A privacy-preserving oracle for TLS (Fan Zhang, Deepak Maram, Harjasleen Malvai, Steven Goldfeder, Ari Juels): presentation slides

SLIDE 1

A privacy-preserving oracle for TLS

Fan Zhang, Deepak Maram, Harjasleen Malvai, Steven Goldfeder, Ari Juels

SLIDE 2

Key application of DECO

Smart Contract

SLIDE 3

Tokens

SLIDE 4

Tokens

SLIDE 5

Smart contracts can’t fetch real-world data!

Smart Contract

Blockchain

SLIDE 6

Popular example

Flight Insurance

Gimme a $100 policy (Flight #1215, 17 May, Policy price: $1)

$100

???

SLIDE 7

Stock quotes Commodity prices Weather data Current events Sports results Webpage contents

Oracle

Smart Contract

Solution: Oracles

SLIDE 8

Problem #1: Integrity

Stock quotes Commodity prices Weather data Current events Sports results Webpage contents

Oracle Oracle Oracle

Smart Contract

???

SLIDE 9

Problem #2: Private data

Oracle

Smart Contract I am over 18 I have $5000 My flight was delayed

SLIDE 10

Oracle

Smart Contract I am over 18

Problem #2: Private data

SLIDE 11

Oracle

Smart Contract I am over 18

Alice DOB: Dec 10, 1985

TLS

Problem #2: Private data

SLIDE 12

Oracle

I am over 18

TLS

Alice DOB: Dec 10, 1985

Problem #2: Private data

SLIDE 13

Oracle

I am over 18

TLS

Alice DOB: Dec 10, 1985

doesn’t sign data!

Problem #2: Private data

SLIDE 14

Current approaches

  • Change TLS to sign data
  • Requires adoption…
  • Use Trusted Execution Environment
  • Extra trust assumption
  • Not always available

RWC '20

Ritzdorf, Hubert, et al. "TLS-N: Non-repudiation over TLS Enabling Ubiquitous Content Signing." In NDSS, 2018.
Zhang, Fan, et al. "Town Crier: An authenticated data feed for smart contracts." In CCS, 2016.

SLIDE 15

Introducing the DECO protocol

  • Facilitates privacy-preserving proofs about TLS data to oracles
  • And thus to smart contracts
  • Requires no trusted hardware
  • Requires no server-side modifications
  • i.e., “transparent” to HTTPS-enabled servers
  • Works with modern TLS versions (1.2 & 1.3)

1/20/20 RWC '20 15

SLIDE 16

Goal and adversarial model

  • Prove the provenance of TLS ciphertexts
  • Decrypt or prove statements about the plaintext in ZK (e.g., bal > $5,000)

TLS server S

Oracle

TLS Client aka Prover Verifier

Running unmodified TLS

What’s my balance? Your bal is $8,000.

This denotes TLS ciphertext.

Your bal is $8,000. This is from my bank: Not signed by S!

SLIDE 17

Main idea: Three-party handshake

  • Idea: Hide the MAC key from the prover until she commits.
  • Assuming CBC-HMAC for now (GCM later)

$K_{MAC}^{V} \oplus K_{MAC}^{P} = K_{MAC}$

Diagram labels: Prover holds $K_{Enc}, K_{MAC}^{P}$; Verifier holds $K_{MAC}^{V}$; the TLS session keys are $K_{Enc}, K_{MAC}$.

SLIDE 18

DECO Overview

Parties: Prover, Verifier, TLS Server

Phase 1: Three-party handshake. Prover: $K_{Enc}, K_{MAC}^{P}$; Verifier: $K_{MAC}^{V}$; TLS server: $K_{Enc}, K_{MAC}$

Phase 2: TLS session as usual (Query, Response)

Phase 3: Proof generation. Labels: Response; $K_{MAC}^{V}$; Verify MAC; Decrypt or prove in ZK

Legend: a marker in the diagram denotes a TLS ciphertext.

SLIDE 19

Standard TLS handshake

Parties: TLS Server, TLS Client, Verifier

  • Key exchange (e.g. ECDHE): leverage the homomorphic properties of ECDHE.
  • Key derivation: perform secure two-party computation (2PC).
SLIDE 20

Three-party handshake: key exchange

Prover and Verifier:

$y_v = g^{x_v}$

$y_{client} = g^{x_p} \cdot y_v$

$z_p = y_{server}^{x_p}$

$z_v = y_{server}^{x_v}$

TLS server:

$y_{server} = g^{x_s}$

$z = y_{client}^{x_s}$

Shared secret: $z = z_p \star z_v$, where $\star$ is the EC group operation.
SLIDE 21

Three-party handshake: key derivation

Diagram: in standard TLS, $z$ is fed to the PRF to derive $K_{Enc}, K_{MAC}$. In the three-party handshake, the Prover inputs $z_p$ and the Verifier inputs $z_v$; $z = z_p \star z_v$ is fed to the PRF; the Prover receives $K_{Enc}, K_{MAC}^{P}$ and the Verifier receives $K_{MAC}^{V}$.

  • Magic box that does two-party computation (2PC)
  • EC group operation ($\star$): do this outside the circuit (using add. homomorphic enc.)
  • Hand-optimize the binary circuit.
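
The share arithmetic from the three-party handshake slides (MAC-key split, key exchange, key derivation), as an added example that is not code from the DECO authors. Assumptions: a toy multiplicative group mod a prime stands in for the EC group, SHA-256 stands in for the TLS PRF, one function plays the 2PC box, a hash of the ciphertext stands in for the prover's commitment, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy group: integers mod a Mersenne prime stand in for the EC group on the
# slides (assumption for illustration; NOT a secure parameter choice).
P, G = 2**127 - 1, 3

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def three_party_key_exchange():
    x_s, y_server = keygen()        # unmodified TLS server
    x_p, y_p = keygen()             # prover's secret share
    x_v, y_v = keygen()             # verifier's secret share
    y_client = (y_p * y_v) % P      # y_client = g^{x_p} * y_v
    z = pow(y_client, x_s, P)       # server's ordinary DH secret
    z_p = pow(y_server, x_p, P)     # prover's share of z
    z_v = pow(y_server, x_v, P)     # verifier's share of z
    return z, z_p, z_v

def derive_mac_shares(z_p, z_v):
    # Stand-in for the 2PC box: in the protocol neither party sees z or the
    # full K_MAC; here one function plays both roles. SHA-256 replaces the PRF.
    z = (z_p * z_v) % P
    k_mac = hashlib.sha256(b"mac" + z.to_bytes(16, "big")).digest()
    k_mac_p = secrets.token_bytes(32)
    return k_mac, k_mac_p, xor(k_mac, k_mac_p)  # K_MAC, K_MAC^P, K_MAC^V

def verifier_accepts(commitment, ciphertext, tag, k_mac_p, k_mac_v):
    # The opened ciphertext must match what the prover committed to before
    # K_MAC^V was released, and its tag must verify under the recombined key.
    if not hmac.compare_digest(hashlib.sha256(ciphertext).digest(), commitment):
        return False
    expected = hmac.new(xor(k_mac_p, k_mac_v), ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def demo():
    z, z_p, z_v = three_party_key_exchange()
    k_mac, k_p, k_v = derive_mac_shares(z_p, z_v)
    ct = b"constructed TLS ciphertext"                  # constructed sample
    tag = hmac.new(k_mac, ct, hashlib.sha256).digest()  # server uses full K_MAC
    commitment = hashlib.sha256(ct).digest()            # sent before k_v is revealed
    late = b"ciphertext substituted after reveal"       # constructed sample
    late_tag = hmac.new(k_mac, late, hashlib.sha256).digest()  # valid MAC, no commitment
    return (z == (z_p * z_v) % P, verifier_accepts(commitment, ct, tag, k_p, k_v),
            verifier_accepts(commitment, late, late_tag, k_p, k_v))
```

The third result shows why the commitment has to come first: once both shares are known, a valid tag alone no longer says anything about where a ciphertext came from.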

SLIDE 22

Three-party handshake Performance

  • AND complexity of ~770k
  • Runtime: 1.40s in LAN, 5.70s in WAN
  • Not blazingly fast, but sufficient for DECO applications.
SLIDE 23

GCM and TLS 1.3

  • Handshake for GCM
  • Essentially the same as CBC-HMAC
  • Need a key commitment step (GCM ciphertext is not committing)
  • Overall: small impact on the performance
  • DECO supports modern TLS versions
  • TLS 1.2: CBC-HMAC & GCM
  • TLS 1.3: GCM


SLIDE 24

DECO Overview

Parties: Prover, Verifier, TLS Server

Phase 1: Three-party handshake. Prover: $K_{Enc}, K_{MAC}^{P}$; Verifier: $K_{MAC}^{V}$; TLS server: $K_{Enc}, K_{MAC}$

Phase 2: TLS session as usual (Query, Response)

Phase 3: Proof generation. Labels: Response; $K_{MAC}^{V}$; Verify MAC; Decrypt or prove in ZK

Legend: a marker in the diagram denotes a TLS ciphertext.

SLIDE 25

Now that we can prove provenance…

  • Ciphertexts are commitments.
  • Open the whole thing (forgoing privacy)
  • Selective opening: decrypt partially
  • Record (16KB) and block (128-bit) level
  • Selective opening + ZKP
  • E.g., age > 18 or bal > $5,000.

Diagram labels: Record 1, Record 2; blocks M1, M2, …, M512; “Commitment”, “Binds to”.

SLIDE 26

Proof Generation Performance

  • Application-specific
  • E.g., Age proof: prove age > 18 according to University Registrar website

SLIDE 27

DECO Applications

  • Blockchain applications
  • Decentralized identity (DID)
  • Decentralized finance (DeFi)
  • Non-blockchain applications too!
  • Age proof
  • Anonymous proofs of ownership of accounts
  • Privacy-preserving personal data marketplace
  • Allow users to export private data w/ integrity guarantees without server’s help.

SLIDE 28

Take home

  • DECO is a privacy-preserving oracle protocol
  • Works with modern TLS versions (1.2 & 1.3)
  • Requires no trusted hardware
  • Requires no server-side modifications
  • Visit https://deco.works for our blog post and paper.


Fan Zhang PhD Candidate, Cornell https://fanzhang.me