CCC Camp 2019. I'm very happy to introduce our next speaker. His name is Harry Halpin. He's the founder of Nym and the project coordinator of NextLeap. And he's talking about fighting back against Libra: decentralizing Facebook Connect, Nym anonymous authentication credentials. And I'm happy he's here. Please give a big applause for Harry Halpin. Yeah. So it's always good to be back at Chaos Computer Camp. A few years ago, when I first came to Chaos Computer Congress, I was working on JavaScript cryptography. I was really thrilled that the community here came back for camp, where I talked about my own rather personal experiences in terms of surveillance. And over the last few years, what I've been up to with a lot of other people, who I will congratulate at the end and who really have done a huge amount of work, is we've been trying to build something which I think Chaos Computer Congress inspired me to work on: decentralized privacy-enhancing technologies. And in particular, we're going to look at the case of Facebook as a whole. But in particular, what we believe is the most dangerous part of not only Facebook but all of the centralization inside of Silicon Valley, which is their identity systems, in particular Facebook Connect. And then we're going to see how privacy-enhanced decentralized alternatives work. So, fighting back against Libra. And I think the issue with Libra, originally called Globalcoin, is incredibly politically and philosophically interesting. It signals that the nation-state order that arrived in Germany at the Treaty of Westphalia is collapsing, and that now private companies are taking over parts of infrastructure and parts of services that were traditionally provided by governments. Currency is obviously one case. And identity is another. And they're intimately connected.
And Globalcoin shows that the ambition of Mark Zuckerberg and the ambition of, I think, any of these companies is to build a global system of identity, which is a necessity for a global system of currency. And that, I believe, is extremely dangerous insofar as it is run in an authoritarian manner. And all for-profit companies are run in an authoritarian manner. This is actually considerably worse than nation-state identity and incredibly dangerous compared to, for example, decentralized key-based identity or federated email-based identity. So Libra is announced as a global cryptocurrency. It actually makes quite a lot of sense as a design from a technical perspective. I'm not going to go too far into it. I think Morgan Beller, the designer, is somewhere here at camp, so you can talk to her about it. But effectively, it is a blockchain. There are validators. There are blocks. Transactions are collected and written to blocks. On that level, not actually particularly interesting. It uses a fast consensus algorithm, which has the rather hilarious name HotStuff, and essentially the validators confirm transactions. And this is where it gets interesting, because the validators are the exact same companies and, to some extent, investors and startups that really power surveillance capitalism. So it's not just Facebook, although Facebook has built the technology and initiated the effort. They've created what's called a Swiss Verein, which is equivalent to a mutual association. And in this mutual association, there are different companies, including some traditional blockchain companies, such as Coinbase; large investment firms, Andreessen Horowitz; but also startups, Uber, Lyft; and huge Silicon Valley companies such as eBay; telco providers such as Vodafone; and the current sort of payment providers, Mastercard, Visa, PayPal. I mean, this is an incredibly powerful group of companies.
And the primary design bet of the Facebook Libra Association is that each of these companies paid $10 million upfront to be a validator for these transactions, so that even though the blockchain itself will be public, there will be an API against it, you'll probably be able to write apps against it. It is interesting, and I think very, to some extent, cypherpunk to try to put open source in the middle of such a titanically huge company, which really controls the identity of a third of sentient life in terms of humanity. Nonetheless, these are the companies that we're trusting to validate the transactions. So on that level, it's not exactly decentralized. But that's not the real problem. There's been lots of complaints. Is it a blockchain system? Is it a real blockchain system? Is it decentralized? The real problem from an economic perspective, which I think we should actually congratulate Facebook on, is that they're saying it's completely absurd that the US government is the reserve currency of the world. I mean, come on, Trump's in power. They're doing a trade war with China. They are printing tons of money to sustain unsustainable American consumer debt. So they took a basket of uncorrelated assets, yen, dollars, Swiss franc, combined them with percentages, and they've created a new currency. And this actually does threaten the US dollar as a reserve currency. And that's where the action's been. You can see the US Congress has called the kind of media head and the director of Libra inside of Facebook to testify at Congress. But I think, weirdly enough, probably Facebook screwed it up. Probably the regulators will not allow private companies to create a new global payment and transaction system based on essentially a basket of currencies which will disrupt the dollar.
