What Lies Ahead for Cryptography and Why it Matters
Best of: Internet Summit 2018
- Dr. Dan Boneh - Professor of Computer Science, Applied Cryptography Group, Stanford University
- Moderator: John Graham-Cumming - CTO, Cloudflare
All right.
I've got one important word written on my notes here and that is lunch.
So we're between you and lunch so I apologize if your stomachs are starting to rumble.
I have with me Dr. Dan Boneh, who is professor of computer science in the Applied Cryptography Group at Stanford University, and you've also started a center for blockchain research, so we're going to talk about that, because that's something I'm mildly suspicious about, but I hear Stanford's a good university, so it's probably something in it.
But before we get started on that sort of blockchain-y kind of side of things: when I was growing up, the word hacker meant someone who did something, and then it, we did something with computers or electronics or things, and it veered into being somebody breaks into things, and it sort of slightly reclaimed its place. But we need to talk about the word crypto, right? So what's happened to the word crypto?
Yeah, that's actually a pretty interesting, so the word crypto, I hope, in this audience means cryptography.
Cryptography is the science of protecting information and more, and the word crypto has morphed in the last couple of years to also mean cryptocurrencies, and these days when you use the word crypto there's a bit of confusion.
Is it cryptography? Is it cryptocurrencies?
So I want to set the record straight, and crypto means cryptography, and I should have worn that, but at the same time I have to say blockchains are a really, really exciting area. They're a fantastic application of cryptography, so maybe we can even use the word blockchain instead of cryptocurrencies to be clear about what we're discussing.
I do want to say that every, in fact, we did start a new center for blockchain research, and I'm really excited about the science behind blockchains. For researchers in cryptography like me, literally every project that I talk to, I walk away with three new research problems to work on. So there's a lot of questions that these projects bring out that have never been asked before, and so this is a really exciting time to work on cryptography, both for protecting information and also for its other applications.
All right, we'll dig into blockchain as we go through this, but you were mentioning to me just before, just with the last talk, which was about education, and the previous one about usable security, that you're seeing in your undergraduates a great interest in security education. So can you talk about that?
Of course. So let's see, so if I have to ask you, what is the most popular area in computer science for our undergraduates?
Let's see, I imagine you all know the answers, we can say it all together. I'll just say it: it's actually machine learning, right? Machine learning is actually the most popular area, but security is actually the second most popular area among our undergraduate students. So our security courses, our crypto courses, they're very, very well packed. As I said, second most popular area among undergrads, well justified, lots of jobs that are open in the industry. So, you know, we're edgy, we're graduating students in the area as quickly as we can, and I hope, you know, all of you guys are hiring them.
Okay, brilliant. Well, that's reassuring to know, because it only seems to get more and more important to have everything be secure as we go forward.
All right, just to dig into some areas which you're actually doing work on. So I was using this idea of aggregation of information, how you deal with information in a secure way. I think it's called Prio, right?
Yeah, yeah, so that's actually a good, that's really a fascinating topic to talk about. So cryptography, as we said, it's kind of the science of protecting information, right? So how do we protect information? But it goes way beyond just encryption, which is what the public typically thinks of, and I want to give you one example of how we use cryptography to do much more than just encrypt data, and that has to do with aggregating information, aggregating data.

So what happened was, there are a lot of companies who are interested in pretty much the same problem, which is the following: they put their products out there, and then they want to understand how their customers, their users, use those products. So today the way that's often done is you send telemetry back from the product to headquarters, and then you build statistics based on that telemetry. So this comes up again and again and again in many different verticals. So cars, for example: car manufacturers want to know how the customers use their cars. You know, what features of the radio did he use, did he use the, you know, the electronic, the electric, you know, windshields, the windows, and so on. So what features did he use, how did he drive the cars, all that information can be collected from a modern connected car and used for statistics. Cell phones want to know, cell phone vendors want to know how customers use their cell phone, browser vendors want to know how their customers use the browsers, and so on. Again, all that information can be collected by telemetry, but of course there's a huge privacy, it's kind of, this is a good follow-up to the previous panel, there's a huge privacy issue here with collecting information about customers' use.

