CRYPTO AND PRIVACY VILLAGE  Implementing a Library for Pairingbased Transform Cryptography
Video in TIB AVPortal:
CRYPTO AND PRIVACY VILLAGE  Implementing a Library for Pairingbased Transform Cryptography
Formal Metadata
Title 
CRYPTO AND PRIVACY VILLAGE  Implementing a Library for Pairingbased Transform Cryptography

Title of Series  
Author 

License 
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. 
Identifiers 

Publisher 

Release Date 
2018

Language 
English

Content Metadata
Subject Area 
00:00
Mathematics
Cryptography
Core dump
Cryptography
Library (computing)
Library (computing)
Singuläres Integral
00:37
Email
Transformation (genetics)
Core dump
Cryptography
Automatic differentiation
Web 2.0
Facebook
Hypermedia
Core dump
Data center
Point cloud
Website
Library (computing)
Point cloud
02:03
Tablet computer
Encryption
Cuboid
Core dump
Encryption
Publickey cryptography
02:53
Mobile app
Group action
Mobile app
Encryption
Core dump
Encryption
Cartesian coordinate system
Publickey cryptography
Element (mathematics)
Local Group
03:58
Logical constant
Group action
Game controller
Computer file
Observational study
Multiplication sign
System administrator
Orthogonality
Field (computer science)
Element (mathematics)
Number
Software bug
Local Group
Independence (probability theory)
Zugriffskontrolle
Mathematics
Envelope (mathematics)
Military operation
Operator (mathematics)
Orthogonality
Encryption
Physical system
Key (cryptography)
System administrator
Electronic mailing list
Core dump
Group action
Cryptography
Publickey cryptography
Element (mathematics)
Envelope (mathematics)
Encryption
Physical system
06:27
Game controller
Server (computing)
Group action
Proxy server
Computer file
Algorithm
Transformation (genetics)
Primitive (album)
Heat transfer
Mathematics
Cryptography
Orthogonality
Operator (mathematics)
Encryption
Message passing
Proxy server
Email
Algorithm
Electric generator
Key (cryptography)
Core dump
Transformation (genetics)
Cryptography
Publickey cryptography
Elliptic curve
Category of being
Message passing
Encryption
Singuläres Integral
08:55
Trail
Message passing
Mathematics
Algorithm
Key (cryptography)
Computer file
Transformation (genetics)
Encryption
Core dump
Proxy server
Publickey cryptography
10:21
Group action
Key (cryptography)
System administrator
Orthogonality
Core dump
Publickey cryptography
Local Group
Zugriffskontrolle
Operator (mathematics)
Orthogonality
Order (biology)
Encryption
Control system
11:39
Group action
Computer file
System administrator
Core dump
Hydraulic jump
Proxy server
Publickey cryptography
Number
Local Group
12:21
Laptop
Group action
Key (cryptography)
Multiplication sign
Core dump
ACID
Web browser
Mereology
Publickey cryptography
Local Group
Category of being
Orthogonality
Order (biology)
Encryption
Energy level
Right angle
Key (cryptography)
Information security
Proxy server
Control system
14:03
Algorithm
Encryption
Core dump
Publickey cryptography
Proxy server
Binary multiplier
14:38
Group action
Addition
Proxy server
Transformation (genetics)
Decimal
Demo (music)
Core dump
Local Group
Hierarchy
Chain
Proxy server
Physical system
Physical system
15:37
Logical constant
Group action
Dynamical system
Logical constant
Service (economics)
Key (cryptography)
Information
Multiplication sign
Core dump
Bit
Heat transfer
Group action
Information privacy
Scalability
Military operation
Internet service provider
Encryption
Right angle
Software framework
Key (cryptography)
Encryption
Proxy server
17:17
Standard deviation
Service (economics)
Proxy server
Open source
Software developer
Algorithm
Ellipse
Primitive (album)
Mereology
Mathematics
Cryptography
Repository (publishing)
Proxy server
Library (computing)
Software development kit
Source code
Key (cryptography)
Core dump
Bit
Transformation (genetics)
Cryptography
Elliptic curve
Software development kit
Repository (publishing)
Function (mathematics)
Physical system
Library (computing)
18:14
Point (geometry)
Group action
Functional (mathematics)
Multiplication
Constraint (mathematics)
Texture mapping
Set (mathematics)
Parameter (computer programming)
Core dump
Cryptography
Field (computer science)
Element (mathematics)
Local Group
Elliptic curve
Sign (mathematics)
Category of being
Operator (mathematics)
Scalar field
Order (biology)
Bilinear map
Bilinear map
19:07
Point (geometry)
Group action
State of matter
Multiplication sign
Set (mathematics)
Instance (computer science)
Field (computer science)
Number
Element (mathematics)
Local Group
Mathematics
Cryptography
Einheitswurzel
Encryption
Extension (kinesiology)
Curve
Multiplication
Point (geometry)
Core dump
Bit
Group action
Cryptography
1 (number)
Elliptic curve
Degree (graph theory)
Root
Scalar field
Order (biology)
Right angle
20:36
Point (geometry)
Group action
Server (computing)
Greatest element
Key (cryptography)
Multiplication sign
Core dump
Bit
Publickey cryptography
Element (mathematics)
2 (number)
Message passing
Negative number
Linearization
Encryption
Key (cryptography)
Encryption
Message passing
Binary multiplier
Library (computing)
22:04
Point (geometry)
Group action
Curve
Ellipse
Mathematical analysis
Infinity
Mereology
Prime number
Equivalence relation
Field (computer science)
Neuroinformatik
Local Group
Sieve of Eratosthenes
Estimator
Cryptography
Extension (kinesiology)
Information security
Algebraic number field
Standard deviation
12 (number)
Key (cryptography)
Discrete group
Point (geometry)
Core dump
Field (computer science)
Bit
Cryptography
Publickey cryptography
Elliptic curve
Degree (graph theory)
Number
Personal digital assistant
Order (biology)
Key (cryptography)
Musical ensemble
Information security
Extension (kinesiology)
25:02
Slide rule
Server (computing)
Key (cryptography)
Code
Transformation (genetics)
Core dump
Group action
Disk readandwrite head
Publickey cryptography
Subgroup
Data management
Process (computing)
Addressing mode
Different (Kate Ryan album)
Selforganization
Physical system
Library (computing)
26:25
Group action
Whiteboard
