Deirdre Connolly
@durumcrustulum
8 Jan

DECO facilitates privacy-preserving proofs about TLS data to oracles and can be used for these smart contracts
#realworldcrypto

Deirdre Connolly
@durumcrustulum
8 Jan

Multiple sessions over multiple servers, looks similar to solving the hidden number problem, which can be attacked via the closest vector problem in a lattice
#realworldcrypto pic.twitter.com/3OvrK3aqIl

Deirdre Connolly
@durumcrustulum
8 Jan

Found these vulns in 7 out of 9 impls 🍵
#realworldcrypto pic.twitter.com/ziKVlxX2F6

Deirdre Connolly
@durumcrustulum
8 Jan

Paper includes layers of recommended mitigations, but if you really have to use RSA, separate your certificates.
But maybe just… please don't use RSA.
#realworldcrypto

Deirdre Connolly
@durumcrustulum
8 Jan

Bleichenbacher attacks in 2020
#realworldcrypto pic.twitter.com/87FmlVQxtY

Deirdre Connolly
@durumcrustulum
8 Jan

Next up! Deco: Liberating Web Data Using Decentralized Oracles for TLS
#realworldcrypto

Deirdre Connolly
@durumcrustulum
8 Jan

Applying DECO to smart contracts, like on blockchain thingies
#realworldcrypto

Deirdre Connolly
@durumcrustulum
8 Jan

Smart contracts need to be online to respond in a timely manner to things happening in the world.
#realworldcrypto

Deirdre Connolly
@durumcrustulum
8 Jan

✨decentralization ✨
for your decentralized smart contracts thing on a blockchain
#realworldcrypto pic.twitter.com/W8GvvB9CTX

Deirdre Connolly
@durumcrustulum
8 Jan

Possible solutions:
- change TLS to sign data
- trusted hardware (SGX*)
* welp
#realworldcrypto

Deirdre Connolly
@durumcrustulum
8 Jan

The primary goal is to prove provenance of TLS ciphertext.
#realworldcrypto

Deirdre Connolly
@durumcrustulum
8 Jan

(in zero knowledge)
#realworldcrypto

Deirdre Connolly
@durumcrustulum
8 Jan

The three-party handshake logo is cut off, my apologies
#realworldcrypto pic.twitter.com/0GjRpeSjBh

Deirdre Connolly
@durumcrustulum
8 Jan

(That ⭐operation is an elliptic curve group operation)
#realworldcrypto

Deirdre Connolly
@durumcrustulum
8 Jan

Results in a handshake circuit with AND complexity of ~770k, runs in ~1.40 seconds on a wired network. Plenty fast for DECO.
#realworldcrypto

Deirdre Connolly
@durumcrustulum
8 Jan

Why forego privacy?
#realworldcrypto pic.twitter.com/5ccbhx1dlE

Deirdre Connolly
@durumcrustulum
8 Jan

So, if this is a proof based on the TLS connection of the data provider, what happens when the data provider gets social engineered or forgets to patch their database backend?
#realworldcrypto

Deirdre Connolly
@durumcrustulum
8 Jan

Got more of the logo
#realworldcrypto pic.twitter.com/Ka2XtQURbI

Deirdre Connolly
@durumcrustulum
8 Jan

Q: In the MPC it's broken into two parts, what prevents a malicious input in the second part?
A: This will be caught later on in the protocol, in the proof stage; the two parties commit to their shares beforehand.
#realworldcrypto

Deirdre Connolly
@durumcrustulum
8 Jan

Short break ☕

Deirdre Connolly
@durumcrustulum
8 Jan

Next up is the first symmetric crypto session, starting with Attacks only get better: The case of OCB2 by Tetsu Iwata
#realworldcrypto

Deirdre Connolly
@durumcrustulum
8 Jan

"Say you want to encrypt a penguin"
#realworldcrypto pic.twitter.com/yzT36Fuedg

Deirdre Connolly
@durumcrustulum
8 Jan

No authenticity, allowing the ciphertext to be manipulated.
#REALWORLDCRYPTO pic.twitter.com/XwbeF4CX1L

Deirdre Connolly
@durumcrustulum
8 Jan

Nonce changes for every* encryption operation
*except when it doesn't, like when you ask the user to provide a nonce
#REALWORLDCRYPTO pic.twitter.com/twmxJ4qxUj

Deirdre Connolly
@durumcrustulum
8 Jan

GCM, CCM are NIST-certified
IETF ones include GCM, ChaCha20-Poly1305
CAESAR includes 6 more
Some more in the ongoing NIST lightweight crypto competition
#realworldcrypto

Deirdre Connolly
@durumcrustulum
8 Jan

OCB includes 3 versions, nonce-based AE with AD with strong features, including proof of security
#realworldcrypto pic.twitter.com/hZ9D7HyKXF

Deirdre Connolly
@durumcrustulum
8 Jan

No known vulnerabilities. 'Yet'.
#realworldcrypto pic.twitter.com/GhmBtWLc29

Deirdre Connolly
@durumcrustulum
8 Jan

Result: authenticity attack on OCB2, not related to the underlying block cipher.
#realworldcrypto pic.twitter.com/nRbwCXsRyi

Deirdre Connolly
@durumcrustulum
8 Jan

> SJCL affected
Free corgi pix to someone who collects metrics on real world usage of the SJCL in the wild. 🐕
#realworldcrypto

Deirdre Connolly
@durumcrustulum
8 Jan

If we encrypt the same message twice, the nonce will* be different and the ciphertext will be different.
* CAVEAT EMPTOR
#realworldcrypto

Deirdre Connolly
@durumcrustulum
8 Jan

Decryption:
#realworldcrypto pic.twitter.com/hsYHoQmcaR

Deirdre Connolly
@durumcrustulum
8 Jan

Simplest attack is a minimal forgery (existential forgery), adversary must know content of the message, it might not be that important but it's still not generated by the original sender.
#realworldcrypto pic.twitter.com/X1ibibpXF3

Deirdre Connolly
@durumcrustulum
8 Jan

On its own may not mean much, but can be leveraged into more powerful attacks.
#realworldcrypto