So for example, just to give you one example, suppose you wanted to know, you know, you're a web browser and you wanted to know, or maybe you're a cell phone provider and you want to know how many of your cell phones in the field are infected with particular malware, yeah? So today what you would do is you would have basically the phones report back whether they're infected or not, and you would kind of aggregate that information over all the data that you got from the different customers. The problem with that is all you were interested in is how many people are infected. You weren't interested in who is infected, yeah? And by collecting telemetry kind of in a naive way, you learn more than you need, than you wanted to learn. And of course, you know, the best way to not lose your customers' data is to not collect it in the first place. This is kind of a good, you know, mantra to live by: the best way to not lose the data is not to collect it.

So the question is, how do we aggregate information from our customers without actually collecting that information? That's, how do we learn statistics about data without learning the underlying data? And that's actually an area where cryptography can help a lot, yeah. So there's a system, this is one example of such a system, that we built, called Prio. What it does is essentially exactly that. You can kind of figure out, you know, how many people are infected with a particular malware, how many people have their home page set to google.com, how many people are currently on the Bay Bridge, yeah? All that information you can collect in aggregate form without learning anything about the underlying data, yeah. So that's what the system allows you to do, and I have to say it's kind of fascinating, this is actually getting deployed now. You'll be hearing soon, as I said, there's a lot of interest in this from many, many different verticals, so Prio is actually starting to get used now, which is kind of cool.

The interesting thing to say, though, is the way Prio works is it collects information basically in secret-shared form. So you can think of it as though, you know, the user sends the information to the cloud, but the cloud doesn't really get to see the information in the clear. Nevertheless it's able to aggregate the information from all the customers, and once everybody's contributed their data, the aggregate data becomes available.

Now there's an immediate interesting problem that comes up, which is, since I can't see your individual contribution, who's to say that you're not sending me junk data, like, that's way out of bounds? So for example, if I'm, I don't know, I'm a maps provider, I wanted to know how many people are currently on the Bay Bridge. Well, if you're about to go on the Bay Bridge, you have a huge incentive to report an unusually large number just from your own car, say, or from your own phone, so that the system thinks that there is a huge number of cars on the Bay Bridge and they'll route everyone everywhere else, and you'll get a free, you know, an empty run through the Bay Bridge, yeah? So it's kind of important to make sure that the data that people contribute is in fact in the right range and satisfies whatever predicates for validity that need to be satisfied, yeah? So people are not contributing junk data just to throw off the computation.

And actually, so how do we do that? You know, the cloud provider doesn't get to see the data in the clear, and yet it needs to make sure the data is within range, yeah? So this is exactly where this beautiful application of cryptography comes in. This is an area called zero knowledge proofs, where you can actually very efficiently convince the cloud provider that you're sending valid data without telling the cloud provider what the data is, yeah. It's kind of a magical aspect of cryptography. It's kind of something that I think everybody should be aware that it's possible. It's actually possible to send you data without you knowing what the data is, and yet they can convince you that the data satisfies certain properties, yeah. So if it's just whether I'm on the Bay Bridge or not, I can convince you that I sent you, say, an encryption of zero or one without telling you whether it's a zero or a one, yeah. And then once the service is convinced that the data has integrity, it has validity, it can aggregate it in private form, and once everyone has sent their data, the aggregate data becomes available in the clear, yeah. So the system that does this is called Prio. The property that it's robust against malicious contributions, well, it's called robustness, and yeah, it's very scalable, very efficient, and as I said, it's actually getting deployed.

I've always been fascinated by zero knowledge proofs, because they are one of those moments where you think about them, you go, how is that possible to do this thing? And the example I've always seen is there are zero knowledge password systems where you can prove to a system that you know a password without revealing anything about the password, even if the other end was malicious. So if the other end was taken over by someone else, you haven't given anything away, and that seems like, how is that possible?