Multiplication sign
Selforganization
Core dump
Whiteboard
27:29
Point (geometry)
Group action
Functional (mathematics)
Server (computing)
Randomization
Random number generation
Transformation (genetics)
Code
Multiplication sign
1 (number)
Set (mathematics)
Numbering scheme
Web browser
Heat transfer
Element (mathematics)
Sign (mathematics)
Mathematics
Formal verification
Encryption
Error message
Computing platform
Social class
Physical system
Electric generator
Key (cryptography)
Sampling (statistics)
Core dump
Cryptography
Publickey cryptography
Subgroup
Type theory
Vector space
Selforganization
Right angle
Key (cryptography)
Library (computing)
32:01
Group action
Algorithm
Key (cryptography)
Information
Code
Transport Layer Security
Data storage device
Core dump
Database
Heat transfer
Avatar (2009 film)
Publickey cryptography
Flow separation
Local Group
Message passing
Sign (mathematics)
Repository (publishing)
Encryption
Library (computing)
34:07
Type theory
Group action
Functional (mathematics)
Multiplication
Transformation (genetics)
Operator (mathematics)
Core dump
Shape (magazine)
Publickey cryptography
Proxy server
35:49
Inheritance (objectoriented programming)
Core dump
Cryptography
36:24
Category of being
Key (cryptography)
Software repository
Augmented reality
Personal digital assistant
Core dump
Encryption
Energy level
Core dump
Software testing
Subgroup
37:02
Rotation
Group action
Key (cryptography)
Transformation (genetics)
Multiplication sign
Core dump
Database
Cryptography
Limit (category theory)
Subgroup
Local Group
Mathematics
Encryption
Right angle
Key (cryptography)
Freeware
Proxy server
38:33
Group action
Open source
Code
Transformation (genetics)
System administrator
Multiplication sign
Control flow
Heat transfer
Mereology
Disk readandwrite head
Element (mathematics)
Local Group
Wave
Frequency
Envelope (mathematics)
Operator (mathematics)
Computer hardware
Authorization
Encryption
Symmetrickey algorithm
Proxy server
Information security
Computing platform
Identity management
Physical system
Multiplication
Key (cryptography)
Augmented reality
Data storage device
Planning
Core dump
Group action
Benchmark
Publickey cryptography
Element (mathematics)
Secret sharing
Arithmetic mean
Software repository
Computing platform
Selforganization
Key (cryptography)
Quicksort
Identity management
Library (computing)
Singuläres Integral
00:00
please welcome our next speaker Bob wall and Colt the Federation on implementing a library for a pairing based transform cryptography thanks everyone thanks for sticking it out to the bitter end almost the bitter end I imagine so you might have been out partying last night anyone's hangover but special warning there is some math in here so you know consider yourself warned so I Colt and I both work together in a
00:40
company called iron core labs so we'll talk about this transform cryptography library that we've implemented and some of the background about it
00:48
so obviously the it we we've known the answer to this question for quite a while before Facebook got face palmed but you can maybe tell by my gray hair that I've actually got to watch the world wide web get started and it took off and then the cloud stuff started and it seemed like hey this might be really pretty cool you know it especially people that were doing IT and setting up data centers like wow this might be great and then we started getting some reach notifications we heard about Yahoo we heard about anthem we heard about the Office of Personnel Management or the OMB heard about Facebook I imagine at least a few of you out there have gotten a breach notification that from some company so starting to get a little bit if hear about the cloud and even if you disregard the breaches and think about the weird things that happen when somebody sends you an email or you send somebody an email and then you go to some social media site or Google and look at the ads that get presented to you it's like it's a little creepy I find it a little creepy anyway so maybe the cloud has some downsides after all so what can we do about that but what are some things that we can do to start fighting back against that and one of
02:05
the obvious answers is endian decryption so if I've got a device browse phone or tablet and I want to generate some data and I want to make it available to someone else and it stays encrypted and until it gets to their device and they can decrypt it so hopefully they're probably their private key that unlocks it stays on there twice and in between it doesn't matter we don't have to trust anyone we don't have to believe that somebody's going to be upstanding including if we send that
02:45
stuff through we stored on Dropbox or box say it doesn't matter if they want to look at it or not they're not gonna be able to so we've seen a kind of a
02:55
take off of and end encryption apps and there are a few of them that are popular you'll notice that most of these Indian cryptid applications now have something in common and that is that they're primarily designed for messaging and they're mostly designed for persontoperson channels so they're not really designed for something where you might want to send something to a group of people and they're especially not designed for something where that group of people might be big and or very dynamic the membership of the group changing a lot and there's a reason for that because it's just not that easy if
03:34
you think about say you're a masochist and you want to encrypt some data to a group of people and you want to use GPG to do it you get all of those peoples public keys you stuff those all into the GPT command line and say hey encrypt this document it does it and every one of those people can use their private key to decrypt it okay that's pretty good and just kind of a side note here and
04:00
