A privacy-preserving oracle for TLS Fan Zhang, Deepak Maram, - PowerPoint PPT Presentation

A privacy-preserving oracle for TLS Fan Zhang, Deepak Maram, Harjasleen Malvai, Steven Goldfeder, Ari Juels

Key application of DECO Smart Contract

Tokens

Tokens

Smart contracts can’t fetch real-world data! Blockchain Smart Contract

Popular example Gimme a $100 policy ??? (Flight #1215, 17 May, Policy price: $1) Flight Insurance $100

Solution: Oracles Webpage contents Commodity Smart prices Contract Stock quotes Oracle Weather data Current Sports events results

Problem #1: Integrity Oracle Webpage contents Commodity ??? Smart prices Contract Stock quotes Oracle Weather data Current Sports events results Oracle

Problem #2: Private data I am over 18 I have Smart $5000 Contract Oracle My flight was delayed

Problem #2: Private data I am over 18 Smart Contract Oracle

Problem #2: Private data I am over 18 Smart TLS Contract Oracle Alice DOB: Dec 10, 1985

Problem #2: Private data I am over 18 TLS Oracle Alice DOB: Dec 10, 1985

Problem #2: Private data I am over 18 TLS doesn’t sign data! Oracle Alice DOB: Dec 10, 1985

Current approaches • Change TLS to sign data Ritzdorf, Hubert, et al. "TLS-N: Non-repudiation over TLS Enabling • Requires adoption… Ubiquitous Content Signing." In NDSS, 2018. • Use Trusted Execution Environment Zhang, Fan, et al. "T own Crier: An • Extra trust assumption authenticated data feed for smart • Not always available contracts." In CCS , 2016. RWC '20

Introducing the DECO protocol • Facilitates privacy-preserving proofs about TLS data to oracles • And thus to smart contracts • Requires no trusted hardware • Requires no server-side modifications • i.e., “transparent” to HTTPS-enabled servers • Works with modern TLS versions (1.2 & 1.3) 1/20/20 RWC '20 15

Goal and adversarial model • Prove the provenance of TLS ciphertexts Running • Decrypt or proving statements about the plaintext in ZK unmodified (e.g., bal > $5,000) TLS What’s my balance? This is from my bank: Oracle Your bal is $8,000. Your bal is $8,000. Not signed by S! TLS server TLS Client Verifier S aka Prover This denotes TLS ciphertext. 1/20/20 RWC '20 16

