Privacy-enhancing cryptography at NIST
Luís Brandão and René Peralta
National Institute of Standards and Technology (Gaithersburg MD, USA)
Presented at the 2nd ZKProof Workshop, April 11, 2019 (Berkeley, USA)
Contact email: [email protected]
Outline
1. Crypto Standards at NIST
2. Privacy-Enhancing Crypto
3. Our perspective on ZKProof
4. Conclusions
1. Crypto Standards at NIST
Some history
• 1977: FIPS 46 “Data Encryption Standard (DES)”
• 1990s: Public-key Cryptography (FIPS 186, SP 800-56A/56B)
• 2001: FIPS 197 “Advanced Encryption Standard (AES)”
• Dual EC DRBG episode
• 2015: FIPS 202 “SHA-3” (Secure Hash Function 3)
• Ongoing standardization projects
  - Post-Quantum Cryptography (PQC)
  - Lightweight Cryptography (LWC)
  - Threshold Cryptography
Several approaches
• Cryptographic algorithm competitions.
  - Advanced Encryption Standard (AES).
  - Secure Hash Algorithm 3 (SHA-3).
• Adopt standards from other standardization organizations.
• Develop new standards.
  - In-house development based on well-accepted research results (e.g. SP 800-56C).
  - Selected among submissions (e.g. modes of operation in the SP 800-38 series).
  - Not a competition, but based on a call for submissions: PQC, LWC.
• Open to other approaches...
Overview of NIST Crypto Standards
Privacy at NIST
NIST Privacy Framework: https://www.nist.gov/privacy-framework
• Envisioned to be a voluntary enterprise risk management tool to help organizations manage individuals' privacy risk
• Drafting the NIST Privacy Framework: Workshop #2 in Atlanta, May 13–14
  https://www.nist.gov/news-events/events/2019/05/drafting-nist-privacy-framework-workshop-2
Data de-identification challenges, e.g. https://www.herox.com/UnlinkableDataChallenge/community
Privacy-enhancing Cryptography: this presentation.
2. Privacy-Enhancing Crypto
The NIST PEC project
Privacy-Enhancing Cryptography (PEC): https://csrc.nist.gov/Projects/Privacy-Enhancing-Cryptography
• It's been dormant ... now getting revived.
• Fundamental role for SMPC and zero-knowledge proofs.
• An important goal: develop useful reference materials.
Reference materials
In order to:
• Assess the state of things in a particular area.
• Motivate real-use applications or proofs of concept.
• Frame development of standards and future discussions.
• Enable interoperability for companies doing things now.
Context is PEC use-cases:
• Brokered identification
• “Students' right to know”
• Privacy-preserving public auditability
Use-case: Brokered identification in FCCX (1/2)
[Figure: “Manage protocol” diagram showing the Hub, the IDP, the SP and the User.]
• Why this example? It relates to privacy; relates to the identity framework use-case in the ZKProof docs.
• Design constraints in place: mostly-passive user; broker must exist. (We can't always choose the optimal solution paradigm.)
• Not enough privacy-preserving reference material for engineers.
Use-case: Brokered identification in FCCX (2/2)
[Figure: message flow among the User (via user-agent), the SP, the Hub and the IDP. Legible steps: 1. Request resource; 2. Sign_SP(request); 3. Select IDP; 4. Sign_Hub(request); 5. Authenticate to IDP; 6. Sign_IDP(assertion, atts); 9. Sign_Hub(assertion, atts). Messages are relayed by redirection via the user-agent; the user-pseudonym is persistent and anonymous; atts = {name = John Doe, address = Street X, Bday = 1/2/1993, ...}.]
The “National Strategy for Trusted Identities in Cyberspace” wanted privacy properties for this, e.g.:
• End-to-end encrypted attributes
• Unlinkability of user-transactions by the Hub
PEC can solve it ... but even a simple (semi-honest) Diffie-Hellman Key-Exchange was beyond vendors' capabilities.
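The following is an added example, not part of the slides or of the FCCX design, showing the "simple (semi-honest) Diffie-Hellman key exchange" that gives end-to-end encrypted attributes in a brokered flow: the SP's DH share travels in the signed request, the IDP's share and the encrypted attributes travel in the signed assertion, and the Hub, which only relays, never sees attribute plaintext. The group parameters, the hash-derived stream cipher and the message layout are all assumptions made for this example (the group is a tiny toy and the cipher is a stand-in; a real deployment would use a standard DH group or X25519 and an authenticated cipher such as AES-GCM).

```python
"""Added example (not from the slides): end-to-end protection of the
attributes ('atts') in a brokered-identification flow via a semi-honest
Diffie-Hellman key exchange between the IDP and the SP. The Hub relays
messages and never sees the attribute plaintext.

Toy parameters: the group below is tiny and insecure and exists only to keep
the example self-contained; a real deployment would use a standard group
(e.g. an RFC 7919 finite-field group or X25519) and an authenticated cipher
such as AES-GCM instead of the hash-derived keystream used here.
"""
import hashlib
import hmac
import json
import secrets

# Constructed toy group: safe prime p = 2q + 1 and generator g = 4 of the
# order-q subgroup (4 is a quadratic residue mod any odd prime).
P = 2039
Q = (P - 1) // 2
G = 4


def dh_keypair():
    """Private exponent x in [1, q-1] and public value g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def dh_shared_key(own_priv, peer_pub, transcript):
    """Derive a 32-byte key from the DH secret and the public transcript.
    The subgroup check rejects small-subgroup values a misbehaving peer could send."""
    if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
        raise ValueError("peer public value is not in the expected subgroup")
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(4, "big") + transcript).digest()


def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR with SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for block_index in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + block_index.to_bytes(4, "big")).digest()
        chunk = data[block_index:block_index + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def encrypt_atts(key, atts):
    """Encrypt-then-MAC the attribute dictionary; returns a relayable message."""
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(atts, sort_keys=True).encode()
    ciphertext = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ciphertext, "tag": tag}


def decrypt_atts(key, msg):
    """Verify the MAC before decrypting; a tampered message is rejected."""
    expected = hmac.new(key, msg["nonce"] + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        raise ValueError("attribute message failed integrity check")
    return json.loads(keystream_xor(key, msg["nonce"], msg["ct"]))


def brokered_flow(atts):
    """Deliver atts from IDP to SP through the Hub.
    Returns (what the SP recovered, everything the Hub relayed)."""
    hub_log = []  # the view of a semi-honest Hub

    sp_priv, sp_pub = dh_keypair()     # SP share, carried in the signed request (steps 2, 4)
    hub_log.append(("request", sp_pub))
    idp_priv, idp_pub = dh_keypair()   # IDP share, carried in the signed assertion (steps 6, 9)
    hub_log.append(("assertion", idp_pub))

    transcript = sp_pub.to_bytes(2, "big") + idp_pub.to_bytes(2, "big")
    idp_key = dh_shared_key(idp_priv, sp_pub, transcript)
    msg = encrypt_atts(idp_key, atts)
    hub_log.append(("encrypted_atts", msg))

    sp_key = dh_shared_key(sp_priv, idp_pub, transcript)
    return decrypt_atts(sp_key, msg), hub_log


def hub_sees_plaintext(hub_log, atts):
    """True if any attribute value shows up in the bytes the Hub relayed."""
    relayed = b"".join(item[k] for _, item in hub_log if isinstance(item, dict)
                       for k in ("nonce", "ct", "tag"))
    return any(str(v).encode() in relayed for v in atts.values())


if __name__ == "__main__":
    sample = {"name": "John Doe", "address": "Street X", "Bday": "1/2/1993"}
    recovered, log = brokered_flow(sample)
    print("SP recovered:", recovered)
    print("Hub saw plaintext:", hub_sees_plaintext(log, sample))
```

Binding the derived key to the transcript of both public values is what keeps a relaying Hub from silently substituting its own share on either side without the mismatch showing up as a failed MAC at the SP; in the semi-honest model assumed on the slide the Hub follows the protocol, and the example then shows that it learns only ciphertext.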
Use-case: Student's right to know
• Proposal to mandate the use of SMPC to calculate the monetary return on students' investment in education.
• Data is distributed among several entities. Because of privacy concerns, these entities cannot share the data.
• https://www.govtrack.us/congress/bills/116/s681/text
Use-case: public-auditability with randomness
The NIST Randomness Beacon
• Broadcasts a randomness pulse every 60 seconds
• Each pulse commits to a fresh 512-bit random string
• Each pulse is time-stamped and signed by NIST
• Hash-chained pulses for an immutable public record
• Cryptographic fields support strong trust assurance
[Figure: Beacon architecture; labelled components: HSM, Clock, RNG, RNG#3, Beacon Engine, Time server, Pulse, RNG Sign, external entropy, Beacon App, Firewall.]
Public randomness facilitates public auditability of randomized processes.
Enhancing them with privacy-preserving properties is a matter of PEC.
https://beacon.nist.gov/home
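As an added example (not from the slides and not the NIST Beacon's actual record format), the block below builds a miniature beacon with the four properties listed on the slide, fresh 512-bit value, time stamp, signature and hash chain, and then runs the checks a public auditor would run over it, plus one publicly auditable random selection derived from a pulse. The pulse layout, the `SIGNING_KEY` and the HMAC stand-in for the beacon's asymmetric signature are assumptions made to keep the example standard-library only.

```python
"""Added example (not from the slides): a miniature hash-chained, signed
randomness beacon and the public audit a consumer can run over it.

Simplified pulse layout, loosely modelled on the slide's bullet points; not
the NIST Beacon's record format. The signature is an HMAC stand-in so the
example runs with the standard library only; a real beacon publishes an
asymmetric signature anyone can verify with the beacon's public key.
"""
import hashlib
import hmac
import secrets

SIGNING_KEY = b"constructed-demo-beacon-key"  # stand-in for the beacon's signing key
PERIOD_SECONDS = 60
GENESIS_OUTPUT = bytes(64)  # "previous output" of the very first pulse


def _pulse_body(index, timestamp, random_value, previous_output):
    """Canonical byte encoding of the signed part of a pulse."""
    return (index.to_bytes(8, "big") + timestamp.to_bytes(8, "big")
            + random_value + previous_output)


def make_pulse(index, timestamp, previous_output, random_value=None):
    """One pulse: fresh 512-bit value, chained to the previous output, signed,
    with an output hash that covers the signature as well."""
    if random_value is None:
        random_value = secrets.token_bytes(64)  # 512 bits, fresh per pulse
    body = _pulse_body(index, timestamp, random_value, previous_output)
    signature = hmac.new(SIGNING_KEY, body, hashlib.sha512).digest()
    output = hashlib.sha512(body + signature).digest()
    return {"index": index, "timestamp": timestamp, "random": random_value,
            "previous": previous_output, "signature": signature, "output": output}


def make_chain(length, start_time=1_554_940_800, seed_values=None):
    """`length` consecutive pulses, one per period; seed_values (optional)
    fixes the random values so that a chain is reproducible in tests."""
    pulses, previous = [], GENESIS_OUTPUT
    for i in range(length):
        rv = seed_values[i] if seed_values else None
        p = make_pulse(i + 1, start_time + i * PERIOD_SECONDS, previous, rv)
        pulses.append(p)
        previous = p["output"]
    return pulses


def verify_chain(pulses):
    """Auditor's check: indices are consecutive, each pulse points at the
    previous output, its signature verifies, and its output hash matches."""
    previous = GENESIS_OUTPUT
    for expected_index, p in enumerate(pulses, start=1):
        if p["index"] != expected_index or p["previous"] != previous:
            return False, f"chain break at pulse {p['index']}"
        body = _pulse_body(p["index"], p["timestamp"], p["random"], p["previous"])
        expected_sig = hmac.new(SIGNING_KEY, body, hashlib.sha512).digest()
        if not hmac.compare_digest(p["signature"], expected_sig):
            return False, f"bad signature at pulse {p['index']}"
        if p["output"] != hashlib.sha512(body + p["signature"]).digest():
            return False, f"bad output hash at pulse {p['index']}"
        previous = p["output"]
    return True, "ok"


def public_draw(pulse_output, candidates, how_many):
    """Publicly auditable random selection (e.g. which submissions get
    audited): anyone holding the published pulse recomputes the same choice."""
    ranked = sorted(candidates,
                    key=lambda c: hashlib.sha256(pulse_output + c.encode()).digest())
    return ranked[:how_many]


if __name__ == "__main__":
    chain = make_chain(5)
    print(verify_chain(chain))
    print(public_draw(chain[-1]["output"], ["lot-A", "lot-B", "lot-C", "lot-D"], 2))
```

The draw is only as auditable as the commitment to use a particular future pulse: the auditor's procedure must fix the pulse index (or time stamp) before the pulse is published, otherwise the party running the draw could pick whichever pulse gives the outcome it prefers.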
Research in multiplicative complexity (MC)
• Reference circuits for AES
• MC is relevant for ZK, SMPC, ..., since usually XOR gates are free and ANDs are expensive
• Intention to develop a circuit file format
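The block below is an added example, not from the slides or from the NIST PEC project, of what "multiplicative complexity" means in practice: it parses two circuits for the 3-input majority (the carry of a full adder), counts their AND gates, and checks by exhaustive truth table that they compute the same function even though one uses two ANDs and the other only one. The one-gate-per-line text format is an assumption made for this example and is not the circuit file format the slide mentions.

```python
"""Added example (not from the slides): count the multiplicative complexity
(number of AND gates) of a Boolean circuit over {AND, XOR, NOT} and check
that two circuits compute the same function.

The text format below is an assumption for this example, not the circuit
file format the slide says NIST intends to develop.
"""
from itertools import product

# Constructed circuit descriptions. Assumed format, one gate per line:
#   <out> = <op> <in1> [<in2>]      with op in {AND, XOR, NOT}
# Inputs are named x0, x1, ...; the last line's output wire is the result.
MAJ_NAIVE = """
t0 = AND x0 x1
t1 = XOR x0 x1
t2 = AND t1 x2
out = XOR t0 t2
"""

# Same function with a single AND: maj(a,b,c) = ((a XOR c) AND (b XOR c)) XOR c
MAJ_ONE_AND = """
t0 = XOR x0 x2
t1 = XOR x1 x2
t2 = AND t0 t1
out = XOR t2 x2
"""


def parse_circuit(text):
    """Return a list of (out_wire, op, [in_wires]) gates; reject malformed lines."""
    gates = []
    for line in text.strip().splitlines():
        out, rhs = (s.strip() for s in line.split("="))
        op, *ins = rhs.split()
        if op not in ("AND", "XOR", "NOT") or len(ins) != (1 if op == "NOT" else 2):
            raise ValueError(f"malformed gate: {line!r}")
        gates.append((out, op, ins))
    return gates


def multiplicative_complexity(gates):
    """AND gates are the costly ones in ZK and SMPC; XOR and NOT are free."""
    return sum(1 for _, op, _ in gates if op == "AND")


def evaluate(gates, inputs):
    """Evaluate the circuit on a tuple of input bits."""
    wires = {f"x{i}": bit for i, bit in enumerate(inputs)}
    for out, op, ins in gates:
        a = wires[ins[0]]
        if op == "NOT":
            wires[out] = a ^ 1
        elif op == "AND":
            wires[out] = a & wires[ins[1]]
        else:  # XOR
            wires[out] = a ^ wires[ins[1]]
    return wires[gates[-1][0]]


def truth_table(gates, n_inputs):
    """Output bit for every input assignment, in lexicographic order."""
    return tuple(evaluate(gates, bits) for bits in product((0, 1), repeat=n_inputs))


def same_function(gates_a, gates_b, n_inputs):
    """Exhaustive equivalence check; fine for small reference circuits."""
    return truth_table(gates_a, n_inputs) == truth_table(gates_b, n_inputs)


if __name__ == "__main__":
    naive, one_and = parse_circuit(MAJ_NAIVE), parse_circuit(MAJ_ONE_AND)
    print("MC naive:", multiplicative_complexity(naive))
    print("MC optimised:", multiplicative_complexity(one_and))
    print("equivalent:", same_function(naive, one_and, 3))
```

For larger reference circuits such as AES, exhaustive truth tables are out of reach and equivalence is checked per component or with a SAT/BDD tool, but the AND count stays the same simple gate tally over the parsed gate list.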
3. Our perspective on ZKProof
ZKProof assessment
Our perspective on the ZKProof initiative:
• ZKProof is well within the reference materials approach
• Documentation can evolve to a useful reference
• Recent engagement: LaTeX porting, proposed developing a reference, sent comments
ZKProof assessment
Do conceivable use-cases fit within the process being developed?
• Good scenario: spend time building things, and they turn out to be useful in achieving myriad functionalities.
• Bad scenario: spend 10 years on something and not enable something we now know is important.
4. Conclusions
Final Remarks
• NIST is interested in crypto development and interoperability
• That is achieved via standards and reference material
• NIST PEC wants to keep up to date with, and support, external initiatives
• NIST PEC is interested in supporting ZKProof
Thank you for your attention
The PEC team is
• Luís Brandão
• René Peralta
• Angela Robinson
email: [email protected]