Modern key distribution with ClaimChains
A decentralized Public Key Infrastructure that supports privacy-friendly social verification
Bogdan Kulynych, Marios Isaakidis, Carmela Troncoso, George Danezis
NEXTLEAP
photo by lisa cee
HIGH-INTEGRITY
Tamper proof
Authenticity
DECENTRALIZATION
Availability
Censorship-resistant
Global consensus
Cryptocurrency chains
Powerful abstraction for identities
Global namespace
No mechanism for social validation
All transactions are public
Users need to buy coins and pay for transaction fees
Resource expensive
HEAD
BLOCK HEADER
● pointer to previous block
● hash of block transactions
● timestamp
. . .
TRANSACTIONS
● transaction x0
● transaction x1
. . .
● transaction xn
Federated “Merkle prefix tree” chains
Accountability
Easy discovery
Efficient
Do not prevent equivocation
Centralization
– Single point of failure
– Surveillance
Examples: keybase.io, CONIKS
Merkle binary prefix trees
[Figure: binary prefix tree under ROOT with edges labelled 0 and 1. Interior nodes hold H(child0, child1). Example leaves: i = 001…, v = value (X) and i = 000…, v = value (Y).]
Leaf nodes are ordered using a Verifiable Random Function
ClaimChains
claimchain.github.io
photo by Wendi Halet
ClaimChains
● A ClaimChain for each user/device/identity
● Blocks appended as needed
● Compromises appear as ClaimChain forks
● Owner selects who can read a specific claim – all readers get the same content
● Propagation of key updates in “cliques” of users
● Vouch for the latest state of a friend’s ClaimChain
● Friend introductions - Social validation – Web of Trust
… while preserving privacy
[Figure label: cross-hash]
Overview
● ClaimChains are high-integrity, authenticated data stores that can support generic claims
● Privacy: a capabilities mechanism for fine-grained claim-specific access control
● Non-equivocation: all readers of a private claim get the same view
● Cross-hashing enables the propagation and vouching of the latest state of linked ClaimChains
● Equivocation attempts and compromises produce non-repudiable cryptographic evidence (“ClaimChain forks”)
● Flexible in terms of deployment
● Efficient “selective sharing” of claims
ClaimChains block structure
Block index
Timestamp
Nonce
ClaimChain version
BLOCK MAP
Merkle prefix tree with all claims and capabilities
CLAIMCHAIN METADATA
● Connected identities
● ClaimChain public keys (pk_SIG, pk_VRF, pk_DH)
Pointers to previous blocks
Signature under pk_SIG
Block claim map: Adding a claim
label = [email protected] = 0515b693e5
1) Compute claim key k = VRF ( || nonce)
2) Calculate the index of the leaf node: i = SHA256( k || “lookup” )
3) Generate a symm. enc. key: K = SHA256( k || “enc” )
4) Encrypt claim content: C = Enc_K( VRFproof + “0515b693e5” )
Resulting leaf under ROOT: i = 0110..., v = C
Block claim map: Adding a capability for to read
1) Establish DH shared secret s between and
2) Derive the capability lookup key: i = SHA256( nonce || s || “lookup” )
3) Derive the symm. enc. key: K = SHA256( nonce || s || “enc” )
4) Encrypt claim key VRF ( || nonce): C = Enc_K( k )
Leaves under ROOT: i = 0110..., v = C (claim) and i = 1010..., v = C (capability)
Block claim map: retrieving the latest update for
1) Establish DH shared secret s between and
2) Derive the capability lookup key: i = SHA256( nonce || s || “lookup” )
3) Derive the symm. enc. key: K = SHA256( nonce || s || “enc” )
4) Retrieve capability block and decrypt it with K. Result: key for ‘s claim
5) Retrieve ‘s claim and decrypt it
6) Verify VRFproof
Leaves under ROOT: i = 1010..., v = C (capability) and i = 0110..., v = C (claim)
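The three procedures above (adding a claim, adding a capability, retrieving the update) as one runnable sketch. This is an added example, not code from the slides or the ClaimChain project. Assumptions: a toy RSA-style VRF, a SHA256-keystream cipher with an HMAC tag for Enc, fixed byte strings in place of the DH shared secret, a dict in place of the Merkle prefix tree, the label bob@example.org, and label || nonce as the VRF input (the left operand did not survive on the slide).

```python
import hashlib
import hmac

def H(*parts):
    """SHA256 over the concatenation, as in the slides' SHA256( a || b )."""
    return hashlib.sha256(b"".join(parts)).digest()

# Stand-in VRF (assumption): toy RSA-FDH-style construction over two Mersenne
# primes. The modulus is far too small for real use; it only makes step 6 checkable.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # owner's VRF secret exponent

def vrf_prove(msg):
    h = int.from_bytes(H(msg), "big") % N
    proof = pow(h, D, N).to_bytes(32, "big")
    return H(proof), proof  # (claim key k, VRFproof)

def vrf_verify(msg, k, proof):
    h = int.from_bytes(H(msg), "big") % N
    return pow(int.from_bytes(proof, "big"), E, N) == h and hmac.compare_digest(k, H(proof))

# Stand-in Enc_K (assumption): SHA256 keystream XOR plus an HMAC tag.
def keystream(key, n):
    return b"".join(H(key, i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def enc(key, pt):
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, len(pt))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def dec(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered entry")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))

def add_claim(block_map, label, body, nonce):
    k, proof = vrf_prove(label + nonce)      # 1) VRF input label || nonce is assumed
    i = H(k, b"lookup")                      # 2) leaf index
    K = H(k, b"enc")                         # 3) symmetric key
    block_map[i] = enc(K, proof + body)      # 4) C = Enc_K(VRFproof + body)
    return k

def add_capability(block_map, k, s, nonce):
    # Capability leaf: index and key both derive from nonce and the shared secret s.
    block_map[H(nonce, s, b"lookup")] = enc(H(nonce, s, b"enc"), k)

def read_claim(block_map, label, s, nonce):
    cap = block_map.get(H(nonce, s, b"lookup"))          # reader steps 1-2
    if cap is None:
        return None                                      # no capability for this reader
    k = dec(H(nonce, s, b"enc"), cap)                    # steps 3-4
    entry = block_map.get(H(k, b"lookup"))
    if entry is None:
        raise ValueError("capability points at a missing claim")
    plain = dec(H(k, b"enc"), entry)                     # step 5
    proof, body = plain[:32], plain[32:]
    if not vrf_verify(label + nonce, k, proof):          # step 6
        raise ValueError("VRFproof does not bind this label to the claim key")
    return body

def demo():
    # Constructed sample values; the 32-byte secrets stand in for DH outputs.
    nonce, label, body = b"constructed-nonce", b"bob@example.org", b"0515b693e5"
    s_reader, s_other = H(b"dh:owner,reader"), H(b"dh:owner,other")
    block_map = {}  # dict stands in for the Merkle prefix tree's leaves
    add_capability(block_map, add_claim(block_map, label, body, nonce), s_reader, nonce)
    return block_map, label, nonce, s_reader, s_other

if __name__ == "__main__":
    bm, label, nonce, s_reader, s_other = demo()
    print(read_claim(bm, label, s_reader, nonce), read_claim(bm, label, s_other, nonce))
```

A reader without a capability finds no leaf at its derived index, and a claim whose VRFproof does not match the requested label is rejected at step 6.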
Resilience
● Field research to understand user needs
● Collaboration with related communities
● Applied research:
– Cryptographic games to define security and privacy properties
– Formally verified implementation
● Simulations using real world data
● Interoperability and plans for gradual deployment
● User-centric design
● Multidisciplinarity
● Open Innovation (open access and extendability)
Evaluation of scalability
[Figures: Claim map construction time; Cumulative block storage size]
Key propagation in a fully decentralized setting
[Figures: Outgoing bandwidth cost; Email encryption status (%)]
Merkle binary prefix trees: Proof of inclusion
[Figure: binary prefix tree under ROOT with edges labelled 0 and 1]
([email protected], 0x1A2B3C)
VRF_pkVRF([email protected]) = 01011...
Leaf: i = 01011…, v = 0x1A2B
Merkle binary prefix trees: Proof of absence
[Figure: binary prefix tree under ROOT with edges labelled 0 and 1]
VRF_pkVRF([email protected]) = 11001...
Leaf: i = 11011…, v = 0xFFFF