<latexit sha1_base64="rPAjFYPMAi35LzYpe+rv/ZyFkE8=">ACcHicbVHdahQxGM2Of7X+beuN4IXRQZlpm2UHtRKHojeLOCuy3srs3mW+2YfNHkikMwz6CT+OtfRBfwycwMztUqx4InJzvO0m+k8wI7nyS/OhFN27eun1n6+72vfsPHj7q7+xOnC4twzHTQtuzDBwKrnDsuRd4ZiyCzASeZqv3Tf30Aq3jWn32lcG5hKXiBWfg7Tov/r4pZ5JYOvFhM60EaWjV8qIHv/e9AfJMGlB/yVpRwakw2ix0tnuWalROWZAOemaWL8vAbrORO43p6VDg2wFSxGqgCiW5etxOt6cug5LTQNizlav+6ahBOlfJLHRK8Ofu71oj/q82LX3xdl5zZUqPim0uKkpBvaZNPDTnFpkXVSDALA9vpewcLDAfQrx2UlHEDr2LIW/yBVvFK6xcbCyXwXaBLtYGLXhtXSzCh+QC73kLFa6id617jCwrYzXTOchkjbkoxZ0Qw4POnKUXoU82Rum+8O9TweDk3d3FvkKXlBXpOUHJIT8oGMyJgw8pV8I9/JZe9n9CR6Fj3ftEa9zvOYXEP05he4cb+2</latexit> <latexit sha1_base64="WXHmGe4M1uPDwDegGRUY2IHXwew=">ACWnicbZDLahsxFIbl6S2Xuymu25ETaELYWaSQJpdSDeFbFyIk4DtmDOaM46wNBKSJmUY/CjZts9U6MNEMx5C0/YHwc9/dKRzvtRI4Xwc/+pFT54+e/5ia3tn9+Wr12/6g7cXTpeW4Rrqe1VCg6lKHDihZd4ZSyCSiVepqsvTf3yFq0Tuj3lcG5gmUhcsHBh2jRH5xdz7Dg7Oy6ning68V40R/Go7gV/dcknRmSTuPFoJfMs1LhYXnEpybJrHx8xqsF1ziemdWOjTAV7DEabAFKHTzup19T+GJKO5tuEUnrbpnx01KOcqlYabCvyN+7vWhP+rTUuf57XojClDwtuPspLSb2mDQiaCYvcyoY4FaEWSm/AQvcB1yPXspz5tA7BlDEmzFVlg5ZqxQoe0WHdMGLXhtHZMBfQZM6qXgrNANZNd2h4VtZbzmOgtIWsjHrejGHB125jh5gHyxP0oORvfDocnpx3uLfKefCfSEKOyAn5SsZkQj5Tu7ID/Kz9zuKou1od3M16nU9e+SRonf3jru25A=</latexit> <latexit sha1_base64="4dlizgJ9ycYTN8M5ELxAHwAMzvM=">ACWHicbZDLahsxFIbl6SWXuKky25ETaELYWaSQJpdSDeFbFKok4DtmDOaM46wbkiawD4SbpNH6p9mrGQ2na/iD4+Y+OdM6XWyl8SNMfg+TJ02fPt7Z3dl+8fPV6b7h/cOVN5ThOuJHG3eTgUQqNkyCxBvrEFQu8TpfWr1/fovD6a6gtzhUstSgFhxCjxXDv4naGmrOL2amgK8Xw1E6TjvRf03WmxHpdbnYH2SzwvBKoQ5cgvfTLVh3oALgktc784qjxb4CpY4jVaDQj9vusnX9H1MCloaF48OtEv/7GhAeV+rPN5UEO7837U2/F9tWoXy47wR2lYhrf5qKwkDYa2GghHPIg62iAOxFnpfwOHPAQYT16qSyZx+AZFC1HcDVbYe2ZdULFtnv0zFh0EIzTEbwBTBploIzbVrEvuOC7vaBsNEZF0kE870Y05Oe7NafYb8tXhODsaH345Hp2d97i3yVvyjnwgGTkhZ+QzuSQTwklFvpEH8n3wMyHJVrKzuZoM+p435JGSg1/tOLYh</latexit> <latexit sha1_base64="rT+KBKPiFBVCe3hgeMny7Gokhtk=">ACUXicbZBNaxRBEIZ7xq+Y+JHo0cvgIngYlpkYiLmFeBG8RHA3wd1qemp2TbX3TXBIZh/0Wu+qc8+VO82TM7iFfaHh5q6u76imsFJ6y7EcU37l7/6DnYe7e48eP3m6f/Bs6k3tOE64kcZdFuBRCo0TEiTx0joEVUi8KNbvuvrFNTovjP5EjcWFgpUWleBAIfr84Us7V8A3y+lyf5SNs17JvyYfzIgNOl8eRPm8NLxWqIlL8H6WZ5YWLTgSXOJmd157tMDXsMJZsBoU+kXbj7xJXoWkTCrjwtGU9OmfHS0o7xtVhJsK6Mr/XevC/9VmNVvF63QtibUfPtRVcuETNLtn5TCISfZBAPciTBrwq/AadA6dZLVZV6J9C2QE16RrbHxqnVCh7Rp9aiw6ION8KgPxElJpVoKn2nRsfd8dFnaNJcNGZD0kE96JVtzfDSYk/w35OnhOH8zPvx4NDo9G3DvsBfsJXvNcnbMTtl7ds4mjDPNbthX9i36Hv2MWRxvr8bR0POc3VK89wuLRLUL</latexit> Main idea: Three-party handshake • Idea: Hide the MAC key from the prover until she commits. DECO logo • Assuming CBC-HMAC for now (GCM later) Prover Verifier K Enc , K MAC K MAC K Enc , K MAC P V K MAC ⊕ K MAC = K MAC 1/20/20 RWC '20 17 V P

