CRYPTO AND PRIVACY VILLAGE - Implementing a Library for Pairing-based Transform Cryptography

Video thumbnail (Frame 0) Video thumbnail (Frame 913) Video thumbnail (Frame 3079) Video thumbnail (Frame 4037) Video thumbnail (Frame 5328) Video thumbnail (Frame 8055) Video thumbnail (Frame 9680) Video thumbnail (Frame 12417) Video thumbnail (Frame 13367) Video thumbnail (Frame 14932) Video thumbnail (Frame 16877) Video thumbnail (Frame 17968) Video thumbnail (Frame 19114) Video thumbnail (Frame 21075) Video thumbnail (Frame 21939) Video thumbnail (Frame 23429) Video thumbnail (Frame 25922) Video thumbnail (Frame 27347) Video thumbnail (Frame 28676) Video thumbnail (Frame 30141) Video thumbnail (Frame 31980) Video thumbnail (Frame 33103) Video thumbnail (Frame 34321) Video thumbnail (Frame 37557) Video thumbnail (Frame 39049) Video thumbnail (Frame 40249) Video thumbnail (Frame 41219) Video thumbnail (Frame 46627) Video thumbnail (Frame 48035) Video thumbnail (Frame 50309) Video thumbnail (Frame 51181) Video thumbnail (Frame 53719) Video thumbnail (Frame 54589) Video thumbnail (Frame 55545) Video thumbnail (Frame 57817) Video thumbnail (Frame 59237)
Video in TIB AV-Portal: CRYPTO AND PRIVACY VILLAGE - Implementing a Library for Pairing-based Transform Cryptography

Formal Metadata

Title
CRYPTO AND PRIVACY VILLAGE - Implementing a Library for Pairing-based Transform Cryptography
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Mathematics Cryptography Core dump Cryptography Library (computing) Library (computing) Singuläres Integral
Email Transformation (genetics) Core dump Cryptography Automatic differentiation Web 2.0 Facebook Hypermedia Core dump Data center Point cloud Website Library (computing) Point cloud
Tablet computer Encryption Cuboid Core dump Encryption Public-key cryptography
Mobile app Group action Mobile app Encryption Core dump Encryption Cartesian coordinate system Public-key cryptography Element (mathematics) Local Group
Logical constant Group action Game controller Computer file Observational study Multiplication sign System administrator Orthogonality Field (computer science) Element (mathematics) Number Software bug Local Group Independence (probability theory) Zugriffskontrolle Mathematics Envelope (mathematics) Military operation Operator (mathematics) Orthogonality Encryption Physical system Key (cryptography) System administrator Electronic mailing list Core dump Group action Cryptography Public-key cryptography Element (mathematics) Envelope (mathematics) Encryption Physical system
Game controller Server (computing) Group action Proxy server Computer file Algorithm Transformation (genetics) Primitive (album) Heat transfer Mathematics Cryptography Orthogonality Operator (mathematics) Encryption Message passing Proxy server Email Algorithm Electric generator Key (cryptography) Core dump Transformation (genetics) Cryptography Public-key cryptography Elliptic curve Category of being Message passing Encryption Singuläres Integral
Trail Message passing Mathematics Algorithm Key (cryptography) Computer file Transformation (genetics) Encryption Core dump Proxy server Public-key cryptography
Group action Key (cryptography) System administrator Orthogonality Core dump Public-key cryptography Local Group Zugriffskontrolle Operator (mathematics) Orthogonality Order (biology) Encryption Control system
Group action Computer file System administrator Core dump Hydraulic jump Proxy server Public-key cryptography Number Local Group
Laptop Group action Key (cryptography) Multiplication sign Core dump ACID Web browser Mereology Public-key cryptography Local Group Category of being Orthogonality Order (biology) Encryption Energy level Right angle Key (cryptography) Information security Proxy server Control system
Algorithm Encryption Core dump Public-key cryptography Proxy server Binary multiplier
Group action Addition Proxy server Transformation (genetics) Decimal Demo (music) Core dump Local Group Hierarchy Chain Proxy server Physical system Physical system
Logical constant Group action Dynamical system Logical constant Service (economics) Key (cryptography) Information Multiplication sign Core dump Bit Heat transfer Group action Information privacy Scalability Military operation Internet service provider Encryption Right angle Software framework Key (cryptography) Encryption Proxy server
Standard deviation Service (economics) Proxy server Open source Software developer Algorithm Ellipse Primitive (album) Mereology Mathematics Cryptography Repository (publishing) Proxy server Library (computing) Software development kit Source code Key (cryptography) Core dump Bit Transformation (genetics) Cryptography Elliptic curve Software development kit Repository (publishing) Function (mathematics) Physical system Library (computing)
Point (geometry) Group action Functional (mathematics) Multiplication Constraint (mathematics) Texture mapping Set (mathematics) Parameter (computer programming) Core dump Cryptography Field (computer science) Element (mathematics) Local Group Elliptic curve Sign (mathematics) Category of being Operator (mathematics) Scalar field Order (biology) Bilinear map Bilinear map
Point (geometry) Group action State of matter Multiplication sign Set (mathematics) Instance (computer science) Field (computer science) Number Element (mathematics) Local Group Mathematics Cryptography Einheitswurzel Encryption Extension (kinesiology) Curve Multiplication Point (geometry) Core dump Bit Group action Cryptography 1 (number) Elliptic curve Degree (graph theory) Root Scalar field Order (biology) Right angle
Point (geometry) Group action Server (computing) Greatest element Key (cryptography) Multiplication sign Core dump Bit Public-key cryptography Element (mathematics) 2 (number) Message passing Negative number Linearization Encryption Key (cryptography) Encryption Message passing Binary multiplier Library (computing)
