Added: incubator/milagro/site/www/docs/milagro-design/index.html URL: http://svn.apache.org/viewvc/incubator/milagro/site/www/docs/milagro-design/index.html?rev=1860997&view=auto ============================================================================== --- incubator/milagro/site/www/docs/milagro-design/index.html (added) +++ incubator/milagro/site/www/docs/milagro-design/index.html Tue Jun 11 00:28:48 2019 @@ -0,0 +1,147 @@ +<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Milagro Design · Apache Milagro</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="<h2><a class="anchor" aria-hidden="true" id="protocols-and-technology"></a><a href="#protocols-and-technology" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25 c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Protocols and Technology</h2> +"/><meta name="docsearch:language" content="en"/><meta property="og:title" content="Milagro Design · Apache Milagro"/><meta property="og:type" content="website"/><meta property="og:url" content="https://milagro.apache.org/"/><meta property="og:description" content="<h2><a class="anchor" aria-hidden="true" id="protocols-and-technology"></a><a href="#protocols-and-technology" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Protocols and Technology</h2> +"/><meta name="twitter:card" content="summary"/><link rel="shortcut icon" href="/img/favicon.ico"/><link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/default.min.css"/><link rel="alternate" type="application/atom+xml" href="https://milagro.apache.org/blog/atom.xml"; title="Apache Milagro Blog ATOM Feed"/><link rel="alternate" type="application/rss+xml" href="https://milagro.apache.org/blog/feed.xml"; title="Apache Milagro Blog RSS Feed"/><script type="text/javascript" src="https://buttons.github.io/buttons.js";></script><script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/MathJax.js?config=TeX-MML-AM_CHTML";></script><script src="/js/scrollSpy.js"></script><link rel="stylesheet" href="/css/main.css"/><script src="/js/codetabs.js"></script></head><body class="sideNavVisible separateOnPageNav"><div class="fixedHeaderContainer"><div class="headerWrapper wrapper"><header><a href="/"><img class="logo" src="/img/milagro .svg" alt="Apache Milagro"/><h2 class="headerTitleWithLogo">Apache Milagro</h2></a><div class="navigationWrapper navigationSlider"><nav class="slidingNav"><ul class="nav-site nav-site-internal"><li class="siteNavGroupActive"><a href="/docs/milagro-intro" target="_self">Docs</a></li><li class=""><a href="/help" target="_self">Support</a></li><li class="siteNavGroupActive"><a href="/docs/contributor-guide" target="_self">Contributing</a></li><li class=""><a href="/blog/" target="_self">Status</a></li></ul></nav></div></header></div></div><div class="navPusher"><div class="docMainWrapper wrapper"><div class="container docsNavContainer" id="docsNav"><nav class="toc"><div class="toggleNav"><section class="navWrapper wrapper"><div class="navBreadcrumb wrapper"><div class="navToggle" id="navToggler"><div class="hamburger-menu"><div class="line1"></div><div class="line2"></div><div class="line3"></div></div></div><h2><i>âº</i><span>About Milagro</span></h2><div class="tocToggler" id="to cToggler"><i class="icon-toc"></i></div></div><div class="navGroups"><div class="navGroup"><h3 class="navGroupCategoryTitle">About Milagro</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/milagro-intro">Milagro Introduction</a></li><li class="navListItem"><a class="navItem" href="/docs/milagro-crypto">Milagro Crypto</a></li><li class="navListItem"><a class="navItem" href="/docs/milagro-protocols">Milagro Protocols</a></li><li class="navListItem navListItemActive"><a class="navItem" href="/docs/milagro-design">Milagro Design</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">AMCL Library</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/amcl-overview">AMCL Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/amcl-c-api">AMCL C API</a></li><li class="navListItem"><a class="navItem" href="/docs/amcl-javascript-api">AMCL JavaScript API</a></li></ul></div><div class="navGroup"><h3 class="navGroupCateg oryTitle">D-TA Node</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/d-ta-overview">D-TA Node Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/d-ta-api">D-TA Node API</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">ZKP-MFA Clients/Servers</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/zkp-mfa-overview">ZKP-MFA Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/zkp-mfa-api">ZKP-MFA API</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Project Info</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/contributor-guide">Contributor's Guide</a></li></ul></div></div></section></div><script> + var coll = document.getElementsByClassName('collapsible'); + var checkActiveCategory = true; + for (var i = 0; i < coll.length; i++) { + var links = coll[i].nextElementSibling.getElementsByTagName('*'); + if (checkActiveCategory){ + for (var j = 0; j < links.length; j++) { + if (links[j].classList.contains('navListItemActive')){ + coll[i].nextElementSibling.classList.toggle('hide'); + coll[i].childNodes[1].classList.toggle('rotate'); + checkActiveCategory = false; + break; + } + } + } + + coll[i].addEventListener('click', function() { + var arrow = this.childNodes[1]; + arrow.classList.toggle('rotate'); + var content = this.nextElementSibling; + content.classList.toggle('hide'); + }); + } + + document.addEventListener('DOMContentLoaded', function() { + createToggler('#navToggler', '#docsNav', 'docsSliderActive'); + createToggler('#tocToggler', 'body', 'tocActive'); + + var headings = document.querySelector('.toc-headings'); + headings && headings.addEventListener('click', function(event) { + var el = event.target; + while(el !== headings){ + if (el.tagName === 'A') { + document.body.classList.remove('tocActive'); + break; + } else{ + el = el.parentNode; + } + } + }, false); + + function createToggler(togglerSelector, targetSelector, className) { + var toggler = document.querySelector(togglerSelector); + var target = document.querySelector(targetSelector); + + if (!toggler) { + return; + } + + toggler.onclick = function(event) { + event.preventDefault(); + + target.classList.toggle(className); + }; + } + }); + </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><h1 class="postHeaderTitle">Milagro Design</h1></header><article><div><span><h2><a class="anchor" aria-hidden="true" id="protocols-and-technology"></a><a href="#protocols-and-technology" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Protocols and Technology</h2> +<h3><a class="anchor" aria-hidden="true" id="identity-based-encryption"></a><a href="#identity-based-encryption" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Identity Based Encryption</h3> +<p>M-Pin and Chow Choo are in the class of Identity Based Encryption protocols, which use pairings in their construction. The M-Pin Protocol is intended to replace the well-known Username/Password authentication mechanism which is widely considered to be effectively broken.