金融科技專場 Opportunies for innovaon in FinTech and Cyber-security -Bill Roscoe

Opportuni)esforinnova)oninOxfordUniversityandChie7inLab,Shenzhengesmicroprocessorssecuritymilitarysystemsdevelopment.WorkingonSecuritysinceonFinTechsince.eadofOxfordComputerSciencemakingitintoalargegeneralCSdepartmentrated3rdintheworld.?Recentlytookpar@alre@rementfromOxfordandseTngupChie7inLabhereinShenzhen.Chie<inLab?CentredonFinTech.?BuildingIPthatcanbelicencedorspunout.morejuniorresearchers.?BuildingteamsinPayment,BlockchainandBigData.ncedfourpatentsfromOxfordmiddle.cryptographicsignature.bleHISPseliminanganaackvectorfromaclassofcryptoprotocols.4.AuditablePAKEsandstochas@cfairexchange:anexci@ngnewapproachtomakingtransac@onssafeandsecure.WearedevelopingmuchnewIPappingtechniquesforpostquantumandIoTNovelPQsignatureschemeogynologyeenhonestmistakesandaacks4.Lossofservicefrompasswordguessinga]acksplicableInspira)on?PAKEs:twopar@estryingtobuildasecurechannelontopofapasswordthatdoesnothaveenoughcontenttobeakey.Searchablegiventheopportunity.uldshedoellhavemadeamistakeeitherrememberedwrongpasswordormiss-typed).?Soifsheraisesthealarmforana]ack,shewillo7enberound.?Wewantameansofpreven@ngBobfrommakinghonestmistakes,atleastonesthatwillgetasfarasAliceforchecking.?Giveeachpasswordacriterionbasedonitspurposethatithastosa@sfy,andhelpAliceandBobchooseonethatdoes.onwillbebasedonasignatureforthepurposeforwhichitis“Alice’sinternetbankingpasswordforBarclays”,“Bob’sOxfordSSOpassword”ionforpasswordpwillbesomethinglikehashpsCwhereCisatagivenpercentageofrandomstringswillpasssayiteratedhashing).?Bob’spasswordsfordi?erentpurposeswillallbedi?erent.akesanhonestmistakesuchastypinginhispasswordforsomethingelseitwillbepubliclydiagnosableasthis,andinaPAKEthecheckingwillnotinvolveAliceBayesianprobabilitytellsusthataguessthatdoesmeetthecriterionismuchmorelikelytocomefromana]acker.Falseposi@vea]ackswillbe1%or0.1%ascommonaswithordinarytechnology.?Inthecaseofadistributedpasswordguessinga]ack,eitheritwillbemuchmoreexpensivetomountoralmostalloftheguesseswillbe?lteredoutbeforereachingthecentralpassword?le.?Weimaginethatuser(s)willenteraprototypepassword,whichwillbeasuitablemeasureofentropyandthenthetoolwillcalculate?Couldbechoosingasecondwordornumbertobeplacedatsomepoint.?Couldbereplacingcharactersinsomeway.?Obviouslyhastobedoneo?ineorviaasecureservice.theentropythatwillbetakenawaybythetest,butpossiblymore.Ques)onsoflongerandmorevariedpasswordsstructureeterionmeanslongerpasswordsandlongertoconstructbalanceprototypesincludinghowtheya?ecthumanbehaviour.?Theseareusuallyvaria@onsofthediscretelogarithmproblemandbuildaquantumcomputer.?Wedonotknowwhenonewillbebuilt,butthisisarealproblemnow!?Weneedoursignaturestoremainreliable,andanysymmetrickeykwhichethodswillberevealedandhenceeverythingencryptedunderk.?Itisnotcomfortabletoknowthatyourcommunica@onsandrecordsfromtalldependonthesupposedintractabilityoftalldependonthesupposedintractabilityofcertain?Thismeansameansofsecuritythatwillnotbebrokenbyaquantumcomputer.trapdoors)thoughttobeproofagainstquantumcomputers.?ThebestcandidatescomefromlaTce-basedcryptography.?Cancreateverylargekeys,andno-onereallyunderstandswhatcanbedonewithaquantumcomputer.vulnerabletoquantumcomputersAndiftheyareweareinrealtrouble!)basiccrypto.Wehaveproposalsforbothsignatureandkeyagreement.ureesarecipientreasontobelievethatthemessagewascreatedbyaalteredintransit(integrity).Formally,adigitalsignatureschemeisatripleofprobabilisticpolynomialtimealgorithms,(G,S,V),satisfying:?G(key-generator)generatesapublickey,pk,andacorrespondingprivatekey,sk,oninput1n,wherenisthesecurityparameter.?S(signing)returnsatag,t,ontheinputs:theprivatekey,sk,andastring,x.?V(verifying)outputsacceptedorrejectedontheinputs:thepublickey,pk,astring,x,andatag,t.Forcorrectness,SandVmustsatisfyPr[(pk,sk)←G(1n),V(pk,x,S(sk,x))=accepted]=1.[9]Adigitalsignatureschemeissecureifforeverynon-uniformprobabilisticpolynomialtimeadversary,APr[(pk,sk)←G(1n),(x,t)←AS(sk,·)(pk,1n),x?Q,V(pk,x,t)=accepted]<negl(n),whereAS(sk,·)denotesthatAhasaccesstotheoracle,S(sk,·),andQdenotesthesetofthequeriesonSmadebyA,whichknowsthepublickey,pk,andthesecurityparameter,n.hatwerequireanyadversarycannotdirectlyquerythestringxonSLet’scallthistheintensionalde?ni@on:comeswithaclearde?ni@onabouthowitistobedone.forexampleLamport’ssignaturescheme.anuseeachpublickeysecretkeypaironlyonceandarefairlyelaborate.?Wewilldispensewiththedi?erencebetweenpublicandsecretkeys.cleakeyissecretasuitablehashofitispublicanditselfwithaaboutwhenitwillordidchange.?WhileoneofA’skeysissecretAcansignanythingusingit.?Suchsignaturescanbecheckedoncethekeyispublic.?Akeycer@?catenowtakestheform(hash(k,A,t),A,t),sign((A,hash(k,A,t),t),A’,t’)eaningthateitherthenodedoingthecheckingcanorthenodesoftheblockchainhasalreadycheck/edit.?WhereAhasreleasedacer@?cateforkeyvwithrelease@met,sign(X,A,t)=hash(X,v)andmustbeplacedontheblockchainbefore@met.ckAddtoconsensusmechanismdeoraCAcanmaintainAskeysbyaddingmorefuturekeysThatwayeachnodecanalwaysmaintainitssetoffuturekeys.?Extremelycheaptoimplement.