Point (geometry) Group action Curve Ellipse Mathematical analysis Infinity Mereology Prime number Equivalence relation Field (computer science) Neuroinformatik Local Group Sieve of Eratosthenes Estimator Cryptography Extension (kinesiology) Information security Algebraic number field Standard deviation 12 (number) Key (cryptography) Discrete group Point (geometry) Core dump Field (computer science) Bit Cryptography Public-key cryptography Elliptic curve Degree (graph theory) Number Personal digital assistant Order (biology) Key (cryptography) Musical ensemble Information security Extension (kinesiology)
Slide rule Server (computing) Key (cryptography) Code Transformation (genetics) Core dump Group action Disk read-and-write head Public-key cryptography Subgroup Data management Process (computing) Addressing mode Different (Kate Ryan album) Self-organization Physical system Library (computing)
Group action Whiteboard Multiplication sign Self-organization Core dump Whiteboard
Point (geometry) Group action Functional (mathematics) Server (computing) Randomization Random number generation Transformation (genetics) Code Multiplication sign 1 (number) Set (mathematics) Numbering scheme Web browser Heat transfer Element (mathematics) Sign (mathematics) Mathematics Formal verification Encryption Error message Computing platform Social class Physical system Electric generator Key (cryptography) Sampling (statistics) Core dump Cryptography Public-key cryptography Subgroup Type theory Vector space Self-organization Right angle Key (cryptography) Library (computing)
Group action Algorithm Key (cryptography) Information Code Transport Layer Security Data storage device Core dump Database Heat transfer Avatar (2009 film) Public-key cryptography Flow separation Local Group Message passing Sign (mathematics) Repository (publishing) Encryption Library (computing)
Type theory Group action Functional (mathematics) Multiplication Transformation (genetics) Operator (mathematics) Core dump Shape (magazine) Public-key cryptography Proxy server
Inheritance (object-oriented programming) Core dump Cryptography
Category of being Key (cryptography) Software repository Augmented reality Personal digital assistant Core dump Encryption Energy level Core dump Software testing Subgroup
Rotation Group action Key (cryptography) Transformation (genetics) Multiplication sign Core dump Database Cryptography Limit (category theory) Subgroup Local Group Mathematics Encryption Right angle Key (cryptography) Freeware Proxy server
Group action Open source Code Transformation (genetics) System administrator Multiplication sign Control flow Heat transfer Mereology Disk read-and-write head Element (mathematics) Local Group Wave Frequency Envelope (mathematics) Operator (mathematics) Computer hardware Authorization Encryption Symmetric-key algorithm Proxy server Information security Computing platform Identity management Physical system Multiplication Key (cryptography) Augmented reality Data storage device Planning Core dump Group action Benchmark Public-key cryptography Element (mathematics) Secret sharing Arithmetic mean Software repository Computing platform Self-organization Key (cryptography) Quicksort Identity management Library (computing) Singuläres Integral
please welcome our next speaker Bob wall and Colt the Federation on implementing a library for a pairing based transform cryptography thanks everyone thanks for sticking it out to the bitter end almost the bitter end I imagine so you might have been out partying last night anyone's hangover but special warning there is some math in here so you know consider yourself warned so I Colt and I both work together in a
company called iron core labs so we'll talk about this transform cryptography library that we've implemented and some of the background about it
so obviously the it we we've known the answer to this question for quite a while before Facebook got face palmed but you can maybe tell by my gray hair that I've actually got to watch the world wide web get started and it took off and then the cloud stuff started and it seemed like hey this might be really pretty cool you know it especially people that were doing IT and setting up data centers like wow this might be great and then we started getting some reach notifications we heard about Yahoo we heard about anthem we heard about the Office of Personnel Management or the OMB heard about Facebook I imagine at least a few of you out there have gotten a breach notification that from some company so starting to get a little bit if hear about the cloud and even if you disregard the breaches and think about the weird things that happen when somebody sends you an email or you send somebody an email and then you go to some social media site or Google and look at the ads that get presented to you it's like it's a little creepy I find it a little creepy anyway so maybe the cloud has some downsides after all so what can we do about that but what are some things that we can do to start fighting back against that and one of
the obvious answers is endian decryption so if I've got a device browse phone or tablet and I want to generate some data and I want to make it available to someone else and it stays encrypted and until it gets to their device and they can decrypt it so hopefully they're probably their private key that unlocks it stays on there twice and in between it doesn't matter we don't have to trust anyone we don't have to believe that somebody's going to be upstanding including if we send that
stuff through we stored on Dropbox or box say it doesn't matter if they want to look at it or not they're not gonna be able to so we've seen a kind of a
take off of and end encryption apps and there are a few of them that are popular you'll notice that most of these Indian cryptid applications now have something in common and that is that they're primarily designed for messaging and they're mostly designed for person-to-person channels so they're not really designed for something where you might want to send something to a group of people and they're especially not designed for something where that group of people might be big and or very dynamic the membership of the group changing a lot and there's a reason for that because it's just not that easy if