</p> +<p>The main problem is the existence of a password file on the server, which is commonly stolen and hacked, revealing most user passwords.</p> +<p>The idea behind Milagro's Zero-Knowledge Proof Multi-Factor Authentication (ZKP-MFA) Server is that each registered client is issued with a secret cryptographic key derived from their identity. They then prove to the Milagro ZKP-MFA Server that they are in possession of this key using a zero-knowledge proof protocol, which can be extended to include authenticated key agreement.</p> +<p>This protocol design eliminates the need for any information related to clients, or their keys, to be kept on the authentication server. Should an attacker penetrate the server, it is impossible to deduct any information about end users because it doesn't exist, at least within the authentication system.</p> +<p>Common to both Chow-Choo and M-Pin is that the keys are issued in shares, not as whole keys, by entities called Decentralized Trust Authorities. Only the clients who receive all of the shares from the D-TA's, will ever know their completed whole keys.</p> +<p>Industry commentators have long advocated a multi-factor solution. The novel feature of M-Pin and Chow-Choo is that the cryptographic secrets issued to clients or peers may be safely split up into any number of independent factors.</p> +<p>Each of these factors has the same form; they are points on an elliptic curve. To recreate the original secret, they are simply added together again -- it's as simple as that.</p> +<p>One factor might be derived from a key unlocked from the biometric login (ex: FaceID) which is available as a PIN input on a successful biometric authentication. This 'biometric based' PIN is, on Apple hardware, stored in the secure element of the device (something you are). Another factor might be the remainder token securely stored in the authenticator app on a smartphone (something you have). Yet a final piece can be a PIN or passphrase (something you know), which is secure as the M-Pin client secret cannot be brute force attacked offline.</p> +<h3><a class="anchor" aria-hidden="true" id="decentralized-identity"></a><a href="#decentralized-identity" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Decentralized Identity</h3> +<p>Milagro applications use these identity based protocols in combination with classical cryptosystems where the endpoint generates a public/private key pair and the private key never leaves the application or device.</p> +<p>An entity running a Milagro application attaches the public keys it has generated upon initialization to a self sovereign identity document (ID Document), that only reveals a unique account code as identifier. This ID document is signed by the Milagro and distributed over a decentralized identity system built upon IPFS<sup class="footnote-ref"><a href="#fn1" id="fnref1">[1]</a></sup>, so each ID Document lives on an immutable, operation-based conflict-free replicated data structure (CRDT), which is accessible to any other Milagro application.</p> +<p><em>For further detail, please see the format specification for ID Documents.</em></p> +<h3><a class="anchor" aria-hidden="true" id="encrypted-envelope"></a><a href="#encrypted-envelope" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Encrypted Envelope</h3> +<p>ID Documents enable messages, called Encrypted Envelopes, containing secrets to be sent between endpoints running Milagro software. This can include clients, servers and peers and Milagro ZKP-MFA Servers, ZKP-MFA clients and Decentralized Trust Authorities. The ID Documents of recipients are available to any endpoint, so their public keys can be used to secure secrets in transit. In the case of digital asset custody, these messages need to be part of a permanent record, available in a decentralized, immutable data structure (like a blockchain). Given the permanence of this data, the privacy design of these immutable records need to account for advances in quantum cryptography.</p> +<p>Messages and immutable records are encrypted with AES-GCM at a 256-bit level with parameters anticipating quantum cryptography. It is necessary to know the recipient's public key, obtained via the ID Document, in order to encapsulate the encryption key for each recipient of the message or entity who has access to the Immutable Record.</p> +<p>SIKE keys pairs are generated locally by endpoints running Milagro software, are not received in shares from D-TAs. SIKE public keys are used by the sender of a message to encapsulate the AES 256-bit key used to create the Encrypted Envelope. An encapsulation takes place once for every recipient and is affixed to the Encrypted Envelope.</p> +<p>BLS signatures handle two jobs. Like SIKE key pairs, BLS signature key pairs are generated locally by endpoints running Milagro software, are not received in shares from D-TAs. The signatures these keys generate enable the non-repudiation of Encrypted Envelopes between endpoints and stored long term as immutable records. This is a classic use case of digital signatures, like PGP signatures over email.</p> +<p><em>For further detail, please see the format specification for Encrypted Envelopes.</em></p> +<p>The other use of BLS signatures is more complex. As described previously, BLS signatures have unique properties. Milagro leverages its own Encrypted Envelope format to enable the BLS ability of splitting signing keys by with a secure mechanism to securely distribute the split BLS signing keys. When delivered securely to the right entities, these part shares of BLS signing keys themselves become signature keys. The thresholds of these signatures can be aggregated securely to produce an aggregated single signature which would have been produced by the original whole signing key prior to the original key being split. This signature can be verified by an aggregated public key.</p> +<p>Another capability is for a public key to be aggregated from multiple public keys in advance of aggregating signatures created by the corresponding private keys. These private keys are generated locally, and never leave the device, vs the method described previously. Signatures made from these keys can themselves be aggregated into a complete signature, verified by the aggregated public key.</p> +<p>These capabilities are well suited to safeguarding secrets with an example in the following section.