Hello there, I am Florian, and I will now tell you a little bit about encryption beyond encryption and signatures.

For the start we will look into what cryptography is, or just skip, skim it at least. This is the Wikipedia definition of cryptography: it is the practice and study of techniques for secure communication in the presence of third parties called adversaries. That's basically saying nothing.

The most common thing that people think about when talking about encryption, about cryptography, is encryption. We look into two kinds of encryption mainly: symmetric encryption and asymmetric encryption. Symmetric is where we already have a shared key; asymmetric is where we don't. Like, the PGP signing party right now was for asymmetric encryption. Then there are signatures, which should prevent tampering with documents, so to ensure that a document was created by someone who actually claims that he created it. And the nice thing: for both of those problems there are good solutions. And we will now look into some other problems and what we can do otherwise.

The first one are commitments. This can be a very useful thing. Let's say Alice has some message that she wants to be able to prove at a later point to the public that she already knew it. And now she is able, or she wants to be able, to compute something that we will call a commitment that she can publish. But no one else should be able to extract any information about the information that she doesn't want to publish at that point. So this is what we call the hiding Eigenschaft. It means that Bob cannot learn the message that Alice commits to. We also, however, want that it is binding, so that if Alice later on claims that she already knew this at an earlier point, that everyone believes her, because she is not able to change what she committed to. This is the binding Eigenschaft, binding property, sorry. And if you want to look into how these things work, I suggest you start with hash commitments.
They are relatively simple to understand. You can also ask about them as a question later on, but I would like to get through the slides relatively fast. And another important one are Pedersen commitments. They are a little bit harder, but still on a level that lay people can understand if they are willing to look a little bit into the group theory.

So what can we do with that? Let's say Alice and Bob want to do a little bit of gambling. They need to compute a random value, and let's say they are not in the same room, so they cannot just simply toss a die and hope that the die is a fair one. But let's say they are just talking over the phone. And we usually start with a simple case and say they just want to compute one bit, so we call this a coin toss. And of course, they don't trust each other in this case, because if Alice can control the outcome, she will always pick the outcome that is favorable to her, and Bob will do the same.

An example protocol for how this can work is the following one, and this uses commitments, which is one of the reasons, among others, that I just talked about them. Alice will throw a coin and send Bob a commitment for her result. And since commitments are hiding, Bob will not be able to learn the result, so he learns absolutely nothing from that. Bob then throws his own coin and will send the result to Alice, who will then open her commitment. That means that Alice will send Bob her result, and she will also provide some information that allows Bob to verify that that was indeed what she committed to at an earlier point. And then they come and compute the XOR, and then they have a random bit if at least one of them actually picked his bit at random. And if they are both cheaters, they deserve whatever they get.

A nice exercise for those who want will be here.
This is a slightly changed version of the protocol. This is insecure, and if you want to see why cryptography is very hard, take a try at this one: why this is insecure. I leave that to you. Again, you can ask questions about these things in the Q&A if you want.

Now, I was already asked about an explanation for zero-knowledge proofs, and I think we'll start with something that might make this a little bit easier to understand. I need a volunteer. Yeah, okay. Let's take the guy in the great t-shirt. We can use mine. Come to the front. We will just use mine. We just need one mic now.

What I haven't told you before is that I'm a mind reader. I can read numbers that people think. Now our volunteer should think of a number between one and one thousand. Yeah, have you thought of a number between one and one thousand?

Yes.

Okay, I think your number is three hundred seventy-eight. Is that correct?

Yes.

So I have a one in thousand chance of doing that. But it's still a one-in-a-thousand chance that maybe I was just lucky. So let's repeat it. Think of a number. I believe the number is six hundred and eighty.

Yes.

Okay, now I have a one in a million chance. Are you convinced that I can read minds? Unbelievers, I cannot fathom it. Yeah, I just had a one in a million chance, and I managed to get both right, and you still are not convinced. Should he at least be convinced? Yes, indeed. If you were here on the stage and you didn't know that we were not cooperating, I would basically have had no chance of doing this. But of course we did what was the obvious thing: I told him before that he should just say yes. And this is the idea behind zero-knowledge proofs. You can sit down again. Thank you very much. Please give him a warm round of applause.

So, we call this a zero-knowledge proof. What does this mean? A proof in this case means I want to prove a statement. The statement was "I'm a mind reader". And the proof, it goes like this. I'm not actually proving the statement.
I'm proving: either the statement is true, or I know your random values or your secrets. And if you're not cooperating with me and have no reason for me to believe that I know them, it's of course quite convincing if my chance is like one in two to the 128. However, if this was a true confirmation, no one of you believed that I could actually read minds, and the reason for this was that he could have just created a random, or I could have just created a random transcript of this thing, and it would look exactly like a real one. There's no way to distinguish those, and this is where it's zero knowledge. The actual transcript cannot contain any kind of information that the parties that participate in it do not know up front. And since everyone can simulate something, we know it's true.

