Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)

@ironcorelabs
Implementing a Library for Pairing
Based Transform Cryptography

@ironcorelabs
bobwall23
@bithead_bob
bob.wall@ironcorelabs.com
coltfred
@coltfred
colt.frederickson@ironcorelabs.com

@ironcorelabs
Bob Wall
@bithead_bob
Can You Trust the Cloud?

@ironcorelabs
Bob Wall
@bithead_bob
End to End Encryption
Alice’s Device Bob’s Device
Bob’s
Public Key
Bob’s
Private Key

@ironcorelabs
Bob Wall
@bithead_bob
End to End Encryption Apps
Telegram
WickrProtonMail
WhatsAppSignal

@ironcorelabs
Bob Wall
@bithead_bob
Encrypting to a Group

@ironcorelabs
Bob Wall
@bithead_bob
Encrypting to a Group
User’s
Public Key
User’s
Public Key
Document
Document
encrypted to the
group of usersUser’s
Public Key
User’s
Public Key

@ironcorelabs
Bob Wall
@bithead_bob
Envelope Encryption
Random
AES Key
Alice’s
Public Key
Bob’s
Public Key
Random
AES Key
Random
AES Key
Document

@ironcorelabs
Bob Wall
@bithead_bob
Adding a Recipient
Random
AES Key
Carol’s
Public Key
Random
AES Key
Alice’s
Public Key
Bob’s
Public Key
Random
AES Key
Random
AES Key
Document

@ironcorelabs
Bob Wall
@bithead_bob
Orthogonal Access Control
Build a system that:
Allows users to decide which groups are allowed to access data
 
Independently allows group administrators to control who belongs
to those groups
 
Relies on cryptographically backed access control, rather than
policy-based controls
Makes each change to group membership, access grant, or access
revocation a constant-time operation independent of number of
users, groups, documents

@ironcorelabs
Bob Wall
@bithead_bob
Proxy Re-Encryption (PRE)
Set of cryptographic algorithms based on public key
encryption - often pairing-based cryptography 
Originally designed to allow the recipient of an
encrypted message to delegate access to another
party without sharing her private key

@ironcorelabs
Bob Wall
@bithead_bob
PRE Primitives
PRE algorithms typically include five cryptographic
primitives:
1.Key Generation
2.Transform Key Generation
3.Encryption
4.Transformation (ReEncryption)
5.Decryption

@ironcorelabs
Bob Wall
@bithead_bob
Transform Key Generation
ProxyDelegator Delegatee
Delegator
Private Key
Delegatee
Public Key
Transform
Key

@ironcorelabs
Bob Wall
@bithead_bob
Delegation of Access
File Encrypted
to Delegator
Transform
Key
Proxy
File Encrypted
to Delegatee
Delegatee
Private Key

@ironcorelabs
Bob Wall
@bithead_bob
PRE for Orthogonal Access Control
Introduce the concept of a group
Create a group
Encrypt document to the group
Add a member to the group
Allows immediate access to document without 
requiring any modification
Remove a member from the group
Immediate revokes access, also without requiring 
modification

@ironcorelabs
Bob Wall
@bithead_bob
Creating a Group
Encrypted
Group Key
Admin Key
User
User
Public Key
Group
Private Key
Group

@ironcorelabs
Bob Wall
@bithead_bob
Adding a Member to a Group
Group
Private Key
Group
Group to
User
Transform KeyUser
User
Public Key

@ironcorelabs
Bob Wall
@bithead_bob
Granting Access to a Group
Group
Public Key
Group
Encrypted
to Group
Access-Controlled
Document
Document

@ironcorelabs
Bob Wall
@bithead_bob
Group Member Accessing Document
File Encrypted
to Group
Transform
Key
Proxy
File Encrypted
to User
User
Private Key

@ironcorelabs
Bob Wall
@bithead_bob
Removing Member from a Group
Transform
Key

@ironcorelabs
Bob Wall
@bithead_bob
Improving Security
User will use one or more devices to generate or
access data
Instead of sharing user’s private key across devices,
add another layer of delegation, from user to device
Device private keys always stay on device
Device access can be revoked if device is lost or
compromised

@ironcorelabs
Bob Wall
@bithead_bob
Multi-Hop PRE
Encrypted to A A to B
Document
Transform
Key
Transformed
Encrypted
Document User B
Private Key
Document
Decrypted

@ironcorelabs
Bob Wall
@bithead_bob
Multi-Hop PRE
Transformed
Encrypted
Document
B to C
Transform
Key
Doubly
Transformed
Document
User C
Private Key
Document
Decrypted

@ironcorelabs
Bob Wall
@bithead_bob
System with
Addition of
Devices
Groups
Users
Devices
Transform
Keys
Transform
Keys