</p> +<h2><a class="anchor" aria-hidden="true" id="decentralized-trust-authorities-d-ta"></a><a href="#decentralized-trust-authorities-d-ta" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Decentralized Trust Authorities: D-TA</h2> +<p>The Milagro framework protocols rely on Decentralized Trust Authorities for two jobs: Issuing shares of secrets, or safeguarding shares of secrets.</p> +<p>D-TAs can issue shares, or fractions, of Type-3 Pairing private keys to Milagro Applications, such as the Milagro ZKP-MFA Servers or clients or to other D-TAs, which can be any software or hardware applications that have embedded some Milagro code in order derive the functional capabilities.</p> +<p>These clients or peers become the only entities that know the completed whole keys assembled from shares issued by different Decentralized Trust Authorities.</p> +<p>Type-3 pairings were selected as they are the most efficient pairing and will work with non-supersingular pairing-friendly curves.</p> +<p>These operate as \( G_1 \) x \( G_2 \rightarrow G_T \), where \( G_2 \) is a particular group of points, again of the order \( q \), but on a twisted elliptic curve defined over an extension which is a divisor of \( k \).</p> +<p>These curves can be constructed to be a near perfect fit at any required level of security. The pairing protocols within the Milagro framework all work on a Type-3 pairing.</p> +<p>One of the novel aspects of pairing-based cryptography is that deployed secrets are commonly represented as points on an elliptic curve, which are the result of multiplying a known point by a master secret \( s \).</p> +<p>So for example a secret might be of the form \( sP \), where \( P \) is known.</p> +<p>There are a number of interesting things we can do with secrets that have this form, that are not possible with the secrets that arise when using other cryptographic technologies.</p> +<p>For example they can be split into two, into \( s_1P \) and \( s_2P \) where \( s=s_1+s_2 \) and \( sP = s_1P +s_2P \).</p> +<p>In fact they can be just as easily split into multiple parts, just like chopping up a cucumber.</p> +<p>We can also add extra components to create a secret of the form \( s(P_1+P_2) = sP_1+sP_2 \).</p> +<p>It is the flexibility that arises from this form of the secret that allows us to introduce the idea of chopping off a tiny sliver of the secret to support a PIN number.</p> +<p>It also facilitates the concept of <em>Time Permits</em> as discussed in a later section.</p> +<p>Lastly, it enables Decentralized Trust.</p> +<h3><a class="anchor" aria-hidden="true" id="issuing-secrets"></a><a href="#issuing-secrets" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Issuing Secrets</h3> +<p>A Trusted Authority will be in possession of a master secret \( s \), a random element of \( F_q \).</p> +<p>A client secret is of the form \( s.H(ID) \), where ID is the client identity and \( H(.) \) a hash function which maps to a point on \( G_1 \).</p> +<p>From prior art, we assume that \( H \) is modeled as a random oracle where \( H(ID) = r_{ID}.P \)</p> +<p>where \( r_{ID} \in F_q \) is random and \( P \) is a fixed generator of \( G_1 \).</p> +<p>A Milagro ZKP-MFA Server will be issued with \( sQ \), where \( Q \) is a fixed generator of \( G_2 \).</p> +<p>Note that this will be the only multiple of \( s \) in \( G_2 \) ever provided by the TA. Servers will always be associated with their own unique master secrets.</p> +<p>Note that the TA functionality can be trivially decentralized and distributed using a secret sharing scheme, to remove from the overall system a single point of compromise or coercion.</p> +<p>In the simplest possible case there may be two Decentralized Trusted Authorities (D-TAs), each of which independently maintains their own share of the master key.</p> +<p>So \( s=s_1+s_2 \), and each D-TA issues a part-client key to the client \( s_1 H(ID) \) and \( s_2 H(ID) \), which the client, after receiving the shares, adds together to form their full key.</p> +<p>Now even if one D-TA is compromised, the client key is still safe.</p> +<p>In the age of self sovereign identity, any entity can be a Decentralized Trust Authority as long as its Beneficiary trusts it to securely issue shares of secrets, or hold them for safekeeping.</p> +<h3><a class="anchor" aria-hidden="true" id="safekeeping-secrets"></a><a href="#safekeeping-secrets" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Safekeeping Secrets</h3> +<p>A D-TA may act as a Fiduciary over secrets where it can participate in a process to enable a Beneficiary to recover the secret. Using aggregated BLS signatures in a simple example, an entity running Milagro software may engage multiple D-TAs to act as Fiduciaries over its seed value used to generate and back up a cryptocurrency HD Wallet.</p> +<p>As described in<sup class="footnote-ref"><a href="#fn1" id="fnref1:1">[1]</a></sup> the first step is for each D-TA to generate a key pair by choosing \( s k \stackrel{s}{\leftarrow} \mathbb{Z}_{q} \) to compute:</p> +<p>$$ p k \leftarrow g_{2}^{s k}$$</p> +<p>which outputs the \( (p k, s k) \).</p> +<p>The Beneficiary would select which D-TA service providers (acting in concert) it would use to help it generate a secret. Assume a Beneficiary is also a participant in this protocol, it also runs a D-TA and acts as the designated combiner in the protocol.</p> +<p>In advance of creating the HD Wallet seed, a Beneficiary would elicit the services of Decentralized Trust Authorities to act as Fiduciaries in a decentralized secret recovery protocol. The Beneficiary's next step calculates the aggregate public key by running protocol \( \text { KAg }\)({\( p k_{1}, \ldots, p k_{n} \)}) using the D-TA's known public keys as input (who have agreed to act as Fiduciaries to this process) and also its own public key.</p> +<p>The Beneficiary then requests a signature \( \sigma \) on a message \( m \) from each of the D-TAs acting as Fiduciaries, including itself. For each D-TA, singing is a single round protocol.</p> +<p>To finalize setup, each D-TA transmits its signature \( \sigma \) to the Beneficiary (acting as designated combiner). The Beneficiary generates its own signature and combines it with the received D-TA signatures for the final aggregated signature of \( \sigma \leftarrow \prod_{j=1}^{n} s_{j} \).</p> +<p>The final signature is verified against the aggregated public key if the verifier function outputs 1. Assuming so, the setup completes by hashing the aggregated signature where \( H(\tilde{\sigma}) \) is the seed of the HD Wallet.</p> +<p>Assuming the Beneficiary has backed up their BLS signature key, recovering the HD Wallet seed from multiple Fiduciaries becomes as simple as re-running the setup protocol again. It is easy to envision Fiduciary services running D-TAs, responding and authenticating requests for recovering secrets.</p> +<h2><a class="anchor" aria-hidden="true" id="summary"></a><a href="#summary" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Summary</h2> +<h3><a class="anchor" aria-hidden="true" id="pairing-and-pq-cryptography"></a><a href="#pairing-and-pq-cryptography" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Pairing and PQ Cryptography</h3> +<p>Milagro leverages a combination of pairing and post-quantum algorithms to distribute cryptographic operations and split cryptographic parameters, providing a level of security and functionality that is a step forward in when compared to the certificate backed cryptosystems in service today. With pairing cryptography, security systems such as multi-factor authentication using zero knowledge protocols, certificate-less authenticated key agreement with perfect forward secrecy and decentralized secret recovery can be deployed in real world scenarios. AES-256 bit encryption and post-quantum key encapsulation ensure that long-lived data is safe from intrusion, even in the face of a post-quantum adversary.</p> +<h3><a class="anchor" aria-hidden="true" id="decentralized-cryptosystem"></a><a href="#decentralized-cryptosystem" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Decentralized Cryptosystem</h3> +<p>Bitcoin's blockchain provides an alternative distributed approach to managing a currency without the need for a central bank. With bitcoin, the ledger is distributed, not centralized. Milagro's cryptosystem is decentralized to create the same advantages as a distributed ledger. While architecturally different to the blockchain, Milagro's cryptosystem and the applications built on it are compatible with and can add significant value to cryptocurrencies and other decentralized networks.</p> +<p>Milagro envisions a new class of cryptographic service providers called Decentralized Trust Authorities, or D-TAs for short. The purpose of a D-TA is to independently issue shares, or fractions, of cryptographic keys to Milagro clients and servers and application endpoints which have embedded Milagro cryptographic libraries. D-TA's also operate as 'Fiduciaries', to enable their 'Beneficiaries' to recover secrets in a decentralized manner, without keeping a share of the secret itself. D-TAs operate independently from each other, are isolated in totality, and completely unaware of the existence of other D-TAs.</p> +<h3><a class="anchor" aria-hidden="true" id="no-single-point-of-compromise"></a><a href="#no-single-point-of-compromise" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>No Single Point of Compromise</h3> +<p>Milagro entities receive issued shares cryptographic keys or signatures and combine them to create the whole completed key or signature, thus becoming the only audience who possess knowledge of the entire key or signature. If D-TAs are under separate organizational controls, current root key compromises and key escrow threats inherent in PKI systems are an order of magnitude harder to achieve in a Milagro cryptosystem. An attacker would need to subvert all independent parties.</p> +<p>In other words, all D-TAs used to generate shares, or fractions, of keys for Milagro clients and servers must be compromised to create the equivalent of a PKI root key compromise. All D-TAs under the threshold needed to recreate a signature would need to be compromised (including the Beneficiary) in order to generate a final signature.</p> +<hr> + + <div class="admonition admonition-note"> + <div class="admonition-heading"> + <h5><div class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg"; width="14" height="16" viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"/></svg></div> See an error in this documentation?</h5> + </div> + <div class="admonition-content"> + <p>Submit a pull request on the development branch of <a href="https://github.com/apache/incubator-milagro";>Milagro Website Repo</a>.</p> +</div></div><!-- +Supported admonition types are: caution, note, important, tip, warning. +--><hr class="footnotes-sep"> +<section class="footnotes"> +<ol class="footnotes-list"> +<li id="fn1" class="footnote-item"><p><a href="https://eprint.iacr.org/2018/483";>Compact Multi-Signatures for Smaller Blockchains</a> <a href="#fnref1" class="footnote-backref">â©</a> <a href="#fnref1:1" class="footnote-backref">â©</a></p> +</li> +</ol> +</section> +</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/milagro-protocols"><span class="arrow-prev">â </span><span>Milagro Protocols</span></a><a class="docs-next button" href="/docs/amcl-overview"><span>AMCL Overview</span><span class="arrow-next"> â</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#protocols-and-technology">Protocols and Technology</a><ul class="toc-headings"><li><a href="#identity-based-encryption">Identity Based Encryption</a></li><li><a href="#decentralized-identity">Decentralized Identity</a></li><li><a href="#encrypted-envelope">Encrypted Envelope</a></li></ul></li><li><a href="#decentralized-trust-authorities-d-ta">Decentralized Trust Authorities: D-TA</a><ul class="toc-headings"><li><a href="#issuing-secrets">Issuing Secrets</a></li><li><a href="#safekeeping-secrets">Safekeeping Secrets</a></li></ul></li><li><a href="#summary">Summary</a><ul class="toc-headings"><li><a href="#pairing-and-pq-cryptography">Pairing and PQ Cryptography</a></li><li><a href="#decentralized-cryptosystem">Decentralized Cryptosystem</a></li><li><a href="#no-single-point-of-compromise">No Single Point of Compromise</a></li></ul></li></ul></nav></div><footer class="nav-footer" id="footer"><section class="sitemap"><a href="/" class="nav-home"><img src="/img/milagro.svg" alt="Apache Milagro" width="50" height="100"/></a><div><h5>Docs</h5><a href="/docs/milagro-intro.html">Milagro Intro</a><a href="/docs/amcl-overview.html">Apache Milagro Crypto Library</a><a href="/docs/d-ta-overview.html">Decentralized Trust Authority</a><a href="/docs/zkp-mfa-overview.html">Zero Knowledge Proof MFA</a></div><div><h5>Community</h5><a href="../help">Support</a><a href="../docs/contributor-guide">Contributing</a><a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=115529045"; target="_blank" rel="noreferrer noopener">Developer Wiki</a><a href="https://twitter.com/apachemila gro?lang=en" target="_blank" rel="noreferrer noopener">Twitter</a></div><div><h5>More</h5><a href="/blog">Status</a><a href="https://github.com/apache/incubator-milagro-crypto";>GitHub</a><a class="github-button" href="https://github.com/apache/incubator-milagro"; data-icon="octicon-star" data-count-href="/apache/incubator-milagro-crypto/stargazers" data-show-count="true" data-count-aria-label="# stargazers on GitHub" aria-label="Star this project on GitHub">Star</a></div></section><a href="https://apache.org"; target="_blank" rel="noreferrer noopener" class="fbOpenSource"><img src="/img/oss_logo.png" alt="Apache Incubator" width="170" height="45"/></a><section class="copyright">Copyright © 2019 The Apache Software Foundation. Apache Milagro, Milagro, Apache, the Apache feather, and the Apache Milagro project logo are either registered trademarks or trademarks of the Apache Software Foundation.</section></footer></div></body></html> \ No newline at end of file