this will be kind of important as we talk through this what we're talking about what GPG does and what everything that does public key crypto pretty much does is envelope encryption so they don't actually use key crypto to encrypt that whole document because it's slow and painful they generate a random team probably in a EES key the encrypted document with that and then they take that random key and they encrypt it with each of those public keys and stuff that on the start of the document or at the end of the document or somewhere in that file so so I've got this file now I've encrypted it to say three or four people everything's good but now suppose I want to add another person well that means that one of the people that can unlock the document needs to decrypt it get those lists of public keys that were already used to get the list of the extra public key that they want to add Andry encrypt the documents save it back out there so that's not tremendously convenient and it's really not convenient if if the group is changing fast you wouldn't want to have to do that 20 times a day for sure removing access is pretty much the same thing you have to go get the document you have to decrypt it we encrypt it was a list of keys that excludes the people you want to remove access from so obviously that is not scalable so we want to build a system
05:24
that has we call orthogonal access control and that just means that we would like users to decide which groups of people should be able to access their data without knowing who belongs to the group and then independently from that the administrators of those groups should be able to add or remove members without me knowing about it and so this is obviously not a new idea I mean UNIX groups are essentially this but we want something that relies on cryptographic access control instead of policy so it's harder to break it harder to mess it up if somebody makes a programming error it it will matter a lot less because unless you have the keys you can't unlock it and we want a system where each change in group membership or an access grant or revocation is basically very fast a constant time operation that's independent of a number of users that were managing or the number of documents and more files or the number of groups that we have so what's a way to do that there's a field of study in
06:30
cryptography called proxy encryption it's been around for around 20 years it hasn't really gotten too widespread of an adoption but it it provides a lot of these properties that we need to do this orthogonal access control so most of the proxy encryption algorithms are based on public key cryptography and almost all of them are actually based on pairings which we'll talk about a little more detail and that's where the math might start to sneak in proxy encryption was originally designed to allow someone who receives encrypted messages to delegate the ability to decrypt those messages to someone else without having to give them her private key so you can imagine see we've got a mail server that's running with proxy encryption and we've got a group of people that are using it so Alice has public private key pair she's gonna set up on the mail server and she's getting encrypted emails and she decrypt them and then she's gonna go on vacation she wants to pop to take over for a while she's gone but she would really rather not give Bob her public key cuz he's kind of a doofus and he will probably lose it so with proxy encryption she she says okay I'm gonna delegate to Bob she calculates this reencrypted token and sends it to the proxy server the email server and then when the email server sees emails coming in and cryptid to Alice it can apply that transform key and do a transformation that makes that data encrypted to Bob without decrypting it the mail server never saw the plaintext it only had this token that allowed it to transform from encrypted to Alice to encrypted to Bob so that's what proxy encryption was designed to do proxy encryption algorithms usually have
08:19
five primitives key generation and again almost everyone I've seen is just straightup elliptic curve key generation transform keygen which is a little more involved encryption and transformation and we encourage we've taken to calling this transfer encryption and calling this step transformation instead of rien Krypton because typically when I think of rien Krypton I think of what I talked about with GPG it's like oh I have to go take the file deep trip to get a new key and encrypt it with a new key and this is not that so we caught transformation instead and then the decryption operation so transform key generation
08:56
with proxy encryption takes the private key of the person that wants to delegate the access the public key of the person that they want to delegate the access to and compute and run some math and it comes out with this transform key so this transforming key again doesn't allow anyone to decrypt any data it can only be used to take data that's encrypted to the delegator andrey encrypted or transform it so it's encrypted to the delegatee and then you know once you get that done you can send it to a proxy that's going to keep track of it and it's going to apply it as necessary and the forchette gives because it can't decrypt anything you don't really have to trust the proxy when you send that up see to it you can't use it to do anything except what you basically told it it could do which is transform messages that are encrypted to you so they're encrypted to someone else and the nice thing is that you are the only one who can do that because it takes you a private key to do that so as long as you're not pop like leaves this private key on the desk you should be good so if you want to delegate access
10:00
it's as simple as taking a file that's encrypted to the delegate or applying the key and running the transformation algorithm and sending the read the transformed file or data to the new recipient they take their private key and they decrypt it pretty much the same way they would have decrypted something that was encrypted directly to them
10:22
