Zero-knowledge proofs are effective cryptographic primitives which may provide additional properties and guarantees to security systems and communication protocols. However, they are still being underused in modern world. Unfortunately, even with today’s strong cryptography solutions and increased user security awareness information leaks still happen. As the data on the Web becomes more valuable, attackers develop more sophisticated attacks often involving more than just technical assets, but also other techniques like social engineering. The talk presents possible ways of using zero-knowledge proofs to improve authentication and phishing prevention on the Web taking novel implementation of well known technique (socialist millionaires’ protocol) as an example.

1. Enforcing Web security and privacy
with zero-knowledge protocols
Ignat Korchagin

2. Why?
• You provide your personally identifiable information (PII)
most of the time

3. Why?
• You provide your personally identifiable information (PII)
most of the time
• Service provider promises to take all “relevant measures”
to store such information “securely”

4. Why?
• You provide your personally identifiable information (PII)
most of the time
• Service provider promises to take all “relevant measures”
to store such information “securely”
• Service provider aims to make your experience secure

5. Reality
• Databases leak
• UK medical records
• Turkish citizenship database

6. Reality
• Databases leak
• UK medical records
• Turkish citizenship database
• PII leaks
• no clear definition of “relevant measures” and “securely”
• mostly organizational measures, no encryption

7. Reality
• Databases leak
• UK medical records
• Turkish citizenship database
• PII leaks
• no clear definition of “relevant measures” and “securely”
• mostly organizational measures, no encryption
• Service provider (or their partner) takes advantage of PII
• credit reference agencies

8. Reality
• Databases leak
• UK medical records
• Turkish citizenship database
• PII leaks
• no clear definition of “relevant measures” and “securely”
• mostly organizational measures, no encryption
• Service provider (or their partner) takes advantage of PII
• credit reference agencies
• User passwords get stolen
• using obsolete crypto
• fake login prompts
• no SSL/TLS

9. ZKP more formally
• Zero-knowledge proof is a method by which one party (the prover) can
prove to another party (the verifier) that a given statement is true, without
conveying any information apart from the fact that the statement is indeed
true.
• Properties:
• Completeness: if the statement is true, the honest verifier (that is, one following the
protocol properly) will be convinced of this fact by an honest prover
• Soundness: if the statement is false, no cheating prover can convince the honest
verifier that it is true, except with some small probability
• Zero-knowledge: if the statement is true, no cheating verifier (or others) learns anything
other than this fact. This is formalized by showing that every cheating verifier has some
simulator that, given only the statement to be proved (and no access to the prover), can
produce a transcript that "looks like" an interaction between the honest prover and the
cheating verifier

10. A cave with a magic door

11. A cave with a magic door
1
Peggy randomly
enters A or B

12. A cave with a magic door
1 2
Peggy randomly
enters A or B
Victor randomly
shouts A or B

13. A cave with a magic door
1 2
3
Peggy randomly
enters A or B
Victor randomly
shouts A or B
Peggy reliably
appears on
requested side

14. 50% cheat probability. Really?
• One round of protocol has 0.5 cheat probability
• if Peggy chooses to enter the same side which Victor will shout later, she can
convince Victor even without knowing the magic word

15. 50% cheat probability. Really?
• One round of protocol has 0.5 cheat probability
• if Peggy chooses to enter the same side which Victor will shout later, she can
convince Victor even without knowing the magic word
• To address above we just need to repeat the protocol N
times
• each round outcome is independent
• cheat probability: P = 0.5 * 0.5 * 0.5 * … * 0.5 = (0.5)N = 2-N

16. 50% cheat probability. Really?
• One round of protocol has 0.5 cheat probability
• if Peggy chooses to enter the same side which Victor will shout later, she can
convince Victor even without knowing the magic word
• To address above we just need to repeat the protocol N
times
• each round outcome is independent
• cheat probability: P = 0.5 * 0.5 * 0.5 * … * 0.5 = (0.5)N = 2-N
• If we repeat the protocol ~128 times, we can make it as
secure as AES

17. Socialist millionaires
• Socialist millionaire problem is a way for two
millionaires to check whether their wealth is equal

18. Socialist millionaires
• EC curve: G - base point, n - order of G
• Alice and Bob have x and y respectively. Both want to know whether x==y.