you think about say you're a masochist and you want to encrypt some data to a group of people and you want to use GPG to do it you get all of those peoples public keys you stuff those all into the GPT command line and say hey encrypt this document it does it and every one of those people can use their private key to decrypt it okay that's pretty good and just kind of a side note here and
this will be kind of important as we talk through this what we're talking about what GPG does and what everything that does public key crypto pretty much does is envelope encryption so they don't actually use key crypto to encrypt that whole document because it's slow and painful they generate a random team probably in a EES key the encrypted document with that and then they take that random key and they encrypt it with each of those public keys and stuff that on the start of the document or at the end of the document or somewhere in that file so so I've got this file now I've encrypted it to say three or four people everything's good but now suppose I want to add another person well that means that one of the people that can unlock the document needs to decrypt it get those lists of public keys that were already used to get the list of the extra public key that they want to add Andry encrypt the documents save it back out there so that's not tremendously convenient and it's really not convenient if if the group is changing fast you wouldn't want to have to do that 20 times a day for sure removing access is pretty much the same thing you have to go get the document you have to decrypt it we encrypt it was a list of keys that excludes the people you want to remove access from so obviously that is not scalable so we want to build a system
that has we call orthogonal access control and that just means that we would like users to decide which groups of people should be able to access their data without knowing who belongs to the group and then independently from that the administrators of those groups should be able to add or remove members without me knowing about it and so this is obviously not a new idea I mean UNIX groups are essentially this but we want something that relies on cryptographic access control instead of policy so it's harder to break it harder to mess it up if somebody makes a programming error it it will matter a lot less because unless you have the keys you can't unlock it and we want a system where each change in group membership or an access grant or revocation is basically very fast a constant time operation that's independent of a number of users that were managing or the number of documents and more files or the number of groups that we have so what's a way to do that there's a field of study in
cryptography called proxy encryption it's been around for around 20 years it hasn't really gotten too widespread of an adoption but it it provides a lot of these properties that we need to do this orthogonal access control so most of the proxy encryption algorithms are based on public key cryptography and almost all of them are actually based on pairings which we'll talk about a little more detail and that's where the math might start to sneak in proxy encryption was originally designed to allow someone who receives encrypted messages to delegate the ability to decrypt those messages to someone else without having to give them her private key so you can imagine see we've got a mail server that's running with proxy encryption and we've got a group of people that are using it so Alice has public private key pair she's gonna set up on the mail server and she's getting encrypted emails and she decrypt them and then she's gonna go on vacation she wants to pop to take over for a while she's gone but she would really rather not give Bob her public key cuz he's kind of a doofus and he will probably lose it so with proxy encryption she she says okay I'm gonna delegate to Bob she calculates this re-encrypted token and sends it to the proxy server the email server and then when the email server sees emails coming in and cryptid to Alice it can apply that transform key and do a transformation that makes that data encrypted to Bob without decrypting it the mail server never saw the plaintext it only had this token that allowed it to transform from encrypted to Alice to encrypted to Bob so that's what proxy encryption was designed to do proxy encryption algorithms usually have
five primitives key generation and again almost everyone I've seen is just straight-up elliptic curve key generation transform keygen which is a little more involved encryption and transformation and we encourage we've taken to calling this transfer encryption and calling this step transformation instead of rien Krypton because typically when I think of rien Krypton I think of what I talked about with GPG it's like oh I have to go take the file deep trip to get a new key and encrypt it with a new key and this is not that so we caught transformation instead and then the decryption operation so transform key generation
with proxy encryption takes the private key of the person that wants to delegate the access the public key of the person that they want to delegate the access to and compute and run some math and it comes out with this transform key so this transforming key again doesn't allow anyone to decrypt any data it can only be used to take data that's encrypted to the delegator andrey encrypted or transform it so it's encrypted to the delegatee and then you know once you get that done you can send it to a proxy that's going to keep track of it and it's going to apply it as necessary and the forchette gives because it can't decrypt anything you don't really have to trust the proxy when you send that up see to it you can't use it to do anything except what you basically told it it could do which is transform messages that are encrypted to you so they're encrypted to someone else and the nice thing is that you are the only one who can do that because it takes you a private key to do that so as long as you're not pop like leaves this private key on the desk you should be good so if you want to delegate access
