Decentralizing Authorities into Scalable Strongest-Link Cothorities
Ewa Syta, Iulia Tamas, Dylan Visher, David Wolinsky – Yale University
Bryan Ford, Linus Gasser, Nicolas Gailly – Swiss Federal Institute of Technology (EPFL)
Stanford University – October 9, 2015
We depend on many authorities
Conceptually simple but security-critical services
• Logging, Time-stamping Services, Digital Notaries
• Naming Authorities (ICANN)
• Certificate Authorities
• Randomness Authorities (e.g., Lotteries)
• Software Update Services
But are authorities trustworthy?
Talk Outline
• The Need to Decentralize Internet Authorities
• Witness Cothorities: Transparency via Collective Signing
• Timestamp Cothorities: Collectively Attesting Freshness
• Randomness Cothorities: Scalable Unbiased Randomness
• Conclusions and Future Work
Why do we have authorities?
[Diagram: Alice and Bob: check e-mail, send text message, download software update]
What is:
● Gmail's SSL public key?
● Bob's IM public key?
● Latest version of App?
[Diagram: the authority answers: “Respect my Authoritah!”]
When authorities go bad
[Diagram labels: Alice, authority (“Respect my Authoritah!”), Bob, Fake, Fake Bob, Fake]
Key Problem #1
Authorities (and their private keys) are powerful
● Bad CA → MITM any web site
● Bad keyserver → impersonate any user
● Bad update server → instant backdoor
Attractive targets for hackers, criminals, spy agencies
Key Problem #2
There are many authorities: e.g., hundreds of CAs trusted by web browsers
● Any CA can issue cert for any domain name
Hacker (or spy agency) needs only one CA key
● Weakest-link security
● @#$% happens
– DigiNotar, Comodo, CNNIC/MCS
Challenge: Decentralize Authorities
Challenge: Decentralize Authorities
Split important authority functions across multiple participants (preferably independent)
● So authority isn't compromised unless multiple participants compromised
From weakest-link to strongest-link security
Decentralizing Trust
We have many technical tools already
● “Anytrust”: 1-of-k servers honest, all k live
● Byzantine replication: 2/3 honest, 2/3 live
● Threshold cryptography, multisignatures
Example: Tor directory authority (8 servers)
Limitations of Trust-Splitting
Trust-splitting is rare, challenging to implement, usually scales only to small groups.
● Is splitting across 5-10 servers enough?
● Are they truly independent and diverse?
● Who chooses the composition and how?
Are we convinced there is no adversary powerful enough to hack 5 of 8 directory servers?
Grand Challenge: Trust Scaling
Large-scale collective authorities: “Cothorities”
● Split trust over hundreds, thousands of parties
● Correct unless large fraction compromised
E.g.: replace hundreds of CAs with one CA with authority split across hundreds of parties
● Diversity of servers, operators, organizations, countries, interests, software, hardware, …
● Make adding participants cheap, efficient
● Ensure security scales with size and sensitivity
Talk Outline
• The Need to Decentralize Internet Authorities
• Witness Cothorities: Transparency via Collective Signing
• CoSi: Scalable Collective Multisignatures
• Implementation and Preliminary Experimental Results
• Applications: Secure Logging, Proactive Transparency
• Timestamp Cothorities: Collectively Attesting Freshness
• Randomness Cothorities: Scalable Unbiased Randomness
• Conclusions and Future Work
A First-Step Goal
Generically improve security of any authority, independent of authority type or semantics
Introducing Witness Cothorities...
Witness Cothorities
“Who watches the watchers?”
Public witnesses!
Enforce two security properties:
● Any signed authoritative statement has been widely witnessed
● Any signed authoritative statement conforms to checkable standards
[Diagram labels: Witnesses, authority (“Respect my Authoritah!”)]
CoSi: Collective Signing
Operation:
● Authority server generates statements
● Witness servers collectively sanity-check and contribute to authority's signature
● Each statement gets a collective signature: small, quick and easy for anyone to verify
→ Authority (or key thief) can't sign anything in secret without many colluding followers
[Diagram: authority (leader) and witnesses form the witness cothority; example statements:]
“Bob's public key is Y.”
“The time is 3PM.”
“Gmail's public key is X.”
“The latest version of Firefox is Z.”
CoSi Crypto Primitives
Builds on well-known primitives:
• Merkle Trees
• Schnorr Signature and Multisignatures
CoSi builds upon existing primitives but makes it possible to scale to thousands of nodes
• Using communication trees and aggregation, as in scalable multicast protocols
Merkle Trees
• Every non-leaf node labeled with the hash of the labels of its children.
• Efficient verification of items added into the tree
• Authentication path - top hash and sibling hashes
[Diagram: tree over items A, B, C, D]
– Leaves: H(A) H(B) H(C) H(D)
– E=H(H(A)|H(B))
– F=H(H(C)|H(D))
– Top hash: G=H(H(E)|H(F))
Schnorr Signature
• Generator g of prime order q group
• Public/private key pair: (K = g^k, k)
Signer:
– Commitment: V = g^v
– Challenge: c = H(M|V)
– Response: r = (v - kc)
Signature on M: (c, r)
Verifier:
– Commitment recovery: V' = g^r K^c = g^(v-kc) g^(kc) = g^v = V
– Challenge recovery: c' = H(M|V')
– Decision: c' = c ?
Collective Signing
● Goal: collective signing with N signers
– Strawman: everyone produces a signature
– N signers -> N signatures -> N verifications
– Bad if we have thousands of signers
● Better choice: multisignatures
Schnorr Multisignature
• Key pairs: (K1 = g^k1, k1) and (K2 = g^k2, k2)
Signer 1:
– Commitment: V1 = g^v1
– Response: r1 = (v1 - k1c)
Signer 2:
– Commitment: V2 = g^v2
– Response: r2 = (v2 - k2c)
Aggregation:
– K = K1*K2
– V = V1*V2
– Challenge: c = H(M|V)
– r = r1+r2
Signature on M: (c, r)
Verifier:
– Commitment recovery: V' = g^r K^c
– Challenge recovery: c' = H(M|V')
– Decision: c' = c ?
Same signature! Same verification! Done once!
CoSi Protocol Setup
Merkle tree containing:
● Public keys Ki (discrete-log)
● Self-signed Certificates
● Aggregate keys K̂i
O(n) one-time verify cost, O(|n'-n|) group change
[Diagram: tree of nodes, each with its key, proof of knowledge and aggregate key]
– Node 1 (root): K1, PK{k1 | K1 = g^k1}, K̂1 = K1 K2 ... KN
– Node 2: K2, PK{k2 | K2 = g^k2}, K̂2 = K2 K3 K4
– Node 3: K3, PK{k3 | K3 = g^k3}, K̂3 = K3
– Node 4: K4, PK{k4 | K4 = g^k4}, K̂4 = K4
CoSi Protocol Rounds
1. Announcement Phase
2. Commitment Phase
3. Challenge Phase
4. Response Phase
CoSi Commit Phase
Merkle tree containing:
● Commits Vi
● Aggregate commits V̂i
Collective challenge c is root hash of per-round Merkle tree
[Diagram: tree of nodes, each with its commit and aggregate commit]
– Node 1 (root): V1 = g^v1, V̂1 = V1 V2 ... VN
– Node 2: V2 = g^v2, V̂2 = V2 V3 V4
– Node 3: V3 = g^v3, V̂3 = V3
– Node 4: V4 = g^v4, V̂4 = V4
Challenge c = H( )
CoSi Response Phase
Compute
● Responses ri
● Aggregate responses r̂i
Each (c, r̂i) forms valid partial signature
(c, r̂1) forms complete signature
[Diagram: tree of nodes, each with its response and aggregate response]
– Node 1 (root): r1 = v1 - k1c, r̂1 = r1 + r2 + ... + rN
– Node 2: r2 = v2 - k2c, r̂2 = r2 + r3 + r4
– Node 3: r3 = v3 - k3c, r̂3 = r3
– Node 4: r4 = v4 - k4c, r̂4 = r4
The Availability Problem
Assume server failures are rare but non-negligible
● Availability loss, DoS vulnerability if not addressed
● But persistently bad servers administratively booted
Two approaches:
● Exceptions – currently implemented, working
● Life Insurance – partially implemented, in-progress
Simple Solution: Exceptions
• If node A fails, remaining nodes create signature
• For a modified collective key: K' = K * K_A^(-1)
• Using a modified commitment: V' = V * V_A^(-1)
• And modified response: r' = r - r_A
• Client gets a signature under K' along with exception metadata e_A
• e_A also lists conditions under which it was issued
• Client accepts only if a quorum of nodes maintained
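
The Schnorr multisignature and the exception arithmetic from the slides above, as a runnable sketch added here (not code from the talk or from the DeDiS library). It assumes a toy group (p = 2039, q = 1019, g = 4), four constructed witnesses w1..w4 and hypothetical helper names; the products and sums it computes in one place are what the CoSi tree aggregates hop by hop.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example and far too small for real use:
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4


def challenge(msg: bytes, V: int) -> int:
    """c = H(M | V), kept as the full 256-bit digest value."""
    digest = hashlib.sha256(msg + b"|" + str(V).encode()).digest()
    return int.from_bytes(digest, "big")


def keygen():
    """Return a key pair (k, K = g^k)."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)


def aggregate_key(pubkeys) -> int:
    """K = K1 * K2 * ... * KN (mod P)."""
    K = 1
    for Ki in pubkeys:
        K = K * Ki % P
    return K


def verify(msg: bytes, K: int, sig) -> bool:
    """Check from the slides: V' = g^r K^c, accept iff H(M | V') == c."""
    c, r = sig
    V_prime = pow(G, r, P) * pow(K, c, P) % P
    return challenge(msg, V_prime) == c


def collective_sign(msg: bytes, keypairs: dict, offline=()):
    """One signing round over the nodes that are up.

    keypairs maps node name -> (k, K). Nodes named in `offline` contribute
    nothing, so the result is a signature under K' = K * prod(K_A^-1).
    Returns ((c, r), exceptions).
    """
    live = [name for name in keypairs if name not in offline]
    v = {name: secrets.randbelow(Q - 1) + 1 for name in live}   # per-round secrets v_i
    V = 1
    for name in live:                       # aggregate commit over live nodes only
        V = V * pow(G, v[name], P) % P
    c = challenge(msg, V)
    r = sum(v[n] - keypairs[n][0] * c for n in live) % Q        # sum of r_i = v_i - k_i c
    return (c, r), sorted(offline)


def client_verify(msg: bytes, roster: dict, sig, exceptions, quorum: int) -> bool:
    """Client policy: accept only if enough witnesses signed.

    roster maps node name -> public key K_i. Assumes every roster key passed
    the PK{k | K = g^k} check from the setup slide; without that check an
    aggregate key is open to rogue-key substitution.
    """
    missing = set(exceptions)
    if len(missing) != len(exceptions) or not missing.issubset(roster):
        return False                        # malformed exception list
    if len(roster) - len(missing) < quorum:
        return False                        # quorum of nodes not maintained
    K_prime = aggregate_key(roster.values())
    for name in missing:                    # K' = K * K_A^-1 for each absent node A
        K_prime = K_prime * pow(roster[name], P - 2, P) % P
    return verify(msg, K_prime, sig)


def demo() -> dict:
    keypairs = {f"w{i}": keygen() for i in range(1, 5)}         # constructed cothority
    roster = {name: pair[1] for name, pair in keypairs.items()}
    msg = b"The latest version of Firefox is Z."
    sig_all, exc_all = collective_sign(msg, keypairs)
    sig_one, exc_one = collective_sign(msg, keypairs, offline=["w3"])
    sig_two, exc_two = collective_sign(msg, keypairs, offline=["w2", "w3"])
    return {
        "all_live": client_verify(msg, roster, sig_all, exc_all, quorum=3),
        "one_down": client_verify(msg, roster, sig_one, exc_one, quorum=3),
        "below_quorum": client_verify(msg, roster, sig_two, exc_two, quorum=3),
        "tampered": client_verify(b"The latest version of Firefox is Y.",
                                  roster, sig_all, exc_all, quorum=3),
    }


if __name__ == "__main__":
    print(demo())
```

The quorum threshold is the client's own policy input: a signature that verifies under K' says only that the listed remainder signed, not that the remainder is large enough.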
Talk Outline
• The Need to Decentralize Internet Authorities
• Witness Cothorities: Transparency via Collective Signing
• CoSi: Scalable Collective Multisignatures
• Implementation and Preliminary Results
• Applications: Secure Logging, Proactive Transparency
• Timestamp Cothorities: Collectively Attesting Freshness
• Randomness Cothorities: Scalable Unbiased Randomness
• Conclusions and Future Work
Implementation
● Implemented in Go with dedis crypto library
– https://github.com/DeDiS/crypto
● Schnorr multisignatures on Ed25519 curve
– AGL's Go port of DJB's optimized code
● Run experiments on DeterLab
– Up to 8192 virtual CoSi nodes
– Multiplexed atop up to 64 physical machines
– Latency: 100ms roundtrip between two servers
[Figure: Results: Collective Signing Time]
[Figure: Results: Computation Cost]
Talk Outline
• The Need to Decentralize Internet Authorities
• Witness Cothorities: Transparency via Collective Signing
• CoSi: Scalable Collective Multisignatures
• Implementation and Preliminary Experimental Results
• Applications: Logging, Proactive Transparency
• Timestamp Cothorities: Collectively Attesting Freshness
• Randomness Cothorities: Scalable Unbiased Randomness
• Conclusions and Future Work
Application: Secure Logging
● Many authorities make “public statements”
● Often recorded in tamper-evident public log
– Hash chains for consistency verification
● But hashes don't address equivocation…
● Or freshness…
[Diagrams: log record1, record2, record3 with Head; forked log with two versions of record3 under Head 1 and Head 2; log record1, record2, record3 with “Head”]
Witnessing Public Log Servers
● Witnesses collectively verify log structure, Leader can't equivocate without being busted
[Diagram: log server and witnesses form the witness cothority; record1, record2, record3, each record collectively signed]
The Transparency Challenge
[Diagram labels: Alice, authority (“Respect my Authoritah!”), Bob, Fake, Fake Bob, Fake]
Current Transparency Solutions
● Perspectives
● Certificate Transparency
● AKI, ARPKI
● CONIKS
[Diagram labels: Alice, authority (“Respect my Authoritah!”), Bob; witnesses: public logs, monitors, auditors]
An Important Assumption
Assumes Alice can, and is willing to, gossip with witnesses
Takes time, may compromise Alice's privacy
[Diagram labels: Freetopia; Alice, authority (“Respect my Authoritah!”), Bob; witnesses: public logs, monitors, auditors]
A Different Scenario
[Diagram labels: Tyrannia, Freetopia; Alice, authority (“Respect my Authoritah!”), Bob; witnesses: public logs, monitors, auditors; Gen. Rex, Fake CA, Fake Log]
Gossip versus Collective Signing
Gossip can't protect Alice if she...
● Can't (because she's in Tyrannia)
● Doesn't want to (for privacy), or
● Doesn't have time to
cross-check each authoritative statement.
Collective signing proactively protects her from secret attacks even via her access network.
● Attacker can't secretly produce valid signature
Talk Outline
• The Need to Decentralize Internet Authorities
• Witness Cothorities: Transparency via Collective Signing
• Timestamp Cothorities: Collectively Attesting Freshness
• Randomness Cothorities: Scalable Unbiased Randomness
• Conclusions and Future Work
Software Update Scenario
Alice, traveling in Tyrannia, is offered a software update for her favorite app
● Claims to be “latest version” - but is it?
● Rex's firewall might inject authentic but outdated, now exploitable version
● If Alice accepts, she is instantly Pwned; retroactive transparency won't help!
Timestamping Cothority
Like classic digital timestamp services, only decentralized.
● Each round (e.g., 10 secs):
1) Each server collects hashes, nonces to timestamp
2) Each server aggregates hashes into Merkle tree
3) Servers aggregate local trees into one global tree
4) Servers collectively sign root of global tree
5) Servers give signed root + inclusion proof to clients
● Clients verify signature + Merkle inclusion proof
Verifiably Fresh Software Updates
Alice accepts only updates with fresh timestamp:
● Knows update can't be an outdated version: tree contains inclusion proof of her nonce
● Knows update can't have targeted backdoor: witness cothority ensures many parties saw it
[Diagram labels: Fresh Update Authority, Witnesses, Alice, Software Update, Merkle Tree, Alice's nonce]
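
The timestamping round and Alice's freshness check, as an added example (not code from the talk); it also covers the Merkle authentication path from the earlier Merkle Trees slide. The statement layout, the helper names and the leaf/node prefix bytes are assumptions of this sketch, and the collective signature on the statement is assumed to have been verified already.

```python
import hashlib
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(item: bytes) -> bytes:
    # The 0x00/0x01 prefixes keep leaves and interior nodes distinct. This is
    # hardening added in this example; the slides write plain H(A), H(H(A)|H(B)).
    return sha256(b"\x00" + item)


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def build_levels(items):
    """Return every tree level, leaves first; the last level holds the top hash."""
    if not items:
        raise ValueError("a round needs at least one item")
    level = [leaf_hash(item) for item in items]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(node_hash(level[i], level[i + 1]))
            else:
                nxt.append(level[i])        # odd node is promoted unchanged
        level = nxt
        levels.append(level)
    return levels


def inclusion_proof(levels, index):
    """Authentication path for leaf `index`: [(sibling_hash, sibling_is_left), ...]."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):            # a promoted node has no sibling here
            path.append((level[sibling], sibling < index))
        index //= 2
    return path


def verify_inclusion(item: bytes, path, root: bytes) -> bool:
    """Recompute the top hash from the item and its sibling hashes."""
    h = leaf_hash(item)
    for sibling, sibling_is_left in path:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


def alice_accepts(update: bytes, nonce: bytes, path, statement: dict) -> bool:
    """Accept only the update named in a statement whose tree contains Alice's nonce.

    statement = {"root": ..., "update_sha256": ...} is a layout assumed for this
    example; its collective signature is taken as already verified.
    """
    return (sha256(update) == statement["update_sha256"]
            and verify_inclusion(nonce, path, statement["root"]))


def demo() -> dict:
    old_update, new_update = b"app-1.0 (constructed)", b"app-1.1 (constructed)"
    # An earlier round, signed before Alice asked: her nonce cannot be in its tree.
    old_levels = build_levels([sha256(b"doc-%d" % i) for i in range(4)])
    old_stmt = {"root": old_levels[-1][0], "update_sha256": sha256(old_update)}
    # The current round: Alice's fresh nonce is one of five submitted items.
    nonce = secrets.token_bytes(16)
    items = [sha256(b"doc-4"), nonce, sha256(b"doc-5"), sha256(b"doc-6"), sha256(b"doc-7")]
    levels = build_levels(items)
    stmt = {"root": levels[-1][0], "update_sha256": sha256(new_update)}
    path = inclusion_proof(levels, 1)
    return {
        "fresh": alice_accepts(new_update, nonce, path, stmt),
        # Authentic but outdated statement replayed with one of its own proofs.
        "replayed_old_round": alice_accepts(old_update, nonce,
                                            inclusion_proof(old_levels, 1), old_stmt),
        # Fresh statement, but the delivered binary is the old version.
        "old_binary": alice_accepts(old_update, nonce, path, stmt),
    }


if __name__ == "__main__":
    print(demo())
```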
Talk Outline
• The Need to Decentralize Internet Authorities
• Witness Cothorities: Transparency via Collective Signing
• Timestamp Cothorities: Collectively Attesting Freshness
• Randomness Cothorities: Unbiased Public Randomness
• Conclusions and Future Work
Unbiased Public Randomness
Need authority that can “flip coins” in public, convince everyone result is fair and unbiased.
● Choose lottery winner
● Sampling ballots in election auditing
● Pick BFT clusters from large pool of servers
● Divide large user network into smaller random anonymity sets
– e.g., Herbivore [Goel/Sirer '04]
Related: Existing Approaches
Algorithmic work on quorum-building
● e.g., King et al, ICDCN 2011
● Unclear how to implement, apply
Randomness via “slow hashes”
● e.g., Lenstra/Wesolowski, 2015
● New, nonstandard crypto assumptions
CoSi Protocol Responses?
Appealing near-solution:
● Contributions from all participants
● Committed in advance, unpredictable until last phase
But can still be biased by leader with k colluders
● Use exceptions to pick “best of” 2^k outcomes
[Diagram: tree of nodes, each with its response and aggregate response]
– Node 1 (root): r1 = v1 - k1c, r̂1 = r1 + r2 + ... + rN
– Node 2: r2 = v2 - k2c, r̂2 = r2 + r3 + r4
– Node 3: r3 = v3 - k3c, r̂3 = r3
– Node 4: r4 = v4 - k4c, r̂4 = r4
Availability via “life insurance”
• Node "insures" its private key by depositing the key shares with threshold group of “trustee” servers
– Shamir verifiable secret sharing (VSS)
• Trustees can sign on behalf of failed node
[Diagram labels: shares s1, s2, s3]
The Challenge
How to pick set of trustees for given witness?
● All nodes trustees (JVSS): doesn't scale, O(N^2)
● Witness-chosen: can pick bad group → DoS
● Leader-chosen: pick cronies, get secret early
We need unbiased public randomness to pick these random trustee subgroups, to get unbiased public randomness!
RandHound: Protocol Sketch
Intuition: bootstrap from pairwise unbiased randomness
1) Leader commits to random value RL, each follower i commits to random Ri
2) Reveal; follower i picks trustees via H(RL,Ri), deals secret Si to picked trustees
3) Leader commits to threshold set of secrets s.t. must include at least one honest follower
4) Followers reveal dealt secret shares
RandHound: Security Properties
Assuming a fraction of participants are honest:
Unpredictability: no one can recover the (one) honest follower's secret before final reveal phase
Unbiasability: only one possible outcome after leader's threshold-set commit in phase 3
Availability: protocol runs to completion w.h.p. unless leader dishonestly colludes to DoS itself
Scalability: O(NT), where # trustees T depends only on security parameter
Status
Still preliminary:
● Initial implementation working (code available on DeDiS github)
● Experimentation in-progress
● Cothority integration in-progress
Talk Outline
• The Need to Decentralize Internet Authorities
• Witness Cothorities: Transparency via Collective Signing
• Timestamp Cothorities: Collectively Attesting Freshness
• Randomness Cothorities: Scalable Unbiased Randomness
• Conclusions and Future Work
Ongoing/Future Work
Backward-compatible integration into authorities
● Web PKI: Certificate Authorities, CT, AKI
● Personal PKI: PGP keyservers, CONIKS
● Practical software release, update services
Build more general collective authorities...
Towards Better Blockchains?
Decentralized consensus, secure ledgers
● Without proof-of-work and massive power waste
● Without risk of temporary forks
● Without 51% attack vulnerability
● Stronger protection for clients, “light” nodes
– Just check one log-head signature for correctness
● Efficient: with FawkesCoin hash-based ledger, just one public-key crypto operation per round
● Scalable: every server need not store, verify every record throughout blockchain history
Conclusion
Cothorities build on old ideas
● Distributed/Byzantine consensus protocols
● Threshold cryptography, multisignatures
But demonstrate how to scale trust-splitting
● Strongest-link security among many witnesses
● Practical: demonstrated for 8000+ participants
● Efficient: 1.5-second signing latency at scale
More details: http://arxiv.org/abs/1503.08768