@ironcorelabs
Bob Wall
@bithead_bob
Add Device to User
User
Private Key
User
Device
Public Key
User to
Device
Device
Transform Key

@ironcorelabs
Bob Wall
@bithead_bob
Device Requests Access to Document
Proxy searches for shortest path of transforms from
doc to device
Doc shared with user, user approved device
Doc shared with group, user belongs to group, user
approved device
Proxy applies transforms in succession to generate
doc encrypted to device
Device decrypts using private key

@ironcorelabs
Bob Wall
@bithead_bob
Tada! Scalable End-to-End Encryption
Can handle arbitrarily large groups of users
Granting or revoking access is constant-time
operation
No need to copy private keys all over the place

@ironcorelabs
Bob Wall
@bithead_bob
PRE to Protect User PII
User’s
Private Data
User
Public Key
Encrypted
Data
User
Private Key
Company
Public Key
Transform
Key
User to
Company

@ironcorelabs
Bob Wall
@bithead_bob
PRE Library
We have implemented the PRE primitives in a
Scala library
We use ScalaJS to generate a client-side
Javascript library from the same source
Library is open source, available on GitHub
- IronCoreLabs/recrypt

@ironcorelabs
Bob Wall
@bithead_bob
Working System
We built a Javascript SDK around the library
SDK talks to a service that functions as the
public key repository and transformation proxy
Developers are free to try the system -
https://docs.ironcorelabs.com has a Getting
Started example

@ironcorelabs
Bob Wall
@bithead_bob
Pairing-Based Cryptography
The PRE algorithms we selected are built using
pairing-based cryptography, which is in turn built
using elliptic curve cryptography.
Elliptic curve crypto is pretty standard today, but
pairing-based crypto is less frequently
encountered.

@ironcorelabs
Bob Wall
@bithead_bob
Bilinear Pairings
The basic operation in pairing-based crypto is the
bilinear pairing (also called a bilinear mapping).
This is a function defined as follows:
e : G1 x G2 -> GT
That is, e takes one argument from a group G1 and
one argument from a group G2 and produces a value
that is in another group GT

@ironcorelabs
Bob Wall
@bithead_bob
Properties of Bilinear Pairings
For e to be bilinear, it needs to satisfy these
properties:
e(R + S, T) = e(R,T)e(S,T)
e(R, S + T) = e(R,S)e(R,T)
e(aS,bT) = e(S,T)ab = e(S,T)ba = e(bS, aT) 
for all positive ints a,b

@ironcorelabs
Bob Wall
@bithead_bob
How We Use Pairings
e : G1 x G2 -> GT
G1 is the group of points E[Fp]
G2 is the group of points E’[Fp2]
GT is the group containing the rth roots of unity
in Fp12. Note that these values are not points.
All three groups have order r.

@ironcorelabs
Bob Wall
@bithead_bob
Using Pairings for Crypto
The bilinearity properties allow you to swap the
scalar multiples of two points. For instance, an
elliptic curve key pair is
pk = g1 * sk
That is, the public key is just the secret key
times a fixed generator point g1 in G1.

@ironcorelabs
Bob Wall
@bithead_bob
Pairing-Based Encryption
Suppose Alice generates a keypair (skA, pkA), Bob
generates (skB, pkB), and both public keys are made
available to anyone.
Alice can encrypt a message m to Bob by computing
em = m * e(pkB, skA * g2)
where g2 is a generator point in G2.
Bob can recover m by computing
m = em * e(pkA, -skB * g2)

@ironcorelabs
Bob Wall
@bithead_bob
The Magic of Bilinearity
This works because
m * e(pkB, skA * g2) =
m * e(skB * g1, skA * g2) =
m * e(skA * g1, skB * g2) =
m * e(pkA, skB * g2)
And
m * e(pkA, skB * g2) * e(pkA, -skB * g2) =
m * e(pkA, (skB - skB) * g2) = m

@ironcorelabs
Bob Wall
@bithead_bob
A Note on Security
The security of pairing-based crypto relies on two
hard problems: the Elliptic Curve Discrete Log
Problem (protects secret keys when you know public
keys) and the Discrete Log Problem, which protects
the pairing itself.
The latter is because the group GT is not a set of
elliptic curve points, but a group over a finite
field.

@ironcorelabs
Bob Wall
@bithead_bob
Security (cont.)
Recent advances in the use of Number Field Sieves
to attack the Discrete Log Problem, and some
improved analysis of those attacks, have led
researchers to conclude that the equivalent
security of the degree 12 extension of a 256 bit
prime field is under 100 bits.
Estimated that getting back to 128 bit equivalent
security takes a prime of at least 461 bits.

@ironcorelabs
Colt Frederickson
@coltfred
Let's see it in action!

@ironcorelabs
Colt Frederickson
@coltfred
Bob the IT manager.

