DOI: 10.1145/3658644.3690273
Research article

Complete Knowledge: Preventing Encumbrance of Cryptographic Secrets

Published: 09 December 2024

Abstract

Most cryptographic protocols model a player's knowledge of secrets in a simple way. Informally, the player knows a secret in the sense that she can directly furnish it as a (private) input to a protocol, e.g., to digitally sign a message.
The growing availability of Trusted Execution Environments (TEEs) and multiparty computation (MPC), however, undermines this model of knowledge. Such tools can encumber a secret sk and permit a chosen player to access sk conditionally, without actually knowing sk. By permitting selective access to sk by an adversary, encumbrance of secrets can enable vote-selling in cryptographic voting schemes, illegal sale of credentials for online services, and erosion of deniability in anonymous messaging systems.
Unfortunately, existing proof-of-knowledge protocols fail to demonstrate that a secret is unencumbered. We therefore introduce and formalize a new notion called complete knowledge (CK). A proof (or argument) of CK shows that a prover does not just know a secret, but also has fully unencumbered knowledge, i.e., unrestricted ability to use the secret.
We introduce two practical CK schemes that use special-purpose hardware, specifically TEEs and off-the-shelf mining ASICs. We prove the security of these schemes and explore their practical deployment with a complete, open-source, end-to-end prototype with smart-contract verification that supports both. We show how CK can address encumbrance attacks identified in previous work. Finally, we introduce two new applications enabled by CK that involve proving ownership of blockchain assets.


Published In

CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, December 2024, 5188 pages. ISBN: 9798400706363. DOI: 10.1145/3658644

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. blockchains
  2. encumbrance
  3. proofs of knowledge