![Page 1: Cryptography in GNUnet - Protocols for a Future Internet ...aenge/ecc2015/... · Sept 30th, 2015. Sometime in 2013... The NEWGNU Network (very simpli ed) Internet Google DNS/X.509](https://reader034.vdocuments.us/reader034/viewer/2022050220/5f65ae64cc52327a7c6c38b0/html5/thumbnails/1.jpg)
Cryptography in GNUnet: Protocols for a Future Internet for Libre Societies
Christian Grothoff
Sept 30th, 2015
Sometime in 2013...
The NEWGNU Network (very simplified)

Internet stack (top to bottom): DNS/X.509, TCP/UDP, IP/BGP, Ethernet, Phys. Layer
GNUnet stack (top to bottom): Applications, GNU Name System, CADET, R5N DHT, CORE, HTTPS/TCP/WLAN/...
The NEWGNU Network (still simplified)

Subsystems shown: voting, consensus, identity, cadet, secretsharing, set, dht, core, fs, nse, transport, gns, revocation, scalarproduct, or, rps
Chapter 1: Public Key Infrastructure
Remark: Public Keys ⊈ Public Information
Censorship-Resistant Sharing

Design objectives
- Authorized users can decrypt shared data
- Intermediaries can verify that a reply matches the request
- Intermediaries cannot decrypt shared data
- Intermediaries cannot understand the query, other than via a guessing / confirmation attack
- Cost of all operations is O(1); bandwidth overhead < 100 bytes per request

Consequences
- The P2P overlay can be used to efficiently replicate or cache data (impossible with end-to-end encryption)
- Peers in the overlay cannot effectively censor or efficiently spy on participants
Name resolution in the GNU Name System

Bob's local zone (public key K_Bob^pub, private key K_Bob^priv) holds the record for his webserver:
  www A 5.6.7.8

- Bob can locally reach his webserver via www.gnu
Secure introduction

(Business card) Bob Builder, Ph.D. Address: Country, Street Name 23. Phone: 555-12345. Mobile: 666-54321. Mail: [email protected]

- Bob gives his public key to his friends, possibly via QR code
Delegation
- Alice learns Bob's public key
- Alice creates a delegation to zone K_Bob^pub under the label bob
- Alice can reach Bob's webserver via www.bob.gnu
Name Resolution

Bob's zone (public key 8FS7):    www A 5.6.7.8
Alice's zone (public key A47G):  bob PKEY 8FS7

0. Bob publishes his record in the DHT:  PUT 8FS7-www: 5.6.7.8
1. Alice asks for www.bob.gnu
2. Her resolver looks up 'bob' in her own zone
3. It finds PKEY 8FS7, Bob's zone key
4. It queries the DHT for 8FS7-www
5. The DHT answers A 5.6.7.8
Query Privacy: Terminology

G        generator in ECC curve, a point
n        size of ECC group, n := |G|, n prime
x        private ECC key of zone (x ∈ Z_n)
P        public key of zone, a point P := xG
l        label for record in a zone (l ∈ Z_n)
R_{P,l}  set of records for label l in zone P
q_{P,l}  query hash (hash code for DHT lookup)
B_{P,l}  block with encrypted information for label l in zone P, published in the DHT under q_{P,l}
Query Privacy: Cryptography

Publishing records $R_{P,l}$ as $B_{P,l}$ under key $q_{P,l}$:

$h := H(l, P)$   (1)
$d := h \cdot x \bmod n$   (2)
$B_{P,l} := S_d(E_{HKDF(l,P)}(R_{P,l})),\ dG$   (3)
$q_{P,l} := H(dG)$   (4)

Searching for records under label $l$ in zone $P$:

$h := H(l, P)$   (5)
$q_{P,l} := H(hP) = H(hxG) = H(dG) \Rightarrow$ obtain $B_{P,l}$   (6)
$R_{P,l} = D_{HKDF(l,P)}(B_{P,l})$   (7)
Zooko's Triangle

Vertices: Secure, Global, Memorable. A name system can only fulfill two!

Edges (each pair of vertices) and the design family on it:
- Secure + Global: Cryptographic Identifiers
- Global + Memorable: Hierarchical Registration
- Secure + Memorable: Petname Systems

DNS, ".onion" IDs and /etc/hosts are representative designs.
Other designs placed on the triangle: mnemonic URLs, certificates, SDSI.
DNSSEC security is broken by design (adversary model!)
Summary: The GNU Name System [1]

Properties of GNS
- Decentralized name system with secure memorable names
- Delegation used to achieve transitivity
- Supports globally unique, secure identifiers
- Achieves query and response privacy
- Provides alternative public key infrastructure
- Interoperable with DNS

New applications enabled by GNS
- Name services hosted in P2P networks
- Name users in decentralized social networking applications

[1] Joint work with Martin Schanzenbach and Matthias Wachs
Chapter 2: Privacy-preserving Computation
Scalarproduct for GNUnet [2]

Motivation
- Scalarproduct trivially provides cosine similarity
- Useful for information retrieval and data mining
- Our envisioned application: privacy-preserving collaborative ranking in news distribution

Properties
- Scalarproduct over map on intersecting sets, not just vectors
- Privacy-preserving (but need to limit number of interactions)
- Relatively efficient in bandwidth and CPU usage

[2] Joint work with Tanja Lange and Christian Fuchs
Background: Paillier

We use the Paillier cryptosystem:

$E_K(m) := g^m \cdot r^n \bmod n^2,$   (8)
$D_K(c) := \frac{(c^\lambda \bmod n^2) - 1}{n} \cdot \mu \bmod n$   (9)

where the public key $K = (n, g)$, $m$ is the plaintext, $c$ the ciphertext, $r$ a fresh random element of $\mathbb{Z}_n^*$ chosen for each encryption, $n$ the product of $p, q \in \mathbb{P}$ of equal length, and $g \in \mathbb{Z}_{n^2}^*$. The private key is $(\lambda, \mu)$, which is computed from $p$ and $q$ as follows:

$\lambda := \operatorname{lcm}(p - 1, q - 1),$   (10)
$\mu := \left(\frac{(g^\lambda \bmod n^2) - 1}{n}\right)^{-1} \bmod n.$   (11)
Paillier offers additive homomorphism

Paillier offers additive homomorphic public-key encryption, that is:

$E_K(a) \otimes E_K(b) \equiv E_K(a + b)$   (12)

for some public key $K$.
Background: Secure Multiparty Computation
- Alice and Bob have private inputs $a_i$ and $b_i$.
- Alice and Bob run a protocol to jointly calculate $f(a_i, b_i)$.
- One of them learns the result.
- Adversary model: honest but curious
Secure Scalar Product
- Original idea by Ioannidis et al. in 2002 (uses $(a - b)^2 = a^2 - 2ab + b^2$)
- Refined by Amirbekyan et al. in 2007 (corrected math)
- Implemented with practical extensions in GNUnet (negative numbers, small numbers, concrete protocol, set intersection, implementation).
Preliminaries
- Alice has public key $A$ and input map $m_A : M_A \to \mathbb{Z}$.
- Bob has public key $B$ and input map $m_B : M_B \to \mathbb{Z}$.
- We want to calculate
  $\sum_{i \in M_A \cap M_B} m_A(i)\, m_B(i)$   (13)
- We first calculate $M = M_A \cap M_B$.
- Define $a_i := m_A(i)$ and $b_i := m_B(i)$ for $i \in M$.
- Let $s$ denote a shared static offset.
Network Protocol
- Alice transmits $E_A(s + a_i)$ for $i \in M$ to Bob.
- Bob creates two random permutations $\pi$ and $\pi'$ over the elements in $M$, and a random vector $r_i$ for $i \in M$, and sends

$R := E_A(s + a_{\pi(i)}) \otimes E_A(s - r_{\pi(i)} - b_{\pi(i)})$   (14)
$\phantom{R} = E_A(2 \cdot s + a_{\pi(i)} - r_{\pi(i)} - b_{\pi(i)}),$   (15)
$R' := E_A(s + a_{\pi'(i)}) \otimes E_A(s - r_{\pi'(i)})$   (16)
$\phantom{R'} = E_A(2 \cdot s + a_{\pi'(i)} - r_{\pi'(i)}),$   (17)
$S := \sum_{i \in M} (r_i + b_i)^2,$   (18)
$S' := \sum_{i \in M} r_i^2$   (19)
Decryption (1/3)

Alice decrypts $R$ and $R'$ and computes for $i \in M$:

$a_{\pi(i)} - b_{\pi(i)} - r_{\pi(i)} = D_A(R) - 2 \cdot s,$   (20)
$a_{\pi'(i)} - r_{\pi'(i)} = D_A(R') - 2 \cdot s,$   (21)

which is used to calculate

$T := \sum_{i \in M} a_i^2$   (22)
$U := -\sum_{i \in M} (a_{\pi(i)} - b_{\pi(i)} - r_{\pi(i)})^2$   (23)
$U' := -\sum_{i \in M} (a_{\pi'(i)} - r_{\pi'(i)})^2$   (24)
Decryption (2/3)

She then computes

$P := S + T + U = \sum_{i \in M} (b_i + r_i)^2 + \sum_{i \in M} a_i^2 + \Big(-\sum_{i \in M} (a_i - b_i - r_i)^2\Big)$
$\phantom{P} = \sum_{i \in M} \big((b_i + r_i)^2 + a_i^2 - (a_i - b_i - r_i)^2\big) = 2 \cdot \sum_{i \in M} a_i (b_i + r_i).$

$P' := S' + T + U' = \sum_{i \in M} r_i^2 + \sum_{i \in M} a_i^2 + \Big(-\sum_{i \in M} (a_i - r_i)^2\Big)$
$\phantom{P'} = \sum_{i \in M} \big(r_i^2 + a_i^2 - (a_i - r_i)^2\big) = 2 \cdot \sum_{i \in M} a_i r_i.$
Decryption (3/3)

Finally, Alice computes the scalar product using:

$\frac{P - P'}{2} = \sum_{i \in M} a_i (b_i + r_i) - \sum_{i \in M} a_i r_i = \sum_{i \in M} a_i b_i.$   (25)
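The Paillier cryptosystem of equations (8)–(12) and the protocol of equations (13)–(25), carried through end to end as an added example. This is not the GNUnet scalarproduct service's own code: both parties run in one process, so wire format and transport are left out, and the comments mark who computes what. The two 30-bit primes, the offset s = 2^40, the 32-bit random r_i and all function names are constructions of this example.

```python
import math
import random

rng = random.SystemRandom()

# Constructed toy parameters: two 30-bit primes of equal length. Real deployments use
# 1024-2048-bit moduli, as in the slides' RSA-1024/RSA-2048 benchmark columns.
P_PRIME, Q_PRIME = 1000000007, 998244353


def paillier_keygen(p=P_PRIME, q=Q_PRIME):
    """Public key K = (n, g) with g = n + 1, private key (lambda, mu): equations (10), (11)."""
    n = p * q
    g = n + 1
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)          # (10)
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)              # (11)
    return (n, g), (lam, mu)


def paillier_encrypt(pk, m):
    """E_K(m) = g^m * r^n mod n^2 with a fresh r in Z*_n: equation (8)."""
    n, g = pk
    while True:
        r = rng.randrange(1, n)
        if math.gcd(r, n) == 1:
            break
    return pow(g, m % n, n * n) * pow(r, n, n * n) % (n * n)


def paillier_decrypt(pk, sk, c):
    """D_K(c) = L(c^lambda mod n^2) * mu mod n with L(u) = (u - 1) / n: equation (9)."""
    n, _ = pk
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def paillier_add(pk, c1, c2):
    """The (x) of equation (12): multiplying ciphertexts adds the plaintexts."""
    n, _ = pk
    return c1 * c2 % (n * n)


def scalar_product(map_a, map_b, s=2 ** 40, r_bits=32):
    """Equations (13)-(25) between Alice (map_a) and Bob (map_b), run in one process."""
    pk, sk = paillier_keygen()                                   # Alice's key pair A
    M = sorted(set(map_a) & set(map_b))                          # M = M_A intersect M_B
    a = {i: map_a[i] for i in M}
    b = {i: map_b[i] for i in M}
    # Alice -> Bob: E_A(s + a_i) for i in M (the offset s keeps plaintexts non-negative).
    enc_a = {i: paillier_encrypt(pk, s + a[i]) for i in M}
    # Bob: random permutations pi, pi' of M and a random vector r; he never decrypts.
    pi, pi2 = M[:], M[:]
    rng.shuffle(pi)
    rng.shuffle(pi2)
    r = {i: rng.randrange(2 ** r_bits) for i in M}
    R = [paillier_add(pk, enc_a[j], paillier_encrypt(pk, s - r[j] - b[j])) for j in pi]    # (14)-(15)
    R2 = [paillier_add(pk, enc_a[j], paillier_encrypt(pk, s - r[j])) for j in pi2]         # (16)-(17)
    S = sum((r[i] + b[i]) ** 2 for i in M)                       # (18)
    S2 = sum(r[i] ** 2 for i in M)                               # (19)
    # Bob -> Alice: R, R', S, S'. Alice decrypts and removes the 2s offset: (20)-(21).
    diff = [paillier_decrypt(pk, sk, c) - 2 * s for c in R]
    diff2 = [paillier_decrypt(pk, sk, c) - 2 * s for c in R2]
    T = sum(a[i] ** 2 for i in M)                                # (22)
    U = -sum(v * v for v in diff)                                # (23)
    U2 = -sum(v * v for v in diff2)                              # (24)
    P, P2 = S + T + U, S2 + T + U2
    return (P - P2) // 2                                         # (25)


if __name__ == "__main__":
    # Constructed inputs: only labels "b" and "c" are in both maps.
    print(scalar_product({"a": 3, "b": -5, "c": 7}, {"b": 2, "c": -4, "d": 9}))  # -38
```

Alice learns only the product (the permutations hide which element produced which difference), and Bob sees only ciphertexts under Alice's key. The offset s must exceed every |a_i|, |b_i| and r_i so that all plaintexts stay in [0, n) and decrypt to their true integer values; with the toy modulus here that leaves roughly 2^18 of headroom above 2^42.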
Performance Evaluation [3]

Length   RSA-2048   RSA-1024
25       14 s       3 s
50       21 s       5 s
100      39 s       7 s
200      77 s       13 s
400      149 s      23 s
800      304 s      32 s

[3] Wall-clock, loopback, single-core i7 920 at 2.67 GHz
Secure Scalar Product: ElGamal/ECC-Variant

Alice's public key is $A = g^a$, her private key is $a$. Alice sends to Bob $(g_i, h_i) = (g^{r_i}, g^{r_i a + a_i})$ using random values $r_i$ for $i \in M$. Bob responds with

$\Big(\prod_{i \in M} g_i^{b_i},\ \prod_{i \in M} h_i^{b_i}\Big) = \Big(\prod_{i \in M} g_i^{b_i},\ \big(\prod_{i \in M} g_i^{b_i}\big)^a \cdot g^{\sum_{i \in M} a_i b_i}\Big)$

Alice can then compute

$\big(\prod_{i \in M} g_i^{b_i}\big)^{-a} \cdot \big(\prod_{i \in M} g_i^{b_i}\big)^a \cdot g^{\sum_{i \in M} a_i b_i} = g^{\sum_{i \in M} a_i b_i}.$

Assuming $\sum_{i \in M} a_i b_i$ is sufficiently small, Alice can then obtain the scalar product by solving the DLP.
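The ElGamal variant above, as an added example that is not the authors' implementation. It keeps the slide's multiplicative notation and works in a prime-order subgroup of Z_p^* for a small constructed safe prime, so every group operation is a plain pow(); the same algebra holds on an elliptic curve, which is what the ECC columns of the next slide measure. The final small-DLP step is baby-step giant-step, whose table of about √bound entries is the precomputation whose cost the next slide discusses. The bound 2^20, the 2^40 starting point of the prime search, and all function names are assumptions of this example.

```python
import random

rng = random.SystemRandom()
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin; deterministic (no false positives) for n < 3.3e24 with these bases."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start=2 ** 40):
    """Constructed toy group: first safe prime p = 2q + 1 with q >= start, and g = 4, which
    generates the subgroup of prime order q (far too small for real use)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


def alice_send(p, q, g, a, a_vec):
    """Alice (public key A = g^a) sends (g_i, h_i) = (g^{r_i}, g^{r_i a + a_i}) for i in M."""
    out = []
    for ai in a_vec:
        ri = rng.randrange(1, q)
        out.append((pow(g, ri, p), pow(g, (ri * a + ai) % q, p)))
    return out


def bob_respond(p, q, pairs, b_vec):
    """Bob returns (prod g_i^{b_i}, prod h_i^{b_i}); he only ever sees blinded group elements."""
    g_prod, h_prod = 1, 1
    for (gi, hi), bi in zip(pairs, b_vec):
        g_prod = g_prod * pow(gi, bi % q, p) % p
        h_prod = h_prod * pow(hi, bi % q, p) % p
    return g_prod, h_prod


def small_dlog(p, q, g, target, bound):
    """Baby-step giant-step for x with g^x = target and |x| < bound; the baby-step table
    of about sqrt(bound) entries is the precomputation the slides compare."""
    m = int(bound ** 0.5) + 1
    table, cur = {}, 1
    for j in range(m):
        table.setdefault(cur, j)
        cur = cur * g % p
    giant = pow(g, q - m, p)                                   # g^{-m}, since g^q = 1
    for sign, t in ((1, target), (-1, pow(target, -1, p))):    # try x >= 0, then x < 0
        y = t
        for i in range(m + 1):
            if y in table and i * m + table[y] < bound:
                return sign * (i * m + table[y])
            y = y * giant % p
    return None                                                # product outside the bound


def alice_finish(p, q, g, a, response, bound):
    """Alice strips (prod g_i^{b_i})^a and solves the small DLP for sum a_i b_i."""
    g_prod, h_prod = response
    target = pow(g_prod, q - a, p) * h_prod % p                # (prod g_i^{b_i})^{-a} * prod h_i^{b_i}
    return small_dlog(p, q, g, target, bound)


def ecc_style_scalar_product(a_vec, b_vec, bound=2 ** 20):
    """Whole exchange in one process; a_vec and b_vec are already aligned on M."""
    p, q, g = safe_prime_group()
    a = rng.randrange(1, q)                                    # Alice's private key
    pairs = alice_send(p, q, g, a, a_vec)
    return alice_finish(p, q, g, a, bob_respond(p, q, pairs, b_vec), bound)
```

Negative products are handled by also searching for the inverse of the target, so the result is recovered in (-bound, bound); anything outside returns None, the condition the slides mark OOR in the next table. A real deployment would size the table once and amortise it over many runs, which is the point the summary slide makes about the ECC/DLP variant.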
Performance Evaluation

Length   RSA-2048   ECC-220   ECC-228
25       14 s       2 s       29 s
50       21 s       2 s       29 s
100      39 s       2 s       29 s
200      77 s       3 s       30 s
400      149 s      OOR       31 s
800      304 s      OOR       33 s
800      3846 kb    OOR       70 kb

(Last row: data volume.) The pre-calculation of ECC-228 is ×16 more expensive than for ECC-220 as the table is set to have size $\sqrt{n}$.
Scalarproduct: Summary
- Homomorphic encryption probably fast enough for real applications
- ECC/DLP-variant significantly better for small products or with cost amortization over multiple runs
- Future privacy-enhancing applications should consider secure communication and secure computation
Chapter 3: Electronic Cash
GNU Taler
Modern economies need a currency.
Motivation
Modern economies need a currency online.
SWIFT?
SWIFT/Mastercard/Visa are too transparent.
Let's make cash digital and socially responsible.
Taxable, Anonymous, Libre, Practical, Resource Friendly
Architecture of GNU Taler

Parties: Customer, Merchant, Mint, Auditor.
- Customer: withdraw coins (from the Mint)
- Customer: spend coins (at the Merchant)
- Merchant: deposit coins (at the Mint)
- Auditor: verify (the Mint)
Taler /keys

Wallet -> Mint:  GET /keys
Mint -> Wallet:  200 OK: S_T(DK, A_DK, M), S_M(SK)

T      Financial regulator key
DK     RSA public key ("denomination key")
A_DK   Value of coins signed by DK
M      Offline master key of mint
SK     Online signing key of mint
Taler /withdraw/sign

Wallet -> Mint:  SEPA(RK, A)   (bank transfer funding the reserve)
Wallet -> Mint:  POST /withdraw  S_RK(DK, B_b(C))
Mint -> Wallet:  200 OK: S_DK(B_b(C))
                 402 PAYMENT REQUIRED

RK       Reserve key
A        Some amount, A ≥ A_DK
b        Blinding factor
B_b()    RSA blinding
C        Coin key
S_DK()   (Blind) signature
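The RSA blinding behind the /withdraw exchange, as an added example that is not Taler's code: the wallet blinds the hash of the coin key C with a random b, the mint signs the blinded value with the denomination key DK without ever seeing H(C), and the wallet unblinds to a signature on C that the merchant or the mint can verify against DK at /deposit. The 30-bit primes, the SHA-256 stand-in for the message encoding and all function names are assumptions of this example.

```python
import hashlib
import math
import random

rng = random.SystemRandom()
# Constructed toy denomination key from two 30-bit primes; Taler's DK is 2048-bit RSA.
_P, _Q = 1000000007, 998244353


def denomination_keygen(p=_P, q=_Q, e=65537):
    """Mint: RSA denomination key DK; the public part (n, e) is what /keys publishes."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def coin_digest(n, coin_pub):
    """What actually gets signed: a hash of the coin's public key C reduced into Z_n
    (a full-domain hash stands in for the real encoding; an assumption of this example)."""
    return int.from_bytes(hashlib.sha256(coin_pub).digest(), "big") % n


def blind(pk, coin_pub):
    """Wallet: B_b(C) = H(C) * b^e mod n with a fresh blinding factor b coprime to n."""
    n, e = pk
    while True:
        b = rng.randrange(2, n)
        if math.gcd(b, n) == 1:
            break
    return coin_digest(n, coin_pub) * pow(b, e, n) % n, b


def mint_sign(sk, blinded):
    """Mint: S_DK(B_b(C)) = B_b(C)^d mod n. It sees only a uniformly random element of
    Z_n^*, so it cannot later link this withdrawal to the coin that gets spent."""
    n, d = sk
    return pow(blinded, d, n)


def unblind(pk, blind_sig, b):
    """Wallet: S_DK(C) = S_DK(B_b(C)) * b^{-1} mod n, because (H(C) b^e)^d = H(C)^d b."""
    n, _ = pk
    return blind_sig * pow(b, -1, n) % n


def verify(pk, coin_pub, sig):
    """Merchant, or the mint at /deposit: sig^e == H(C) mod n."""
    n, e = pk
    return pow(sig, e, n) == coin_digest(n, coin_pub)


def withdraw(pk, sk, coin_pub):
    """The /withdraw round trip: returns (what the mint saw, the unblinded coin signature)."""
    blinded, b = blind(pk, coin_pub)
    return blinded, unblind(pk, mint_sign(sk, blinded), b)


if __name__ == "__main__":
    pk, sk = denomination_keygen()
    seen, sig = withdraw(pk, sk, b"constructed coin public key C")
    print(verify(pk, b"constructed coin public key C", sig))  # True
```

The signature the mint produces is on the blinded value, yet after unblinding it verifies against the coin itself; that is why the mint can debit the reserve (the 402 path is the reserve being unfunded) without learning which coin it just created. Whoever later deposits the coin only needs the public denomination key to check it.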
Taler /deposit

Merchant -> Mint:  POST /deposit  S_DK(C), S_C(D)
Mint -> Merchant:  200 OK: S_SK(S_C(D))
                   409 CONFLICT: S_C(X)

DK       Denomination key
S_DK()   RSA signature using DK
C        Coin key
S_C()    EdDSA signature using C
D        Deposit details
SK       Signing key
S_SK()   EdDSA signature using SK
X        Conflicting deposit details
Taler /refresh/melt

Customer -> Mint:  POST /refresh/melt  S_DK(C), S_C(L, T, C)
Mint -> Customer:  200 OK: S_SK(H(T, C, L), γ)
                   409 CONFLICT: S_C(X)

(In the message bodies, T, L and C denote the κ-element lists defined below, bold in the original; the subscript C of S_C is the single coin key.)

κ             System-wide security parameter
K             := ECDHE(T, C)
E_K()         Symmetric encryption using key K
DK^(i)        List of denomination keys
C^(i)         List of coin keys
b^(i)         List of blinding factors
B_{b^(i)}()   Blinding with respective b^(i)
T             [T_pub]_κ
L             [E_K(b^(i), C^(i)_priv)]_κ
C             [B_{b^(i)}(C^(i)_pub), DK^(i)]_κ
γ             Random value in [0, κ)
Taler /refresh/reveal

Customer -> Mint:  POST /refresh/reveal  H(T, C, L), T̃
Mint -> Customer:  200 OK: S_DK(B_{b^(i)}(C^(i)_pub))
                   400 BAD REQUEST: Z

T̃                   [T_priv]_{κ \ γ}
B_{b^(i)}(C^(i))    Blinded coins from C at γ
Z                   Cut-and-choose mismatch information
Taler /refresh/link

Customer -> Mint:  POST /refresh/link  C_pub
Mint -> Customer:  200 OK: E_K(b^(i), C^(i)_priv), S_DK(B_{b^(i)}(C^(i)_pub))
                   404 NOT FOUND

E_K(b^(i), C^(i)_priv)   Linkage data L at γ
GNU Taler: Summary
Taler compared to Chaum’s DigiCash
– Only online transactions (Chaum supported off-line)
◦ All income based on Taler transactions visible to the state
◦ Supports anonymous payments
+ Supports spending fractions of a coin (giving change)
+ Change can be made unlinkable to original transaction
+ Can support refunds to anonymous customers
+ Supports microdonations (borrowing ideas from Peppercoin)
+ Modern, RESTful API (with modernizations in primitives)
+ Free software, open protocol, no patents
Chapter 4: Key Exchange
3DH (trevp?)

Alice -> Bob:  T_A, P_A
Bob -> Alice:  T_B, P_B
Alice -> Bob:  E_K(...)
Bob -> Alice:  E_K(...)

P_A   Public EdDSA key of Alice
P_B   Public EdDSA key of Bob
T_A   Ephemeral key from Alice
T_B   Ephemeral key from Bob
K     Key derived from DH(T_A, T_B) | DH(T_A, P_B) | DH(P_A, T_B)
Fixing the Wildcard (Tarr) [4]

Alice -> Bob:  T_A
Bob -> Alice:  T_B
Alice -> Bob:  E_{K1}(P_A | S_A(P_B | H(DH(T_A, T_B))))
Bob -> Alice:  E_{K2}(S_B(P_A | S_A(P_B | H(DH(T_A, T_B)))))

P_A   Public EdDSA key of Alice
P_B   Public EdDSA key of Bob
T_A   Ephemeral key from Alice
T_B   Ephemeral key from Bob
K1    Key derived from DH(T_A, T_B) | DH(T_A, P_B)
K2    Key derived from DH(T_A, T_B) | DH(T_A, P_B) | DH(P_A, T_B)

[4] http://dominictarr.github.io/secret-handshake-paper/shs.pdf
Deniable signatures (Burdges, Grothoff)
Assume $Q_A = d_A G$ and $z = H(m)$. As in ECDSA, pick random $k \in [1, n-1]$. Let $C := C_A + C_B$ be the random offset.
$(x_1, y_1) := kG + C$ (26)
$r := x_1 \bmod n$ (27)
$s := k^{-1}(z + r d_A) \bmod n$ (28)
Repeat until $r, s \neq 0$. To verify:
$w := s^{-1} \bmod n$ (29)
$u_1 := zw \bmod n$ (30)
$u_2 := rw \bmod n$ (31)
$(x_1, y_1) := u_1 G + u_2 Q_A + C$ (32)
$r \equiv x_1 \bmod n$? (33)
Falsification of a deniable signature
Assume $Q_A = d_A G$ and $z = H(m)$. As in ECDSA, pick random $r, s, k \in [1, n-1]$. Bob does not know $d_A$. So he calculates:
$w := s^{-1} \bmod n$ (34)
$u_1 := zw \bmod n$ (35)
$u_2 := rw \bmod n$ (36)
$(x_1, y_1) := u_1 G + u_2 Q_A$ (37)
$C \equiv x_1 - r \bmod n$ (38)
Bob now picks a random $C_A$ and sets
$C_B = C - C_A$. (39)
For this $C_A, C_B$ the "random" values $(r, s)$ are a valid signature (per construction).
Deniable signatures illustrated
Message flow between Alice and Bob (time flows downward):
Alice → Bob: H(CA)
Bob → Alice: CB
Alice → Bob: S_A^{CA+CB}(...)
CA     Randomly chosen offset from Alice
CB     Randomly chosen offset from Bob
S_A^C  Deniable signature using offset C and private key A
Burdges, Grothoff + Tarr
Message flow between Alice and Bob (time flows downward):
Alice → Bob: TA, H(CA)
Bob → Alice: TB, CB, H(DB)
Alice → Bob: E_K1(CA | DA | PA | S_A^{CA+CB}(PB, H(DH(TA,TB))))
Bob → Alice: E_K2(DB | S_B^{DA+DB}(PB, H(DH(TA,TB))))
PA  Public EdDSA key of Alice
PB  Public EdDSA key of Bob
CA  Randomly chosen offset from Alice
CB  Randomly chosen offset from Bob
DA  Randomly chosen offset from Alice
DB  Randomly chosen offset from Bob
TA  Ephemeral key from Alice
TB  Ephemeral key from Bob
K1  Key derived from DH(TA,TB) | DH(TA,PB)
K2  Key derived from DH(TA,TB) | DH(TA,PB) | DH(PA,TB)
KX Evolution
1. DH, STS, TLS, SSH (does sign, not deniable, no wildcard)
2. CurveCP, OTR, TextSecure, Axolotl (do not sign, deniable, wildcard)
3. Tarr (does sign, not deniable, no wildcard, expensive)
4. BG+T (fully deniable, no wildcard, still expensive)
More Information
- Florian Dold on the Cramer-style electronic voting protocol implemented in GNUnet: https://gnunet.org/31c3videos
- Nicolas Benes on hardware-based intrusion detection for your home router: https://gnunet.org/31c3videos
- Julian Kirsch on defeating port scanners: https://gnunet.org/ghm2014knock
- Markus Teich on data minimization for bug reporting: https://gnunet.org/markus2013bsdefense
- Christian Grothoff and Florian Dold on GNS and revocation in GNUnet: https://gnunet.org/video-30c3-talk-gnu-name-system
Conclusion
- Decentralization is necessary
- Decentralization creates challenges for research:
  - Privacy-enhancing network protocol design
  - Secure software implementations
  - Software engineering and system architecture
Questions?
Find more information at:
- https://gnunet.org/
- https://gnunet.org/videos
- http://www.taler.net/
Slides will be at http://grothoff.org/christian/.
Chapter 5: Fun with Hash Functions
Motivation
Purpose of Network Size Estimation
- Human curiosity
- Detection of unusual events
- Value of a botnet
- Tuning parameter
Functional Goals
- All peers obtain the network size estimate
- Supports churn
- Fully decentralized
- Efficient, secure with good load-balancing
- Operates in unstructured topologies
- Works well with modest clock skew between peers
- Ability to trade off precision vs. efficiency
Intuitive Idea
- Set of elements distributed in a space
- Pick a random spot
- Measure distance to nearest element
- More elements ⇒ smaller distance, more overlapping
Intuitive Idea - Applied to networks
- Space: all possible IDs
- Population: randomly distributed peer IDs
- Overlap: number of leading bits in common with a random ID
Theorem. Let p be the expected maximum number of leading overlapping bits between all n random node identifiers in the network and a random key. Then the network size n is approximately
$2^p$
- p = 1 ⇒ n ≈ 2
- p = 6 ⇒ n ≈ 64
- p = 22 ⇒ n ≈ 4 M
Theorem. Let p be the expected maximum number of leading overlapping bits between all n random node identifiers in the network and a random key. Then the network size n is
$2^{p - 0.332747}$
- p = 1 ⇒ n ≈ 1-2
- p = 6 ⇒ n ≈ 50
- p = 22 ⇒ n ≈ 3.3 M
Our Approach: Key Points
- Use the current time to generate a random number
- More overlapping bits ⇒ gossip earlier
- Also delay gossip randomly to avoid traffic spikes
- Proof-of-Work to make Sybil attacks harder
- Implemented! (≈ 1500 lines C code in GNUnet)
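Added example (not from the slides and not GNUnet's NSE code): the estimator behind the two theorems above together with the time-derived round key from "Our Approach", simulated in Python. The 256-bit peer-ID width, the SHA-256 round key, the round length and the sample sizes are assumptions; proof-of-work and the gossip scheduling are not modelled.

```python
import hashlib, secrets

BITS = 256             # width of peer identifiers (assumed: 256-bit hashes)
CORRECTION = 0.332747  # constant from the refined theorem on the slides

def round_key(unix_time: int, round_seconds: int) -> int:
    # Every peer hashes the start of the current round, so all peers target the
    # same "random" key with no coordination; clock skew smaller than one round
    # only makes a peer evaluate a neighbouring round, never a different key space.
    start = unix_time - unix_time % round_seconds
    return int.from_bytes(hashlib.sha256(start.to_bytes(8, "big")).digest(), "big")

def common_prefix_bits(a: int, b: int, bits: int = BITS) -> int:
    # Number of leading bits a and b have in common ("overlap").
    return bits - (a ^ b).bit_length()

def max_overlap(peer_ids, key: int) -> int:
    # The peer whose ID overlaps the key most is the one that gossips first;
    # its overlap count is the round's result.
    return max(common_prefix_bits(pid, key) for pid in peer_ids)

def estimate_size(p: float) -> float:
    # Refined theorem: n ≈ 2^(p - 0.332747).
    return 2 ** (p - CORRECTION)

def simulate(n: int, rounds: int, round_seconds: int = 3600, randbits=secrets.randbits):
    # Constructed experiment: n random peer IDs, one key per round, then the
    # average maximum overlap p over the last `rounds` rounds is fed to the theorem.
    peer_ids = [randbits(BITS) for _ in range(n)]
    overlaps = [max_overlap(peer_ids, round_key(t * round_seconds, round_seconds))
                for t in range(rounds)]
    p = sum(overlaps) / rounds
    return p, estimate_size(p)
```

A single round yields an integer p and therefore an estimate that is off by up to a factor of two, which is why the protocol averages over the last i rounds; more rounds narrow the spread at the cost of more time and traffic.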
Security
Attacker Model
- Freely participate
- Multiple identities
- May alter, drop, send/receive data
- Same resources as "normal" peers
Security Properties
- Resistant to malicious participants (DoS, manipulation)
- No trusted third parties
- Reliable
Processing results
- Final agreed value fluctuates around the actual size
- Last i protocol rounds are analyzed
  - Weighted average
  - Standard deviation
- Precision - cost tradeoff
Precision vs. Rounds of Measurement
[Figure: bits of standard deviation (y axis, 0 to 2) against # protocol rounds (x axis, 1 to 512); series: unweighted average, weighted average]
Agreement between peers
[Figure: Network Size Estimate (y axis, 10 to 10000) against Seconds Running (x axis, 0 to 2500); series: Actual Network Size, Peer Measurements]
Conclusion
- Mathematical foundation applicable broadly for group size estimates
- Secure & efficient network size estimation protocol
- Arbitrary topologies, clock skew harmless, DoS resistant