And I would be dubious if the kind of $6 billion that got put in the Libra Association Swiss bank account, the US government can't poke through and get all the way to the $60 billion, or however much it is, inside of Facebook's bank account. Nonetheless, if it does happen, and we already know these things will eventually work, even if Facebook doesn't do it, people will have phone numbers and be able to send payments on their phones. And this will lead to tons of payments. And the vision that Facebook is pushing with Libra overall is that this will allow us to bank the unbanked. This will allow the large portion of humanity in countries like India, Sub-Saharan Africa, that do not have access to bank accounts, as an American in Europe. It's actually really hard to get a European bank account. This will allow people to have bank accounts. However, even though Facebook has said, we will not use your personal data in the Libra Association, we will not share your personal data with, say, PayPal or whoever, the people running the validators, there is this giant loophole, and that is that the wallet, the Calibra wallet, will have to do what's called KYC-AML, know your customer, anti-money laundering. They will essentially have to identify every person using the Calibra wallet. And they will be able to, as they have stated in their response to the regulators, they will be able to leverage the tremendous amount of personal data that they control, at least they easily can, in order to take these pseudonymous keys, which are on the Libra blockchain, which has validators, which is replicable, and et cetera, et cetera. And they will be able to attach identities to those keys. And how they do that is software which no one has talked about, which is the most important part of Facebook's current empire. And to be honest, I believe Calibra and Libra are just another way to leverage this kind of technology to create even more personal data.
Because right now, Facebook obviously has your friends, and your name, and all of that. But they really would like your bank account. And this is done via what's called Facebook Connect. Everyone who uses the app typically signs in with Facebook Connect. And there are probably as many Facebook Connect transactions, or on the same magnitude at least, as there are Visa transactions. This is the identity system of the internet currently for the vast majority of users, whether we like it or not. And as hackers, as programmers, as people who want to change the system, we should understand this incredibly vital technology and build alternatives. So the technology is built on a very innocent standard called IETF OAuth, which stands for Web Authorization. And what OAuth is, how it was invented: a good friend of mine, another great anarchist partner called Blaine Cook, was working at Twitter. And at the time, in 2003, four, five, people wanted to sign onto Twitter, but they wanted some profile data from them, a photo, easy access, not having to repeat passwords. So at the time, they said, well, just give us your Gmail password and it'll give you access to Twitter. But that's very dangerous because then Twitter has access to your entire Gmail. So OAuth was invented not as a mass personal data collection scheme, but as a way to essentially help people log in with a single sign-on, and then authorize the transfer of data. And the transfer of data takes place through the following players: the identity provider, who is, for example, Facebook, who has a lot of your personal data, and you would like to hand that data to a service provider, also called a relying party, that needs this personal data. And you have the user who gave the personal data to the identity provider to begin with. It needs to authorize the service provider. So they've already authenticated using a password, two-factor authentication, whatever, to the identity provider.
They've approached a new service, for example, say Twitter, and they want to use their Facebook ID to log into Twitter. And so you want to transfer data without sharing any authentication credentials. You might want to transfer all sorts of data, cities, age, whatever. You want to authorize that. And how OAuth does this is very simple, because at the time, JavaScript cryptography and web cryptography in general were very immature. So they couldn't use digital signatures. People couldn't interoperate with digital signatures. Instead, all security boils down to TLS. This is the kind of flow. I'm just going to step through the flow really quickly. But you've all done this a million times, so you kind of know how it works. In the first step, you go up to Twitter and you say, hi, I would like to use my Twitter account. Twitter says, do you want to log in with Facebook? You click that log in with Facebook button and you are effectively shipped over to the IdP, which in this case would be Facebook. Now you've got shipped. That's step two. Step three, Facebook says, do you want to authorize Twitter to have my data? You click yes. That's step three. When you click, step four, you go back to Twitter. Back at Twitter, you have a token, which is called a bearer token. That token is basically a timestamped hash, which, when we think about it, is essentially a capability if you're into that kind of way of thinking about things. You hand that token, which functions as a capability, to Twitter. Twitter then shows that to Facebook in step six, and in step seven, all that precious personal data flows from Facebook to Twitter. And what's really dangerous is that you have to do that when you use Calibra. When you use a wallet which is compliant, and they'll use the compliance regulations as the kind of excuse.