it's as simple as taking a file that's encrypted to the delegate or applying the key and running the transformation algorithm and sending the read the transformed file or data to the new recipient they take their private key and they decrypt it pretty much the same way they would have decrypted something that was encrypted directly to them
so how can we use this to build this orthogonal access control system we just use groups we create a group and we encrypt documents to the group and then independently of that operation the person who's kind of an administrator or order of the group can create transform keys from the group to each of the users that's going to be a member once they add a member to the group immediately that member can decrypt anything that's been encrypted to the group in the past anything that will be encrypted to the group in the future and that's simply from the group that also immediately revokes access and the nice thing is that both of those operations don't require you to go and find all of the documents that are encrypted of the group and mess with them you don't ever have to touch any of the documents you just do these transform keys so it's
just you create a public/private key pair for the group what we do usually use takes a groups private key and we encrypt it to the users that created it and that makes that person that's essentially an administrator for the group so an administrator is just someone who acts and can access the private key of the group which means they can add new people to the group when they want to member to the group is
as simple as competing that transform key and that's why the administrator needs access to the private key granting access if you've got a file and you want to anyone to let a group access that file you just encrypt it to that groups public keep very simple number one
access they request the file that's been encrypted to the group they give that to this proxy server that's got the transform key it applies the transform to make the file so that it's encrypted to them since that we that's transform file back and then I've got a private key on my device that unlocks the data and recovers the plaintext
is as simple as just forgetting the transform key you just throw it away as soon as it's gone that user can no longer decrypt anything that's encrypted to the group so you know now we've got all of the pieces and parts that we need to put together an orthogonal access control system and we're using a proxy encryption algorithm we we noticed that
really users don't use one device right I don't always use the same browser on my laptop to access things I don't always use my cell phone to access things so you can make this better if instead of if we wanted to do that we would basically have to do this thing that you do a lot of times now it's like okay I've got my private key and I want to use three or four different devices I have to figure out a way to get my private key onto all of those devices which is you know you can do that but that's not the greatest experience so basically add another level here of delegation we can treat a user as a group of devices and just to another transform from a user to device that means every device gets their own private key you don't have to share them you don't have to copy them around if somebody drops their phone in the toilet they can just basically revoke access to that phone and they don't have to worry about if somebody had somehow hacked their phone and gotten their the private key for the phone as soon as that transform Keys gone that phone can access their data you know maybe you left it on the conveyor in the airport so the private keys for the devices are always on the device and it gives you this nice revocation property but in order to do this the proxy encryption algorithm used to have a special property that's typically referred to as
a multi-use or multi-hop you know we already talked about if you had a dated let's encrypt it to a user and there's a transform key to another user you can transform the document then the other user can unlock it but once I
have proxy encryption you can take that transform this document and you can apply a second transplant to it maybe to another user Carol and produce this doubly transformed document send that to Carol and she takes your private key and the decrypt algorithm and gets the plaintext back so this multiply hop proxy encryption allows you to build
this hierarchical system and in fact you could build a hierarchy deeper if you wanted you can have groups of groups so
adding a device to user is the same as adding a user to a group you just create a transform key so if you're if I'm
logged in to one of my devices and I want to access a document I the proxy is I say yeah I've got this document and I want to I want to unlock it and the proxy figures out the best way to get the transformation from something that's that documents encrypted to to the device that I'm using to request it so that might be because document was actually shared with me my user directly and then there's one transform between me and my device and that will work maybe was shared with the groups that I belong to so if there's a path from a group to me to my device the proxy can take those two transforms and apply them in a chain trip twice and return it to me so I can decrypt it so we now have
scalable into end encryption it can handle arbitrarily large groups of users and the canal dynamic groups of users we can grant and revoke access to two documents and two groups in constant time it doesn't matter how many documents doesn't it matter how many groups it doesn't matter how many users and we got rid of the need like to copy private keys around if we're trying to manage multiple devices just one place that this could be useful