so how can we use this to build this orthogonal access control system we just use groups we create a group and we encrypt documents to the group and then independently of that operation the person who's kind of an administrator or order of the group can create transform keys from the group to each of the users that's going to be a member once they add a member to the group immediately that member can decrypt anything that's been encrypted to the group in the past anything that will be encrypted to the group in the future and that's simply from the group that also immediately revokes access and the nice thing is that both of those operations don't require you to go and find all of the documents that are encrypted of the group and mess with them you don't ever have to touch any of the documents you just do these transform keys so it's
11:17
just you create a public/private key pair for the group what we do usually use takes a groups private key and we encrypt it to the users that created it and that makes that person that's essentially an administrator for the group so an administrator is just someone who acts and can access the private key of the group which means they can add new people to the group when they want to member to the group is
11:43
as simple as competing that transform key and that's why the administrator needs access to the private key granting access if you've got a file and you want to anyone to let a group access that file you just encrypt it to that groups public keep very simple number one
12:01
access they request the file that's been encrypted to the group they give that to this proxy server that's got the transform key it applies the transform to make the file so that it's encrypted to them since that we that's transform file back and then I've got a private key on my device that unlocks the data and recovers the plaintext
12:23
is as simple as just forgetting the transform key you just throw it away as soon as it's gone that user can no longer decrypt anything that's encrypted to the group so you know now we've got all of the pieces and parts that we need to put together an orthogonal access control system and we're using a proxy encryption algorithm we we noticed that
12:47
really users don't use one device right I don't always use the same browser on my laptop to access things I don't always use my cell phone to access things so you can make this better if instead of if we wanted to do that we would basically have to do this thing that you do a lot of times now it's like okay I've got my private key and I want to use three or four different devices I have to figure out a way to get my private key onto all of those devices which is you know you can do that but that's not the greatest experience so basically add another level here of delegation we can treat a user as a group of devices and just to another transform from a user to device that means every device gets their own private key you don't have to share them you don't have to copy them around if somebody drops their phone in the toilet they can just basically revoke access to that phone and they don't have to worry about if somebody had somehow hacked their phone and gotten their the private key for the phone as soon as that transform Keys gone that phone can access their data you know maybe you left it on the conveyor in the airport so the private keys for the devices are always on the device and it gives you this nice revocation property but in order to do this the proxy encryption algorithm used to have a special property that's typically referred to as
14:04
a multiuse or multihop you know we already talked about if you had a dated let's encrypt it to a user and there's a transform key to another user you can transform the document then the other user can unlock it but once I
14:19
have proxy encryption you can take that transform this document and you can apply a second transplant to it maybe to another user Carol and produce this doubly transformed document send that to Carol and she takes your private key and the decrypt algorithm and gets the plaintext back so this multiply hop proxy encryption allows you to build
14:39
this hierarchical system and in fact you could build a hierarchy deeper if you wanted you can have groups of groups so
14:47
adding a device to user is the same as adding a user to a group you just create a transform key so if you're if I'm
14:54
logged in to one of my devices and I want to access a document I the proxy is I say yeah I've got this document and I want to I want to unlock it and the proxy figures out the best way to get the transformation from something that's that documents encrypted to to the device that I'm using to request it so that might be because document was actually shared with me my user directly and then there's one transform between me and my device and that will work maybe was shared with the groups that I belong to so if there's a path from a group to me to my device the proxy can take those two transforms and apply them in a chain trip twice and return it to me so I can decrypt it so we now have
15:39
scalable into end encryption it can handle arbitrarily large groups of users and the canal dynamic groups of users we can grant and revoke access to two documents and two groups in constant time it doesn't matter how many documents doesn't it matter how many groups it doesn't matter how many users and we got rid of the need like to copy private keys around if we're trying to manage multiple devices just one place that this could be useful
16:07