Okay, well, I'm happy to explain how that works, but now we're gonna have to go to, okay, let's talk about some equations. Although what you said is actually a really good point, in that it is important to understand also with password management systems. Today when you log into a website, you send the website your password, right? Well, what if it's the wrong website, which is what we call a phishing attack, and you send the password to the wrong website? Well, there are good authentication systems where I can just prove knowledge of the password without actually sending the password to the other side, as you said, yeah. Now even if I'm at a phishing site, the other side will get nothing, yeah, from that interaction. So, you know, cryptography, you have to understand, it's not just about encrypting data. Cryptography does a whole bunch of things for us, and it's a remarkable tool to put to use, and I'm actually really happy to see it actually getting more and more use. And to be honest, this is why I'm kind of excited about these blockchain projects, because they are really at the cutting edge of what cryptography can provide, and they're even asking questions that we as a research community never considered before. So, you know, they're coming to us and saying, can we do this X, Y and Z, and we go, yeah, that's actually a pretty good question, and then we go and work on that. So for us it's

Stopping you talking about blockchain, yes, till the end, but I want to talk about it. I want to talk about one other thing, which is SGX.

Yes, yes.

You know, in the news today there's a scary news story about hardware attack in the supply chain, with chips being added to motherboards, and SGX is a hardware component, yes? Take us through what SGX is, and also you're interested in the security.

Oh yeah, yeah. So actually this is again something that I think that everybody needs to know about. So we do a quick show of hands, I'm really curious: how many of you have heard of Intel SGX? Oh, very few. Okay, so let me do a quick recap of Intel SGX. I think this is something that everybody needs to know about. So what it is is basically, it's not a hardware component, it's something that is part of the main processor on your system, and in fact if you bought a machine in the last couple of years, you already have Intel SGX built in. What it is is a technology that allows you to kind of create what's called a hardware enclave. So it allows you to run code on your main processor in a way that the code and the data that the code acts on are isolated from the rest of the system. Okay, so literally, in your processor you can kind of cut off part of the processor and have it run a job that no one from the outside can see what it's doing, not even your operating system. So not even malicious entities who are on your main processor, even they cannot look into the enclave, at least in theory, yeah. So that's what Intel SGX allows you to do. I think that I've actually been

So, interrupt you, what do you do with that?

Yeah, I'm gonna explain that. Okay, great, that's a great question, I'm gonna explain. So there have been recent attacks on the hardware enclave, so Intel SGX right now is not as secure as we would like, but, you know, we hope that over time it actually will become better. And there are actually many hardware enclave architectures out there. Intel SGX is just one example that's shipping widely, but there are many others that are available.

So what do we do with it? Well, so let me talk about an application of it in the cloud, and let me talk about an application of it on your end user machine. So in the cloud you can imagine, one thing people worry about is, if I outsource all my computing resources to the cloud, including all my data, then perhaps, you know, a corrupt administrator could somehow get a hold of that data and do something with it. You know, basically we're trusting the cloud to keep our data and our code, you know, intact. Well, with hardware enclaves you can reduce the trust in the cloud, because basically your code will run inside of the hardware enclave. The hardware enclave will have a secret key built into it, so that only inside of the enclave the data will be available in the clear. Outside the enclave everything will be encrypted. So now even if someone in the cloud tries to exfiltrate your data in some way, all they see is ciphertext. The only place where data lives in the clear is inside of the enclave, where no one can see it, yeah. So that's kind of a typical application for enclaves in the cloud. We're not there yet, yeah, we're very far away actually from making this a reality, but that's kind of the long-term vision.

