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 21 / 24

CR Schemes Challenge-Response (CR Schemes) (based on digital signatures) Let e P, d P be the public and private keys of P V P : r V R Z P V : r P R Z, sends C =< r P, s(= E(r P r V, d P )) > V : recovers from C the components corresponding to r P and r V (from s by computing E(s, e P )) and checks for match C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 22 / 24

ZKIP Schemes - Idea a system setup - (TTP, TKG, TSI) P holds a public-private key pair a three pass interaction between P and V P chooses a random commitment and sends a witness to V V sends a random challenge to P P sends a response using, the private key, the commitment and the challenge V computes the expected response using the commitment, the challenge, public key, and establishes probabilistically, the possession of knowledge by P All the ZKIP schemes, described as authentication or identification schemes, also serve as signature schemes by treating the challenge as the message/digest to be signed C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 23 / 24

ZKIP Schemes - Realization Feige-Fiat-Shamir Scheme system setup: p, q 3 (mod 4); n = p.q P setup: x 1,..., x t R Z n ; u 1,..., u t R {0, 1} compute y i = ( 1) u i.(x 2 i ) 1 (mod n), i = 1,..., t make < y 1,..., y t > public and keep < x 1,..., x t > private protocol: P V : c R Zn, z R {0, 1}, w ( 1) z.c 2 (mod n) (commitment) V P :< h 1,..., h t >, h i R {0, 1} (challenge) P V : r c. t i=1 x h i i (mod n) (response) V computes v r 2 t i=1 (y i) h i (mod n), verifies v ±w (mod n) FFS scheme is based on hardness of the SQRT modulo composite problem Other, protocols are : GQ scheme based on hardness of the RSA problem and Schnorr scheme based on hardness of the DLP problem C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 24 / 24

Quo Vadis PKI? Cryptography is a tale of many intrigues from state-craft to PKI, with a rich blend of math, computing, trade, and commerce variety. Algebra, number theory, statistics, algorithmics based schemata are the bases for securing, citizen, business and government data. Hence PKI evolution is of great concern to society and crypto community. cevm 15 November, 2017 C.E.Veni Madhavan (IISc) Quo Vadis PKI? 15 November 2017 24 / 24

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback