金融科技专场 Opportunies for innovaon in FinTech and Cyber-security -Bill Roscoe

Opportuni)esforinnova)oninOxfordUniversityandChie7inLab,Shenzhengesmicroprocessorssecuritymilitarysystemsdevelopment.WorkingonSecuritysinceonFinTechsince.eadofOxfordComputerSciencemakingitintoalargegeneralCSdepartmentrated3rdintheworld.•Recentlytookpar@alre@rementfromOxfordandseTngupChie7inLabhereinShenzhen.Chie<inLab•CentredonFinTech.•BuildingIPthatcanbelicencedorspunout.morejuniorresearchers.•BuildingteamsinPayment,BlockchainandBigData.ncedfourpatentsfromOxfordmiddle.cryptographicsignature.bleHISPseliminanganaackvectorfromaclassofcryptoprotocols.4.AuditablePAKEsandstochas@cfairexchange:anexci@ngnewapproachtomakingtransac@onssafeandsecure.WearedevelopingmuchnewIPappingtechniquesforpostquantumandIoTNovelPQsignatureschemeogynologyeenhonestmistakesandaacks4.Lossofservicefrompasswordguessinga]acksplicableInspira)on•PAKEs:twopar@estryingtobuildasecurechannelontopofapasswordthatdoesnothaveenoughcontenttobeakey.Searchablegiventheopportunity.uldshedoellhavemadeamistakeeitherrememberedwrongpasswordormiss-typed).•Soifsheraisesthealarmforana]ack,shewillo7enberound.•Wewantameansofpreven@ngBobfrommakinghonestmistakes,atleastonesthatwillgetasfarasAliceforchecking.•Giveeachpasswordacriterionbasedonitspurposethatithastosa@sfy,andhelpAliceandBobchooseonethatdoes.onwillbebasedonasignatureforthepurposeforwhichitis“Alice’sinternetbankingpasswordforBarclays”,“Bob’sOxfordSSOpassword”ionforpasswordpwillbesomethinglikehashpsCwhereCisatagivenpercentageofrandomstringswillpasssayiteratedhashing).•Bob’spasswordsfordifferentpurposeswillallbedifferent.akesanhonestmistakesuchastypinginhispasswordforsomethingelseitwillbepubliclydiagnosableasthis,andinaPAKEthecheckingwillnotinvolveAliceBayesianprobabilitytellsusthataguessthatdoesmeetthecriterionismuchmorelikelytocomefromana]acker.Falseposi@vea]ackswillbe1%or0.1%ascommonaswithordinarytechnology.•Inthecaseofadistributedpasswordguessinga]ack,eitheritwillbemuchmoreexpensivetomountoralmostalloftheguesseswillbefilteredoutbeforereachingthecentralpasswordfile.•Weimaginethatuser(s)willenteraprototypepassword,whichwillbeasuitablemeasureofentropyandthenthetoolwillcalculate•Couldbechoosingasecondwordornumbertobeplacedatsomepoint.•Couldbereplacingcharactersinsomeway.•Obviouslyhastobedoneofflineorviaasecureservice.theentropythatwillbetakenawaybythetest,butpossiblymore.Ques)onsoflongerandmorevariedpasswordsstructureeterionmeanslongerpasswordsandlongertoconstructbalanceprototypesincludinghowtheyaffecthumanbehaviour.•Theseareusuallyvaria@onsofthediscretelogarithmproblemandbuildaquantumcomputer.•Wedonotknowwhenonewillbebuilt,butthisisarealproblemnow!•Weneedoursignaturestoremainreliable,andanysymmetrickeykwhichethodswillberevealedandhenceeverythingencryptedunderk.•Itisnotcomfortabletoknowthatyourcommunica@onsandrecordsfromtalldependonthesupposedintractabilityoftalldependonthesupposedintractabilityofcertain•Thismeansameansofsecuritythatwillnotbebrokenbyaquantumcomputer.trapdoors)thoughttobeproofagainstquantumcomputers.•ThebestcandidatescomefromlaTce-basedcryptography.•Cancreateverylargekeys,andno-onereallyunderstandswhatcanbedonewithaquantumcomputer.vulnerabletoquantumcomputersAndiftheyareweareinrealtrouble!)basiccrypto.Wehaveproposalsforbothsignatureandkeyagreement.ureesarecipientreasontobelievethatthemessagewascreatedbyaalteredintransit(integrity).Formally,adigitalsignatureschemeisatripleofprobabilisticpolynomialtimealgorithms,(G,S,V),satisfying:•G(key-generator)generatesapublickey,pk,andacorrespondingprivatekey,sk,oninput1n,wherenisthesecurityparameter.•S(signing)returnsatag,t,ontheinputs:theprivatekey,sk,andastring,x.•V(verifying)outputsacceptedorrejectedontheinputs:thepublickey,pk,astring,x,andatag,t.Forcorrectness,SandVmustsatisfyPr[(pk,sk)←G(1n),V(pk,x,S(sk,x))=accepted]=1.[9]Adigitalsignatureschemeissecureifforeverynon-uniformprobabilisticpolynomialtimeadversary,APr[(pk,sk)←G(1n),(x,t)←AS(sk,·)(pk,1n),x∉Q,V(pk,x,t)=accepted]<negl(n),whereAS(sk,·)denotesthatAhasaccesstotheoracle,S(sk,·),andQdenotesthesetofthequeriesonSmadebyA,whichknowsthepublickey,pk,andthesecurityparameter,n.hatwerequireanyadversarycannotdirectlyquerythestringxonSLet’scallthistheintensionaldefini@on:comeswithacleardefini@onabouthowitistobedone.forexampleLamport’ssignaturescheme.anuseeachpublickeysecretkeypaironlyonceandarefairlyelaborate.•Wewilldispensewiththedifferencebetweenpublicandsecretkeys.cleakeyissecretasuitablehashofitispublicanditselfwithaaboutwhenitwillordidchange.•WhileoneofA’skeysissecretAcansignanythingusingit.•Suchsignaturescanbecheckedoncethekeyispublic.•Akeycer@ficatenowtakestheform(hash(k,A,t),A,t),sign((A,hash(k,A,t),t),A’,t’)eaningthateitherthenodedoingthecheckingcanorthenodesoftheblockchainhasalreadycheck/edit.•WhereAhasreleasedacer@ficateforkeyvwithrelease@met,sign(X,A,t)=hash(X,v)andmustbeplacedontheblockchainbefore@met.ckAddtoconsensusmechanismdeoraCAcanmaintainAskeysbyaddingmorefuturekeysThatwayeachnodecanalwaysmaintainitssetoffuturekeys.•Extremelycheaptoimplement.