On the end user side, I want to describe something that we did recently, which I think is kind of useful, and something that, well, something I wanted all the time. So the problem that always kind of was really frustrating to me was, every time I log into a remote system and I type in my password, or, you know, maybe I type in my social security number, or my bank account number, or my credit card, or my tax information, that information that I typed into my laptop, you know, I never know, I mean, maybe there's a key logger on my laptop and it's recording everything I type in and sending it to who knows where, right? I just can't tell if there's a key logger on my laptop, because who knows, maybe the operating system got compromised and I can't even trust my own operating system to tell me what's running on the machine. So what I really wanted was a way for me to have, like, guarantees that whatever I type on my laptop is not visible to malware on my laptop, no matter how deeply the malware is embedded on my system. So only the remote website can see what I type in; anything on my system cannot, yeah.

Well, so hardware enclaves are actually like a perfect match for this type of problem, and the way the system works, it's called Fidelius, by the way, that's for you Harry Potter fans, I hope you recognize what Fidelius is, but anyhow, so the system, what it does is the following. So, you know, again, it's not quite ready for deployment, but let me explain how it works. Essentially everything that I type on my keyboard goes through a little encryption, an encryption engine in the keyboard, inside the keyboard, yeah. So literally every click gets encrypted on the way to the, you know, to the main processor. The way we do that is basically, you know, the way we hack hardware these days is we use Raspberry Pis. So the keyboard is connected to a Raspberry Pi, the Raspberry Pi is connected to the main machine, so literally everything that I click gets encrypted at the Raspberry Pi on its way to the machine. All right, so fine, so now we have my clicks basically all encrypted. The question is, who can decrypt that information? And the answer is, well, you guessed it, basically you can decrypt only inside of the hardware enclave. So as I type, basically nothing on the system can see what I'm typing other than the code running inside of the hardware enclave.

Okay, fine, so we're not done yet. That's step number one. Step number two is, how do I see on the screen what I just typed, right? So if the hardware enclave sends the clicks, you know, my keys that I entered, if it sent it to the graphics card in the clear, well, malware could just intercept it and steal it. So we need to have a trusted path from the hardware enclave onto the screen, and here we used another Raspberry Pi, where what it does is it basically has two HDMI streams going to the display: one HDMI stream coming from the main graphics card, and one HDMI stream coming from the actual hardware enclave, yeah. So the real website is rendered by the main processor, and that appears in the main HDMI stream, and then whatever I type in is sort of rendered by the hardware enclave, and that's sent in a separate encrypted HDMI stream to the Raspberry Pi. So now there are two HDMI streams, one is plaintext, one is encrypted, going to the Raspberry Pi. The Raspberry Pi decrypts the encrypted stream, overlays it on top of the regular HDMI stream, and then there's one HDMI cable going to the display. And so you can see it, because it's an overlay, you can see the keys that I just typed on the screen, so I can tell exactly what I actually just entered. But the amazing thing is, if you run, like, screen capture on the system, basically the screen capture just sees an empty field. Like, I type and type and type, and I see it appearing on the display, but you look at what the system thinks is on the screen and it just sees empty, yeah, empty data. So this is a way for me basically to type, I can see what I type, but nothing on the system actually is seeing what I'm typing other than the hardware enclave. And then the hardware enclave in addition also takes what I type and prepares it as an HTTP request to the remote website, so it's encrypted again under the remote website's public key, so that only the remote website can see the data that I just typed.

So these components, eventually I hope the keyboard Raspberry Pi will get embedded into the keyboard, the display Raspberry Pi will get embedded into the display, yeah. So you would just buy these secure keyboards and secure displays, and now actually you're guaranteed, when you're typing on your keyboard in the secure mode, you have to make sure you're in secure mode, then nothing on the system sees what you're typing other than the remote website and the hardware enclave, which is isolated from everything else. So to me this gives me kind of peace of mind. Now I would feel much more comfortable, say, doing my tax return on my computer, knowing that nothing on my computer can actually steal what I'm typing.

Fascinating.

So that's a kind of interesting application for hardware enclaves, but like I said, there are many, many, many others, and it's quite promising technology.

All right, I'm gonna unleash your blockchain knowledge, yeah. Tell me about the Center for Blockchain Research.

Okay, in five minutes?