Added: incubator/milagro/site/www/docs/milagro-intro.html URL: http://svn.apache.org/viewvc/incubator/milagro/site/www/docs/milagro-intro.html?rev=1860997&view=auto ============================================================================== --- incubator/milagro/site/www/docs/milagro-intro.html (added) +++ incubator/milagro/site/www/docs/milagro-intro.html Tue Jun 11 00:28:48 2019 @@ -0,0 +1,128 @@ +<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Milagro Introduction · Apache Milagro</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="<p>Apache Milagro is core security infrastructure and crypto libraries purpose-built for decentralized networks and distributed systems, while also providing value to cloud-connected app-centric software and IoT devices that require Internet scale.</p> +"/><meta name="docsearch:language" content="en"/><meta property="og:title" content="Milagro Introduction · Apache Milagro"/><meta property="og:type" content="website"/><meta property="og:url" content="https://milagro.apache.org/"/><meta property="og:description" content="<p>Apache Milagro is core security infrastructure and crypto libraries purpose-built for decentralized networks and distributed systems, while also providing value to cloud-connected app-centric software and IoT devices that require Internet scale.</p> +"/><meta name="twitter:card" content="summary"/><link rel="shortcut icon" href="/img/favicon.ico"/><link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/default.min.css"/><link rel="alternate" type="application/atom+xml" href="https://milagro.apache.org/blog/atom.xml"; title="Apache Milagro Blog ATOM Feed"/><link rel="alternate" type="application/rss+xml" href="https://milagro.apache.org/blog/feed.xml"; title="Apache Milagro Blog RSS Feed"/><script type="text/javascript" src="https://buttons.github.io/buttons.js";></script><script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/MathJax.js?config=TeX-MML-AM_CHTML";></script><script src="/js/scrollSpy.js"></script><link rel="stylesheet" href="/css/main.css"/><script src="/js/codetabs.js"></script></head><body class="sideNavVisible separateOnPageNav"><div class="fixedHeaderContainer"><div class="headerWrapper wrapper"><header><a href="/"><img class="logo" src="/img/milagro .svg" alt="Apache Milagro"/><h2 class="headerTitleWithLogo">Apache Milagro</h2></a><div class="navigationWrapper navigationSlider"><nav class="slidingNav"><ul class="nav-site nav-site-internal"><li class="siteNavGroupActive siteNavItemActive"><a href="/docs/milagro-intro" target="_self">Docs</a></li><li class=""><a href="/help" target="_self">Support</a></li><li class="siteNavGroupActive"><a href="/docs/contributor-guide" target="_self">Contributing</a></li><li class=""><a href="/blog/" target="_self">Status</a></li></ul></nav></div></header></div></div><div class="navPusher"><div class="docMainWrapper wrapper"><div class="container docsNavContainer" id="docsNav"><nav class="toc"><div class="toggleNav"><section class="navWrapper wrapper"><div class="navBreadcrumb wrapper"><div class="navToggle" id="navToggler"><div class="hamburger-menu"><div class="line1"></div><div class="line2"></div><div class="line3"></div></div></div><h2><i>âº</i><span>About Milagro</span></h2><div class=" tocToggler" id="tocToggler"><i class="icon-toc"></i></div></div><div class="navGroups"><div class="navGroup"><h3 class="navGroupCategoryTitle">About Milagro</h3><ul class=""><li class="navListItem navListItemActive"><a class="navItem" href="/docs/milagro-intro">Milagro Introduction</a></li><li class="navListItem"><a class="navItem" href="/docs/milagro-crypto">Milagro Crypto</a></li><li class="navListItem"><a class="navItem" href="/docs/milagro-protocols">Milagro Protocols</a></li><li class="navListItem"><a class="navItem" href="/docs/milagro-design">Milagro Design</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">AMCL Library</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/amcl-overview">AMCL Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/amcl-c-api">AMCL C API</a></li><li class="navListItem"><a class="navItem" href="/docs/amcl-javascript-api">AMCL JavaScript API</a></li></ul></div><div class="navGroup"><h3 cl ass="navGroupCategoryTitle">D-TA Node</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/d-ta-overview">D-TA Node Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/d-ta-api">D-TA Node API</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">ZKP-MFA Clients/Servers</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/zkp-mfa-overview">ZKP-MFA Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/zkp-mfa-api">ZKP-MFA API</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Project Info</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/contributor-guide">Contributor's Guide</a></li></ul></div></div></section></div><script> + var coll = document.getElementsByClassName('collapsible'); + var checkActiveCategory = true; + for (var i = 0; i < coll.length; i++) { + var links = coll[i].nextElementSibling.getElementsByTagName('*'); + if (checkActiveCategory){ + for (var j = 0; j < links.length; j++) { + if (links[j].classList.contains('navListItemActive')){ + coll[i].nextElementSibling.classList.toggle('hide'); + coll[i].childNodes[1].classList.toggle('rotate'); + checkActiveCategory = false; + break; + } + } + } + + coll[i].addEventListener('click', function() { + var arrow = this.childNodes[1]; + arrow.classList.toggle('rotate'); + var content = this.nextElementSibling; + content.classList.toggle('hide'); + }); + } + + document.addEventListener('DOMContentLoaded', function() { + createToggler('#navToggler', '#docsNav', 'docsSliderActive'); + createToggler('#tocToggler', 'body', 'tocActive'); + + var headings = document.querySelector('.toc-headings'); + headings && headings.addEventListener('click', function(event) { + var el = event.target; + while(el !== headings){ + if (el.tagName === 'A') { + document.body.classList.remove('tocActive'); + break; + } else{ + el = el.parentNode; + } + } + }, false); + + function createToggler(togglerSelector, targetSelector, className) { + var toggler = document.querySelector(togglerSelector); + var target = document.querySelector(targetSelector); + + if (!toggler) { + return; + } + + toggler.onclick = function(event) { + event.preventDefault(); + + target.classList.toggle(className); + }; + } + }); + </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><h1 class="postHeaderTitle">Milagro Introduction</h1></header><article><div><span><p>Apache Milagro is core security infrastructure and crypto libraries purpose-built for decentralized networks and distributed systems, while also providing value to cloud-connected app-centric software and IoT devices that require Internet scale.