is say you want to be able to protect someone's PII personally identifiable information and I imagine there are more than a few of you out here who've been thinking about this a little bit in the last six months or so in the gdpr framework right so if you could take a user's private data and just encrypt it to that user and then see that user is gonna decide he I'm gonna provide consent for this company to use my private data it's as simple as creating a transfer if the company's got a public key maybe the company is considered to be one of these groups I created a transform key between me and that group that will allow that group to read my data and then maybe a couple months down the road or a year down the road I decided I don't want that company to continue to have access to my data I want to invoke my right to be forgotten so I just tell the proxy service that's holding these transform keys hey throw that one away and that means that that company or people that belong to that company no longer can access that if you know if they haven't already accessed it so that's an example of what we can do with this so we have implemented the
17:19
primitives in Scala library loose ecology is to generate a clientside JavaScript library it's open source we
17:27
actually built a JavaScript SDK around it that talks to a service that is the public key repository and the transform proxy we've got it out there that part is an open source but we let people do free signups if you wanted to play around with that the library is open source but it doesn't have some of the things around it to make it easy to manage the keys and stuff so now I
17:50
wanted to talk a little bit about like under the hood some of the math stuff that makes this work I said is Perry based cryptography and earrings are built on top of elliptic curves so you know let the crypto is pretty standard but pairings are less standard although I did I think I heard two or three different talks in here this weekend that we're talking about pairings a little bit so the basic
18:15
operation that pairing based crypto is based on is called the bilinear pairing or sometimes called the bilinear mapping and that mapping that pairing is simply a function that takes an element from some group and an element from some other group and combines them together and produces an element in yet another group so you know the first group spoiler alert might be the set of points on an elliptic curve over a prime field so in order for this thing to be a
18:47
bilinear pairing it needs to satisfy some constraints it needs to provide some properties I won't read these to you but that one that last one in particular is important because it allows you to basically swap scalar multiples of points and we'll see why that's useful in a second so how we use
19:09
pairings that first group that we talked about is B is exactly the set of points on an elliptic curve over a prime field the second group is related to that it's the same elliptic curve change a little bit as called the twisted curve and it's defined over a set of points in the seconddegree extension of that field and so the math for that gets a little deeper and I won't go into that but when you do the pairing you produce values that are in another group this G sub T group and that group is not a set of points it's actually a set of values that are the Arth roots of unity and those values are Elkin state in the degree 12 extension of that prime field so these things are you know basically numbers that are consists of of different values that are between 0 & 2 prime minus 1 so it's a big number that the per that the pairing produces all of these groups have the same number of elements in the group they all have the same order so the reason pairings
20:08
work for crypto and there there might be other ways to use them but the way that we use them and the way most the practice agree encryption stuff does is it allows you like I said it allows you to swap scalar multiples so if you think of a public key it's just some generator point in your in your group your your elliptic curve group times some randomly chosen private key or secret key right so it's that's just a scalar multiple of some point that you know
20:37
so if Alex and Bob have key pairs that are that are computed that way they both picked a random secret key they compete a public key they send that out there to a key server Alex can you encrypt a message to Bob by using a pairing where she takes Bob's public key and prepares it with her secret key times this generator point that's predefined in that second group of elements for the pairing and then she takes that value and multiplies it by the message and that gets an encrypted message so Bob can recover that by basically taking Alice's public key pairing it with the negation of his secret key times at the second point G  I won't go into this
21:21
but basically you can prove that this works by just doing simple mathematic just simple arithmetic rewrites it's like well okay if I rewrite the public key as the secret key times the generator point and then I remember that because of by linearity I can swap these two things and then if I get down to the bottom I know the fact that if I pair something times a zero it basically returns one that shows you that I do in fact get out my original message when I decrypt it so so this is how pairings are used to make encryption work so I'm gonna like make one more side note and I'll turn it over to Colt to talk about the library and some cooler like a little bit less theoretical ways to use it note on the
22:06
security of this stuff the security of pairing based cryptography relies on two different hard problems the first is the standard elliptic curve diffiehellman problem that protects all elliptic curve cryptography able to recover a secret key even though you know the public key and you know the generator point so that's the that's a hard problem that protects the part of this the other hard problem is the straightened distributive discrete log problem and that's what protects the pairing product because remember the pairing produces a value that's not an elliptic curve group it's just in a field a big field so so the it's just straight discrete log problem that protects that part of the of the work
22:54