All right.

All right, so blockchains, yes. So maybe you've noticed, but blockchains is an area that's just a little bit overhyped, tiny, tiny bit overhyped, yes. I actually think that all the hype around it is causing damage to the field, because it's turning away some people. But when you ignore the hype, there's really interesting science happening in the world of blockchains, really, really fascinating questions, and when you start to look at, like, what areas of technology and beyond do blockchains affect, it's mind-boggling, yeah. So blockchains impact distributed systems. They impact programming languages: we need new programming languages for writing these smart contracts. If you write bugs into your smart contracts, you know, it's not someone's computer crashing, it's 50 million dollars getting locked up and no one can get access to that money. So there's real huge amounts of money at stake as a result of these bugs. We need new verification tools to make sure that this code actually is correct and implementing things as we expect. We need new cryptography, which is what I'm excited about. We need new game theory, new mechanism designs for correctly distributing incentives in blockchains, and that actually impacts economics. In fact, economists are quite fascinated by what blockchain enables in terms of currencies and such. And then there's a huge aspect, legal aspects to cryptocurrencies and crypto tokens. In fact, cryptocurrencies and crypto assets have become like a pretty large subdiscipline of the law now, and there are many academics and in fact legal professionals working in this area.

So when you think about this, I don't remember in the last, you know, many, many years, like, one technology that impacted sort of all of computer science, economics, and law to the level the blockchain is impacting, yeah. So there's really massive, massive ideas that are being generated here that are impacting many different fields of technology, and, you know, there's a need for research. These are like fundamental questions that have never been asked before, and so we realized that, you know, obviously researchers across the campus were waking up to these problems, and there was a lot of activity around blockchains, and our Center for Blockchain Research kind of brings it all together under one umbrella. So please come, we run a lot of events on campus for people in the blockchain space, so if you're interested, go to CBR, Center for Blockchain Research, cbr.stanford.edu. You'll see there are a lot of events that we run, please join their events. In fact, in January there's a conference that we're running on new technology, new developments in blockchains. It's open to everyone, everything we do is free, open to the public, so, you know, please come. If you want to speak, you know, submit proposals.

So it's really quite an exciting area, and, you know, new developments happen every day. I can tell you we're teaching a course on blockchains. This is the third time we're teaching this course. It's very popular. This time around, as you can imagine, we have almost 250 students, a very large number. I can tell you that the number, every year, this is the third year we're teaching it, the number of students who register for the course is correlated directly with the price of Bitcoin, yeah. So I'm hoping that it goes up, and then next year we'll have 500 students, yeah. So that's my, I just want, I want more students, that's my interest.

Is it directly correlated? So if I could get people to go to Stanford, I could affect the Bitcoin price?

I think it's, yeah, because all of it goes the other way.

Okay.

Unfortunately, pretty, yeah. So then within the space, so I say more

Keep going, keep going.

Okay, so within the space of blockchain, as I said, I'm really excited about the area of crypto research that's motivated by blockchain, just because of all the new questions they're asking. So let me give you just one example of something that we did recently, yeah. So that has to do again with privacy, privacy in the blockchain. So I don't know how many of you actually know how cryptocurrencies work, but let me just tell you that the Bitcoin currency, which is the largest one out there, works basically by saying, you know, every time I want to pay someone, basically I have an address, the payee has an address, and I write to the blockchain the fact that, you know, Dan is paying John five bitcoins, say, yeah, and that transaction gets recorded on the blockchain. Fine. So if you think about that, you realize, wait a minute, there's something funny here. So the whole world, the blockchain is public, it's replicated all over the world, it's public, so the whole world actually gets to see that I just paid John five bitcoins. Well, I'm not sure that's something that I want the whole world to see. In particular, if Stanford, say, wanted to pay my salary in Bitcoin, the whole world would see what my salary is, right? Or if you were a vendor who's buying, you know, equipment from a supplier, when you have a supply chain and you pay in bitcoins, the whole world would see how much you're paying your supplier. This is sort of fundamentally in conflict with business needs.