is say you want to be able to protect someone's PII personally identifiable information and I imagine there are more than a few of you out here who've been thinking about this a little bit in the last six months or so in the gdpr framework right so if you could take a user's private data and just encrypt it to that user and then see that user is gonna decide he I'm gonna provide consent for this company to use my private data it's as simple as creating a transfer if the company's got a public key maybe the company is considered to be one of these groups I created a transform key between me and that group that will allow that group to read my data and then maybe a couple months down the road or a year down the road I decided I don't want that company to continue to have access to my data I want to invoke my right to be forgotten so I just tell the proxy service that's holding these transform keys hey throw that one away and that means that that company or people that belong to that company no longer can access that if you know if they haven't already accessed it so that's an example of what we can do with this so we have implemented the
primitives in Scala library loose ecology is to generate a client-side JavaScript library it's open source we
actually built a JavaScript SDK around it that talks to a service that is the public key repository and the transform proxy we've got it out there that part is an open source but we let people do free signups if you wanted to play around with that the library is open source but it doesn't have some of the things around it to make it easy to manage the keys and stuff so now I
wanted to talk a little bit about like under the hood some of the math stuff that makes this work I said is Perry based cryptography and earrings are built on top of elliptic curves so you know let the crypto is pretty standard but pairings are less standard although I did I think I heard two or three different talks in here this weekend that we're talking about pairings a little bit so the basic
operation that pairing based crypto is based on is called the bilinear pairing or sometimes called the bilinear mapping and that mapping that pairing is simply a function that takes an element from some group and an element from some other group and combines them together and produces an element in yet another group so you know the first group spoiler alert might be the set of points on an elliptic curve over a prime field so in order for this thing to be a
bilinear pairing it needs to satisfy some constraints it needs to provide some properties I won't read these to you but that one that last one in particular is important because it allows you to basically swap scalar multiples of points and we'll see why that's useful in a second so how we use
pairings that first group that we talked about is B is exactly the set of points on an elliptic curve over a prime field the second group is related to that it's the same elliptic curve change a little bit as called the twisted curve and it's defined over a set of points in the second-degree extension of that field and so the math for that gets a little deeper and I won't go into that but when you do the pairing you produce values that are in another group this G sub T group and that group is not a set of points it's actually a set of values that are the Arth roots of unity and those values are Elkin state in the degree 12 extension of that prime field so these things are you know basically numbers that are consists of of different values that are between 0 & 2 prime minus 1 so it's a big number that the per that the pairing produces all of these groups have the same number of elements in the group they all have the same order so the reason pairings
work for crypto and there there might be other ways to use them but the way that we use them and the way most the practice agree encryption stuff does is it allows you like I said it allows you to swap scalar multiples so if you think of a public key it's just some generator point in your in your group your your elliptic curve group times some randomly chosen private key or secret key right so it's that's just a scalar multiple of some point that you know
so if Alex and Bob have key pairs that are that are computed that way they both picked a random secret key they compete a public key they send that out there to a key server Alex can you encrypt a message to Bob by using a pairing where she takes Bob's public key and prepares it with her secret key times this generator point that's predefined in that second group of elements for the pairing and then she takes that value and multiplies it by the message and that gets an encrypted message so Bob can recover that by basically taking Alice's public key pairing it with the negation of his secret key times at the second point G - I won't go into this
but basically you can prove that this works by just doing simple mathematic just simple arithmetic rewrites it's like well okay if I rewrite the public key as the secret key times the generator point and then I remember that because of by linearity I can swap these two things and then if I get down to the bottom I know the fact that if I pair something times a zero it basically returns one that shows you that I do in fact get out my original message when I decrypt it so so this is how pairings are used to make encryption work so I'm gonna like make one more side note and I'll turn it over to Colt to talk about the library and some cooler like a little bit less theoretical ways to use it note on the
security of this stuff the security of pairing based cryptography relies on two different hard problems the first is the standard elliptic curve diffie-hellman problem that protects all elliptic curve cryptography able to recover a secret key even though you know the public key and you know the generator point so that's the that's a hard problem that protects the part of this the other hard problem is the straightened distributive discrete log problem and that's what protects the pairing product because remember the pairing produces a value that's not an elliptic curve group it's just in a field a big field so so the it's just straight discrete log problem that protects that part of the of the work