</p> +<p>Milagro's purpose is to provide a secure and positive open source alternative to centralized and proprietary monolithic trust providers such as commercial certificate authorities and the certificate backed cryptosystems that rely on them.</p> +<h2><a class="anchor" aria-hidden="true" id="pairing-cryptography"></a><a href="#pairing-cryptography" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Pairing Cryptography</h2> +<p>Over the last decade, pairings on elliptic curves have been a very active area of research in cryptography, particularly within decentralized networks and distributed systems.</p> +<p>A pairing is a kind of the bilinear map defined over an elliptic curve. Examples include Weil pairing, Tate pairing, optimal Ate pairing and so on.</p> +<p>Pairings map pairs of points on an elliptic curve into the multiplicative group of a finite field. Their unique properties have enabled many new cryptographic protocols that had not previously been feasible.</p> +<p><a href="https://en.wikipedia.org/wiki/Pairing-based_cryptography";>Pairing-Based Cryptography (PBC)</a> is emerging as a solution to complex problems that proved intractable to the standard mathematics of Public-Key Cryptography such as Identity-Based Encryption, whereby the identity of a client can be used as their public key.</p> +<p>In certain use cases, this removes the need for a PKI infrastructure eliminates the root key 'single point of compromise' weakness, as the main reason to issue certificates is used to bind a public / private key pair to an identity.</p> +<p>Removing the certificate management burden enables the identity management and key lifecycle to take place within the decentralized cryptosystem itself.</p> +<p>As a result, Milagro's decentralized cryptosystem design goals seek to deliver products that are easier to scale and manage that traditional PKI, and are a seamless fit for today's decentralized networks and distributed systems.</p> +<h2><a class="anchor" aria-hidden="true" id="pairings-go-mainstream"></a><a href="#pairings-go-mainstream" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Pairings Go Mainstream</h2> +<p>Pairings are key building blocks in Apache Milagro's crypto libraries and products. As examples, BLS signatures feature prominently in Milagro Decentralized Trust Authorities (D-TA), while the M-Pin protocol used in the Milagro ZKP-MFA clients and servers.</p> +<p><a href="https://en.wikipedia.org/wiki/Boneh-Lynn-Shacham";>BLS signatures</a> are widely recognized within the cryptocurrency space for their signature aggregation abilities. BLS signatures are now going through an IETF submission review<sup class="footnote-ref"><a href="#fn1" id="fnref1">[1]</a></sup> standardization process.</p> +<p>The <a href="https://eprint.iacr.org/2002/164";>M-Pin protocol</a><sup class="footnote-ref"><a href="#fn2" id="fnref2">[2]</a></sup>, which is a multi-factor authentication protocol built upon zero-knowledge proofs, is widely deployed across cloud infrastructures and in public facing deployments by the UK Government<sup class="footnote-ref"><a href="#fn3" id="fnref3">[3]</a></sup>.</p> +<p>Zcash implements their own zero-knowledge proof algorithm named zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge)<sup class="footnote-ref"><a href="#fn4" id="fnref4">[4]</a></sup>. zk-SNARKs is used for protecting privacy of transactions of Zcash. Pairings are a key ingredient for constructing zk-SNARKS.</p> +<p>Cloudflare introduced Geo Key Manager<sup class="footnote-ref"><a href="#fn5" id="fnref5">[5]</a></sup> to restrict distribution of customers' private keys to the subset of their data centers. To achieve this functionality, attribute-based encryption is used and pairings again are a key building block.</p> +<p>The Trusted Computing Group (TCG) specifies ECDAA (Elliptic Curve Direct Anonymous Attestation) in the specification of Trusted Platform Module<sup class="footnote-ref"><a href="#fn6" id="fnref6">[6]</a></sup>. ECDAA is a protocol for proving the attestation held by a Trusted Platform Module (TPM) to a verifier without revealing the attestation held by that TPM. Pairing cryptography is used for constructing ECDAA. FIDO Alliance<sup class="footnote-ref"><a href="#fn7" id="fnref7">[7]</a></sup> and W3C<sup class="footnote-ref"><a href="#fn8" id="fnref8">[8]</a></sup> have also published ECDAA algorithms similar to TCG.</p> +<p>In 2015, NIST <a href="http://www.theregister.co.uk/2014/05/26/congress_divorces_nist_from_nsa/";>(<strong><em>the 'post-NSA' NIST</em></strong>)</a> goes so far as to recommend standardization of pairing based cryptography in their publication, <a href="http://nvlpubs.nist.gov/nistpubs/jres/120/jres.120.002.pdf";>Report on Pairing-Based Cryptography</a>.</p> +<blockquote> +<p>"Based on the study, the report suggests an approach for including pairing-based cryptography schemes in the NIST cryptographic toolkit. As we have seen, pairing-based cryptography has much to offer. Pairing-based schemes, such as IBE, provide special properties which cannot be provided through traditional PKI in a straightforward way. Therefore, pairing-based cryptographic schemes would make a nice addition to NISTâs cryptographic toolkit. In particular, we have focused attention on IBE. IBE simplifies key management procedures of certificate-based public key infrastructures. IBE also offers interesting features arising from the possibility of encoding additional information into a userâs identity. It has been a decade since the first IBE schemes were proposed. These schemes have received sufficient attention from the cryptographic community and no weakness has been identified."</p> +<pre><code class="hljs"> --- NIST, Report on Pairing-Based Cryptography +</code></pre> +</blockquote> +<h2><a class="anchor" aria-hidden="true" id="the-move-to-post-quantum"></a><a href="#the-move-to-post-quantum" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>The Move to Post-Quantum</h2> +<p>The security of almost all public-key cryptosystems in use today rely on computational assumptions such as the Integer Factorization (IF) and Discrete Logarithm (DL) problems as the foundation of their security. These are problems that today's classical computers cannot solve. In 1994, Shor<sup class="footnote-ref"><a href="#fn9" id="fnref9">[9]</a></sup> showed that both IF and DL problems are easy to solve on a quantum computer, based on the laws of quantum physics. As a consequence, almost all currently deployed public-key cryptosystems will become completely insecure if quantum computers become a practical reality.