recent advances in the use of number field sieve have improved the ability to solve the discrete log problem it's still hard but it's not as hard as we thought it was a while ago so in the past we thought this kind of conventional wisdom was that if you used a 256 bit private key the elliptic curve discrete log problem would provide you at roughly 128 bits of security and if you're doing this discrete log problem in the 12th degree extension of that field that would also provide you roughly 128 bits of security against the just a straight discrete log problem they've been working on this number field sieve and that improves the ability to solve this discrete log problem and some researchers have been grinding away on this and concluded that in like the start of this year in the end of last year that if you have a degree 12 extension of a 256bit crime that really only provides you with them right around bits of security instead of 128 so if you want to go and tell everybody hey Mike crypto is 128bit secure you know some people kind of expect that you actually need more bits in your prime your your prime number in your field and so getting back up to 128bit equivalent security you actually need a prime that's 400 they these are all estimates and then the computations are really complicated and involved and you kind of have to do it for each different case but the estimates are that you would have to have at least 461 bits in your prime in order to get back to 128 bit security for the discrete log problem so we've been playing around with this a little bit and and you know it's probably something that we that everyone should be aware of in the future that you're probably gonna have to start bumping up the size of the prime pretty soon because of these advances so now and it turned over to Colts and you'll kind of talk about the library sure [Music]
25:04
firstly like all this code I'm new to the show this week code snippets from the reek ripped library Bop lining up we crypt I mean the library itself doesn't do all like the story of transform Peas and all that stuff so everything on the slide is like well I'm just doing this in like sequencing code but you know some of it would be done by servers be done by devices so I'll just kind of talk to that as I go so obviously there's gonna be private keys everywhere and just pretend that they're on different oysters for now so who here has used GPG to keep secrets encrypted to keep different people almost everybody like this is a very common thing we do IT organizations use you know complicated expensive key management systems to like have groups and try to like to make this slightly less painful but it's really dance so we
26:05
have Bob he's in charge and I'm not just saying that because he's sitting behind me and hit me on the head but Bob's in charge and he's the IT managers so he's his job is to keep all these secrets and cryptid is an IT organization some keys you wants encrypted the whole organization's some keys he wants subgroups whatever he wants so so these
26:27
are is one of his groups that he's working with and sadly for him that the channel were an IT organization is high and he's every day he's reinterpreting things or removing people he's doing all this all this work to try to just just keep the same secrets encrypted to his organization say give a severe amount of his time so he's using GPG to do that
26:50
right now and so every time he had somebody like Charlie here he has to go through and do what Bob talked about when you decrypt it you regripped it to everybody and you send it back out there so Alice brings out on board same thing so hiring is is painful unfortunately alice is also a quitter so she quit and he now he hasn't problem again he has to go through and do it again so both hiring and people quitting it's a major ordeal so we can solve that
27:29
so let's talk about I'm just gonna show some of the code from V crypt here this is Scala code so if you've never seen skull before you haven't read it types on the right side of Colin's and values are on the left side so we've got a ran a typing class API that takes the random byte vector in this data's signing so it's a little weird we had to do this because we wanted to cross compile the JavaScript has anybody tried to do cryptography in JavaScript it's not great yeah the problem with cryptography is your JavaScript is how do you get random numbers cryptographically secure random numbers well that depends in the platform you're on are you in the browser are you on node like so we wanted to allow this to be more flexible so this this thing that pass in this IO you just think of it as a function that every time you invoke it it basically could return you a different value so basically anything anywhere you see IO you could just replace it with a function in your brain we all get in today cuz that's not the kind of talk were in so every time you call that you're gonna get a different set of random cryptographically secure random values and the signing is just a pair of functions sign and verify and we did that with 82 five five one nine because it's fast it's known to be secure and we didn't want to use the same set of keys for both encryption and and signing because that's generally considered not the best practice so we take these things because of platform nonsense so generate keep there it's a pretty simple thing we basically just take the random bytes and we map them over multiply it times generator point to create a public key so that's pretty simple in that parentheses syntax is just a 2tuple so generate plaintext so when you were doing pairings like bob was talking about you have to have these elements that are in different groups and they have to be members of the group so they have to be are through say unity and all kinds of other math jargon otherwise it doesn't work so we instead of having to push that jargon on to the user of the library we just said we'll just write a function that generates you a plain text returns us this type that is it says it's a plain text so it is and just trust me that way you don't have to worry about how to generate it so it's using that random byte vector under the hood as well so generate transfer okie basically your this is the thing that delegates so this is the function that delegates from one private key to a public key transform that's the thing that actually it takes a transform key and does that transformation for you so this is the thing that like a server would do or somebody whoever is the proxy in in all Rob's terminology the person has access to these transform keys and the public keys and all that stuff that would be for this where this runs encrypt pretty straightforward encrypting a plain text to a public key decrypt so it returns an error message or the plain text so let's go through here so