recent advances in the use of number field sieve have improved the ability to solve the discrete log problem it's still hard but it's not as hard as we thought it was a while ago so in the past we thought this kind of conventional wisdom was that if you used a 256 bit private key the elliptic curve discrete log problem would provide you at roughly 128 bits of security and if you're doing this discrete log problem in the 12th degree extension of that field that would also provide you roughly 128 bits of security against the just a straight discrete log problem they've been working on this number field sieve and that improves the ability to solve this discrete log problem and some researchers have been grinding away on this and concluded that in like the start of this year in the end of last year that if you have a degree 12 extension of a 256-bit crime that really only provides you with them right around bits of security instead of 128 so if you want to go and tell everybody hey Mike crypto is 128-bit secure you know some people kind of expect that you actually need more bits in your prime your your prime number in your field and so getting back up to 128-bit equivalent security you actually need a prime that's 400 they these are all estimates and then the computations are really complicated and involved and you kind of have to do it for each different case but the estimates are that you would have to have at least 461 bits in your prime in order to get back to 128 bit security for the discrete log problem so we've been playing around with this a little bit and and you know it's probably something that we that everyone should be aware of in the future that you're probably gonna have to start bumping up the size of the prime pretty soon because of these advances so now and it turned over to Colts and you'll kind of talk about the library sure [Music]
firstly like all this code I'm new to the show this week code snippets from the reek ripped library Bop lining up we crypt I mean the library itself doesn't do all like the story of transform Peas and all that stuff so everything on the slide is like well I'm just doing this in like sequencing code but you know some of it would be done by servers be done by devices so I'll just kind of talk to that as I go so obviously there's gonna be private keys everywhere and just pretend that they're on different oysters for now so who here has used GPG to keep secrets encrypted to keep different people almost everybody like this is a very common thing we do IT organizations use you know complicated expensive key management systems to like have groups and try to like to make this slightly less painful but it's really dance so we
have Bob he's in charge and I'm not just saying that because he's sitting behind me and hit me on the head but Bob's in charge and he's the IT managers so he's his job is to keep all these secrets and cryptid is an IT organization some keys you wants encrypted the whole organization's some keys he wants subgroups whatever he wants so so these
are is one of his groups that he's working with and sadly for him that the channel were an IT organization is high and he's every day he's reinterpreting things or removing people he's doing all this all this work to try to just just keep the same secrets encrypted to his organization say give a severe amount of his time so he's using GPG to do that
right now and so every time he had somebody like Charlie here he has to go through and do what Bob talked about when you decrypt it you regripped it to everybody and you send it back out there so Alice brings out on board same thing so hiring is is painful unfortunately alice is also a quitter so she quit and he now he hasn't problem again he has to go through and do it again so both hiring and people quitting it's a major ordeal so we can solve that
so let's talk about I'm just gonna show some of the code from V crypt here this is Scala code so if you've never seen skull before you haven't read it types on the right side of Colin's and values are on the left side so we've got a ran a typing class API that takes the random byte vector in this data's signing so it's a little weird we had to do this because we wanted to cross compile the JavaScript has anybody tried to do cryptography in JavaScript it's not great yeah the problem with cryptography is your JavaScript is how do you get random numbers cryptographically secure random numbers well that depends in the platform you're on are you in the browser are you on node like so we wanted to allow this to be more flexible so this this thing that pass in this IO you just think of it as a function that every time you invoke it it basically could return you a different value so basically anything anywhere you see IO you could just replace it with a function in your brain we all get in today cuz that's not the kind of talk were in so every time you call that you're gonna get a different set of random cryptographically secure random values and the signing is just a pair of functions sign and verify and we did that with 82 five five one nine because it's fast it's known to be secure and we didn't want to use the same set of keys for both encryption and and signing because that's generally considered not the best practice so we take these things because of platform nonsense so generate keep there it's a pretty simple thing we basically just take the random bytes and we map them over multiply it times generator point to create a public key so that's pretty simple in that parentheses syntax is just a 2-tuple so generate plaintext so when you were doing pairings like bob was talking about you have to have these elements that are in different groups and they have to be members of the group so they have to be are through say unity and all kinds of other math jargon otherwise it doesn't work so we instead of having to push that jargon on to the user