Okay. So thank you everyone for joining this virtual Hyperledger meetup. Today we're going to be talking about a new Hyperledger lab named Agora, and Mike Lodder will be talking about that. Mike Lodder is an active member of the Hyperledger community, a security researcher and implementer, and he will share details about Agora. If that is something that you're interested in, just like everything in Hyperledger, it's open and you're welcome to get involved: take a look at it, check it out and contribute. So if you are interested, hopefully you will learn some interesting stuff today, and we hope to see you in the community checking it out and contributing. So with that, Mike, why don't you take it away.

Well, cool, thanks David. Yeah, so Agora, at least to me, means a gathering place; at least that's what it was in ancient Greek. I've been in Hyperledger a long time, since about 2016, almost since its inception, so this is a way for Hyperledger to help me out as well as maybe help some of you out as well.

Here's kind of how it got started. Hart Montgomery and I were at a conference together talking about various things. I have developed quite a few cryptographic libraries over the years, and lots of different companies have been wanting to use them in various capacities so that they don't have to rewrite their own code, and they've been trying to get a lot of collaboration across these. The same with researchers: off and on, some are lukewarm, some are more involved, some are like, "well, there's reasons why we can't do that." So I was trying to figure out why, and Agora is one way to fix the problem of why they won't. One of the reasons they often give is, "well, you're the only maintainer, you're the only person who knows the code in and out," and on the contrary, "if we contribute to it, who gets to own it? Should we make a copy and fork it into our own repos? Can we get you to sign a contract and then we'll take over the code?" That kind of thing. Some of them have tried to take it over when they haven't even contributed to it; I've even gotten sued because a company wanted to steal my code from me and take it legally. So it's been kind of a nightmare off and on all these years.

So when Hart and I were talking, we proposed this as a viable option which could help mitigate many of those problems, hence the Agora approach. If you've ever been to Athens and seen the Acropolis, this is where the inspiration comes from. We said, well, let's create a new Labs project where all of that cryptography code can live, a common place for any cryptography code, not just blockchain, that could be donated for research purposes or used in production. The goal is that this code should be able to be used in production, and some of it is, but it will be owned by Hyperledger. I'm just one of the maintainers, and any other new maintainers that come on obviously have to abide by the code of conduct, and if I ever decide to leave then the code will still live on and anyone else can keep it going. So that was the idea: a more modern-day Agora, if you will, rather than the ancient version.

The main thing I'm also trying to contribute to is that coding cryptography tends to be quite scary for people, because they see a lot of problems that happen when you do it wrong and they often hear the phrase "don't roll your own crypto." The goal with this is to help onboard people to the fact that, hey, sometimes you do have to roll crypto for newer algorithms and methodologies, because there's no way around it: no one's written anything, so how else would you know it would work? I'm going to be donating quite a bit of code to it. Some of my code has contributions from other people, so I'm just making sure that they're okay with the move; that's why you don't see too much in there yet. Other parts of my code are being audited, and I'll go over those in a minute; that's why none of it has primarily gotten there yet. But the idea is I'm going to be donating quite a bit of code to this to start, and then adding some new ones. I've already got quite a few researchers that are excited to contribute to this, and that way we don't have to worry about the licensing or who owns it and all of that, because it'll just belong to Hyperledger, which will be nice. Here's the link if you want to know more about the main goals of Agora, but I'm just touching on that basically.

So again, I don't want it to seem like when you go to the supermarket and you see these really scary chillies that cryptography code is the same, right? It should be quite pleasant and fun to code in, because I enjoy it. These are the initial repositories that I will be donating to the cause. I'll cover what all of these are, why they exist in the first place and what problems they solve. Some of these cover cryptographically safe big number libraries. You may have heard there are multi-precision libraries out there, but they're not safe for cryptographic use for various reasons: they're not constant time, which is the main thing, or they're not side-channel resistant. Some of these libraries are for MPC, multi-party computation, that is very useful for blockchains, and some of the newer cryptography I'm developing that's coming from papers is specifically for blockchains, and that's why it's an ideal home for Hyperledger. Some libraries are for enabling safer secrets management when you're using secrets in memory. We often deal with data at rest and data in transit, but no one's really written much for in-memory other than to say, oh, just put it in some enclave stuff like Intel SGX or AMD's SEV environment and so on, but those can be really complicated to set up. So this offers a kind of safe alternative to that. I wouldn't say you would replace all of your code; if you've already written code for SGX and those kinds of things, that's great, keep it there. But if, let's say, you want to develop something minor, or maybe you're just testing out some things and you're not quite ready for those more advanced enclaves, or you don't trust them yet, then that's what some of this code would be good for. The code I've written is in Rust and Golang, but the other idea behind Agora is we can expand that, and I'll talk about what that is later. In either case this should be exciting, like getting a big cake, and if you're not into cake, maybe you're big into ice cream; either way this should be a fun project for you to look at and participate in.