So the question is, could we add privacy to the blockchain? And there are many, this is again a fascinating area, could we do cryptocurrencies with privacy? So there are actually cryptocurrencies that kind of provide complete privacy, things like Zcash and Monero, if you've heard of those. There you can't tell who's paying who and what amounts, a completely private system. We were interested in a system that kind of goes halfway and only hides the amounts. So everybody will know that Stanford pays my salary, everybody knows I work at Stanford, but they shouldn't know what the amount is, they shouldn't know what the salary is. Okay, so the way we do it is, effectively, the value that gets written on the blockchain, the transaction on the blockchain, says Stanford pays Dan Boneh, but the amount is in some sense encrypted. Technically we use what's called cryptographic commitments, but technically we can think of it as an encryption, so the amount actually is encrypted.

Okay, fine, so now we have all these transactions with encrypted amounts in the blockchain. Well, the interesting thing is, the fundamental problem with, the fundamental guarantee of what Bitcoin does is it guarantees every transaction is valid. One of the things that validity means is that the sum of the money coming into the transaction has to be at least as big as the sum of the money coming out of the transaction, so money can't be created out of thin air, and everybody has to be able to verify that publicly. That's kind of the public verifiability of the blockchain. Now I just told you all the amounts are encrypted, so how do you verify that no money is created, that the sum of the inputs is greater or equal to the sum of the outputs? How do you do that? Can anyone think? We have encrypted data that we need to prove properties of. How do we do it? You tell me.

Zero knowledge.

Exactly. So that's another wonderful application of zero knowledge, and just to show you why this is a new area, the challenge here is, putting data on the blockchain is extremely expensive, because it's replicated all over the world and it's data per transaction, so you want to minimize the amount of data on the blockchain. So the question is, what is the shortest possible zero knowledge proof that will allow us to prove that the transaction is valid? So we're looking for short zero knowledge proofs, yeah. And so we designed a system called Bulletproofs that actually gives the shortest zero knowledge proofs that we have without trusted setup, and actually, you know, that actually is something that's getting adopted. Again, this is why I love the space: you kind of invent something and, you know, projects actually go and adopt and deploy it. So I don't know, so this is, okay, one example.

Let's do this, we're very close to lunch, let's let the audience ask a question, if there's a question. Let's see, let's go all the way back over here.

Enough, can you talk a little bit about homomorphic, actually maybe multi-party computing, Shamir secret sharing, kind of the applications for that?

Oh sure, sure, sure. I think you started with homomorphic encryption, yeah. So, oh man, so you're asking me in one minute to talk about homomorphic encryption. Okay, well, I'll say that 30 seconds, so more thinking. So fully homomorphic encryption is basically a development, actually by one of my former students from a few years ago, that basically allows you to compute on encrypted, on encrypted data, yeah. So even though the data is encrypted, you can still compute on that data. So I can, each, so that, I don't know, there are many applications for that technology, but maybe instead of giving applications I'll just give a caveat, in that fully homomorphic encryption, we know how to do it now in polynomial time, but unfortunately in practice it's still a little bit too slow to actually deploy in the real world. So it's technology that's coming. Hopefully, you know, crypto systems can only get better, they can't get worse, so I guess unless they're broken, yeah, other than that they only get better. So hopefully we'll have better and better homomorphic encryption at some point that can actually be used in practice. So I'll leave it at that.

Okay, we're seconds away from lunch, so I'm gonna stop, not have another question, but so two things. So lunch is on the roof and in the basement, so you can choose whether you want to be in the dark or in the sun. We'll be back here at one o'clock. I'll actually be back here at one o'clock with Sophie Wilson, who was the designer, one of the designers of the first ARM chip, and every single person in this room has multiple ARM chips. What I was basing, you were using Raspberry Pis, which are an ARM core, so she's going to talk about the genesis of ARM and how that was great. So that's at 1 p.m.