19. Socialist millionaires
• EC curve: G - base point, n - order of G
• Alice and Bob have x and y respectively. Both want to know whether x==y.
Generate a2, a3,
s
G2a = a2*G
G3a = a3*G
Generate b2, b3,
r
G2b = b2*G
G3b = b3*GG2a, G3a, G2b, G3b

20. Socialist millionaires
• EC curve: G - base point, n - order of G
• Alice and Bob have x and y respectively. Both want to know whether x==y.
Generate a2, a3,
s
G2a = a2*G
G3a = a3*G
Generate b2, b3,
r
G2b = b2*G
G3b = b3*G
G2 = a2*G2b
G3 = a3*G3b
Pa = s*G3
Qa = s*G + x*G2
G2 = b2*G2a
G3 = b3*G3a
Pb = r*G3
Qb = r*G + y*G2
G2a, G3a, G2b, G3b
Pa, Qa, Pb, Qb

21. Socialist millionaires
• EC curve: G - base point, n - order of G
• Alice and Bob have x and y respectively. Both want to know whether x==y.
Generate a2, a3,
s
G2a = a2*G
G3a = a3*G
Generate b2, b3,
r
G2b = b2*G
G3b = b3*G
G2 = a2*G2b
G3 = a3*G3b
Pa = s*G3
Qa = s*G + x*G2
G2 = b2*G2a
G3 = b3*G3a
Pb = r*G3
Qb = r*G + y*G2
Ra = a3*(Qa-Qb) Rb = b3*(Qa-Qb)
G2a, G3a, G2b, G3b
Pa, Qa, Pb, Qb
Ra, Rb

22. Socialist millionaires
• EC curve: G - base point, n - order of G
• Alice and Bob have x and y respectively. Both want to know whether x==y.
Generate a2, a3,
s
G2a = a2*G
G3a = a3*G
Generate b2, b3,
r
G2b = b2*G
G3b = b3*G
G2 = a2*G2b
G3 = a3*G3b
Pa = s*G3
Qa = s*G + x*G2
G2 = b2*G2a
G3 = b3*G3a
Pb = r*G3
Qb = r*G + y*G2
Ra = a3*(Qa-Qb) Rb = b3*(Qa-Qb)
a3*Rb == Pa-Pb b3*Ra == Pa-Pb
G2a, G3a, G2b, G3b
Pa, Qa, Pb, Qb
Ra, Rb

23. Socialist millionaires
• EC curve: G - base point, n - order of G
• Alice and Bob have x and y respectively. Both want to know whether x==y.
Generate a2, a3,
s
G2a = a2*G
G3a = a3*G
Generate b2, b3,
r
G2b = b2*G
G3b = b3*G
G2 = a2*G2b
G3 = a3*G3b
Pa = s*G3
Qa = s*G + x*G2
G2 = b2*G2a
G3 = b3*G3a
Pb = r*G3
Qb = r*G + y*G2
Ra = a3*(Qa-Qb) Rb = b3*(Qa-Qb)
a3*Rb == Pa-Pb b3*Ra == Pa-Pb
G2a, G3a, G2b, G3b
Pa, Qa, Pb, Qb
Ra, Rb
a3 * Rb = b3 * Ra = (Pa - Pb) + (a3 * b3 * (x - y)) *
G2

24. Socialist millionaires
• EC curve: G - base point, n - order of G
• Alice and Bob have x and y respectively. Both want to know whether x==y.
Generate a2, a3,
s
G2a = a2*G
G3a = a3*G
Generate b2, b3,
r
G2b = b2*G
G3b = b3*G
G2 = a2*G2b
G3 = a3*G3b
Pa = s*G3
Qa = s*G + x*G2
G2 = b2*G2a
G3 = b3*G3a
Pb = r*G3
Qb = r*G + y*G2
Ra = a3*(Qa-Qb) Rb = b3*(Qa-Qb)
a3*Rb == Pa-Pb b3*Ra == Pa-Pb
G2a, G3a, G2b, G3b
Pa, Qa, Pb, Qb
Ra, Rb
a3 * Rb = b3 * Ra = (Pa - Pb) + (a3 * b3 * (x - y)) *
G2