So let me start with one of the biggest ones. There is a big BLS library here. If you're not familiar with that, this is what Ethereum 2.0 is planning to use; quite a few other blockchains use it, like Sovrin does, and Dfinity's Internet Computer uses it, League of Entropy and so on. BLS is becoming quite a big standard, especially among blockchains. The library I've written here is based on this particular curve, the BLS12-381 version, and provides all the operations you would need if you want to write your own cryptographic algorithms using that library. There are all the BLS signatures according to the standard that's out there; they work for both threshold and non-threshold versions. It implements the ElGamal encryption and signcryption, which is where you get a signature and an encrypted ciphertext at the same time with one operation instead of doing it twice. There's identity-based encryption in here, which I haven't seen implemented anywhere else. There's threshold encryption, which is really cool. I've added some zero-knowledge proofs for signatures, so if you have a BLS signature and you don't want to leak it, you can send a proof instead, which will be verified just like a signature but without showing the signature itself, which is really cool. That's written in Rust and Golang, and Intel has a library called blst that is optimized for this particular curve, so you can take your pick for which one you want to use it with. It is currently being audited, and because the auditors didn't want me to move it yet, as soon as the audit is done it will be put into Agora, which is really cool.

The next big thing that you commonly see with blockchains is distributed key generation. Right now I've got a Gennaro-based version in there, which has been the most popular and safest one out there; it's got all of the verifiable secret sharing schemes that are popular. But now I'm also working with a team in Israel that has submitted a candidate for NIST called Bingo, and it's really great in the sense that Gennaro, when you implement it with blockchains, is a very synchronous algorithm: all of the nodes have to be in the same rounds, otherwise they can get out of sync, and they have to complete four to five rounds before you're done. Whereas Bingo is an asynchronous version in that each node only does one round, and then they just wait for the responses from a threshold number of nodes and then they're done, and that's it. So it's been submitted to NIST, so that'll be cool. I'm working with them to get it implemented in Rust, which is really cool, but why stop at Rust when we can do lots of other languages as needed?

Okay, big number libraries. Believe it or not, RSA is still not dead, and there are still some pretty nifty algorithms we can do with this, especially when we start talking about class groups in cryptography. So we do still need big number libraries to implement some of these things. Class groups are supposed to be post-quantum safe, and we'll see how that rolls out to some extent, but you need these. Some of the libraries I'm donating are wrappers around the OpenSSL version, GNU's multi-precision library and pure Rust, and they are all constant time. Take your pick based on speed and performance and compatibility across devices or desktops or servers or whatever; you can just pick one, so you don't even have to think about swapping out and adapting your libraries to do one of these, that's already taken care of for you. And if you're doing any blockchain based on that kind of logic, the Paillier homomorphic encryption scheme is implemented for you. I'm also adding it to be threshold based, and there is also a verifiable encryption scheme that's based on a very secure standard that's been around for a long time.

Okay, then I talked about the in-memory protection. The idea is that rather than just holding your secrets in RAM while you're operating with them, this library helps you handle it such that it mitigates some attacks like Spectre, Meltdown, Rowhammer and RAMBleed, which are all kind of similar but complicated to deal with. As I've been researching and trying to figure out ways to avoid these attacks, that's what this library does for you. There's also a way to tokenize authentication with symmetric cryptography, which has been pretty standard at Red Hat and other companies, but I've implemented some libraries that are not only compatible with those but also modernize it somewhat.