of the library we just said we'll just write a function that generates you a plain text returns us this type that is it says it's a plain text so it is and just trust me that way you don't have to worry about how to generate it so it's using that random byte vector under the hood as well so generate transfer okie basically your this is the thing that delegates so this is the function that delegates from one private key to a public key transform that's the thing that actually it takes a transform key and does that transformation for you so this is the thing that like a server would do or somebody whoever is the proxy in in all Rob's terminology the person has access to these transform keys and the public keys and all that stuff that would be for this where this runs encrypt pretty straightforward encrypting a plain text to a public key decrypt so it returns an error message or the plain text so let's go through here so
I'm basically gonna go through the sample that we were talking about earlier we're talking about Charlie and Bob and Alice and this IT type organization so this is basically just generating two different key pairs over here so Bob's key pair and Patty groups keeping here the reason I voted because key pair generation is boring is because it's it's really important in the scheme to remember that groups and users are really the same so users can be treated as groups groups can be treated as subgroups like so public private keys and especially with our system you can use these things for many purposes and you can delegate to people you can delegate to groups you can there's all kinds of fancy stuff you can do so don't get stuck in your brain about like oh well this is a user key because you could treat it as a group okay so
encrypting a value to fatty group I mean we a goal with this library is to make the public API as as simple as possible anybody who's used open SSL or any any other cryptographic collaborate is is gone off to try to figure out what's going on you're passing in immutable immutable values that they're gonna fill out and pass back to like it's just it's just bad we wanted to read exactly like the pseudocode algorithm should read so here we just generate a plaintext we crypt that plaintext and yield the encrypted value so it reads like pseudo code and we're encrypting to the public key and so little note about signing keys I kind of pointed out earlier but because did the signing Keys separate from keys we use cd25 509 that means we pass in these police signing keys to detect if somebody's screwed with the interrupted values so it makes sleep yeah a little Messier but I think it's still pretty straightforward so another thing to note here is that this encrypted value never has to change ever you can put it on the blockchain you can put it in a database and Kafka a mutable key value stores whatever you want to do you can do that and you never ever ever have to change this encrypted value so no matter who you who you want to share with the group with you never have to change that okay so we heard
charlie so we generate Charlie's keeper so that would happen on her device that piece would happen on her device and then Bob takes her public key and he just generates a transform key from the IT group private key which in Charlie's public key and that's it so he generates that transfer key and he sends it off to the public key repository that's holding onto all this information so now we have basically this is how Charlie gets added to the group she's now on the group so
hiring again just to show that like it's the same no matter what like Alice the same thing she's here as key pairs you generate a transform key and you send it off so this is what you would call adding that heard of the group it also doesn't matter how many documents are shared with the group this operation is constant I'm just just the one thing doesn't matter how many millions of AWS Secrets you have encrypted but what if what if Alice
quits sorry what if I also wants to decrypt this sorry so it Alice comes in and basically needs the transformed value so this transform function that's happening at the top that would happen on the proxy server so this will just pretend that that has happened there and then this the transformed data would be sent back to her request so the important thing here is that the transformed data and the original encrypted data have the same shape that's what Bob was talking about when he was talking about multi hop so if if you wanted to transform that data again you could take that transform data and transform it again to give it access to a device or give access to a sub group or whatever so it's it's important when you look at the like I put all the types on the left side there that encrypted value is the same thing we got out of the encrypted function so it could be encrypted or it could be already one step transformed and you could do it over and over again so if Alice quits we
don't need to do anything special all we need to do is just forget your transform
key and we just walk away
now that's what a lot of people are
starting to cut this like crypto
shredding or cryptographically erasing
things like all these terminology that
just means well they can't decrypt it
anymore so I don't know why it's like a
new thing that we're we're doing as an industry but I guess we are so as you
can see like this API is like super approachable there's nothing crazy here
so if you're at all interested in this we have a ton of property based tests in our core API tests on the github repo
and it goes through like two and three and four level B encryption steps with
different like devices and subgroups and all kinds of augmentations of keys and
there's there's some really neat stuff that you can do there if you have any
questions at all like feel free to open
an issue like it's not clear what's happening in this test case or what
about this other thing that I'd like to do I'm wide open to like answering any
questions on that but I think the property based tests give a pretty good