And let's see what I've written down here else wise. Yeah, the second statement is that there are zero-knowledge proofs for all NP-complete problems, or all NP problems. What this means in easier terms: for every problem where you have witnesses if the answer is yes, in the case of decision problems, there is a zero-knowledge proof like this. So you can prove basically everything that you care about in this way, which is pretty awesome, I think. And the example where I can see this is 3-coloring zero-knowledge proofs. These are again at a point where, if you put a little bit of thought into it, they should be manageable for lay people to understand.

Now what else can we do in crypto? I mean, the topic of the talk is of course what else can we do in crypto.
Let's look into secure multi-party computation. The motivating example here is usually the millionaires' problem. Let's say you have two filthy rich millionaires who want to know who of the two is richer, and they don't want to tell each other how rich they are, because then maybe the tax governmental offices might get wind of it and would find out that what they are doing is not very legal. But they still want to know who is richer, because that's basically their, you know what, measuring contest. And we are now looking into: can we solve this? And the answer is yes, and actually we can do it in a much more general case.

So, the more general case shall be: both parties have some kind of secret. In the case of the millionaires it was how rich they are; in other situations it might be very, very different things, like, let's say, secret keys for encryption or whatever. And then there shall be a function that allows to compute something that both parties are interested in if you put all the secret inputs into it, like who is richer in the case just now. And you can easily compute a function if you have all the inputs, but none of the parties is willing to publish their input. And the nice thing about secure multi-party computation is that there are protocols that actually ensure that you can do this for arbitrary functions that you are able to compute in a somewhat remotely reasonable amount of time. Basically, if you don't have enough time to break a random crypto by brute force, or if your algorithm takes less time than that, you can compute it. And you can even extend that to arbitrarily many parties, like a 10-party protocol. And if you want to look into that, though I think this might get to a point where it's too difficult, the keyword would be Yao's garbled circuits.

Now what is another application that we could use it for? I just said it is very secure. How about elections? We have
80 million people, and they all have one party that they want to vote for, and they all just care about the end result and not who voted how. Well, you could do this, but this really is the sledgehammer approach, and it is quite inefficient. But there are actually more efficient protocols, and this is basically a current research topic: how you can do elections in a way that is secure.

This starts out by having three different kinds of elections. The first ones are paper-based elections. They are like the elections you're doing now: you go to the polling station, you get some papers, and there is a minor difference in how you cast your vote. Like for instance, you get a stamp and you have two papers, and there is a hole in the upper one, and you put your stamp so that both are marked in the same spot. And then you get some kinds of proof that hopefully allow you, on the one hand, to demonstrate if the election was rigged, on the other hand, that they are still in a way that preserves the privacy of the vote. And the problem with those is it's pretty limited what you can do, and most of those approaches do have severe problems. But if you want to look into it, Punchscan might not be the most terrible point to start at, which is one of the examples I mentioned below.

The second kind of schemes is presence schemes, which is basically: you go to the polling station, in a similar way to what you apparently do in the US, and there are some kind of machines. And I actually call them machines here on purpose and not computers, because if you do it right, they are hopefully just machines and not computers that can execute chess. And with those, they were set up by the voting authority, and so they are not really trustworthy in many regards. So the schemes are basically revolving around: how can they produce,
how can they give you some kind of receipt that does not allow you to prove to anyone else how you voted? Because then someone could kidnap your hamster and say, "Vote for, let's say, Donald Trump, and otherwise I kill your hamster", and we don't want this. So you should not be able to prove how you have been voting. This is where currently there are some schemes that are relatively close to being reasonably usable, but it's still not there yet, so this is an open research topic.

And the third one is online schemes, where you just use your own computer, and you have all the problems with someone looking over your shoulder while you are voting on your computer, malware on your computer, all that stuff. And yeah, so for the third one there are some schemes. I didn't like any of them very much. But for the second one you might look at Bingo Voting, and one of the reasons I mention that is because it was also developed at KIT. Though I'm just a student there, but I know the people who came up with it. So yeah.

And this was basically the main talk. I do have a couple of bonus slides, or you can now ask questions and go much, much deeper in topics that interest you. And yeah, thank you for the attention for now. Everything clear, or any...

What about dining cryptographers and multi-party communication?