So in the near future, what I'm planning to do within the next year or so is expand what language implementations I have. Like I said, most of it's in Rust, and then I do have some implementations in Go, but I want to expand it so it's in all four of those. So if you don't want to have to compile for a specific platform and you just want to work 100% in, say, .NET or the Java runtime, you don't have to; or in Golang, you don't have to wrap Go native, it'll just work because it's specifically written for those environments. The downside is you have to go with the specific garbage collection or just-in-time compiling for those other three, whereas with Rust you don't have that at all. I have implemented some wrapping that can go around the Rust for Node, Python, Wasm and C++, but the goal is to expand it so the programming language of your choice shouldn't be an issue. And then to add some more zero-knowledge primitives, because that's the area I love to work in. BBS+ is a standard that's approaching completion. I'm also starting to work with the authors of the Pointcheval-Sanders signature, specifically Olivier Sanders, because he has a version that works with elliptic curves and he's also got a post-quantum version, and they're almost interchangeable, so I want to help him standardize those. Some cryptographic accumulators, other forms of verifiable encryption, porting Bulletproofs to work for any particular curve will be really cool, and then some ZK-SNARKs as well. So all of that will probably start making its way in there within the next year.

Now for long term, I mentioned Bingo already, but there are some other cool signing algorithms like FROST and Kate Sith for ECDSA that I'd like to add in there, so that if you are a blockchain and you want to pick out some signing algorithms and you just need them in a threshold way, they're available. There's also the idea of symmetric threshold encryption and decryption, where you don't have to worry about whether these keys will be broken by post-quantum computers because it's symmetric based, so you can just make it strong enough and it should just work. And then obviously other post-quantum algorithms that I'd love to get my hands on, like I said the Pointcheval-Sanders post-quantum version, and some DKGs as they come out. Believe it or not, there are no distributed key generation algorithms that are post-quantum secure, because post-quantum cryptography is very, very complicated, but I know a few authors who are working on it, and I'd like to continue researching with them and then putting code into Agora. So if you're following Agora, you'll be one of the first to know when that actually happens, specifically around the Falcon signature, since that one's very hard to get right.

Okay, so like I said, Agora is a place of gathering in ancient Greek, and I'm encouraging everyone here, and anyone that's not here, to collaborate as much as possible. There's already a Discord channel in Hyperledger; you can come and talk about features or bugs or new things you would like to see or how you could help. I'm always looking for any kind of help. You don't have to be a software engineer to help with this stuff; there are all sorts of ways you can be put to work, and specifically try to use it in your production, because the goal is to make this code production ready. Most of it, like I said, is already being used in production systems, so let's continue to make it better. So with that, I am done. Any questions? I haven't been paying attention to the chat at all.

So maybe I'll start. I did have one question, and maybe it's a little too detailed, but the in-memory protection on mobile: this is kind of a big issue if you're not using a crypto that's, you know, secure enclave, cross-execution environments compatible, which none of these are. So does that work in a mobile setting where the device can be rooted and other things, or is it obfuscation, or is it actually totally secure?

No, no, that library... so the specific one, let me bring it up. Oh, it's not letting me; I'm going to have to exit full screen mode here, not that it matters. But yeah, it should work on a mobile device. It specifically is this one. So in Rust you just do something like this: here's my secret, right, and then whenever you go to use it you just say unprotect, use it briefly, and as soon as Rust deems it's been, quote-unquote, dropped, it's now secure again. So on the mobile device, I guess if I got it right at that point it'd be there, but otherwise it would not be in memory. Nope, it's like you call unprotect and then as soon as it's quote-unquote dropped it's gone from memory, it's wiped.

Okay, thank you.

It can sit in memory; this thing protects it, so it is still in memory, but if anyone were to try to read it, it's just garbage. It uses this encryption algorithm, and like I said, the encryption keys for that are large; they're not overly large, but they're large enough that they mitigate these types of attacks, so it makes it really hard. And given that most secrets are in RAM for just, say, a couple of seconds, it's not going to be that big of a deal. You'll protect it, load it up, maybe it sits in RAM for minutes, doesn't matter; as long as you're not touching it exactly at that moment, they can't get it out until you call this, then I get it, and then as soon as you drop it, it's zeroed, it's wiped from memory and it's protected again, and the encryption key changes every single time it's touched. So anyway, that's the idea of that one. Did I answer your question?

Oh yes, it does, thank you.

