LiangWang1,GiladAsharov2,RafaelPass2,ThomasRistenpart2,abhishelat3

BlindCertificateAuthorities

1PrincetonUniversity2CornellTech3NortheasternUniversity

Motivation

CertificateAuthorities(CA)issuecertificates

CA(identityprovider)

•  Email•  Websitelogin•  Anonymouscredentialsystems•  ….

User

Validateidentity

Certificatesbindpublickeystoidentities

Requestcert

Identity+

TheusermustrevealtrueidentitytotheCAduringidentityvalidation

Identityissensitive

Whistleblower JournalistIamworkingatUniversityABC...ProfessorXtookbribes!

OK.First,proveyouareworkingatABC…(AfriendofProfessorX?)

CA

Third-partyorfromUniversityABC

?

CA(identityprovider)

•  PGP•  Websitelogin•  Anonymouscredentialsystems•  ….

User

Validateidentity

Requestcert

Identity+

alice@domain.com:cert1bob@gmail.com:cert2…..

CA:singlepointofprivacyfailure

CanwemakeCA“blind”?

Mainchallenge:Validateanidentitywhilenotlearningit

YES!!!

Contributions•  SecureChannelInjection(SCI):

o  Aprimitiveallowsapartytoinjectasmallamountofinformationintoasecureconnectionbetweentwoparties

o  (SCI-TLS)Anefficient,special-purposeMPCprotocolfortwopartiestocomputeaTLSrecord

•  AnonymousProofofAccountOwnership(PAO):

o  Validateoneownssomeemailaccountsfromagivenorganizationwithoutknowingwhichaccount

•  BlindCA:o  Validateownershipofanaccountalice@domain.comandissueaX.509certificate

binding“alice”toapublickey,withoutlearningtheaccountandthekey

Emailisthemostcommonidentity

Myemailis:alice@domain.com To:alice@domain.com

Emailprovider

Username:alicePassword:???

User

CA

Conventionalemailverification

ProveaccountownershipbyshowingtheabilitytoREADanemailfromanaccount

SecureChannelInjection(SCI)

M1

Alice Bob

Carol

M*

M2 Mn……

M1

Alice Bob

CarolM*

M2 Mn……

MPC

SecureChannelInjection(SCI)

M1

Alice Bob

Carol

M* Mn…………

SecureChannelInjection(SCI)

Alice:LearnsnothingaboutM*Bob:Doesn’tknowM*isfromCarolCarol:LearnsnothingaboutothermessagesfromAlice

Myemailis:alice@domain.com To:alice@domain.com

Emailprovider

Username:alicePassword:???

User

CA

Conventionalemailverification

ProveaccountownershipbyshowingtheabilitytoREADanemailfromanaccount

UserSMTPserver@domain.com

Anonymousproofofaccountownership(PAO)

CA

Sendanemailfrom:alice@domain.comTo:alice1

SCI alice1

ProveaccountownershipbyshowingtheabilitytoSENDanemailfromanaccount

Goal:ValidateAliceownssomeemailaccountsfromdomain.com

PAOusecases

Whistleblower Journalist

IcansendanemailfromABC’ssmtpserverEmployee

AnonymousPAOneedstouseMPCtocomputeTLSrecords

SQN + HDR

HMAC tag

HMAC

AES-CBC

Ciphertext

M

M

M

Padding

HDR

IV

TLSAES-CBCwithSHA256

Fora512-byteemailand16-bytechallenge•  GenericMPC:32AESand8SHA256operationsà0.94M+ANDgates

Merkle–DamgårdConstruction

f f f

Block1 Bock2 BlockN

IV

Padding

M

Two-partySHA:“Outsource”SHAcomputation

f

BlockX

BlockX+1toX+K

User+CA

f

BlockX+K+1

f

CA UserUser

SendoutputofftoCA SendoutputofftoUser

M*Kblocks

Two-partyAESCBC

BlockX

BlockX+1toX+K

BlockX+K+1

MPC---Alice:keyCA:blocks UserUser

AES

CipherX

SendtoCA

AES

CipherX+1toX+K

AESSendtoUser

Kblocks

User+CA

M*

AnonymousPAOneedstouseMPCtocomputeTLSrecords

SQN + HDR

HMAC tag

HMAC

AES-CBC

Ciphertext

M

M

M

Padding

HDR

IV

TLSAES-CBCmode

Fora512-byteemailand16-bytechallenge•  GenericMPC:32AESand8SHA-256operationsà0.94M+ANDgates•  Ourprotocol:4AESoperationsà27K+ANDgates;NOMPCforHMAC