25. Socialist millionaires
• Socialist millionaire problem is a way for two
millionaires to check whether their wealth is equal
• can be used to verify whether two parties posses the same secret
• a passive attacker learns nothing about the protocol and its outcome
• MiTM can do no better than passive attacker except disrupting the
communication channel
• even if one of the parties is dishonest, he learns nothing more that the
protocol outcome
• unlike most other zero-knowledge proofs requires O(1) protocol iterations
• is adopted and has good history

26. OTR SMP
• Uses 1536-bit group calculations

27. OTR SMP
• Uses 1536-bit group calculations
• BUT: LogJam!

28. OTR SMP
• Uses 1536-bit group calculations
• BUT: LogJam!
• 512-bit broken
• 1024-bit probably
• 1536-bit is very close!

29. Themis SMP vs OTR SMP
• Improving SMP
• moved all cryptographic operations in ECC domain
• modern (boring) cryptography (ed25519)
• timing attacks protection
• fast and performant
• reduced memory footprint
• support for many high-level languages
• simple API
• GitHub: https://github.com/cossacklabs/themis

30. Possible use-cases

31. Possible use-cases

32. Possible use-cases
• Credit reference agency knows your PII, even if you were not on file before
PII PII

33. Possible use-cases

34. Possible use-cases

35. Possible use-cases
Hash(UniqueID) = AnotherUniqueID

36. Possible use-cases
• Credit reference agency knows your are at least client of both banks even if
you were not on file before (able to trace you later)
Hash(UniqueID) = AnotherUniqueID

37. Possible use-cases
• Credit reference agency does not get anything if your were not on their file
previously
Hash(UniqueID) = AnotherUniqueID

38. SMP vs PAKE
• PAKE - password-authenticated key agreement

39. SMP vs PAKE
• PAKE - password-authenticated key agreement
• basic PAKE requires only 1 roundtrip
• simple, requires small number of asymmetric cryptographic operations
• easy to implement
• provides a negotiated secret key as a protocol outcome

40. SMP vs PAKE
• PAKE - password-authenticated key agreement
• basic PAKE requires only 1 roundtrip
• simple, requires small number of asymmetric cryptographic operations
• easy to implement
• provides a negotiated secret key as a protocol outcome
• Example: SPAKE2 (https://tools.ietf.org/html/draft-irtf-
cfrg-spake2-03)

41. SPAKE2
• EC curve: G - base point, n - order of G, M,N - known fixed points on the curve
• Alice and Bob know w.
Generate x
X = x*G
T = w*M + X
Generate y
Y = y*G
S = w*N + Y
K = x*(S - w*N) K = y*(T - w*M)
T, S

42. Myth 1: PAKE is MUCH faster
• PAKE is better because it is simpler
• requires much less computations
• only 1-RTT compared to 3-RTT SMP

43. SPAKE2
• EC curve: G - base point, n - order of G, M,N - known fixed points on the curve
• Alice and Bob know w.
Generate x
X = x*G
T = w*M + X
Generate y
Y = y*G
S = w*N + Y
K = x*(S - w*N) K = y*(T - w*M)
T, S

44. SPAKE2
• EC curve: G - base point, n - order of G, M,N - known fixed points on the curve
• Alice and Bob know w.
Generate x
X = x*G
T = w*M + X
Generate y
Y = y*G
S = w*N + Y
K = x*(S - w*N) K = y*(T - w*M)
T, S
Key confirmation?

