-
Privacy-enhancing cryptography at NIST
Luís Brandão and René Peralta
National Institute of Standards and Technology (Gaithersburg, MD, USA)
Presented at the 2nd ZKProof Workshop, April 11, 2019 (Berkeley, USA)
Contact email: [email protected]
1/21
-
Outline
1. Crypto Standards at NIST
2. Privacy-Enhancing Crypto
3. Our perspective on ZKProof
4. Conclusions
-
1. Crypto Standards at NIST
-
1. Crypto Standards at NIST
Some history
• 1977: FIPS 46 “Data Encryption Standard (DES)”
• 1990s: Public-key Cryptography (FIPS 186, SP 800-56A/56B)
• 2001: FIPS 197 “Advanced Encryption Standard (AES)”
• Dual EC DRBG episode
• 2015: FIPS 202 “SHA-3” (Secure Hash Function 3)
• Ongoing standardization projects:
  • Post-Quantum Cryptography (PQC)
  • Lightweight Cryptography (LWC)
  • Threshold Cryptography
-
1. Crypto Standards at NIST
Several approaches
• Cryptographic algorithm competitions:
  • Advanced Encryption Standard (AES)
  • Secure Hash Algorithm 3 (SHA-3)
• Adopt standards from other standardization organizations.
• Develop new standards:
  • In-house development based on well-accepted research results (e.g. SP 800-56C).
  • Selected among submissions (e.g. modes of operation in the SP 800-38 series).
  • Not a competition, but based on a call for submissions: PQC, LWC.
• Open to other approaches...
-
1. Crypto Standards at NIST
Overview of NIST Crypto Standards
-
1. Crypto Standards at NIST
Privacy at NIST
NIST Privacy Framework: https://www.nist.gov/privacy-framework
• Envisioned to be a voluntary enterprise risk-management tool to help organizations manage individuals’ privacy risk
• Drafting the NIST Privacy Framework: Workshop #2 in Atlanta, May 13–14 (https://www.nist.gov/news-events/events/2019/05/drafting-nist-privacy-framework-workshop-2)
Data de-identification challenges, e.g. https://www.herox.com/UnlinkableDataChallenge/community
Privacy-enhancing Cryptography: this presentation.
-
2. Privacy-Enhancing Crypto
-
2. Privacy-Enhancing Crypto
The NIST PEC project
Privacy-Enhancing Cryptography (PEC): https://csrc.nist.gov/Projects/Privacy-Enhancing-Cryptography
• It’s been dormant ... now getting revived.
• Fundamental role for SMPC and zero-knowledge proofs.
• An important goal: develop useful reference materials.
-
2. Privacy-Enhancing Crypto
Reference materials
In order to:
• Assess the state of things in a particular area.
• Motivate real-use applications or proofs of concept.
• Frame development of standards and future discussions.
• Enable interoperability for companies doing things now.
Context is PEC use-cases:
• Brokered identification
• “Students’ right to know”
• Privacy-preserving public auditability
-
2. Privacy-Enhancing Crypto
Use-case: Brokered identification in FCCX (1/2)
[Figure: the Hub (“Manage protocol”) brokering between the IDP and the SP, with the User below.]
• Why this example? It relates to privacy, and it relates to the identity-framework use-case in the ZKProof docs.
• Design constraints in place: mostly-passive user; broker must exist. (We can’t always choose the optimal solution paradigm.)
• Not enough privacy-preserving reference material for engineers.
-
2. Privacy-Enhancing Crypto
Use-case: Brokered identification in FCCX (2/2)
[Figure: FCCX brokered-identification flow between User, SP, Hub and IdP. Redirections go via the user-agent; the user-pseudonym is persistent and anonymous. Steps legible in the diagram: 1. Request resource; 2. Sign_SP(request); 3. Select IdP; 4. Sign_Hub(request); 5. Authenticate to IdP; 6. Sign_IdP(atts) (assertion); 9. Sign_Hub(atts) (assertion). atts = {name = John Doe, address = Street X, Bday = 1/2/1993, ...}]
The “National Strategy for Trusted Identities in Cyberspace” wanted privacy properties for this, e.g.:
• End-to-end encrypted attributes
• Unlinkability of user-transactions by the Hub
PEC can solve it ... but even a simple (semi-honest) Diffie-Hellman key-exchange was beyond vendors’ capabilities.
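The first property above is what a key exchange between IdP and SP buys when the Hub only relays public values. Added example, not code from this talk or from FCCX: an X25519 exchange with the attribute bundle sealed under AES-256-GCM, so the Hub forwards the assertion but cannot read the attributes (unlinkability is not addressed here). The Endpoint/Session/Seal/Open names and the use of SHA-256 in place of a labelled KDF are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Endpoint is an attribute sender or receiver (IdP or SP) holding an X25519 key pair.
type Endpoint struct{ priv *ecdh.PrivateKey }

func NewEndpoint() (*Endpoint, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	return &Endpoint{priv: k}, err
}
// Public is the only key material the Hub ever sees; it relays it to the peer unchanged.
func (e *Endpoint) Public() []byte { return e.priv.PublicKey().Bytes() }
// Session derives the attribute-encryption AEAD from the peer's relayed public value;
// SHA-256 of the raw shared secret stands in for a labelled KDF (simplification).
func (e *Endpoint) Session(peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := e.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always accepted
	return cipher.NewGCM(block)
}
// Seal encrypts the attribute bundle for the peer (AES-256-GCM, random nonce prepended).
func Seal(g cipher.AEAD, atts []byte) ([]byte, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, atts, nil), nil
}
// Open recovers the attributes; a Hub holding only the public values cannot.
func Open(g cipher.AEAD, blob []byte) ([]byte, error) {
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("assertion too short")
}
```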
-
2. Privacy-Enhancing Crypto
Use-case: Student’s right to know
• Proposal to mandate the use of SMPC to calculate the monetary return on students’ investment in education.
• Data is distributed among several entities. Because of privacy concerns, these entities cannot share the data.
• https://www.govtrack.us/congress/bills/116/s681/text
-
2. Privacy-Enhancing Crypto
Use-case: public-auditability with randomness
The NIST Randomness Beacon
• Broadcasts a randomness pulse every 60 seconds
• Each pulse commits to a fresh 512-bit random string
• Each pulse is time-stamped and signed by NIST
• Hash-chained pulses for an immutable public record
• Cryptographic fields support strong trust assurance
[Figure: Beacon architecture diagram, labelled: HSM (Clock, RNG, Sign), RNG#3 (external entropy), Beacon Engine, Time server, Pulse, Beacon App, Firewall; background of random bits.]
Public randomness facilitates public auditability of randomized processes.
Enhancing them with privacy-preserving properties is a matter of PEC.
https://beacon.nist.gov/home
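As an added example, not the Beacon's own code or pulse format: a constructed, simplified pulse (index, timestamp, fresh 512-bit random value, previous output) that is signed and hash-chained as the bullets describe, plus the chain verification any auditor can run over the public record. Ed25519 stands in for the Beacon's signature scheme, and the field layout is an assumption of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"errors"
)
// Pulse is a constructed, simplified model of a beacon pulse, not the NIST format.
type Pulse struct {
	Index      uint64
	Timestamp  uint64   // seconds since the epoch
	RandomHSM  [64]byte // fresh 512-bit value from the beacon's RNG
	PrevOutput [64]byte // output of the previous pulse: the hash chain
	Signature  []byte   // over the four fields above
	Output     [64]byte // SHA-512 over the signed fields and the signature
}
// signedBytes is the canonical serialisation covered by the signature and the output.
func (p *Pulse) signedBytes() []byte {
	b := binary.BigEndian.AppendUint64(nil, p.Index)
	b = binary.BigEndian.AppendUint64(b, p.Timestamp)
	b = append(b, p.RandomHSM[:]...)
	return append(b, p.PrevOutput[:]...)
}
// NewPulse extends the chain: commit to fresh randomness, sign, then hash.
func NewPulse(sk ed25519.PrivateKey, prev *Pulse, ts uint64) (*Pulse, error) {
	p := &Pulse{Timestamp: ts}
	if prev != nil {
		p.Index, p.PrevOutput = prev.Index+1, prev.Output
	}
	if _, err := rand.Read(p.RandomHSM[:]); err != nil {
		return nil, err
	}
	p.Signature = ed25519.Sign(sk, p.signedBytes())
	p.Output = sha512.Sum512(append(p.signedBytes(), p.Signature...))
	return p, nil
}
// VerifyChain is the audit any member of the public can run over the record.
func VerifyChain(pk ed25519.PublicKey, chain []*Pulse) error {
	for i, p := range chain {
		if !ed25519.Verify(pk, p.signedBytes(), p.Signature) ||
			p.Output != sha512.Sum512(append(p.signedBytes(), p.Signature...)) {
			return errors.New("pulse signature or output invalid")
		}
		if i > 0 && (p.Index != chain[i-1].Index+1 || p.PrevOutput != chain[i-1].Output) {
			return errors.New("hash chain broken")
		}
	}
	return nil
}
```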
-
2. Privacy-Enhancing Crypto
Research in multiplicative complexity (MC)
• Reference circuits for AES
• MC is relevant for ZK, SMPC, ..., since usually XOR gates are free and ANDs are expensive
• Intention to develop a circuit file format
-
3. Our perspective on ZKProof
-
3. Our perspective on ZKProof
ZKProof assessment
Our perspective on the ZKProof initiative:
• ZKProof is well within the reference materials approach
• Documentation can evolve into a useful reference
• Recent engagement: LaTeX porting, proposed developing a reference, sent comments
-
3. Our perspective on ZKProof
ZKProof assessment
Do conceivable use-cases fit within the process being developed?
• Good scenario: spend time building things, and they turn out to be useful in achieving myriad functionalities.
• Bad scenario: spend 10 years on something and not enable something we now know is important.
-
4. Conclusions
-
4. Conclusions
Final Remarks
• NIST is interested in crypto development and interoperability
• That is achieved via standards and reference material
• NIST PEC wants to keep up to date with, and support, external initiatives
• NIST PEC is interested in supporting ZKProof
-
4. Conclusions
Thank you for your attention
The PEC team is:
• Luís Brandão
• René Peralta
• Angela Robinson
email: [email protected]