@ironcorelabs
Colt Frederickson
@coltfred
Charlie is our newest hire!

@ironcorelabs
Colt Frederickson
@coltfred
Excited to bring Alice on board!

@ironcorelabs
Colt Frederickson
@coltfred
Alice is a quitter!

@ironcorelabs
Colt Frederickson
@coltfred
Overview
class Api(randomByteVector: IO[ByteVector], signing: Ed25519Signing) {
def generateKeyPair: IO[(PrivateKey, PublicKey)]
def generatePlaintext: IO[Plaintext]
def generateTransformKey(
fromPrivateKey: PrivateKey,
toPublicKey: PublicKey,
fromPublicSigningKey: PublicSigningKey,
fromPrivateSigningKey: PrivateSigningKey
): IO[TransformKey]
def transform(

@ironcorelabs
Colt Frederickson
@coltfred
Overview
): IO[TransformKey]
def transform(
encryptedValue: EncryptedValue,
transformKey: TransformKey,
publicSigningKey: PublicSigningKey,
privateSigningKey: PrivateSigningKey
): IO[EncryptedValue]
def encrypt(
plaintext: Plaintext,

@ironcorelabs
Colt Frederickson
@coltfred
Overview
def encrypt(
def decrypt(
privateKey: PrivateKey
): Either[String, Plaintext]

@ironcorelabs
Colt Frederickson
@coltfred
Overview
def decrypt(

@ironcorelabs
Colt Frederickson
@coltfred
Api.scala Example.scala
Generate Keys
for {
(bobPriv, bobPub) <- api.generateKeyPair
(itGroupPriv, itGroupPub) <- api.generateKeyPair
} yield (bobPriv, bobPub) -> (itGroupPriv, itGroupPub)
signing: Ed25519Signing)
def generateKeyPair: IO[(
PrivateKey,
PublicKey
)]

@ironcorelabs
Colt Frederickson
@coltfred
for {
plaintext <- api.generatePlainText
encrypted <- api.encrypt(plaintext,
itGroupPub,
bobPublicSigningKey,
bobPrivateSigningKey)
} yield encrypted
. . .
def encrypt(
def decrypt(
Encrypt value to IT group

@ironcorelabs
Colt Frederickson
@coltfred
IT hires Charlie!
for {
//Hire Charlie, so she generates her keys.
//This happens on her own device, but for demo
//we’ll generate them here.
(charliePrivateKey,
charliePubKey) <- api.generateKeyPair
//"add" her to the group
itGroupToCharlieTransform <- api.generateTransformKey(
itGroupPriv,
charliePubKey,
} yield itGroupToCharlieTransform
): IO[TransformKey]
def transform(

@ironcorelabs
Colt Frederickson
@coltfred
Hiring again, rinse and repeat.
for {
//Hire Alice, so she generates her keys.
(alicePriv, alicePub) <- api.generateKeyPair
//"add" her to the group
itGroupToAliceTransform <- api.generateTransformKey(
itGroupPriv,
alicePub,
bobPrivateSigningKey)
} yield itGroupToAliceTransform
): IO[TransformKey]
def transform(

@ironcorelabs
Colt Frederickson
@coltfred
Alice decrypts
for {
transformedData <- api.transform(
encryptedValue,
itGroupToAliceTransform,
transformingServicePubSigning,
transformingServicePrivSigning)
//For this demo, convert the error into an
//exception if it fails
decryptedData <- api.decrypt(
transformedData,
alicePriv).toIO
} yield decryptedData
def transform(
. . .
def decrypt(

@ironcorelabs
Colt Frederickson
@coltfred
Oh No, Alice quit! Now what?
Forget her transform key.

@ironcorelabs
Colt Frederickson
@coltfred
Oh No, Alice quit! Now what?

@ironcorelabs
Colt Frederickson
@coltfred
What Else?
- Multi-hop means you can do really neat things!
- Each user can have a master key and many devices
which makes the loss of a "device key" a non issue.
You just forget the device transform key to revoke
access.
- Each group can have sub groups, which allows for
solving problems with GDPR, such as right to forget.
- Key rotation could be encoded by generating
transform keys between your old key and the new one.

@ironcorelabs
Colt Frederickson
@coltfred
Isn't this too good to be true?
- It's all out on GitHub: https://github.com/
IronCoreLabs/recrypt

bobwall23
@bithead_bob
coltfred
@coltfred
@ironcorelabs ironcorelabs.com
bob.wall@ironcorelabs.com colt.frederickson@ironcorelabs.com

Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)

Recommandé

Recommandé

Contenu connexe

Similaire à Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)

Similaire à Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE) (20)

Plus de IronCore Labs

Plus de IronCore Labs (7)

Dernier

Dernier (20)

Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)