AsimplifiedSMTPsessionSMTPclient

STARTTLSSMTPserver

EHLO

DATA

AUTHStep2:Authentication

Step1:SetupTLSandprepareforauth

Step3:PrepareforemailRCPT MAIL

Step4:SendemailEMAIL

SMTPclient(user)STARTTLS

SMTPserverEHLO

DATA

AUTHStep2:Authentication

Step1:SetupTLSandprepareforauth

Step3:PrepareforemailRCPT MAIL

Step4:SendemailEMAIL

BlindCA:TLSrecordascommitment

TheSMTPAUTHmessagecontainsemailaccount(useridentity)

CA

SMTPclient(user)STARTTLS

SMTPserverEHLO

DATA

AUTHStep2:Authentication

Step1:SetupTLSandprepareforauth

Step3:PrepareforemailRCPT MAIL

Step4:SendemailEMAIL

BlindCA:AnonymousPAOCA

SMTPclient(user)STARTTLS

SMTPserverEHLO

DATA

AUTHStep2:Authentication

Step1:SetupTLSandprepareforauth

Step3:PrepareforemailRCPT MAIL

Step4:SendemailEMAIL

BlindCA:AnonymousPAOCA

Challenge Commitment …

abc eee… …123 fff… …

... ... …

ProverproducesaZKBooproof

CA:Sharesacertificatetemplatewiththeusero  Allfieldsareknownexceptforsubjectandpublickey

Issuer:BlindCASubject:?@abcPublickey:?Version:…

•  Theemailaccount(e1)andpublickeyforformingthecertificate•  TheopeningoftheTLScommitment:

o  secretkeys,emailaccount(e2)andpassword•  e1=e2

SingleBooleancircuit!

Giacomelli,Irene,JesperMadsen,andClaudioOrlandi."Zkboo:Fasterzero-knowledgeforbooleancircuits."USENIXSecurity2016.

User:Fillsinmissinginfo,producesthehashofthecert;Generatesazkbooprooftoshowtheknowledgeof:

CAverifiesproofsandsignsChallenge:123Hashofcert:hZKbooproof

User CA

Sign(h)

Challenge Commitment …

abc eee… …123 fff… …

... ... …

BlindCAoverheadLoc1(NoTor) Loc2(NoTor) Loc1(WithTor)

2P-HMAC 0.01 0.03 0.31

2P-CBC 0.20 0.35 0.36

PAO 0.76 1.68 4.31

SMTPBaseline 0.31 0.77 3.33

Themediantime(seconds)tocompletethe2P-HMAC,2P-CBC(withoutoffline),PAO(withoutoffline)andnormalSMTP-TLS

•  PAOTestwithGmail,UW-Madison,andCornellSMTPservers:o  PAO(withoutoffline):1.01s,1.64s,1.53so  WithoutPAO:0.44s,0.94s,0.79s

•  BlindCAproof(136ZKBooproofs):o  Size:85M+o  Generation:2.9so  Verification:2.3s

Sessiondurationisnotagooddetector

ThedistributionoftheSMTPdurationsislong-tailed(basedon8K+SMTP-TLSsessions).

15%>10s!

Summary•  Wedesignthefirst“blind”CA:aCAthatcanvalidateidentitiesandissuecertificateswithoutlearningtheidentityo  SCIforTLSAES-CBCandAES-GCM(seepaper)

•  Participationprivacy:doesnotdisclosetoanypartytheidentitiesofusers

•  Pleaseseeourpaperformoredetails(securityproofs,securityanalysis,etc.)!

Thankyou!

Title