There are privacy ways to be compliant, but of course, I would be highly dubious that people would not leverage the amount of public data they can, that they already have to use here, that they will be able to control your financial data and send that data back and forth using this kind of centralized identity scheme they've already set up with Facebook Connect to both verify who you are and what you're purchasing. Because in the current scheme, as you may have noticed, the identity provider, which is Facebook in this case, has 100% transparency into which services you're using and when you're using them. In Calibra, they would have 100% transparency into what purchases you're making and who you're making them with and when you're making them. And that, of course, is a tremendous amount of very valuable data currently spread in a heterogeneous manner among various banks. Seems to be a great business ploy to push that all together inside of Facebook. And we have to do something here, I think, to prevent what will be effectively a totalitarian identity system on a scale that we have never seen before. It will destroy, people may think however they want about the blockchain space, but essentially attaching Facebook identities via Facebook Connect to pseudonymous keys will kill innovation in the blockchain space, or divide the blockchain into essentially a mass-market, identified blockchain. And it will be, to be honest, total nonsense in terms of the people they're trying to serve. Obviously people who are in countries such as India, China may not have all the identity papers, may not be able to pass normal banking compliance, will also not be able to pass very easily banking compliance for the Calibra wallet, and maybe Facebook can help do that via leveraging all this data, but it still seems to be a very flimsy excuse to engage in this truly tremendous amount of data collection.
So what we want is an alternative, and luckily cypherpunks have been working on this along with the academic cryptographers for more than 20 years. So the quote that I'd like to repeat is that privacy is the power to selectively reveal oneself to the world, which means under your control, when you want it, and with whatever data you believe is sufficient for the operations of whatever service you choose to use. And that really is freedom. Otherwise you will be tracked and services can be censored and it's exceedingly dangerous. So these are the sort of two fundamental problems we have to tackle. One is how do we create the kinds of activities that people want to do, logging into things, paying for things, without a centralized identity provider like Facebook in the middle. And I hope we'll talk about this briefly, but there was a great talk about it yesterday by David Stainton. Even with that, massive, powerful adversaries such as the NSA can just kind of watch the traffic and use that to violate privacy, so we do need some traffic, TCP/IP, UDP-level protection as well. So the centralized identity providers, just to repeat, they're kind of a tax they can use on ordinary people, they capture identity data, they know exactly which services a user uses, when they use them, they can transfer personal data, ideally with consent, but they don't have to ask for consent technically, and they can even impersonate you to other service providers and they can censor service providers. They can prevent people from logging in to service providers they may not agree with. Luckily there is technology, and this is the main technology I'm going to explain. It was created by an obscure London startup. I recommend looking at the Wired article called Chainspace, that came out of University College London and was acquired by Facebook, but luckily for us that software was left open sourced and the papers are all published without patents and all that stuff.
And it's very ironic this happened, because the researchers that were working on this were funded by the European Commission, mostly to create privacy-enhanced decentralized technologies in cities such as Barcelona and Amsterdam to enable citizens to own their own data. So that's kind of the background of where this technology came from, and the particular technology, some of it also came from another project called NextLeap which I coordinated, which is trying to say, after the Snowden revelations, how can we build better decentralized privacy-enhanced identity systems. So this is going to be a quick overview. I'm just going to give the intuitions behind the cryptography, but I think you'll probably get something from it. The solution on a very broad scale is: in order to end metadata collection, as mentioned earlier, you need something like Tor or ideally something even better such as a mixnet. We're going to focus on authentication: you want privacy-enhanced transfer of any data under absolute user control, that's why we're going to use anonymous authentication credentials, and you want tokens which can basically subsidize the whole system, make sure that's sustainable and people can do transfers in a privacy-enhanced manner. And we also want a few other properties: we want possibly these transfers of data to be cryptographically unlinkable, actually anonymized. We want users to be able to not only show data such as "I'm 18" but also private attributes, proof that they know something without revealing it, such as proof that I own a secret or proof that I'm a citizen of a country in Europe without revealing which country. And we also may want, since a lot of anonymous technologies make it very hard to produce some very useful applications such as, for example, long-term messaging, we want a profile which can receive and send messages over long periods of time, so we want pseudonymity, not just complete anonymity.
