I have the pleasure to introduce Rüdiger Weiss, a computer science professor from Berlin, and his PhD student, Bruno. They will give a talk about Math-Protected Social Interaction. The stage is yours.

Maybe it's kind of a hobby for a mathematician to motivate people to have a different view on math. And what I want to present with my colleague, Bruno Kirschner, today is some combination of very hard mathematics, very nice but very genuine mathematics, and how to combine it with existing applications to provide a better way to protect social interaction and even provide something like authenticated anonymity. Let's start with one of my favorite quotes from Bruce Schneier: Trust the math. Encryption is your friend. If you then make a logical evaluation of the situation, you can say that in some kind of thinking math might be your friend when you want to protect your privacy against wiretapping and secret agencies, which wiretap all, maybe all, or almost all the traffic around us. There is cryptography, the one protection which helps. I think it's a very nice or at least interesting fact, if you take a look at the situation, that governments are not able or not willing to protect their people from secret agencies of other countries wiretapping all the information they present on the internet. And if you use encryption, you can make a real game changer, because if you use appropriate cryptography, this is a very strong protection for your privacy. And we want to extend this in some direction to protect social interaction and enable totally new trust models. Let's start with the stuff we have integrated our protocols, and the old protocols, into. That is elliptic curves. And allow me to give an introduction. And the introduction is very funny. It's a statement from Gauss, restated by Hardy, which said that if mathematics is the queen of science, the theory of numbers is the queen of mathematics. And it's also very interesting because of what?
Because of its supreme uselessness. So very clever mathematicians have made the statement that number theory is something which is very pure and very useless. And now we are in a situation that number theory is one of the really main technologies if we want to protect our privacy on the internet. And let's turn this claim in another direction and make a short statement: elliptic curves, because of their supreme non-uselessness, can be seen as queens of the practical theory of numbers. So I want to make the statement that if you think mathematical problems are very challenging, take into consideration that the theory of numbers is regarded among mathematicians as one of the hardest fields of this science. And in this very hard science, elliptic curves are really some of the very challenging candidates for research. And so we really connect to a very special kind of mathematics if we use elliptic curves. And if you have listened to my talks at former camps or at the CCC congress, you know that I'm a bit critical in some aspects of elliptic curves. Nevertheless, elliptic curves have a lot of interesting properties. And one of the very important ones in practice is that they use shorter key lengths. And so we have the situation that in a lot of embedded systems, in a lot of personal devices, and also in the field of cryptocoins, there is a very heavy use of elliptic curve cryptography. And this is the case even though there are at least three problems. The one I mention first is that it's very hard math. That is so hard math that only a few men and women can really evaluate elliptic curves in an appropriate way. The second point, which is interesting if you think about embedded systems, is that you need very strong randomness for every signature you have to perform. This is something which is usually a big problem if you have embedded systems, where it's very hard to get random bits. And the last point is: beware of quantum computing.
And I have to acknowledge that when I made the statement that elliptic curves have really very big problems if you have quantum computing, usually that was a statement where I was not so sure if it's fair in a specific way, because we don't know the actual state of the research in the field of quantum computing. But in 2017, there was a really very nice statement from Koblitz and Menezes, A Riddle Wrapped in an Enigma. And this is very interesting because they discussed over a lot of pages why it might not be a good idea to switch to elliptic curves regarding the problems with quantum computing. And I make only one quote. And this quote says that the NSA has really made a statement that they prefer RSA 3072, because it's more resistant against quantum computer attacks than the usually used ECC 256 and maybe also ECC 384. And really the main statement is that when we have quantum computers, then the attacking possibility is very closely related to the length of the keys. And so I would make the statement that even elliptic curves with 512 bits will not provide the same security as RSA 4096. 3072 maybe also, but there one would have to make some deeper evaluation. So I make the statement that it's now pretty common knowledge that elliptic curves might have big problems if we have a breakthrough in the field of quantum computing. So it's very interesting also to evaluate cryptocurrencies which use elliptic curves. And I have good news. There are a lot of features in Bitcoin which make an attack with quantum computers not so problematic as in a lot of other fields. Nevertheless, elliptic curves are interesting, are widely used, but nevertheless take also the problems into consideration. But I have also good news. I told you that we have elliptic curves, which are very hard math. And I advised a diploma thesis in math regarding elliptic curves in 1999. That's 20 years ago.
And I still don't have the feeling that I have a sufficient understanding of elliptic curves such that I could present, for instance, a new elliptic curve for cryptographic purposes. And so I really want to state that it's very complicated math. So coming to the second point, we use blind signatures. And there I have good news, because blind signatures are really very easy to understand. Even in a normal course in cryptography, you can present them within the first two months. And this simplicity really has a lot of nice properties. For instance, the security proofs are very understandable. And blind signatures were mainly introduced by David Chaum at CRYPTO 1982 and had a first implementation in DigiCash, a company which was founded by Chaum and was the first really anonymous digital cash system. Interesting from a cryptographic standpoint is that we really integrate a very new trust model. And we can use this trust model in the field of electronic voting and, very topically, if you see some secure mixing providers, use it for providing anonymity for cryptographic coins. And this was our idea. We have elliptic curves in a lot of fields. We may be a bit critical and not too enthusiastic about elliptic curves. Nevertheless, they're in heavy use. And as a researcher and as a hacker, it's interesting to play around with existing technology. And so we really had the idea to make blind signatures usable also in the field of elliptic curves, and especially in OpenPGP. And this was a very fantastic work by my student and now colleague Bruno Kirschner. And we will present it in the second part of this talk.

Yeah, thank you very much for having me. OK, Mr. Tom. OK, yeah, thank you for the introduction. As Rüdiger just told you, my part in this was that using blind signatures somehow, or giving blind signatures more to the open world, was part of my master thesis a few years ago.
So I'm first giving you a short introduction to how blind signatures actually work, or even better, what is the idea behind blind signatures? Because normally if you try to speak with someone about it, they haven't heard about it or don't have a clue what's actually going on. So the first idea you normally give to someone is the real-world example, how you would do it without electronics. And there you would take something you would want to have signed, but the person who will have to sign it actually should not know what is in this letter. So you take the letter, put it in an envelope, and you also add a piece of carbon paper to it, so that as soon as the person gets the closed envelope, he or she can sign the outside of the envelope and the carbon paper will actually copy the signature onto the letter inside. Then you get back the envelope, you open it, and you have a sheet of paper with a signature. The idea for blind signatures is actually to do the same in electronics. So we need something that allows us to encrypt data so that you can't read it, then put a signature on it, decrypt it, and have some kind of data with a valid signature on it. And this is what you can see in the graphic. This has some problems, because normally you don't want to sign something you don't know. If you sign something you don't know, it can happen really quickly that you sign something bad or that you lose something you actually want to still own. So you want to verify that the person you're going to interact with is only handing you valid information or something context-relevant. So you could just say, we are doing an election inside our company and you're only allowed to vote if you're inside our company; show me that you're working here, or maybe I know your face, and then everything is fine. But as soon as you get into a bigger context, this doesn't work. And another fact is that normally you don't want this signer to know who you actually are.
Because it could happen that just from the fact that he knows who's going to take part in an election or in something else, or is going to sell something if you go into the idea of cryptocurrencies, he can take advantage of this fact. So you introduce a third party, the Identity Broker, which you use to authenticate against. So you authenticate against the Identity Broker. He or she will hand you a certificate, and the signer will only know the public key to verify this kind of certificate. So as soon as you take part in the election or whatever else you want to do, you can just hand in the envelope and show the certificate. And the signer can go and verify the certificate and say, that's fine, I will go and work with it. Another way, if you don't want to introduce the Identity Broker, is something you can actually only do if you want to sign data that is somehow randomized. Then you could say, just hand me 100 envelopes. I will open 99 of them and look inside. And if 99 of them somehow match the kind of data I would expect, I will sign the 100th. But this only works if the piece of data inside is somehow randomized. Like, I want to have a pseudonym, and I don't care if there is a prefix or suffix or whatever. It's just completely garbage. And I want to have one of them to take part in an election, for example. The next thing: OK, we have this idea of blind signatures. How can we spread them? Or, other people had the idea of blind signatures, and how can we actually spread them? And so we thought about how you spread a good idea. The first thing is you could make it simple to understand. So try to explain it and just push the idea into the heads of other people. The other thing is you could simplify it as much as possible so that other people are going to implement it somewhere else. And the third thing is to show that it's easy to inject into already existing standards.
Or at least show that it's very easy to change the existing standards in a minimally invasive way so that you can use it in them. And there we moved over to OpenPGP. Because we thought, especially for email encryption and decentralized communication, it's a very commonly used way. It's still not an official standard, but it's a de facto standard. Because if you wanted to encrypt emails or other decentralized communication in the last 20 years, it was the way to go. And there we decided, OK, if you want to show that it's easy to integrate and it's easy to use, it should be flexible. So especially someone who wants to have signed data shouldn't be forced to create a new key pair or do something else, just reuse whatever already exists. And we should try to avoid changing the signature definition of OpenPGP, so that everything you have looks like a typical key signature or data signature or whatever. And there should be almost no difference. And yeah, then we looked into OpenPGP and we decided that there's actually one thing you need to add to make it somehow possible. And this is the blinding scheme you actually want to use. Because blinding schemes are almost identical to the typical signature schemes, like the signature scheme you use for RSA or ECDSA. But sometimes you run into blinding schemes which need to somehow change the definition of how to verify the signature in the end. And if you want to also maybe add them later or allow using them, the signature must somehow state which blinding scheme you actually used. But if you want to allow the key reuse, you don't want to introduce a new public key scheme and a new signature scheme for every blinding scheme, because sometimes you can reuse a key for ECDSA, for example, for different blinding schemes. And therefore it was only necessary to introduce a small change. Here you can see how a typical signature in OpenPGP is actually built up. It's quite easy.
The top part is some metadata, like the version you used, the signature type, the public key algorithm, and other stuff. This is just meta information of the signature. And then you have three other parts. The stuff at the bottom is the signature itself, so the signature data. The most interesting part, at least for this work, were the different kinds of sub-packets. We have unhashed sub-packets and hashed sub-packets. The unhashed stuff is also just additional... yeah, it's not metadata, it's additional data you can add, but it's just not necessary to verify the signature. So you don't need this information to check if the signature is valid or not. More interesting are the hashed sub-packets. These are all the information you somehow want to have if you want to verify a signature, like when was the signature created, was it already valid at a specific point in time, or which blinding scheme actually was used, and other stuff. So we decided that the blinding scheme should be part of the hashed sub-packets, because there we can ensure that if someone wants to manipulate it, the signature wouldn't verify anymore, because it was changed. Yeah, this is command line interface output. It's mostly not interesting in here. You can just see that all the stuff you already had on the slide before is output on the command line. You have the sub-packets in the middle. There is, for example, the hashed sub-packet with an ID of two. This is the signature creation date. And then the red highlighted one is the newly introduced one. It's a critical hashed sub-packet in this case. Critical means here that if your implementation of OpenPGP doesn't know it, it will recognize that it can't verify this kind of signature, and it will notify you that it wasn't able to verify the signature because it didn't understand the specific change. If it's not marked as critical, it could just try to ignore the information, and this is not what we want here.
Next to that, it's number 100 because it's marked as experimental. And we decided to use an ID, so the ID you can see here is number one, which is an ECDSA-based blinding scheme. There was also number zero, which is for all blinding schemes which use the same verification method they would use if you don't have blinding, just a typical signature. Yeah, and most important here is that for a user who actually receives a blind signature which was created through a blinding scheme, there is no difference in verifying whether the signature is valid or not. He or she will just use the normal command line interface or programming interface, whatever it actually is. Is the signature in there, and is the signature valid? So the line at the bottom, the signature one, was created through blinding. Yeah, the information is still online. It's a few years old. I tried to get it back working in the last days. It's still not totally done, because for some reason I decided to do it with web technology. Web technology is moving fast. It's not working after four years. So yeah, feel free to look into it.

Thanks a lot, and I really want to close with a statement of Edward Snowden from some years ago. Maybe I presented it at the last camp. Crypto works. It's not a black art. It's a basic protection, and we must implement it and do active research in it. And this is, I think, a very challenging task for researchers and hackers. As I mentioned, if you want to protect your citizens in a state against really unlawful interaction from the outside, then in a political system... I really made the joke four years ago: the government is not willing or not able to protect European citizens against US and other secret agencies. And I have to acknowledge that after the change in the government in the United States, the situation has not become better.
So the discussion we will maybe have in the field of Bitcoin, whether we should trust math more than our government: I think in the field of protecting our privacy, we don't have to make an evaluation. It's very clear that we have the situation that secret agencies unlawfully wiretap citizens in other states. It's not unlawful for them. They have special laws that citizens of countries which are not the place of the headquarters of the secret agencies are much less protected. This is also the case in Germany. But if you really make the statement that every government can spy on every other government, you say, even if our government does not misbehave, we have problems with so many other agencies. And it's very clear. And we also really have results in politics that sometimes agencies have their friends in other agencies. If they want to do actions against citizens which they are not allowed to, they try to make it possible by cooperating with other secret agencies. And to make a very clear statement, crypto is a protection. You have only to trust in math. And this is open science. And the best results in cryptography come from public research. And so this is really a very important basic protection. And what I pointed out here: we have a lot of advanced crypto protocols where we can really model new trust models. If you take a look at the old protocols of DigiCash and electronic voting, you'll find a lot of surprising ideas really doing really strange or almost magical stuff. So if you just take the idea, we can provide a really private electronic coin. An electronic coin you can duplicate as much as you want. And making this possible in the field of DigiCash with blind signatures is really amazing. And what's even more amazing: I made a lot of statements in the first part of the talk that elliptic curves are very hard to understand cryptographic constructs.
Blind signatures are not very hard to understand and are not very hard to implement, and really provide another level of protection for many social interactions. And so I really want to invite you to take a look at the math. As I told you, elliptic curves are maybe a hard starting point. But blind signatures are really pretty easy to understand. And easy to understand is not only good for implementing; it's also good for mathematicians, because they can really prove properties in this field very easily. And to make it very short, blind signatures are understood, are easy to implement, and have provable security margins. You have to take a close look at what you have exactly proven when you just talk about proofs and secure cryptography. Nevertheless, blind signatures build a very interesting level. And some years ago, when we had the funny and at that time very successful Pirate Party, they really discussed participation with Liquid Feedback and so on. And really, there is a lot of cryptographic research which has been on the market since the 80s or the 90s, which we can really use to improve privacy and make a lot of stuff possible. And so really, the two messages we have: cryptography is very important; integrate it wherever it's possible. And this is one thing I'm a bit more optimistic about than in a lot of other fields. If I compare it with our last talk at the camp four years ago, I have to acknowledge that cryptography has grown in a lot of fields. Using HTTPS is not a very exotic hacker hobby anymore. And also a lot of instant messaging is using very good, publicly evaluated cryptography. Something that is just so simple and so understandable for a lot of people, not only in the hacker community, is that we should use everything as open source. And of course, also Bruno's work is open source. So take it, improve it, and think about real problems.
One of my favorite PhD theses I've read was a thesis from a student which provided, I think, 1.6 million different signature schemes. So blind, blind verification, and so on. And it made the statement: now we have 1.6 million different schemes; we are heavily looking for applications to use them. And this is also my statement. If you rethink trust models, and really a trust model where the certification agency, you don't have to trust them that they don't record the key number they have signed, because they don't have it. And if you really make a certification with this protocol, it's also a legal protection for the certification agency in some scenarios. And really you can solve a lot of practical problems just using the right lifetime of keys, using different keys for different properties. And what I really want to state is that we should continue this work. And if you work in other fields, if you think about new trust models and new social interaction, talk to your local cryptographer, because they have a really rich box of tools lying around. And a good starting point is, as I mentioned, blind signatures, because they are pretty easy to understand and are very powerful to use. Thank you for your attention.

Thank you, Rüdiger and Bruno. And we have a lot of time for Q&A. So there are microphone angels. One is over there. And there's another one. So signal to him or just walk over to him. That wasn't a wave. That was a dog wagging its tail. There's one.

So what technologies other than blind signatures do you see as being important in this field, which recently have lost patent protection and were discovered a long time ago?

Zero knowledge, for instance. This is a whole family, which I also would enjoy presenting here. But it's a bit more difficult math. The idea is you can prove some properties without presenting your secret. And this is, for instance, used in Zcash. There are some applications out there.
And real zero knowledge protocols are very interesting points. But from a mathematical standpoint, much more involved than the protocol presented here. Here it is just some simplification. It's just a multiplication with a random number and exponentiation. The main proofs are very easy to understand and a good starting point. If you then have enjoyed these challenges, take a look at zero knowledge. There are really about 20, 30 protocols which are interesting and should be implemented. And it's a bit scary that they make a small field in this thing with the technologies from 1982. And I think that was at least one of the first implementations in 2016 or 2015? 16. 16. As you see, more than 30 years. And really, this is my request to the mathematicians. Try to communicate it more, and maybe only a bit simplified, and start with a thing. But on the other side, people who have the questions, how can we improve, for instance, electronic cash protocols. I give a talk about different blockchain constructions the day after tomorrow. And it's very clear you have the situation that in a public blockchain, every transaction is readable until the end of time. And if you don't use cryptographic solutions, it's a complete nightmare. And even if people say, yeah, OK, the secret agency might not attack me if there is data and if the agency is in, then I have to acknowledge that some hackers don't have the high moral standpoints we have. To put it short: if a secret agency can hack it, other people can hack it too. And this is a really dramatic game changer. And if you do something like Mpenza or Libra or even Bitcoin, you can wake up in a complete privacy nightmare. And so I think you have, even in the field of cryptocurrency, a responsibility to provide privacy on the lowest level. And here is really a very good low level. We are here at the bits. We make manipulation on the bit layer. And you cannot attack in this layer. We protect one layer.
There are a lot of other problems. But this layer is mathematically protected. And this is a good way to do things like that.

OK. Yeah, you explained the idea of the blind signatures. I'd like to know a little bit more how it's actually doable. Like, as I understand, probably you have something encrypted, probably with a symmetric encryption. And you want to do the signature with a symmetric encryption? No? Asymmetric encryption. Can you hear me?

No, actually, there is no symmetric encryption. It's all done in the asymmetric way. So you use public-private key pairs on both sides.

But mainly, you make one multiplication with a random number?

Yeah, or you can also include it. But there is no symmetric encryption inside. It's no symmetric cryptography. The main proposal for blind signatures has been the RSA scheme. And in this case, it's just a multiplication with a random number. And then it's a very basic mathematical change of the formulas. And in the field of elliptic curves, it's a bit harder, but not much.

OK, any more questions from the crowd? And maybe from the internet? Big? There's one question from the audience.

Have you seen any interesting applications of blind signatures in recent years?

Not many. But as I stated, there are cash protocols which have not been so successful. There have been voting protocols. I think some discussion and one clear statement: even with strong cryptography, I'm not a friend of electronic voting. I think it's a good place to stay on paper. And if somebody who loves math, who loves cryptography, makes the statement that it's better to hold an election the paper way, something we have known for decades and centuries, it's a good idea. In crypto, we can solve a lot of problems, but these problems are not the main problems we are against electronic voting systems for. Nevertheless, cryptographic solutions can make electronic voting schemes much more secure than the actual situation out there.
But nevertheless, I see the practical problems there as so important that we should not mess around with voting. Voting is, from a philosophical standpoint, the only point, the only spiritual point where we distribute power in a democracy. And we should not mess around with this. Last statement, as I mentioned: maybe if you take a look at actual mixing schemes for digital currency, there are some protocols which use blind signatures. So not many, but some applications using blind signatures out there. And we hope we can improve that, because this is a reason why we have chosen OpenPGP as a worldwide accepted standard. And so if you want to play around with the system, you can use it in this PGP world.

OK, any more questions from the audience? That's not the case. Then thank our speakers again with one round of applause.
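As an added worked example following the whole transcript (not code from the talk, nor from Bruno Kirschner's OpenPGP implementation), here is the Chaum-style RSA blinding the speakers describe in the Q&A: the requester multiplies the message digest by a random number, the signer exponentiates without ever seeing the digest, and the requester divides the random number back out. It assumes textbook RSA over SHA-256 digests, locally generated primes, and no OpenPGP packet framing; all names and the sample message are constructed for this illustration.

```python
# Illustrative RSA blind signature (constructed example, not the talk's code).
# Assumptions: textbook RSA on a SHA-256 digest, Miller-Rabin primes generated
# locally, no padding or OpenPGP packet framing.
import hashlib
import math
import secrets


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probable-prime test; 40 rounds keep the error negligible."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # composite witness found
    return True


def gen_prime(bits):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits=512, e=65537):
    """Return (n, e, d); the signer publishes (n, e) and keeps d secret."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def digest(msg, n):
    """Hash the message and reduce into Z_n (assumed encoding, no padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def blind(h, n, e):
    """Requester: multiply the digest by r^e for a fresh r coprime to n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:                    # r must be invertible mod n
            return (h * pow(r, e, n)) % n, r


def sign_blinded(blinded, n, d):
    """Signer: plain RSA exponentiation; the signer only ever sees `blinded`."""
    return pow(blinded, d, n)


def unblind(s_blinded, r, n):
    """Requester: (h * r^e)^d = h^d * r, so dividing by r leaves h^d."""
    return (s_blinded * pow(r, -1, n)) % n


def verify(msg, sig, n, e):
    """Ordinary RSA verification: a blind-signed value verifies like any other."""
    return pow(sig, e, n) == digest(msg, n)


def demo(msg=b"pseudonym-7f3a (constructed sample)"):
    n, e, d = keygen()
    h = digest(msg, n)
    blinded, r = blind(h, n, e)
    sig = unblind(sign_blinded(blinded, n, d), r, n)
    return {
        "valid": verify(msg, sig, n, e),
        "matches_direct_signature": sig == pow(h, d, n),
        "tampered_rejected": not verify(msg + b"x", sig, n, e),
        "signer_saw_digest": blinded == h,
    }


if __name__ == "__main__":
    print(demo())
```

The `matches_direct_signature` check is the point of the construction: the unblinded value is byte-for-byte the signature the signer would have produced on the digest directly, which is why the talk's OpenPGP change only needs a sub-packet naming the blinding scheme and no new verification path for scheme zero.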