Okay, let's see. Oh, Stephen Curran: can you give a brief description of a constant-time attack and a side-channel attack? Okay, constant time, as it relates to cryptography, not software engineering, is that no matter what the input is, it takes the same amount of time to complete; there's nothing specific about the inputs that causes the code to run any differently. This is a very dangerous thing as it relates to cryptography, because it's the only attack on cryptography that can be done remotely. So if I have code running on a server that is not constant time, as an attacker I can send various inputs, measure the time difference and extract a secret from that information. That's why constant-time cryptography is so important: it's the only way to attack it remotely. The rest of it has to be done through side-channel attacks, and with side-channel attacks you either have to be really close to the system or on the exact same system to get those to work. So a side channel is any method that, when you're on the same system or network, allows you to extract cryptographic secrets. I mentioned one, which was RAMBleed, or Rowhammer, Spectre and Meltdown, which is like taking advantage of speculative branching and things like that to get the secrets to be dumped, and RAM or timing even when you're on the same machine. So that's what the side channel is: it's any other way to get at it without actually disclosing the secret directly.

Okay, let's see. Can you point to an example of an MPC deployment? Yes, I can. Lit Protocol is doing... they're not a blockchain, but they are doing MPC as a service, so they are using a bunch of my libraries; in fact, they're the ones paying for some of the audits.

And "can you post the link on the Discord server to..." what, my slides? I think they mean where the Agora channel is, maybe.

Yeah, sorry, where the Agora channel is. Well, let's see. Oh, it's just on the Hyperledger Foundation. Oh, okay, yeah, if you go to the Hyperledger Discord and scroll down, there's a section for Labs.

Got it, okay, cool. There is a direct link to it though; I'm here, I can get the direct link and drop it.

Yeah, no one but me has posted in it, maybe because nobody cares, but that's fine.

Well, I think it's just new and people haven't heard about it yet. Hopefully this meetup will help. So yeah, I just dropped a link to the direct channel.

Yeah, I thought I only had 30 minutes so I tailored it to 30 minutes.

So I know, I mean, as long as you like; if you want to keep going, if there's a demo or anything, and not to put you on the spot, but you're welcome to have the mic and walk us through.

Probably, like I said, the biggest one that's under audit, that is probably the most interesting part of it, is... it's called blsful, for BLS. This is in production. You can ignore this because within another two weeks I can drop this and actually give you the actual audit report as it's happening. Like I said, it's already compatible, ready to go to Hyperledger, so it's properly licensed Apache and MIT. It has already been deployed as a Rust crate, so you can see here. So I'll probably walk through this, because this is more documentation rather than code, and so you might be a little scared by seeing a lot of this, but like I said, it's got all the BLS implementations you'd ever need. It's got signature proofs, all the signature algorithms, signcryption, and then I say time-crypt, but it's actually identity-based encryption. So there's a lot of cool stuff in here, and it's all thresholdized, so if you want to do threshold decryption, that's what the decryption share is. This is also a wrapper around the back end: you can pick whether you want to use, like I said, Intel's blst library or just the pure Rust version. By default it uses the Intel one, but let's say you're targeting an iPhone; that's not going to work, therefore you have to switch it, but it's a very simple thing. All you do is say, all right, switch from blst to Rust and you're done; no code changes after that, it just works. So that's a really fun one to implement, all the information you want. Also the AnonCreds project at Hyperledger will be using this; I recently donated a bunch of code for that which is using this library as well, that implements a lot of stuff for anonymous credentials.

The other one I mentioned was the big number library. Well, wait, that's... yeah, it actually is here, okay. I named it unknown_order, but it really does more than that. So if you want to work with hyperelliptic curves or class groups, or even AnonCreds could drop all of their big number libraries and just use this one. This one's being audited as well, and it wraps, like I said, OpenSSL, Rust bigint and crypto-bigint; that's all constant time. So anyway, those are probably the most interesting ones. Oh, the other one is the Gennaro one. This is being used in production, so I'm going to update it to 1.0 after the audit's done and the fixes are applied, but if you need distributed key generation until we get Bingo, this is your algorithm. Here's the paper it's based on, which is actually quite old, but it's been deemed secure by many, many, many, many cryptographers. And once I've moved these all to Agora, they'll say the owner is Hyperledger Agora, not just me anymore. So anyway, those are probably the main libraries.