So anonymous authentication credentials have been around for a very long time. The initial work was of course done by David Chaum, who's one of the fathers of the modern cypherpunk movement and of most of the interesting work you see in cryptography, including mixnets, that we're now finally getting to market. But what they do is a very simple blinded signature scheme, where you basically have some credentials, you verify that these credentials are true, these attributes such as age, name, citizenship, and the blinding basically prevents the issuer from knowing exactly what the credentials are. They can just show that they have been issued correctly, that they are indeed correct, and that other service providers can verify them. But the problem is, every time you re-show that credential you allow yourself to be linked again. You know, with blind signatures, if you see the same ciphertext more than once, you can look at the byte pattern in the ciphertext and link it. So luckily there's been some really amazing work, more research papers than I can possibly go into, primarily by Jan Camenisch and many other people, talking about blinded showing, which allows multiple shows of the same credential. And that's really, I think, wonderful work, but it's very complicated, and we're going to talk about some new work that uses algebraic MACs, which we think is much more efficient but not decentralized, and then we're going to discuss how we can make it decentralized. Okay, so the big picture is: you have the user who wants to prove that they have some attributes; they get a certified credential from what we call the issuer. So this is sort of a standard, what we would call sigma protocol game, if you're familiar with cryptography. You show these assertions to a verifier, which could be the third-party service provider such as Twitter, and then the verifier can, for example, check that these are correct. And the general intuition is that unlike when I go to, for example, a
bar in the United States or I go to vote, I show you my ID card, but all you really want to know is the age, and instead you get my name and my date of birth and where I was born. We allow you to show just the age, and they learn nothing else. So we can use MACs, which are essentially a symmetric cryptographic authentication mechanism which can guarantee integrity and authentication, and symmetric crypto, to sort of make this work in a privacy-enhanced fashion. But we need a little bit extra. So we have an issuer, and they want to be able to verify these credentials are indeed correct, that they've issued them correctly. There's the user, the prover; they get the certified credential, we've seen this before, and they can make some assertions which can be proven. But essentially there's a secret MAC key which is then used to actually MAC the credential, and we use a new cryptographic formulation, which we'll discuss right now, called algebraic MACs, to basically make it private. Because if you just use a normal MAC, it's like a normal signature, and you don't have any privacy over the credential itself. Algebraic MACs allow a number of things; basically the way to think about it is it's a normal MAC, but you can make them unlinkable, and they're very efficient, just like MACs are typically very efficient. So you have efficient proofs of MAC creation, efficient proofs of possession, and you use the possession of the MAC as showing an attribute, and the issuer basically uses MACs as the sort of signature over the attribute. And you can do these protocols in the clear for parameters and key generation. If you want the whole paper, it's Sarah Meiklejohn and Melissa Chase, "Algebraic MACs and Keyed-Verification Anonymous Credentials". And what we did is we took algebraic MACs and we said, let's make a privacy-enhanced version of Facebook Connect, and we made a system called UnlimitID, which embeds the attributes into the MAC messages. But we want not only,
again, we don't want people to be able to say, yes, you know, my name is, my age is, but we also want private attributes: possession of keys, for example, possession of keys which could access a bank account, which could access a financial transaction. And so we take this construction, embedded in the previous setup we saw, and then using the issuing authority you just kind of run it like you would run it with a normal MAC-based credential. So you ask a prover, yeah, make sure to sign off the fact that I'm of age X, I'm a European citizen, whatever, you get that credential. The algebraic MAC can, with non-interactive zero-knowledge proofs, hide the private attributes. The MAC prevents you from just forging it, from just making it up, so some third party has signed off on it, but you can use an anonymous channel to basically have these algebraic MACs verified. And that's kind of one way to create a centralized version of OAuth which has privacy; that's the UnlimitID technique. And you can do all sorts of great things: you can rate limit, you can check for duplication, and a lot of these things you can do simply by embedding various hashes, strings, proof of knowledge of strings and keys into the credential itself. And so, for example, this prevents reuse. So you can sort of say, hey, I can't just keep showing you the credential multiple times, I can show it to you once, which sounds sort of silly but it actually could be very useful if that credential was, for example, sending money. Because then you want to say, hey, yes, I've got a bank account, this bank account has, let's say, thirty euros in it, and I send the anonymous credential to a verifier and I ship them the money. They don't know, no one who's watching can figure it out. Your bank has verified that you have thirty euros in your account, that thirty euros then transfers to the service provider, but the service provider can then check with the bank to make sure that thirty euros is still there,