</p> +<p>According to NIST in its Report on Post-Quantum Cryptography<sup class="footnote-ref"><a href="#fn10" id="fnref10">[10]</a></sup>, "It will take significant effort to ensure a smooth and secure migration from the current widely used cryptosystems to their quantum computing resistant counterparts. Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing."</p> +<p>Most experts have a range of quantum computing being strong enough to crack today's cryptosystems being on the horizon anywhere from five to twenty years. It should also be stated that quantum computation only speeds up a brute-force keysearch by a factor of a square root, so any symmetric algorithm can be made secure against a quantum computer by doubling the key length, i.e., take AES from 128 bits to 256.</p> +<p>Milagro has begun implementing post-quantum algorithms into its code base, beginning with the Supersingular Isogeny Key Encapsulation<sup class="footnote-ref"><a href="#fn11" id="fnref11">[11]</a></sup> protocol. Why?</p> +<p>Obviously, data that is transient and that does not retain a long term value doesn't require a level of protection against a post-quantum adversary. It becomes an issue when data is retained for the long term. If data is harvested and stored, and has retained value even after decades, then it should be protected to a post-quantum degree. In short, you are protecting the data for the day <em>WHEN</em> a working quantum computer comes online.</p> +<hr> +<p><strong>It is hoped that Apache Milagro will become a safe, IPR free island of innovation for cryptographers interested in pairing protocols that deliver much needed core security infrastructure for the advancement of decentralized networks and distributed systems.</strong></p> +<p><strong>We hope you join us and become part of this journey.</strong></p> +<hr> + + <div class="admonition admonition-note"> + <div class="admonition-heading"> + <h5><div class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg"; width="14" height="16" viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"/></svg></div> See an error in this documentation?</h5> + </div> + <div class="admonition-content"> + <p>Submit a pull request on the development branch of <a href="https://github.com/apache/incubator-milagro";>Milagro Website Repo</a>.</p> +</div></div><!-- +Supported admonition types are: caution, note, important, tip, warning. +--><hr class="footnotes-sep"> +<section class="footnotes"> +<ol class="footnotes-list"> +<li id="fn1" class="footnote-item"><p><a href="https://datatracker.ietf.org/doc/draft-boneh-bls-signature/";>IETF BLS Signature Internet Draft</a> <a href="#fnref1" class="footnote-backref">â©</a></p> +</li> +<li id="fn2" class="footnote-item"><p><a href="https://tools.ietf.org/html/draft-scott-mpin-00";>IETF M-Pin Informational Draft</a> <a href="#fnref2" class="footnote-backref">â©</a></p> +</li> +<li id="fn3" class="footnote-item"><p><a href="https://www.computerweekly.com/news/4500260479/Experian-chooses-UK-authentication-startup-for-GovUK-Verify";>UK Government selects M-Pin protocol based authentication provider</a> <a href="#fnref3" class="footnote-backref">â©</a></p> +</li> +<li id="fn4" class="footnote-item"><p><a href="https://z.cash/technology/zksnarks.html";>Lindemann, R., "What are zk-SNARKs?", July 2018</a> <a href="#fnref4" class="footnote-backref">â©</a></p> +</li> +<li id="fn5" class="footnote-item"><p><a href="https://blog.cloudflare.com/geo-key-manager-how-it-works";>Geo Key Manager: How It Works</a> <a href="#fnref5" class="footnote-backref">â©</a></p> +</li> +<li id="fn6" class="footnote-item"><p><a href="https://trustedcomputinggroup.org/resource/tpm-library-specification/";>TPM 2.0 Library Specification", September 2016</a> <a href="#fnref6" class="footnote-backref">â©</a></p> +</li> +<li id="fn7" class="footnote-item"><p><a href="https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-ecdaa-algorithm-v2.0-rd-20180702.html";>FIDO ECDAA Algorithm - FIDO Alliance Review Draft 02</a> <a href="#fnref7" class="footnote-backref">â©</a></p> +</li> +<li id="fn8" class="footnote-item"><p><a href="https://www.w3.org/TR/webauthn";>Web Authentication: An API for accessing Public Key Credentials Level 1 - W3C Candidate Recommendation</a> <a href="#fnref8" class="footnote-backref">â©</a></p> +</li> +<li id="fn9" class="footnote-item"><p><a href="https://pdfs.semanticscholar.org/6902/cb196ec032852ff31cc178ca822a5f67b2f2.pdf";>Algorithms for quantum computation: discrete logarithms and factoring</a> <a href="#fnref9" class="footnote-backref">â©</a></p> +</li> +<li id="fn10" class="footnote-item"><p><a href="https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8105.pdf";>Report on post-quantum cryptography</a> <a href="#fnref10" class="footnote-backref">â©</a></p> +</li> +<li id="fn11" class="footnote-item"><p><a href="https://sike.org/";>SIKE</a> <a href="#fnref11" class="footnote-backref">â©</a></p> +</li> +</ol> +</section> +</span></div></article></div><div class="docs-prevnext"><a class="docs-next button" href="/docs/milagro-crypto"><span>Milagro Crypto</span><span class="arrow-next"> â</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#pairing-cryptography">Pairing Cryptography</a></li><li><a href="#pairings-go-mainstream">Pairings Go Mainstream</a></li><li><a href="#the-move-to-post-quantum">The Move to Post-Quantum</a></li></ul></nav></div><footer class="nav-footer" id="footer"><section class="sitemap"><a href="/" class="nav-home"><img src="/img/milagro.svg" alt="Apache Milagro" width="50" height="100"/></a><div><h5>Docs</h5><a href="/docs/milagro-intro.html">Milagro Intro</a><a href="/docs/amcl-overview.html">Apache Milagro Crypto Library</a><a href="/docs/d-ta-overview.html">Decentralized Trust Authority</a><a href="/docs/zkp-mfa-overview.html">Zero Knowledge Proof MFA</a></div><div><h5>Community</h5><a href="../help">Support</a><a href="../docs/contrib utor-guide">Contributing</a><a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=115529045"; target="_blank" rel="noreferrer noopener">Developer Wiki</a><a href="https://twitter.com/apachemilagro?lang=en"; target="_blank" rel="noreferrer noopener">Twitter</a></div><div><h5>More</h5><a href="/blog">Status</a><a href="https://github.com/apache/incubator-milagro-crypto";>GitHub</a><a class="github-button" href="https://github.com/apache/incubator-milagro"; data-icon="octicon-star" data-count-href="/apache/incubator-milagro-crypto/stargazers" data-show-count="true" data-count-aria-label="# stargazers on GitHub" aria-label="Star this project on GitHub">Star</a></div></section><a href="https://apache.org"; target="_blank" rel="noreferrer noopener" class="fbOpenSource"><img src="/img/oss_logo.png" alt="Apache Incubator" width="170" height="45"/></a><section class="copyright">Copyright © 2019 The Apache Software Foundation. Apache Milagro, Milagro, Apache, the Apache fea ther, and the Apache Milagro project logo are either registered trademarks or trademarks of the Apache Software Foundation.