Oh, "can you expand on what you said about symmetric threshold in your presentation?" Yeah, there's an algorithm that was developed by Visa called DiSE; I don't remember what it stands for, but that's the algorithm I'm looking to implement that does threshold encryption and decryption. Let me see if I can find the paper for you, but that's the one I'm talking about. Hope that helps. Any other questions or comments, jokes?

Maybe I'll comment on this one comment, or question, I get often: how is this different than Hyperledger Ursa? Well, Ursa had the goal of being the sole cryptographic library for all of Hyperledger, whereas Agora does not have that goal. It's more of a research and production based cryptography for not just blockchains but all sorts of spaces, so whether other Hyperledger projects use it or not, that would be great if they did, but it's not the primary goal. The primary goal is to have a community of researchers and security implementers for this stuff so that everybody can feel safe using it, because it's been scrutinized by a lot of eyes and some of it's been audited by third parties.

Mike, you mentioned you were going to post the audit report once it's done for blsful, I think it was. That seems like a really important, big step, so appreciate that; hope that's going to happen with all the libraries, so we get an idea of what's been reviewed.

Yeah, yeah, anytime I get an audit report I'll just put it in the repo itself. Most of them come as a PDF, and those companies are aware, like it's Kudelski that's auditing them right now, and they're aware that it will be made public.

Excellent, that's really good. Yeah, Mike, and you're always welcome, if we want to organize another one of these sorts of events in a couple months when some of the reports have come in, we can do this again; we can go through the reports, and if you want, maybe you can also have a hands-on section if you want to show people how to do some of this stuff. We can structure it more as a tutorial too, if there's interest in that.

Sure, yeah.

To follow up on Tim's question, because I know why he's asking that one: that library, which library was it again, and has it been audited? What's the status of it from a review perspective?

Oh, the library, the in-memory one? Yeah, the library's called Soteria, after one of the Greek minor gods or whatever. That one has not been audited, but it's also not very complicated; it's a very small library, but it's very efficient, so it does what it does. It follows the recommendations on how to mitigate those attacks, so I should probably link those papers in that repo, but it's there and you're welcome to take a look at it. The hard part is that simulating those attacks is very difficult, right? So it's better than what you have now, I should say, which is most people just read it into memory and then it just sits there, or they go read it off disk, and I don't know if that's any safer.

Yeah, exactly. The only other option you've got is to use the keyring, the keychain, which is great. I actually do have a library for that too, and I probably will donate that as well; it's called Cryptex, I'll type it in here. That talks to all the various keychains and some encrypted databases, so you can be agnostic to what's behind the scenes. So those two kind of complement each other: Cryptex is where do you store a secret when you don't want to use it, and Soteria is when I'm using it, how do I keep it safe so it doesn't get attacked by a side channel. Neither of those have been audited, but they're minor, they're very, very simple libraries, so it wouldn't be hard to do your own audit. They're mostly just wrapping the libraries that pull secrets in and out; that's about it, they're not very complicated. I'm always accepting donations for an audit, if that's another way you can contribute, because audits are very, very expensive.

All righty, I think it looks like we're done; there's no... oh, sorry.

Hey, this is pretty quick: the Cryptex library, is that available anywhere right now, or is it on your own GitHub?

It is on... yeah, it's in GitHub, it's public. Let me get the link for it.

Thank you. Now, there are tools out there where you can dump the keychain fairly easily if it's not on course five.

Yep, yeah, oh I know, I've written many myself. In fact, this tool I wrote, Cryptex, actually does just that; it will dump the entire keychain if you ask it to. Yep, that code's public.

Thank you. All right, well, if there are no other questions, feel free to shoot me any comments or suggestions and things in the Hyperledger Discord channel. I monitor that channel; sadly no one's talked to me there yet. Quite lonely in there, I need some friends.

Well, I'll send them to the Discord channel along with the recording and the slides. Over 130 people registered for this, so I'll send the link out to that later today, and hopefully that will get some people showing up. Okay, another place to carry on with some of these things is going to be the AnonCreds group, because we are going to be using these libraries in AnonCreds v2. There is an AnonCreds v2 code base that Mike has contributed already that is the foundation; there's a to-do list related to it, so we'd love to see contributions towards that, and that will be either directly in AnonCreds or in the Agora libraries upon which AnonCreds is built.

Awesome, thanks everyone for coming, appreciate it. Great, thanks everyone.