31:07
I'm basically gonna go through the sample that we were talking about earlier we're talking about Charlie and Bob and Alice and this IT type organization so this is basically just generating two different key pairs over here so Bob's key pair and Patty groups keeping here the reason I voted because key pair generation is boring is because it's it's really important in the scheme to remember that groups and users are really the same so users can be treated as groups groups can be treated as subgroups like so public private keys and especially with our system you can use these things for many purposes and you can delegate to people you can delegate to groups you can there's all kinds of fancy stuff you can do so don't get stuck in your brain about like oh well this is a user key because you could treat it as a group okay so
32:03
encrypting a value to fatty group I mean we a goal with this library is to make the public API as as simple as possible anybody who's used open SSL or any any other cryptographic collaborate is is gone off to try to figure out what's going on you're passing in immutable immutable values that they're gonna fill out and pass back to like it's just it's just bad we wanted to read exactly like the pseudocode algorithm should read so here we just generate a plaintext we crypt that plaintext and yield the encrypted value so it reads like pseudo code and we're encrypting to the public key and so little note about signing keys I kind of pointed out earlier but because did the signing Keys separate from keys we use cd25 509 that means we pass in these police signing keys to detect if somebody's screwed with the interrupted values so it makes sleep yeah a little Messier but I think it's still pretty straightforward so another thing to note here is that this encrypted value never has to change ever you can put it on the blockchain you can put it in a database and Kafka a mutable key value stores whatever you want to do you can do that and you never ever ever have to change this encrypted value so no matter who you who you want to share with the group with you never have to change that okay so we heard
33:35
charlie so we generate Charlie's keeper so that would happen on her device that piece would happen on her device and then Bob takes her public key and he just generates a transform key from the IT group private key which in Charlie's public key and that's it so he generates that transfer key and he sends it off to the public key repository that's holding onto all this information so now we have basically this is how Charlie gets added to the group she's now on the group so
34:09
hiring again just to show that like it's the same no matter what like Alice the same thing she's here as key pairs you generate a transform key and you send it off so this is what you would call adding that heard of the group it also doesn't matter how many documents are shared with the group this operation is constant I'm just just the one thing doesn't matter how many millions of AWS Secrets you have encrypted but what if what if Alice
34:39
quits sorry what if I also wants to decrypt this sorry so it Alice comes in and basically needs the transformed value so this transform function that's happening at the top that would happen on the proxy server so this will just pretend that that has happened there and then this the transformed data would be sent back to her request so the important thing here is that the transformed data and the original encrypted data have the same shape that's what Bob was talking about when he was talking about multi hop so if if you wanted to transform that data again you could take that transform data and transform it again to give it access to a device or give access to a sub group or whatever so it's it's important when you look at the like I put all the types on the left side there that encrypted value is the same thing we got out of the encrypted function so it could be encrypted or it could be already one step transformed and you could do it over and over again so if Alice quits we
35:52
don't need to do anything special all we need to do is just forget your transform
35:55
key and we just walk away
35:57
now that's what a lot of people are
36:01
starting to cut this like crypto
36:04
shredding or cryptographically erasing
36:07
things like all these terminology that
36:10
just means well they can't decrypt it
36:12
anymore so I don't know why it's like a
36:15
new thing that we're we're doing as an industry but I guess we are so as you
36:21
can see like this API is like super approachable there's nothing crazy here
36:25
so if you're at all interested in this we have a ton of property based tests in our core API tests on the github repo
36:35
and it goes through like two and three and four level B encryption steps with
36:41
different like devices and subgroups and all kinds of augmentations of keys and
36:45
there's there's some really neat stuff that you can do there if you have any
36:49
questions at all like feel free to open
36:50
an issue like it's not clear what's happening in this test case or what
36:54
about this other thing that I'd like to do I'm wide open to like answering any
36:59
questions on that but I think the property based tests give a pretty good
37:03
overview of that so what else like Bob
37:08