but you can still maintain your privacy. So there's very neat tricks with algebraic MACs, but unfortunately I do not have time to go into them. But we're interested not just in a privacy-enhanced alternative to Facebook Connect, but a decentralized and privacy-enhanced version of Facebook Connect. So we want something that's a little bit more complicated. We don't want to have trust in a single third party, even if they don't know anything about us, to be able to hold our keys. So we have multiple issuing authorities, so you see multiple sort of Bobs, multiple bananas, as is on the screen. We get a threshold signature with multiple signing keys, and then we kind of get that credential, we merge the credential, and then we can show that credential to third-party service providers. So I'm going to show a little bit of code about how that works. So we have code for this on GitHub, and I'm going to explain it, but let me just show you a little video while we have a second. So this is what's called a Nym wallet. You can embed even currency, which we call Nyms, into this wallet, and then you basically, this is why this step takes a while, you can ask different validators to validate that you have that money in your wallet. So this is like three of five validators, or sixty of a hundred, or we even get kind of pretty good performance when you have up to ten thousand validators. When that validator confirms that transaction, so it confirms it on essentially a blockchain, you can type in how much you want, you get that in a credential, you can embed other stuff such as name and age or whatever else you want, and then you send it. And this is the real trick: you make it privacy-enhanced by unlinking it. So you can see there's a re-randomize button; you can click on that button and the ciphertext itself re-randomizes, by simply taking the existing ciphertext and taking it to another exponent, and boom, you've just created an unlinkable decentralized privacy-enhanced transaction, and
you can send the money to whatever service provider you want. So let's go back to the slides. So the code's AGPL, free software, online; we'd love to have people play with it. But just to give you an intuition for the tricks that we use: it's very similar to the algebraic case, but there's a few different things going on, and you should read the Coconut paper, talk to Mustafa Al-Bassam if he's here, if you can see him around in the audience. You embed the attributes as commitments, sort of standard Pedersen-style commitments, like I said earlier; you can use non-interactive zero-knowledge proofs if you want private attributes; and then you have pairing-based elliptic curve cryptography, which allows the signature itself to be re-randomized. So you package up your commitments into an encrypted package using ElGamal encryption, because you can then re-randomize it, ship it up to the validators, they validate it, let's say three of five validate it, you ship it back, and you have some new functions. So while you can get partial credentials from an issuer, a validator so to speak, the user merges these credentials together; they don't have any third party do it for them. And that creates a full credential that embeds all the information for identity they need, which can be shipped to a verifier in a service. And as I showed in the demo, the user is in control of re-randomization: at any time they want to unlink a transaction, they want no one to connect their validation and their issuing, they just basically hit the re-randomization button, simple explanation, and they can re-randomize the signature itself. And the two other tricks, well-known tricks, which essentially allow this to work: you use threshold cryptography to achieve decentralization, and in order to achieve verifiability, because the people who get these credentials have to verify that they're really valid, that someone actually saw something that said you're 18 or you
actually do have this amount of money in your bank account, you can basically use the hashing trick over the secrets, similar to identity-based encryption, to make a hash which anyone can check, which can be publicly published. So we built this whole giant system, which I actually just demoed to you minus the mixnet component, already taking essentially some sort of Nym, some sort of token, shipping it around, embedding all sorts of attributes into an anonymous authentication credential. You can have third parties sign off on them, you can create these attributes yourself and make them self-sovereign, so you can sign them, ship them up to a validator. The validator doesn't know what credentials you're getting signed off on, they don't know where you're going with them, they just say, yep, looks valid, someone signed that, I don't really care, we trust the user here. They ship it back, depending on the kind of attribute you want. You can then ship it through something like a mixnet or Tor, an anonymous communication channel, breaking the linkability on the timing aspects and various other metadata. The service provider can then check the credential, go back to the blockchain, make sure that there's been no double-spending, and then you can both do one-time attribute shows for essentially financial transactions or other kinds of one-time sort of things, and also multi-shows for things like age, date, whatever, your name, which you really want to tell multiple people; you can just do it an unlimited amount of times. And because we're not using full zk-SNARKs, we're using these kind of very specialized non-interactive zero-knowledge proofs, we get pretty linear scaling. Unlinkability can take place in two milliseconds; verification, you know, tends to be around fifty. It's a bit more expensive a procedure because you have to check all the secrets, and you can see the more and more people you add to the system, it of course gets slower because there's more and more
things to check, but it's slower in a linear fashion. So we think that's pretty cool. And I think we won't really go into this, but we're really thinking really hard about rewards and how that works, how we can actually make sure to make privacy-enhanced services really sustainable. Surveillance capitalism is obviously not sustainable, and neither are US government grants to Tor and other projects. We really need privacy-enhancing technologies to be able to plug into something that looks like Facebook Connect, that's decentralized, that defends user privacy, and then lets them get paid in a way where they don't have to essentially hold user data. For example, if I run a VPN service, I don't want to have anyone's credit card information, I don't want any more personal data, ideally zero. I just want to provide a VPN service and get paid at the end of the month and know there's real users coming through. And there's tons of other use cases outside of the VPN one which I think, you know, the European Commission worked on attribute-based credentials and funded a lot of this for identity management, to make an alternative to Facebook Connect.