Could you repeat to me what this was about? I've definitely heard about it, but...

Dining cryptographers is a problem where you have a group of cryptographers sitting in the restaurant, and they want to know if the food they have been eating has already been paid for. But they don't want to answer who paid for it, just that it was paid for or not.

Yeah, I remember, I remember. Basically the story was like: you had a bunch of cryptographers sitting in a restaurant, and they want to pay, and someone told them it is already paid, and they are like, "Did the NSA pay for us, and they want to threaten us, or was it someone among us?"
You can of course use multi-party computation for that. You simply compute the sum of the inputs, and the people who claim that they have not paid for it input zero, and the people who claim that they have paid for it input one, and then you compute the sum, and everyone gets the sum, and you see: if it is zero, then no one of the people who participated claims that he has done it. And actually, you don't need the full sledgehammer of multi-party computation for that. This is more about an encryption scheme, but it's also going beyond what is usually thought about. You do have so-called homomorphic encryption schemes that allow you, given two ciphertexts, to compute a new ciphertext whose plaintext is in a specified relation to the original plaintexts. So the simplest case in this one is: given two ciphertexts, I can compute a ciphertext of the sum of the two plaintexts. And if everyone encrypts either zero, if you didn't pay, or one, if you paid, you take all those ciphertexts, you combine them, and you decrypt them. And you can do protocols there with at least some encryption schemes where you can do reasonably well shared decryption. Then you decrypt it and you see what the result is.

Any other questions?

With the other talk about the election hacking and election voting machines: you just spoke about one of the options being on machines, not necessarily computers, but I believe it was at Defcon that all 38 machines that were used for voting in the US were basically flawed in some way or another.

All right, yeah. Those are not cryptographic voting machines.
Those machines are, basically, the person who decided to use them is either malicious or insane. There's basically no other way to put it. Real cryptographic voting schemes would give you much better guarantees, and you also would try to not put, what, what I know what they put CPU day, but it were general purpose CPUs. And yeah, if you can play chess on it... You cannot fake the proofs that a vote was counted correctly, so that's not a problem, but you can easily do things like posting the votes online. So in fact, this is actually also the problem with the mentioned schemes, that they still have kind of trouble to protect your vote, because if you enter the party you want to vote for on the machine, the machine learns your vote, and there is no real way around it. And one of the research topics at KIT, for instance, is how they are trying to see if they can build a machine where all the logic parts and the memory and storage parts are separated in physical ways such that this becomes less plausible. But as I said, this is really current research, the paper that they are currently working on, the Platinum. So this is not even published.

Okay. Thank you.

Other questions? Someone interested in giving the broken commitment scheme a try? I see a hand there. Yeah, so let's see that.

Okay, you remember the original scheme: there, just Alice threw the coin. So the first line is exactly like, just like in the previous scheme, and the difference is now that before Alice opens her commitment, Bob just sends a commitment instead of the result, and he opens the commitment after Alice opens her commitment, and then they compute the XOR. Does someone see an attack on this? Let's start like this.
It's pretty obvious when you see it, in a sense that you would say, "But Alice will notice that." There's a way to also fix that Alice notices it. But for the start, do something where you would say normally Alice would notice that Bob was cheating. Any ideas?

Well, let's start with that. It's this: after the first line, Bob knows a commitment. He doesn't know on what, but he knows this is a commitment on something. Yes, he doesn't know what Alice committed to, but he knows it is a commitment, and he knows it is a commitment to something, and he also knows that this commitment will be in a relation to the end result, namely the XOR relation.

I think you're even thinking too complicated. Let's get a little bit further with it. Let's give you the hint that, say, Bob wins if the end result is zero. Now, in what relation does Bob's input have to be to Alice's input in order to get zero? It has to be the same. So what can we do? We know a commitment for something.

Yes, this is indeed the answer. Bob can simply send the commitment back. He doesn't know what, but he knows that the XOR will be zero. And you could say, "Well, but we can fix that, we simply check whether it's the same commitment." There you get into some kind of problem, because several commitment schemes have another feature, and in many cases it is a feature, that you can mask a commitment. This means you create a new commitment that is looking indistinguishable from a random commitment, but it will be a commitment to the same, and once you know the opening information for the first commitment, you can compute the opening information for your second commitment. And there is nothing you can do about it. Hash commitments are, I believe, not vulnerable to this masking, but the Pedersen commitments I mentioned are actually vulnerable to this, and they even allow to compute the negated commitment to them.

Okay, so I think we are now at the end of time, or are we?
Okay, so yeah, thank you very much again for your attention.