overview of that so what else like Bob
mentioned quite a few of these things but just to bring it back around again multi-hop proxy encryption is super super super cool because you can treat users as groups and groups and subgroups and there's there's just really no limit to the two the things you could do with that kind of stuff every hop makes things slower so that's that is one thing that happens when when you do eat the all these transformations obviously you have to unroll them like math isn't free so that's that's a struggle there but it's really simple there's some pretty cool stuff you could do and he mentioned the gdpr which is a big deal so the right to forget and being able to just say like oh we caught a crypto shredded this data and we can't unlock it anymore so we forgot who you are like being able to do that in a constant time instead of you know sending your IT guy off to just like search through databases for three days like that's that's a that's a game-changer in my opinion key rotation could also be encoded with an extra hop so if you wanted to say like oh I want to like get a new key you could make your old key just delegate to your new key and you could not have to re-encrypt all your old data there's some caveats there but so it is
all out there on github so we just open source it pretty recently it's only on the JVM and in JavaScript so it's pretty limiting as far as platforms are concerned but we have some other stuff coming that's pretty exciting but we're not quite ready to talk about it yet it's also not that fast yet we have a benchmarks thing in your in the repo so feel free to clone it and like see the benchmarks but it certainly could use some work there were are working on it and are open to any suggestions or anything like that and really managing the groups managing the public keys managing the transfer own keys and identities like that's where the struggle comes in here that I showed the code and the code is super simple they're like all about all the Identity Management is really the harder part of this in terms of of getting it right so questions
I actually have two questions the first one is about the transform key storage as far as I can tell mathematically speaking possession of the transform key and the destination private key is equivalent to holding the original private key because once you have them both you can just transform and decrypt so you clearly need to store these transform keys in some way that's secure you know you don't want somebody who you know has a trench for the key issued breaks into the proxy server takes trim from key and then you can never revoke them so I mean is there any plan to implement this on secure Hardware secure elements things like that so that a proxy can securely store these transform keys so yeah if you have the private key of the person that has been transformed to and you have the transform key here right like that's that's equivalent to having like access all the data the transform key is only it's only sort of the proxy but you're right you could break in there we don't have plans to do anything special there at least not in the very near future it is basically the compromise a compromise of multiple systems including you know their device and that could actually be revoked we can use some key augmentation tricks to make sure that that values that are encrypted to a certain user can't be unlocked by their private key and can only vote by devices and that's somebody to get into here but I think I guess the short answer your question No and yeah that's that's a problem but not as big a problem as the other question I had was so the issuance of transform Keys requires the private key is it possible to use the same trick to delegate that authority so I could use my private key to generate a transform key that I then transform into another transform key I'm sorry I have to think about that a little more let's yeah let's talk to thinking a group of people that are the admins you know that might be possible but I think a lot easier approach than that and one that we have an implement that we're going to is basically doing a key splitting idea so if I've got a group of admins that have a you know they have access to the private key for a for a group and it's an important group like the IT group for my organization I take that private key and I basically split it M ways I've got M employees and then I require that it you know some sub group of them that's more than one have to work together to put the key back together before they can use it I think that's a accomplishes maybe not exactly the same things we're close to the same things and it's a it's a significantly easier thing to think about in your heads thank you I have some questions about the performance of this proxy server as it is applying these transform keys because it can't give out the transform key so been doing this transform that would basically that's a computationally expensive operation correct would there potentially be any downsides to ticking digging a play out of GnuPG this book and doing the initial encryption with a symmetric key that is very fast and then only doing a transform on the encryption of that symmetric key yeah I mean this is envelope encryption so like we're the only thing one encrypting is the AES key okay so the transform is expensive so I mean the performance of the libraries is it's not where we want it to be but you know I'm making it faster and like and working on that and there's there's another thing that the proxy server can actually catch those transforms values if it wants to because I mean every time it asks for one I mean it's gonna get well not quite the same answer but almost the same answer every time so you could actually cache those if you were worried about performance you could catch the transform value for some period of time if somebody was just asking over and over and over again for that same value that was my next question thank you any other questions all right thank you
Feedback