45. Myth 1: PAKE is MUCH faster
• SPAKE2 requires additional roundtrip for authentication
scenario

46. Myth 1: PAKE is MUCH faster
• SPAKE2 requires additional roundtrip for authentication
scenario
• Pure C: SMP is only ~20 times slower
• small price for zero-knowledge guarantee

47. Myth 1: PAKE is MUCH faster
• SPAKE2 requires additional roundtrip for authentication
scenario
• Pure C: SMP is only ~20 times slower
• small price for zero-knowledge guarantee
• High-level languages: SMP is only ~3 times slower
• more probable real-world use-case
• more time is spent on network communication and language runtime

48. Myth 2: SMP doesn’t negotiate a key
• PAKE is better because it negotiates a key out-of-the box
and SMP does not

49. Socialist millionaires
• EC curve: G - base point, n - order of G
• Alice and Bob have x and y respectively. Both want to know whether x==y.
Generate a2, a3,
s
G2a = a2*G
G3a = a3*G
Generate b2, b3,
r
G2b = b2*G
G3b = b3*G
G2 = a2*G2b
G3 = a3*G3b
Pa = s*G3
Qa = s*G + x*G2
G2 = b2*G2a
G3 = b3*G3a
Pb = r*G3
Qb = r*G + y*G2
Ra = a3*(Qa-Qb) Rb = b3*(Qa-Qb)
a3*Rb == Pa-Pb b3*Ra == Pa-Pb
G2a, G3a, G2b, G3b
Pa, Qa, Pb, Qb
Ra, Rb

50. Socialist millionaires
• EC curve: G - base point, n - order of G
• Alice and Bob have x and y respectively. Both want to know whether x==y.
Generate a2, a3,
s
G2a = a2*G
G3a = a3*G
Generate b2, b3,
r
G2b = b2*G
G3b = b3*G
G2 = a2*G2b
G3 = a3*G3b
Pa = s*G3
Qa = s*G + x*G2
G2 = b2*G2a
G3 = b3*G3a
Pb = r*G3
Qb = r*G + y*G2
Ra = a3*(Qa-Qb) Rb = b3*(Qa-Qb)
a3*Rb == Pa-Pb b3*Ra == Pa-Pb
G2a, G3a, G2b, G3b
Pa, Qa, Pb, Qb
Ra, Rb

51. Socialist millionaires
• EC curve: G - base point, n - order of G
• Alice and Bob have x and y respectively. Both want to know whether x==y.
Generate a2, a3,
s
G2a = a2*G
G3a = a3*G
Generate b2, b3,
r
G2b = b2*G
G3b = b3*G
G2 = a2*G2b
G3 = a3*G3b
Pa = s*G3
Qa = s*G + x*G2
G2 = b2*G2a
G3 = b3*G3a
Pb = r*G3
Qb = r*G + y*G2
Ra = a3*(Qa-Qb) Rb = b3*(Qa-Qb)
a3*Rb == Pa-Pb b3*Ra == Pa-Pb
G2a, G3a, G2b, G3b
Pa, Qa, Pb, Qb
Ra, Rb
SMP actually negotiates 2 keys!

52. Possible use-cases
• Automatic key rotation for long-lived encrypted connections

53. Possible use-cases
Encrypted communication (K1)
• Automatic key rotation for long-lived encrypted connections

54. Possible use-cases
SMP (or PAKE with confirm)
Encrypted communication (K1)
• Automatic key rotation for long-lived encrypted connections

55. Possible use-cases
SMP (or PAKE with confirm)
Encrypted communication (K1)
• Automatic key rotation for long-lived encrypted connections
save negotiated key

56. Possible use-cases
SMP (or PAKE with confirm)
Encrypted communication (K1)
Encrypted communication (K2)
• Automatic key rotation for long-lived encrypted connections
save negotiated key

57. Myth 3: using PAKE for authentication
• PAKE has many other reasons to be better for
authentication

58. Myth 3: using PAKE for authentication
• PAKE is a KEY AGREEMENT

59. Myth 3: using PAKE for authentication
• PAKE is a KEY AGREEMENT
• the goal of the protocol is to negotiate a shared secret, not authenticate a
peer
• PAKE protocol outcome does not provide the proof that your peer knows the
secret

