
Cool, alright. Thanks everyone for coming and voting through my talk. I really hope you like math, because half the slides are math, but I'll walk through the math; it's not that complicated if you just abstract it. Anyway, the talk is about anonymous credentials through modern cryptography. So the agenda for today: motivation, why we want anonymous credentials and why we want these kinds of primitives; a bit of a crypto crash course, because this stuff is based on elliptic curves, so a little security crash course on elliptic curves; then a little bit more in depth on ring signature cryptography and how that's actually constructed. I've actually implemented it myself, but either way I've taken the paper and turned it into pseudocode, and I'll walk through the pseudocode. You don't have to understand the math, but I'll share these slides after, and my slides are usually really information dense, so you can read them after; it's not a bunch of pictures where you're like, oh, what was it this guy said? Then we're going through the credential scheme I had, using the ring signatures and stored credentials, and after that extensions for I2P for the real implementation. If you're not familiar with the project, it's like Tor but darknet only.

Cool. So a little bit about me. I'm lead engineer at a company called Claire Maddox, and I work on distributed systems and cryptography, so blockchains, but more than just blockchains. Mostly a software engineer by trade, but with heavy personal interest in mathematics, cryptography and security. I'm heavily involved in the cryptocurrency and peer-to-peer community. I'm passionate about giving non-crypto devs the knowledge needed to use modern crypto: use it, not implement your own, it's very different. You can take libraries and use the current schemes as long as you understand what the primitives give you. Don't try to roll your own; even I wouldn't do that. I take schemes from academic papers and I implement them, and I only come up with schemes that I really understand. Also, cryptography is my life. It's really great; you can see from my t-shirt I'm a really fashionable cryptographer. It's the only field where you, the defender, can outmatch any attacker, if you use the cryptosystems properly. No other field can say that. I can take a calculator and, if I know how to do the math, derive a public key and sign something, and it takes an attacker hundreds of billions of dollars to even try to break my key. It's the only one where the attacker to defender ratio is just ridiculous. It's not even worth any hacker trying to break your cryptosystem if you actually use it properly.

So we'll start with the motivation for the talk. Why would we want anonymous credentials? By anonymous credentials I don't mean an anonymous username and password; I mean I gave you something that you can use like a key, and you can use it to authenticate yourself, but all I know is that you used a valid key. I don't know which key you used or which credentials you used. So voting, for example: you can give each eligible voter a key. Estonia does this: you go to the embassy, you get a little cryptographic key, and then you're entitled to one and only one anonymous vote. They don't use it for voting, but they're the only country that has IDs like that right now. Payments: this is used in cryptocurrency, ring signatures, so you pay from a group instead of paying from an individual address, so you obfuscate or hide the sender to recipient link. Leaking secrets, whistleblowing, is actually why ring or group signatures were created initially; I'll go into that a little bit later. And also, if you construct the scheme properly, if you're a little bit creative about how you use this, you get truly anonymous but rate-limited resource access. That's what this talk is about. I have an implementation; I'm not sure if we get to the demo because there's a lot of slides and they're all very complicated, but we'll see. Either way I'll put the source code up on GitHub, and I'm also doing a paper on this at the Privacy Enhancing Technologies Symposium next year, with a formal proof of all this stuff. So yeah, this is the topic of the talk today.
So what are ring signatures exactly? The concept was first introduced in a paper titled "How to Leak a Secret" by two of the RSA authors and some other guy. It concerns using keys in a group instead of using them individually, to prove you have a private key from the group as opposed to proving ownership of a specific key. With normal ECDSA, a Schnorr signature or an RSA signature, if I give you a signature you have to know which public key that signature is associated with, otherwise you can't verify it, because it's a one-to-one correlation. But this allows you to have a set of keys, say ten keys, and I sign, and given the ring of keys, the group of those ten keys, in the signature all you know is yes, you have one of the keys, but not which one. And if you don't have a key from this ring you can't forge it. I'll go into the math a little bit later.

So for whistleblowing, which is how this concept was introduced: if each public key in the group belongs to a government official, or a journalist, or somebody with privileged access to information, the official can leak some classified data proving that they are indeed a government official (look, I have one of the ten keys that only belong to these ten politicians) but without outing themselves individually as a whistleblower. So say you work at a bank or in the government, and they're doing some crazy NSA stuff and you're really morally opposed to this. You can attest: yes, look, it's one of these people, and they would truly have access to that data, but you have no idea which one it is. Cryptographically you have no idea. It's very secure; this is not magic experimental crypto. This really only uses the same security assumptions that elliptic curves use, so if you trust elliptic curve signatures this is not much of a stretch. Elliptic curves have been around for 35 years now; they're fine. Here's what my little rendition of the ring signature looks like, but I'll go through the math.

So ring signatures are a type of zero-knowledge proof. If you've never heard of a zero-knowledge proof, what it means is that basically I want to prove X and only X. I don't want to reveal anything other than that one bit of information, so you don't leak anything about the secret other than the fact that you have the secret. People always use really crazy analogies, but I like this one better. A simple analogy: I choose a card from a deck of cards, your standard 54-card deck, and I want to prove to you that it's a red card. Obviously if I just show you the card I drew, that's an easy proof, but it's like showing you the private key; that's pretty stupid. It reveals more than just the color: the suit and the number and the relation to the deck as well, if I do it in front of you. On the other hand, if I take my red card and put it on a pile here, then go through my 53 remaining cards and flip up and reveal to you all the black cards in the deck, assuming that I follow the protocol correctly and you know that the deck has 22 red cards and 22 black cards, or however many cards are in the deck, I've proved to you that the card I set aside is a red card without proving anything else about the card, without leaking anything else about the card.

So there are many different types of zero-knowledge proofs, but specifically the zero-knowledge proof in a ring signature is called a zero-knowledge proof of set membership, meaning I prove to you that I am a member of this set. Strictly, I am a member of the set of private key holders associated to these public keys, but I don't prove to you anything other than that. The signature just gives you that I'm a set member.
So let's go through a really quick crash course. I'll point you to the properties of elliptic curves from a very abstract level without going too deeply into all the operations. Elliptic curves have a special property that other cryptosystems, or other primitives for signatures, don't have, mainly homomorphic and commutative operations. What does that mean exactly? It means we can perform additions and multiplications on a public key without destroying its relation to the private key. In mathematical terms you can perform a homomorphism, which maintains the group structure, so it's an isomorphism. That's not to say that I could just take the public key, add a bunch of random crap to it, not do anything else, give you the public key with a bunch of random crap added, and magically I still have the key to that. No, you have to perform the same operations on the private key. But this doesn't work on RSA, because with RSA the security model is based on factoring primes, and the modulus has to have certain properties: the exponent is very specifically related to the modulus and the other parameters that you give in the signature. If you mess around with a public key you have to find a totally new exponent; there's not an isomorphic map in there. But with elliptic curves there is, so it allows all this cool stuff.

Security crash course: what security do elliptic curves rely on? With RSA it's pretty easy; I guess most of you know RSA is really just based on the hardness of factoring large composite numbers and finding the co-primes. The security of elliptic curves is not based on that at all; it's based on the discrete logarithm problem. So what's a logarithm? If I have a to the power of x and I have the result y, a to the power of x equals y, the logarithm of y given base a would be x, right? So it's reversing exponentiation. So given y equals g to the x, where y is the result of this operation, it's hard to recover x, which is the private key. Remember, with both RSA and elliptic curves we do it with integers in modular groups, meaning the operations wrap around, like with clocks. If it's 24-hour time and I'm at two o'clock and I add 12 hours to that, I'm at two a.m., not at 26 hundred. Because it's a modular group you don't have divisibility. If you want a very, very abstract view of this kind of security, it's that because the operations wrap around, if I do an exponentiation where this number is very big, 256-bit integers, and the group generator here is an elliptic curve point, it becomes a really big number, so the exponentiation is going to wrap around a lot of times, so you can't divide, because once it wraps around you have no idea how to undo the wrap. So that's the discrete logarithm problem. A lot of crypto is not really proven, but after 30 years of research and differential cryptanalysis we're pretty sure that it's fine. If the discrete logarithm problem is broken, a lot of this stuff is broken.

Some of the properties of the group, concretely: you take an elliptic curve point, like x is 64 and y is 243, and you multiply that by a scalar, and that's how you get the public key. Private keys are scalars, integers of the underlying field, and the field is again a modular group. One fun property about elliptic curves is that a 256-bit elliptic curve key gives the same security as a 3072-bit RSA key, so the keys are much, much smaller, which is important for these kinds of signatures, because ring signatures are big; they have a lot of side information you have to generate. It's also kind of why, if you're in the cryptocurrency space at all, Bitcoin and whatever have taken off; it was basically only made possible by elliptic curves. If you had to use RSA for this stuff there would be orders of magnitude more information to store, because the signatures are so much bigger, and it's so much slower to generate RSA signatures, and so on and so forth.

Anyway, the really cool property is the homomorphism between the private key and the public key. The private key is x and the public key is g to the x. Then the public key raised to a random number k, g to the x to the k, is g to the x times k, so the private key of that public key is x times k. This is actually used for stealth addresses in Bitcoin; you don't need to know about that, don't worry about it. But basically what this means is that if I give you my public key, you can generate a random number, and that random number can sort of be seen as a side private key; generate a public key from that side private key, take my public key and the public key you've just generated, add them together, create a new public key, and send me, or the world, it doesn't need to be secret, k, the side private key, and this gives me the private key to the combined key. So it's an interesting way to even do anonymous signatures, because with this scheme you can encrypt a message to me in a way that only I know that you encrypted it to me, and nobody else knows, because they cannot reverse the discrete log on this.

So if you abstract it, basically all the operations you could do on integers, discrete integers, no floats or anything, all the operations you can do on integers you can do on elliptic curves, except division: you can't divide. That's what makes the discrete logarithm problem hard; you have to brute force. And for those of you who sometimes think elliptic curves maybe aren't safe, all that stuff about the NSA, blah blah blah: not really, because with the 256-bit field, just counting from one to two to the 256, not even generating signatures or trying to generate keys, takes more than the lifetime of the universe even if you have a Sun-sized computer at theoretical max efficiency. And even with quantum computers, if you use this right, it still doesn't really break it. A quantum computer isn't some magic pill. You need to have a quantum computer that's at least 256 qubits to break 256-bit keys, but that doesn't immediately break it. It doesn't give you some magical oracle that immediately gives you a private key from a public key; it just takes the square root of the difficulty. So 256-bit keys give you 128-bit security; if you have a quantum computer with 256 qubits you have 64-bit security, information-theoretic security, but it's still not easy to break a 64-bit key, which still takes many, many years of computational time. So even if the government has very powerful quantum computers, they would only be able to use them on select keys; they can't just sweep over the entire set of all keys that are used and pretend that they're going to get anything. So quantum computing isn't the magic pill everyone talks about.
So let's take a concrete example, and now we start going into some math, but I'll explain this thoroughly. As a concrete example let's take Schnorr signatures. This is not actually what's commonly used; commonly you maybe hear the term ECDSA, that's the signature. Schnorr was patented, so people haven't used it until recently, because the patent has expired. Schnorr is amazing; it's the most intuitive way and the simplest way on the planet to do signatures on elliptic curves. Because it was patented, somebody had to come up with ECDSA, which is like trying not to do what Schnorr does, and it's really ugly because of that; it's a horrible algorithm. But Schnorr is what we should all have been using if patents weren't a thing. So it provides a zero-knowledge proof of knowledge of the exponent: I'm proving to you that I know x in g to the x without giving you anything else about it. There's a special property here that, if you pay attention, you can latch onto, which is very interesting.

So this means the signature reveals nothing at all about the private key. It does not provide an attacker any information for brute force. So even if I had unbounded computation, if I wasn't a polynomial-time-bounded attacker, brute forcing the entire space still does not tell me which key you used; they're indistinguishable. So here's the math. This is the simulation game in cryptography; normally you replace it with hashes and that's how you do signatures, but let's walk through this real quick. The generator, by the way, is always public, just like the generator in Diffie-Hellman or RSA. The generator is some big number, but it's a public number everybody already knows. So we take the generator and raise it to w, which is a random number, and then we get big W, which is kind of like a pseudo public key. So, Alice: I'm Bob, and I have my private key x, and I just generated w. Both these numbers, x and w, are secret; I never reveal them to anybody. Alice has my public key, which is just g to the x, the public key to my private key. She already has this before we start the simulation game. When we start the simulation game I already have x and I just pick a random w out of the blue, so I send Alice this pseudo public key W. This is called the commitment phase. Now that Alice has the W, she's going to generate a challenge that must verify given W. I've committed to W; I can't take it back. So she picks a random number again, c, and sends it to Bob, me. Now I do this little operation here where I take w, my pseudo private key number, and I subtract c times x from it, and that's r, and then I send r, the response, to Alice. And then Alice checks: does g to the r times Bob's public key to the challenge equal W? So that's the simulation game.

If you spend a little bit of time thinking about the math you can see how this signature works. It's actually quite simple. Don't even pretend that we're doing anything on elliptic curves; these are just normal numbers. You have g to the r times Bob's public key to Alice's challenge equals W, the big commitment that I sent Alice. If you expand it, remember that the public key is just g to the x, so let's swap the public key with g to the x, and then this just becomes g to the xc. And r, the thing that Alice is raising g to in order to check for the equivalence, is again just w minus cx; I've just rearranged it here to make it simpler. w minus xc and w minus cx are the same thing, and cx and xc are the same. So if we reduce it algebraically, these two things cancel out, just because of the laws of exponents: g to the w minus xc times g to the xc cancels out, so we just have g to the w, which is again W. So only if I have x can I cancel that out after having already committed to W, only if I have the private key to my public key, because otherwise I just don't have the number available to cancel that out, and again, we can't do division, so we can't get this number out of nowhere.

Now there's an important property here; there's a reason we had to do this simulation game in that order. If you forget everything I just told you and you just look at this equation, if I just pick a random r and a random c, numbers that Alice never gets, without little w or little x, I can create a valid W. So I can create a valid signature if Alice doesn't see me commit to W first. I can create a valid signature by just picking random values out of the air if I don't have this commitment phase first. This signature provides no knowledge about the exponent at all if I don't have the commit phase. Given the commit phase, Alice can force me to play the simulation game properly, such that I'm not cheating and I haven't picked random numbers that coalesce. So this is called an interactive zero-knowledge proof. Schnorr is a non-interactive zero-knowledge proof: the commitment is normally replaced by a hash function, and that gives the causality between W and c. Because c comes from the hash function, I can't just pick a random c out of the air and then ask what input of the hash function gives me c. That's the whole point of a hash function: you can't just have an output hash and then magically get the input that gives you that output. So you have to compute g to the w before having c, and that sort of simulates Alice's commitment. But really focus on this fact: if we don't follow this protocol in order, if Alice didn't see me commit to big W first, I can generate infinite signatures. So whether we use the interactive version of the protocol or the non-interactive one, these signatures are forgeable if you don't follow the protocol, but they're still sound, as in you still have the proper proof if you follow the protocol correctly. So they have that security guarantee, and they're zero-knowledge. So that's the simplest
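The simulation game just described, as an added example that is not part of the talk or its slides, written over a tiny Schnorr group with assumed toy parameters (p = 2039, q = 1019, g = 4) so the exponent arithmetic is plain integers; it shows the honest three-move protocol, the forgery that works when nobody sees the commitment first, and the hash (Fiat-Shamir) version that restores the ordering:

```python
import hashlib
import secrets

# Toy Schnorr group, an ASSUMPTION for this example (not the talk's curve):
# p = 2q + 1 with p and q prime, G generates the subgroup of prime order q.
# Exponents live mod q; real deployments use 256-bit curves, not 11-bit primes.
P = 2039
Q = 1019
G = 4


def keygen():
    """Private key x is a scalar in [1, q-1]; public key y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- Interactive protocol: the "simulation game" between Bob and Alice ---

def prover_commit():
    """Bob picks little w and sends big W = g^w (the commitment)."""
    w = secrets.randbelow(Q - 1) + 1
    return w, pow(G, w, P)


def verifier_challenge():
    """Alice picks c only after she has received W."""
    return secrets.randbelow(Q)


def prover_respond(w, x, c):
    """Bob answers with r = w - c*x mod q; this step needs the private key x."""
    return (w - c * x) % Q


def verify(y, W, c, r):
    """Alice checks g^r * y^c == W; the x*c terms cancel in the exponent."""
    return (pow(G, r, P) * pow(y, c, P)) % P == W


def honest_transcript(x):
    """Run the three moves in the proper order; returns (W, c, r)."""
    w, W = prover_commit()
    c = verifier_challenge()
    return W, c, prover_respond(w, x, c)


def forge_without_commitment(y):
    """The talk's warning: if nobody forces Bob to commit to W before c is
    known, anyone can pick r and c at random and solve the equation for W.
    No private key is used, yet verify() accepts the transcript."""
    r = secrets.randbelow(Q)
    c = secrets.randbelow(Q)
    W = (pow(G, r, P) * pow(y, c, P)) % P
    return verify(y, W, c, r)


# --- Non-interactive version: the hash plays Alice (Fiat-Shamir) ---

def _challenge(W, y, msg):
    data = b"%d|%d|" % (W, y) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def sign(x, msg):
    """c = H(W, y, m) forces W to exist before c, preserving the ordering."""
    w, W = prover_commit()
    c = _challenge(W, pow(G, x, P), msg)
    return c, (w - c * x) % Q


def verify_sig(y, msg, sig):
    c, r = sig
    W = (pow(G, r, P) * pow(y, c, P)) % P   # reconstruct W from r and c
    return _challenge(W, y, msg) == c


def forge_sig_attempt(y, msg):
    """Picking r and c at random no longer works: the W implied by (r, c)
    hashes to a different challenge than the guessed c (except w.p. ~1/q)."""
    r = secrets.randbelow(Q)
    c = secrets.randbelow(Q)
    return verify_sig(y, msg, (c, r))
```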
type of zero-knowledge proof, a zero-knowledge proof of knowledge of an exponent. You'll see some of the similarities in the slides later on; I'll share them on Twitter, you can follow my Twitter. But just remember this equivalence relation here. So here's the math for the ring signatures. I don't expect you to understand this, but I've turned it into pseudocode later on. You can kind of tell the ring signature is really just an extension of the original zero-knowledge proof. This whole part here can be done by anybody; we have the simulation game, which can be done by anybody. The only part that requires you to have the real key is this, because that's the only part that really relies on cx. Other than that, this is just the tag; we'll talk about that later. But you can see here there's a zero-knowledge proof where we multiply all of these pseudo public keys, pseudo commitments, together, and make it so that when hashing them, the sum of all the commitments must equal the hash of all the commitments. It's a little bit hard to follow, I'm getting that; you can read this later on. But this is the important part: look, r minus cx, and this is the same as here, w minus cx. Here it's called the witness, there it's called the random commitment, but the zero-knowledge proof that's in the ring signature is exactly the same as the zero-knowledge proof in the normal signature, except you add it to all the other pseudo commitments and the keys. I guess it's hard to follow this on a presentation, but if you can't understand cryptography maths, this is a little bit easier to follow in your own time, if you spend the time doing it by hand.

Just for some notation: if I write a to the n, I just mean concatenate all of these, a1, a2, up to an, and when I write H, hash, this just means concatenate all these variables and return me the hash. So you can see the similarity between generating a zero-knowledge proof here and there, and as a third party, after you've done this protocol, I don't know which one of the keys you used, because the signature generated here by not having the key and the signature generated here by having the key are indistinguishable from each other. I only use a little bit of a hash trick, a commitment here, to make sure that you do have to have one of the keys, but after you provide me the commitment hash, with the commitment scheme in the hash protocol, I just have no idea which one of the keys you used to generate the real signature; they all look the same to me. And again, remember the simulation game: if I just take a random c and a random r, I do get a valid signature W if nobody forced me to commit to W first, and it's the same here. So in the parts where I don't have the keys I just create bogus signatures. This is just a little bit of an extended way to generate those bogus signatures, but you can see that these are original random r's modulo q and their commitments are just a random number modulo q. So we'll stop with that for now. It's not that hard to understand, but you can review it later.

So if we extend the ring signatures, if we do a little bit more math, we can make our ring signature scheme allow us to check if somebody has signed twice, while we still never know who exactly signed. How we do this is here: this is how the tag is generated. I take the hash of the ring and the message, and this is a special hash function that doesn't hash to a number; it hashes to an elliptic curve point. I take the curve point and I raise it to my private key, and that tag is always going to be the same for the same message and ring. But again it's irreversible, because we have the same issue: you can't reverse the discrete log. So that's what the tag is. So if we follow this protocol and I construct the hash this way for the commitment, yes, I can tell that you signed twice, but I don't know exactly who signed twice. So no matter how many times you sign, I'll just take one of your signatures, but your security is still safe if you accidentally sign twice. So now this becomes more useful than leaking a secret: for a specific message, like 1 2 3, we can ascertain that one and only one member in the group signed that message for a specific signature. Or if you wanted to have a voting protocol, you can say, look, I have a set of ten keys, and if I have a signature from one signer here and another signature here, I can compute the tags, and if they're different it's two different people who signed. I still don't know who signed; I just know two different people from the set have signed and nobody double-signed. So this allows us to use the scheme for anonymous voting, private transactions and the topic of this talk, which is anonymous credentials and rate limiting.
i could be if you have ever ran hidden services you know that like what especially like you're running a forum one of the paintings in one of the huge pain in the ass is getting media like flooded because again like every single IP every single user looks like they're coming from local hosts right so you have no idea i mean unless you like start doing we're lee tricky things that like our shoe shouldn't really be doing and people shouldn't be leaking if they're using an on site works like golem you look at the user agent and the agency in blah blah blah but assuming that lee assuming is the network is properly you want to like go through all
this crap you know you just have these massive flood problems we're like when when user can totally like make your forum or or your i don't know your website unusable because they're just floating it around the clinton's a few ban them you might ban everybody because they're indistinguishable from everybody else so for each epoch so epoch is like a segment of time so every so every 10 minutes or at anytime minutes fresh our server provides a random message em so for you know from one to one 10 p.m. the message m is like ABC from 110 to 120 p.m. the message is XYZ right whatever and so the bride's a message that participants must sign in order so it's
a similar portion of server so they take the message they put they sign it and then they like you know they attach their post like you know like alongside it so he's like look this post has is allowed to disposers allowed to submit because they can generate sure for this epoch so this in essence limits each participant in an anonymous manner to posting a message every 10 minutes while each participant is completely anonymous on a network on the network encryption and so while each participant is completely anonymous on a cryptography and networking level for any one message em they can only find once is double signs are detected so you know the important limitation here is
following the signatures is specific for the message our ring company computation like as we saw as we saw earlier li ER like this is this is this is how the tag is generated so if either the message or the ring changes then like if I add a participant into the ring like you can out now you can double spend again and now you've been double sight again because yeah the like it's in the Sangha not becomes indistinguishable from from the other ring so there's there's an issue here which has some privacy implications right but let's what let's just walk through like it really quick so the server has like a pre-populated list of public keys you know people we
like. This could be a guy that has invited someone, or you could have a round where people can register a key, and after the day is done you have this key and you can use the keys the day after, whatever. So anyway, whatever way we do this, we have the set of public keys that the server has, so that's fixed, it's not going to change, and the user has one key from there. So the user generates a signature, sigma_1. And by the way, there are random components in these signatures, so every time I generate a signature it's going to be different, except for one particular piece, the tag, which is always going to be the same if R and m are the same. So they send the server an action like, "look, I want to post this post, hello world," to the server. The server is like, "right, I see that, given sigma, you do have a key on this ring, I just don't know which one." The server replies with success, computes the unique tag from the signature and stores that tag in the database, so this tag can never be used again. So if the user now generates another signature, every single parameter of this signature is completely different except for one parameter, the tag, which you can compute to be the same, because remember they've just signed over R and m, and it's the same. The server detects this and rejects the signature. So the user is still completely anonymous, they're just prevented from signing more than once per epoch, right? So it's in essence preventing them from submitting more than once every 10 minutes.

So, to get around the limitation that we described here, where we can never change the ring: once we set this up, the simplest scheme would be to only allow changes to the ring once per day, right? So this is like the naive way of constructing this. So to prevent people from accruing lots of keys to spam with (or maybe I'll just request, like, 10,000 keys, and then I have 10,000 keys and I can post 10,000 times every 10 minutes, right, we haven't solved anything there), additions to the ring can be governed by the same protocol: each participant that currently holds a key is allowed to anonymously invite one participant per day by submitting a signed public key to the server. So I take my private key and I sign a signature, and I sign the message
and then I append that message to the public key that I want added to the ring. And then, you know, every day the ring is rotated. But I don't like this, though, because there are some privacy problems that remain here. So of course, and this is where we get into why anonymity is really hard: if today I have ring R and it has n keys, like a hundred keys, and tomorrow I have the same ring plus one extra key, that creates R' with 101 keys, the new key, the new user, can only have made posts from that day onwards, right? There's no way that the key that was just added made a post yesterday, because he wasn't in there yesterday. So we leak some information about participation. So for a new user, you know, this key was added today, so only posts from today onwards can be attributed to this key probabilistically; posts from yesterday cannot be attributed to this key, right? So you have some side-channel leaks there. And if we never remove keys, the oldest key elements that are in the ring are the most represented in the posting history, having had more time and more chances to post, opening up some statistical analysis attacks, like, you know, the people who have been in there longest are likely the ones with the most posts, everything else being equal. And furthermore, the invite system for keys isn't really a perfect fit for these networks. We can definitely do better: imagine if Tor or I2P were invite-only, like you couldn't spin up a node if you weren't invited. That's probably not conducive to these kinds of communities. So what can we do?

So it turns out we can actually reduce the privacy issues to the best case, the best anonymity the underlying p2p network provides. So I'll use I2P here because of its active routing model,
unlike Tor, each I2P router must also relay traffic. Since I2P is darknet-only, you're only ever relaying encrypted traffic to another I2P node, so it's not like Tor where, if I force you to be an exit node, you get the government knocking on your door two days later because somebody hacked the DNC or whatever through your Tor node. And so, since I2P is darknet-only, it's like if you only ever had hidden services on Tor: those are completely end-to-end encrypted and they use a relay network internally. So there are three different types of relays in Tor: middle nodes, guard nodes and exit nodes. If I'm a middle node on Tor, all the traffic that I ever relay is encrypted, so I can't read it. I2P is like Tor but darknet-only: you can only ever look at the internal hidden service sites. But also, there's a special property that allows us to use the scheme in this approach, which is that you just cannot participate in the I2P network unless you're also relaying other people's traffic. That's how they keep their indistinguishability. So I2P nodes already have public node keys associated that they advertise when they are active on the network. So, you know, an I2P node is called an I2P router because it routes other people's packets, and when I join the network I broadcast to the network, "hey, I am node X with public key whatever, please use me as a relay if you want." And so you have to have bandwidth symmetry in I2P: if I want to send a request to a server to get their packets, I kind of have to wait for a similar request to come in so I can bundle it. Obviously it's not a hundred percent like that, because otherwise nobody would ever send anything at all, but you have to keep this kind of symmetry: you can only send out what you take in. So because of this protocol rule, any packet you send out is indistinguishable from a packet that you're also relaying, right? So the nodes use these keys to form unidirectional multi-hop tunnels, just like in Tor with multiple hops, but unlike Tor they're not bidirectional. So my request outwards can take a completely different tunnel than my reply, right, which also gives you better anonymity. So they've also got bundled encryption similar to Tor: maybe I send to this node here, and then that node decrypts and knows where to send next, and so on. As you see here, it might actually loop it back to me, from PK1 to PK4 to PK3 and actually loop back to me at PK2. So a passive observer has no idea whether you just relayed a packet or it was your own packet. So, to receive traffic at all you must be publicly reachable on the network through one of these keys, so that's for your active keys. Unfortunately, I2P uses ElGamal keys at the moment; they don't have the same properties as elliptic curves. It's technically possible to do this with ElGamal, but there's only one paper on it, it's behind a paywall, there's no security analysis on it, so sorry, I'm not going to use it. But you know, we'll just assume this, and there's not going to be a demo for our I2P scheme unless I roll my own I2P, or I convince the I2P devs to include EC node keys. Yeah, we'll see,
because there are, like, two guys that work on I2P and they don't have a lot of resources. But anyway. So the I2P router database: much like Tor, I2P has a list of nodes, but unlike Tor it's a distributed hash table. So here's a fun fact: Tor is actually centralized. There's a centralized point in Tor: it has 8 to 12 central directory servers that keep the list of guard nodes, relay nodes and exit nodes. If those servers go down, Tor stops working unless you know how to hard-code relay addresses manually when you boot it up. That's a little fun fact that few people know about. So when hosting a hidden service, or any p2p site, on I2P, you can know the node key of any router that's interacting with your service, yeah, you can know the node key of any router interacting with your service, your hidden website, because it sends you encrypted packets from its I2P address, which is just the node key, right? So maybe you can notice here how big that scroll bar is: I2P addresses are not hashed like Tor addresses, it's just the entire public key, and that's how nodes find each other, by public key, a fingerprint. You know, that's a very big key; this could be because they use ElGamal, right? If it was EC, elliptic curves, the keys would be a lot smaller. Whatever, anyway.

So how can we extend our ring signature to get the additional security that the underlying network provides? So our ring R can simply be the set of nodes we currently see live on the network. So now it's the whole active network segment that can reach the ring application server. It leaks no additional information, because obviously node keys that aren't live on the network can't communicate with the I2P site anyway. If you were scanning the network and keeping track of it, you would get no less and no more information; you'd get exactly this. We leak exactly the same information as
the underlying peer-to-peer network. Plus, in real time, and with real time I mean per epoch, like, say, every 30 minutes: if we remove the keys as the I2P routers disappear and are no longer reachable, we solve the long-term correlation attack, so today the ring is completely different from tomorrow's, because the nodes today are completely different from the nodes tomorrow. Oh yeah, also because I2P routers rotate their keys after a while. So finally, because now acquiring a key necessitates building deep circuits into the network, it also solves Sybil attacks, because each key requires a certain amount of bandwidth to maintain. So if you don't know the Sybil problem, the term is from a movie, but basically it means I can become the majority of the network by just spinning up a lot of nodes, generating a lot of keys and making a lot of accounts. If there's zero cost to creating a new identity, then there's zero cost to Sybil the network, right? But actually we solve the Sybil attack because maintaining a well-connected I2P router is nontrivial: it requires a certain amount of bandwidth, like 200 kilobits up and down, it requires long-term commitment, and like with a lot of relays, all the nodes kind of have reputation with each other, like in Tor, so if you're a real dick and drop packets all the time, you're going to get blacklisted from the network. So making a hundred identities is basically equivalent to owning a hundred connection lines. So we solved the Sybil problem.

So with this construction, integrating the network's peer identity, we've been able to devise a scheme where we don't suffer any loss of privacy whatsoever. Your users can be rate-limited if you wish, but beyond that nothing else happens to privacy: we have the same privacy as a totally anonymous I2P or Tor. We gain anti-spam capabilities, authentication is not only anonymous but permissionless, you don't need to be invited into this ring, the ring is just constructed based on the node keys, and we gave key generation a cost, which is the cost of being an active relay. So yeah, cryptography is great and magical, it can do so many amazing things if you really understand a few properties about the underlying cryptographic primitives. Cool, so that's about the 45 minute mark. Any questions?
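The scheme walked through in the talk (a random epoch message m, a ring R of public keys, a signature tag that stays constant for a fixed key, R and m, and a server that stores tags and rejects repeats), as an added worked example. This is editor-supplied code, not the speaker's implementation or anything from the slides. It uses the LSAG linkable ring signature of Liu, Wei and Wong over a toy Schnorr group (a freshly generated 128-bit safe prime; a real deployment would use an elliptic-curve group from a vetted library), and it makes one assumption beyond the talk: the post body is hashed into the ring challenges, so a relay cannot reattach a valid signature to a different post. The function names, the integer epoch numbers, and the result strings are all invented for the example. The demo() at the end also reproduces the caveat the speaker raises: the same key signing the same m over a ring with one extra member produces a different tag, so changing the ring mid-epoch lets a key post again.

```python
# Added example, not the speaker's code: toy linkable ring signature (the LSAG construction of
# Liu, Wei and Wong) over a Schnorr group, plus the per-epoch rate limiter described in the talk.
# Illustration only: fresh 128-bit safe prime, non-constant-time maths; real code uses EC + a library.
import hashlib
import secrets

def _is_prime(n, rounds=24):
    """Miller-Rabin for the large odd candidates produced below."""
    if any(n % sp == 0 for sp in (3, 5, 7, 11, 13, 17, 19, 23)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _sq in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def _safe_prime(bits):
    while True:  # p = 2q + 1 with both prime: the quadratic residues mod p form a group of prime order q
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(q) and _is_prime(2 * q + 1):
            return 2 * q + 1, q
P, Q = _safe_prime(128)  # toy size
G = 4                    # 2**2 is a quadratic residue, so it generates the order-Q subgroup

def _h_scalar(*parts):  # H1: hash to Z_Q for the ring challenges (repr of ints/bytes/lists is canonical here)
    return int.from_bytes(hashlib.sha256(b"H1" + repr(parts).encode()).digest(), "big") % Q

def _h_group(*parts):  # H2: hash into the order-Q subgroup by squaring; G**hash would publish log_G(h)
    # and let anyone raise each ring key to that exponent and match it against the tag.
    h = pow(int.from_bytes(hashlib.sha256(b"H2" + repr(parts).encode()).digest(), "big") % P, 2, P)
    return h if h > 1 else G

def keygen():  # private scalar x, public key y = G**x (in the I2P variant, y is the node key)
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(ring, x, epoch_msg, body):
    """LSAG signature by the holder of x. The tag h**x depends only on (ring, epoch_msg), so two posts by
    one key in one epoch share a tag while every other component is fresh randomness. Binding body into
    the challenges is our addition, so a relay cannot move the signature onto another post."""
    n, pi = len(ring), ring.index(pow(G, x, P))
    h = _h_group(ring, epoch_msg)
    tag, u, i = pow(h, x, P), secrets.randbelow(Q - 1) + 1, (pi + 1) % n
    c, s = [0] * n, [0] * n
    c[i] = _h_scalar(ring, tag, epoch_msg, body, pow(G, u, P), pow(h, u, P))
    while i != pi:
        s[i] = secrets.randbelow(Q)
        z1 = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        z2 = pow(h, s[i], P) * pow(tag, c[i], P) % P
        c[(i + 1) % n] = _h_scalar(ring, tag, epoch_msg, body, z1, z2)
        i = (i + 1) % n
    s[pi] = (u - x * c[pi]) % Q  # close the ring at the real signer
    return c[0], s, tag

def verify(ring, epoch_msg, body, sig):
    c0, s, tag = sig
    if len(s) != len(ring) or not 1 < tag < P or pow(tag, Q, P) != 1:
        return False  # the tag must be a non-trivial element of the prime-order subgroup
    h, c = _h_group(ring, epoch_msg), c0
    for y, si in zip(ring, s):
        z1 = pow(G, si, P) * pow(y, c, P) % P
        z2 = pow(h, si, P) * pow(tag, c, P) % P
        c = _h_scalar(ring, tag, epoch_msg, body, z1, z2)
    return c == c0

class EpochRateLimiter:
    """Server: one random message per epoch, one accepted post per tag per epoch; ring fixed or live node keys."""
    def __init__(self):
        self.epochs = {}  # epoch -> (ring, epoch_msg, tags already seen)
    def open_epoch(self, epoch, ring):
        self.epochs.setdefault(epoch, (list(ring), secrets.token_bytes(32), set()))
        return self.epochs[epoch][1]
    def submit(self, epoch, body, sig):
        ring, epoch_msg, seen = self.epochs[epoch]
        if not verify(ring, epoch_msg, body, sig):
            return "rejected: bad signature"
        if sig[2] in seen:
            return "rejected: already posted this epoch"  # the double sign is caught by the tag
        seen.add(sig[2])
        return "accepted"

def demo():  # the talk's flow on constructed keys; returns every outcome so it can be checked
    keys = [keygen() for _ in range(5)]
    ring, x, srv = [y for _, y in keys], keys[2][0], EpochRateLimiter()
    m1, m2 = srv.open_epoch(1, ring), srv.open_epoch(2, ring)
    s1, s2, s3 = sign(ring, x, m1, b"hello"), sign(ring, x, m1, b"again"), sign(ring, x, m2, b"hello")
    grown = ring + [keygen()[1]]  # the talk's caveat: grow the ring and the same key gets a fresh tag
    return {"first": srv.submit(1, b"hello", s1),            # accepted
            "second": srv.submit(1, b"again", s2),           # rejected: already posted this epoch
            "swapped_body": srv.submit(1, b"tampered", s1),  # rejected: bad signature
            "other_user": srv.submit(1, b"hi", sign(ring, keys[0][0], m1, b"hi")),  # accepted
            "next_epoch": srv.submit(2, b"hello", s3),       # accepted: new m, new tag
            "same_tag": s1[2] == s2[2], "fresh_randomness": s1[1] != s2[1],
            "new_epoch_new_tag": s1[2] != s3[2], "ring_change_new_tag": sign(grown, x, m1, b"x")[2] != s1[2]}
```

Running demo() shows the server accepting the first post, rejecting the second one in the same epoch on the repeated tag while accepting a different key, and accepting the original key again once a new epoch message is issued. The hash-to-group step in _h_group is the part most often gotten wrong when people hand-roll this: deriving h as G to a public exponent makes the tag equal to y to that exponent, which anyone can compute for every ring member, and the "anonymous" signer is identified immediately.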