mentioned quite a few of these things but just to bring it back around again multihop proxy encryption is super super super cool because you can treat users as groups and groups and subgroups and there's there's just really no limit to the two the things you could do with that kind of stuff every hop makes things slower so that's that is one thing that happens when when you do eat the all these transformations obviously you have to unroll them like math isn't free so that's that's a struggle there but it's really simple there's some pretty cool stuff you could do and he mentioned the gdpr which is a big deal so the right to forget and being able to just say like oh we caught a crypto shredded this data and we can't unlock it anymore so we forgot who you are like being able to do that in a constant time instead of you know sending your IT guy off to just like search through databases for three days like that's that's a that's a gamechanger in my opinion key rotation could also be encoded with an extra hop so if you wanted to say like oh I want to like get a new key you could make your old key just delegate to your new key and you could not have to reencrypt all your old data there's some caveats there but so it is
38:34
all out there on github so we just open source it pretty recently it's only on the JVM and in JavaScript so it's pretty limiting as far as platforms are concerned but we have some other stuff coming that's pretty exciting but we're not quite ready to talk about it yet it's also not that fast yet we have a benchmarks thing in your in the repo so feel free to clone it and like see the benchmarks but it certainly could use some work there were are working on it and are open to any suggestions or anything like that and really managing the groups managing the public keys managing the transfer own keys and identities like that's where the struggle comes in here that I showed the code and the code is super simple they're like all about all the Identity Management is really the harder part of this in terms of of getting it right so questions
39:40
I actually have two questions the first one is about the transform key storage as far as I can tell mathematically speaking possession of the transform key and the destination private key is equivalent to holding the original private key because once you have them both you can just transform and decrypt so you clearly need to store these transform keys in some way that's secure you know you don't want somebody who you know has a trench for the key issued breaks into the proxy server takes trim from key and then you can never revoke them so I mean is there any plan to implement this on secure Hardware secure elements things like that so that a proxy can securely store these transform keys so yeah if you have the private key of the person that has been transformed to and you have the transform key here right like that's that's equivalent to having like access all the data the transform key is only it's only sort of the proxy but you're right you could break in there we don't have plans to do anything special there at least not in the very near future it is basically the compromise a compromise of multiple systems including you know their device and that could actually be revoked we can use some key augmentation tricks to make sure that that values that are encrypted to a certain user can't be unlocked by their private key and can only vote by devices and that's somebody to get into here but I think I guess the short answer your question No and yeah that's that's a problem but not as big a problem as the other question I had was so the issuance of transform Keys requires the private key is it possible to use the same trick to delegate that authority so I could use my private key to generate a transform key that I then transform into another transform key I'm sorry I have to think about that a little more let's yeah let's talk to thinking a group of people that are the admins you know that might be possible but I think a lot easier approach than that and one that we have an implement that we're going to is basically doing a key splitting idea so if I've got a group of admins that have a you know they have access to the private key for a for a group and it's an important group like the IT group for my organization I take that private key and I basically split it M ways I've got M employees and then I require that it you know some sub group of them that's more than one have to work together to put the key back together before they can use it I think that's a accomplishes maybe not exactly the same things we're close to the same things and it's a it's a significantly easier thing to think about in your heads thank you I have some questions about the performance of this proxy server as it is applying these transform keys because it can't give out the transform key so been doing this transform that would basically that's a computationally expensive operation correct would there potentially be any downsides to ticking digging a play out of GnuPG this book and doing the initial encryption with a symmetric key that is very fast and then only doing a transform on the encryption of that symmetric key yeah I mean this is envelope encryption so like we're the only thing one encrypting is the AES key okay so the transform is expensive so I mean the performance of the libraries is it's not where we want it to be but you know I'm making it faster and like and working on that and there's there's another thing that the proxy server can actually catch those transforms values if it wants to because I mean every time it asks for one I mean it's gonna get well not quite the same answer but almost the same answer every time so you could actually cache those if you were worried about performance you could catch the transform value for some period of time if somebody was just asking over and over and over again for that same value that was my next question thank you any other questions all right thank you