60. SPAKE2
• EC curve: G - base point, n - order of G, M,N - known fixed points on the curve
• Alice and Bob know w.
Generate x
X = x*G
T = w*M + X
Generate y
Y = y*G
S = w*N + Y
K = x*(S - w*N) K = y*(T - w*M)
T, S

61. SPAKE2
• EC curve: G - base point, n - order of G, M,N - known fixed points on the curve
• Alice and Bob know w.
Generate x
X = x*G
T = w*M + X
Generate y
Y = y*G
S = w*N + Y
K = x*(S - w*N) K = y*(T - w*M)
T, S

62. SPAKE2
• EC curve: G - base point, n - order of G, M,N - known fixed points on the curve
• Alice and Bob know w.
Generate x
X = x*G
T = w*M + X
Generate y
Y = y*G
S = w*N + Y
K = x*(S - w*N) K = y*(T - w*M)
T, S
To successfully complete the protocol:
• the peer may not even know w (the real secret
information)
• but only w*M and w*N (its public derivatives)

63. SPAKE2
SPAKE2 by itself does not provide the basic proof of secret
knowledge

64. SPAKE2
SPAKE2 by itself does not provide the basic proof of secret
knowledge
• can be enforced on implementation level
• made as a constraint in the target system
• treat public counterparts as secret themselves
• etc

65. SPAKE2
SPAKE2 by itself does not provide the basic proof of secret
knowledge
• can be enforced on implementation level
• made as a constraint in the target system
• treat public counterparts as secret themselves
• etc
But anyway: it has to be considered somehow and protocol
users have to be aware of this

66. Socialist millionaires
• EC curve: G - base point, n - order of G
• Alice and Bob have x and y respectively. Both want to know whether x==y.
Generate a2, a3,
s
G2a = a2*G
G3a = a3*G
Generate b2, b3,
r
G2b = b2*G
G3b = b3*G
G2 = a2*G2b
G3 = a3*G3b
Pa = s*G3
Qa = s*G + x*G2
G2 = b2*G2a
G3 = b3*G3a
Pb = r*G3
Qb = r*G + y*G2
Ra = a3*(Qa-Qb) Rb = b3*(Qa-Qb)
a3*Rb == Pa-Pb b3*Ra == Pa-Pb
G2a, G3a, G2b, G3b
Pa, Qa, Pb, Qb
Ra, Rb

67. Socialist millionaires
• EC curve: G - base point, n - order of G
• Alice and Bob have x and y respectively. Both want to know whether x==y.
Generate a2, a3,
s
G2a = a2*G
G3a = a3*G
Generate b2, b3,
r
G2b = b2*G
G3b = b3*G
G2 = a2*G2b
G3 = a3*G3b
Pa = s*G3
Qa = s*G + x*G2
G2 = b2*G2a
G3 = b3*G3a
Pb = r*G3
Qb = r*G + y*G2
Ra = a3*(Qa-Qb) Rb = b3*(Qa-Qb)
a3*Rb == Pa-Pb b3*Ra == Pa-Pb
G2a, G3a, G2b, G3b
Pa, Qa, Pb, Qb
Ra, Rb
Secrets are combined with random shared values
with contributions from both peers

68. Conclusions

69. Conclusions
• Zero-knowledge protocols are useful building blocks for
enhanced security and privacy preserving protocols
• They can be useful in a scenario where one of the protocol participants may
be malicious

70. Conclusions
• Zero-knowledge protocols are useful building blocks for
enhanced security and privacy preserving protocols
• They can be useful in a scenario where one of the protocol participants may
be malicious
• You may use PAKE for many real world tasks, but you
have to be aware of the caveats

71. Conclusions
• Zero-knowledge protocols are useful building blocks for
enhanced security and privacy preserving protocols
• They can be useful in a scenario where one of the protocol participants may
be malicious
• You may use PAKE for many real world tasks, but you
have to be aware of the caveats
• Socialist millionaire protocol provides more security
guarantees, although with some performance penalty

72. References
• Paper: https://www.cossacklabs.com/files/secure-
comparator-paper-rev12.pdf
• Code: https://github.com/cossacklabs/themis

73. Thank you!
Questions?