But there's also, I think, a very powerful use case around secure messaging. You know, when you use, for example, Signal, you have a phone number, you have contacts; all this stuff should be embeddable within a privacy-enhanced credential. And we have some software; I'd recommend taking a look at Status, which actually is decentralized, which tries to provide some of the same capability as Signal, and this software should be embeddable in some of the newer standards coming out to try to make open standards that have better scalability than the Signal protocol in terms of large group messaging and to be an actual IETF open standard. And these standards, because they're built to support things like Facebook Connect as the fundamental identity system, we want to make sure we can slot in sort of decentralized privacy-enhancing credentials into these kinds of next-generation messaging protocols. So I'd recommend anyone interested in messaging check out the IETF Message Layer Security work. I won't go into mixnets, because I'm running out of time, but again, there was a great talk yesterday, just check that talk out. Essentially it is possible to obfuscate metadata and hook that to a credential. These are all the wonderful people who've been working on the project: Claudia, Ania, Dave, who actually left Libra and has now joined us, Jared Andrew, who's done a lot of the hard work on the code. And I would really recommend, you know, if you want to get involved, everything's on GitHub. I want to review some of the papers that you may want to take a look at if you're interested in deep diving. So again, the keywords are Chainspace; a lot of the code is on their website, lots of good links; even though they were purchased by Facebook, there's still the website and the code's still there.
for early work on the omnis authentication credentials a real classic paper that goes over snore signatures all the way from nineteen ninety one efficient signature generation by smart cards and then the kind of use of this and well it ended up being Microsoft Passport by Stefan Braun and the real core paper for coconut credentials is called coconut that gives you the decentralization of privacy but if you're interested in the algebraic mac work which allows to have centralized privacy enhanced identity could be useful for some use cases like governments in places you really need to really a lot of speed a lot of transactions you can look at my work on unlimited id and that's it uh... i do want to there was a lot of information at once by just one and i'm just gonna reiterate the fundamental points and the fundamental points are this that everyone's very concerned about currency but identity is the real currency and any plays for new global cryptocurrency schemes are effectively plays to make global identity systems we already have the world's largest identity system operational right now bigger than any nation state ran by facebook luckily to twenty years of research we have the technology to build alternative we even have working code we just have more people be aware of the problem build this in their own apps and work with us to make more efficient more private in a more decentralized alternative because to be honest i don't think anyone wants to live in a society where single authority can watch all your transactions and have the control over both your financial transactions and the most intimate details of your life we need to have privacy enhanced decentralized alternatives and i welcome you to just join us and help me make this true make this reality fight back against libra any questions thank you that was emotional but i think that's really really worth it we need engagement we need to fight okay do we have questions there was a white light is that my 
signal angel hello i have a question about the Libra basically when everybody puts money there they pile up a lot of cash so it's kind of like a debit card i couldn't find any information about what happens with the money after you give it to facebook and before you spend it for something yeah so this is something which there hasn't been too much work on in the public because facebook has published very little about this that being said it would likely work with a fractional reserve banking system so that when you give control over sort of let's say you get a i give facebook 50 dollars 50 euros they can then have that under their control at least the Libra association control and then relend it out so that it will effectively lead to mass capital accumulation by the Libra association if you add that by one third of humanity being stuck under facebook connect that's essentially a parallel corporate payment and banking infrastructure which can rival traditional banking infrastructures and that's on some level very cypherpunk on another level very terrifying okay we have one more question we just have one more question sorry i'm here afterwards so hi any thoughts on decentralized identity providers so would they verify government credentials or anything or are there different ideas about that to do that decentralized yeah so what we tried to do if i can get back to the picture is we tried to build a system where we disintermediate centralized providers from validation and verification so there it is so you can see in this diagram in step two okay your identity could be the german government which is a big centralized entity they might sign off on just your age or just your passport and you can make up some other stuff and you can work these together and have them be validated in a decentralized way so we don't think they're incompatible okay thank you so much you will be here for questions and thank you for watching please wash your hands take your stuff with you and 
don't leave any garbage and a big applause for Harry Hilbert