<latexit sha1_base64="4dlizgJ9ycYTN8M5ELxAHwAMzvM=">ACWHicbZDLahsxFIbl6SWXuKky25ETaELYWaSQJpdSDeFbFKok4DtmDOaM46wbkiawD4SbpNH6p9mrGQ2na/iD4+Y+OdM6XWyl8SNMfg+TJ02fPt7Z3dl+8fPV6b7h/cOVN5ThOuJHG3eTgUQqNkyCxBvrEFQu8TpfWr1/fovD6a6gtzhUstSgFhxCjxXDv4naGmrOL2amgK8Xw1E6TjvRf03WmxHpdbnYH2SzwvBKoQ5cgvfTLVh3oALgktc784qjxb4CpY4jVaDQj9vusnX9H1MCloaF48OtEv/7GhAeV+rPN5UEO7837U2/F9tWoXy47wR2lYhrf5qKwkDYa2GghHPIg62iAOxFnpfwOHPAQYT16qSyZx+AZFC1HcDVbYe2ZdULFtnv0zFh0EIzTEbwBTBploIzbVrEvuOC7vaBsNEZF0kE870Y05Oe7NafYb8tXhODsaH345Hp2d97i3yVvyjnwgGTkhZ+QzuSQTwklFvpEH8n3wMyHJVrKzuZoM+p435JGSg1/tOLYh</latexit> <latexit sha1_base64="rT+KBKPiFBVCe3hgeMny7Gokhtk=">ACUXicbZBNaxRBEIZ7xq+Y+JHo0cvgIngYlpkYiLmFeBG8RHA3wd1qemp2TbX3TXBIZh/0Wu+qc8+VO82TM7iFfaHh5q6u76imsFJ6y7EcU37l7/6DnYe7e48eP3m6f/Bs6k3tOE64kcZdFuBRCo0TEiTx0joEVUi8KNbvuvrFNTovjP5EjcWFgpUWleBAIfr84Us7V8A3y+lyf5SNs17JvyYfzIgNOl8eRPm8NLxWqIlL8H6WZ5YWLTgSXOJmd157tMDXsMJZsBoU+kXbj7xJXoWkTCrjwtGU9OmfHS0o7xtVhJsK6Mr/XevC/9VmNVvF63QtibUfPtRVcuETNLtn5TCISfZBAPciTBrwq/AadA6dZLVZV6J9C2QE16RrbHxqnVCh7Rp9aiw6ION8KgPxElJpVoKn2nRsfd8dFnaNJcNGZD0kE96JVtzfDSYk/w35OnhOH8zPvx4NDo9G3DvsBfsJXvNcnbMTtl7ds4mjDPNbthX9i36Hv2MWRxvr8bR0POc3VK89wuLRLUL</latexit> <latexit sha1_base64="rT+KBKPiFBVCe3hgeMny7Gokhtk=">ACUXicbZBNaxRBEIZ7xq+Y+JHo0cvgIngYlpkYiLmFeBG8RHA3wd1qemp2TbX3TXBIZh/0Wu+qc8+VO82TM7iFfaHh5q6u76imsFJ6y7EcU37l7/6DnYe7e48eP3m6f/Bs6k3tOE64kcZdFuBRCo0TEiTx0joEVUi8KNbvuvrFNTovjP5EjcWFgpUWleBAIfr84Us7V8A3y+lyf5SNs17JvyYfzIgNOl8eRPm8NLxWqIlL8H6WZ5YWLTgSXOJmd157tMDXsMJZsBoU+kXbj7xJXoWkTCrjwtGU9OmfHS0o7xtVhJsK6Mr/XevC/9VmNVvF63QtibUfPtRVcuETNLtn5TCISfZBAPciTBrwq/AadA6dZLVZV6J9C2QE16RrbHxqnVCh7Rp9aiw6ION8KgPxElJpVoKn2nRsfd8dFnaNJcNGZD0kE96JVtzfDSYk/w35OnhOH8zPvx4NDo9G3DvsBfsJXvNcnbMTtl7ds4mjDPNbthX9i36Hv2MWRxvr8bR0POc3VK89wuLRLUL</latexit> <latexit sha1_base64="WXHmGe4M1uPDwDegGRUY2IHXwew=">ACWnicbZDLahsxFIbl6S2Xuymu25ETaELYWaSQJpdSDeFbFyIk4DtmDOaM46wNBKSJmUY/CjZts9U6MNEMx5C0/YHwc9/dKRzvtRI4Xwc/+pFT54+e/5ia3tn9+Wr12/6g7cXTpeW4Rrqe1VCg6lKHDihZd4ZSyCSiVepqsvTf3yFq0Tuj3lcG5gmUhcsHBh2jRH5xdz7Dg7Oy6ning68V40R/Go7gV/dcknRmSTuPFoJfMs1LhYXnEpybJrHx8xqsF1ziemdWOjTAV7DEabAFKHTzup19T+GJKO5tuEUnrbpnx01KOcqlYabCvyN+7vWhP+rTUuf57XojClDwtuPspLSb2mDQiaCYvcyoY4FaEWSm/AQvcB1yPXspz5tA7BlDEmzFVlg5ZqxQoe0WHdMGLXhtHZMBfQZM6qXgrNANZNd2h4VtZbzmOgtIWsjHrejGHB125jh5gHyxP0oORvfDocnpx3uLfKefCfSEKOyAn5SsZkQj5Tu7ID/Kz9zuKou1od3M16nU9e+SRonf3jru25A=</latexit> This denotes a TLS ciphertext. DECO Overview TLS Server Prover Verifier Phase 1: Three-party K MAC K Enc , K MAC K Enc , K MAC Handshake V P Query Phase 2: TLS session as usual Response Response K MAC Phase 3: proof V generation Verify MAC; Decrypt or prove in ZK 1/20/20 RWC '20 18

Standard TLS handshake TLS Server TLS Client Verifier • Leverage the homomorphic • Key exchange (e.g. ECDHE) • Key derivation properties of ECDHE. • Perform secure Two-party computation (2PC). 1/20/20 RWC '20 19