</section></footer></div></body></html> \ No newline at end of file Added: incubator/milagro/site/www/docs/milagro-intro/index.html URL: http://svn.apache.org/viewvc/incubator/milagro/site/www/docs/milagro-intro/index.html?rev=1860997&view=auto ============================================================================== --- incubator/milagro/site/www/docs/milagro-intro/index.html (added) +++ incubator/milagro/site/www/docs/milagro-intro/index.html Tue Jun 11 00:28:48 2019 @@ -0,0 +1,128 @@ +<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Milagro Introduction · Apache Milagro</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="<p>Apache Milagro is core security infrastructure and crypto libraries purpose-built for decentralized networks and distributed systems, while also providing value to cloud-connected app-centric software and IoT devices that require Internet scale.</p> +"/><meta name="docsearch:language" content="en"/><meta property="og:title" content="Milagro Introduction · Apache Milagro"/><meta property="og:type" content="website"/><meta property="og:url" content="https://milagro.apache.org/"/><meta property="og:description" content="<p>Apache Milagro is core security infrastructure and crypto libraries purpose-built for decentralized networks and distributed systems, while also providing value to cloud-connected app-centric software and IoT devices that require Internet scale.</p> +"/><meta name="twitter:card" content="summary"/><link rel="shortcut icon" href="/img/favicon.ico"/><link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/default.min.css"/><link rel="alternate" type="application/atom+xml" href="https://milagro.apache.org/blog/atom.xml"; title="Apache Milagro Blog ATOM Feed"/><link rel="alternate" type="application/rss+xml" href="https://milagro.apache.org/blog/feed.xml"; title="Apache Milagro Blog RSS Feed"/><script type="text/javascript" src="https://buttons.github.io/buttons.js";></script><script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/MathJax.js?config=TeX-MML-AM_CHTML";></script><script src="/js/scrollSpy.js"></script><link rel="stylesheet" href="/css/main.css"/><script src="/js/codetabs.js"></script></head><body class="sideNavVisible separateOnPageNav"><div class="fixedHeaderContainer"><div class="headerWrapper wrapper"><header><a href="/"><img class="logo" src="/img/milagro .svg" alt="Apache Milagro"/><h2 class="headerTitleWithLogo">Apache Milagro</h2></a><div class="navigationWrapper navigationSlider"><nav class="slidingNav"><ul class="nav-site nav-site-internal"><li class="siteNavGroupActive siteNavItemActive"><a href="/docs/milagro-intro" target="_self">Docs</a></li><li class=""><a href="/help" target="_self">Support</a></li><li class="siteNavGroupActive"><a href="/docs/contributor-guide" target="_self">Contributing</a></li><li class=""><a href="/blog/" target="_self">Status</a></li></ul></nav></div></header></div></div><div class="navPusher"><div class="docMainWrapper wrapper"><div class="container docsNavContainer" id="docsNav"><nav class="toc"><div class="toggleNav"><section class="navWrapper wrapper"><div class="navBreadcrumb wrapper"><div class="navToggle" id="navToggler"><div class="hamburger-menu"><div class="line1"></div><div class="line2"></div><div class="line3"></div></div></div><h2><i>âº</i><span>About Milagro</span></h2><div class=" tocToggler" id="tocToggler"><i class="icon-toc"></i></div></div><div class="navGroups"><div class="navGroup"><h3 class="navGroupCategoryTitle">About Milagro</h3><ul class=""><li class="navListItem navListItemActive"><a class="navItem" href="/docs/milagro-intro">Milagro Introduction</a></li><li class="navListItem"><a class="navItem" href="/docs/milagro-crypto">Milagro Crypto</a></li><li class="navListItem"><a class="navItem" href="/docs/milagro-protocols">Milagro Protocols</a></li><li class="navListItem"><a class="navItem" href="/docs/milagro-design">Milagro Design</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">AMCL Library</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/amcl-overview">AMCL Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/amcl-c-api">AMCL C API</a></li><li class="navListItem"><a class="navItem" href="/docs/amcl-javascript-api">AMCL JavaScript API</a></li></ul></div><div class="navGroup"><h3 cl ass="navGroupCategoryTitle">D-TA Node</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/d-ta-overview">D-TA Node Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/d-ta-api">D-TA Node API</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">ZKP-MFA Clients/Servers</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/zkp-mfa-overview">ZKP-MFA Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/zkp-mfa-api">ZKP-MFA API</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Project Info</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/contributor-guide">Contributor's Guide</a></li></ul></div></div></section></div><script> + var coll = document.getElementsByClassName('collapsible'); + var checkActiveCategory = true; + for (var i = 0; i < coll.length; i++) { + var links = coll[i].nextElementSibling.getElementsByTagName('*'); + if (checkActiveCategory){ + for (var j = 0; j < links.length; j++) { + if (links[j].classList.contains('navListItemActive')){ + coll[i].nextElementSibling.classList.toggle('hide'); + coll[i].childNodes[1].classList.toggle('rotate'); + checkActiveCategory = false; + break; + } + } + } + + coll[i].addEventListener('click', function() { + var arrow = this.childNodes[1]; + arrow.classList.toggle('rotate'); + var content = this.nextElementSibling; + content.classList.toggle('hide'); + }); + } + + document.addEventListener('DOMContentLoaded', function() { + createToggler('#navToggler', '#docsNav', 'docsSliderActive'); + createToggler('#tocToggler', 'body', 'tocActive'); + + var headings = document.querySelector('.toc-headings'); + headings && headings.addEventListener('click', function(event) { + var el = event.target; + while(el !== headings){ + if (el.tagName === 'A') { + document.body.classList.remove('tocActive'); + break; + } else{ + el = el.parentNode; + } + } + }, false); + + function createToggler(togglerSelector, targetSelector, className) { + var toggler = document.querySelector(togglerSelector); + var target = document.querySelector(targetSelector); + + if (!toggler) { + return; + } + + toggler.onclick = function(event) { + event.preventDefault(); + + target.classList.toggle(className); + }; + } + }); + </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><h1 class="postHeaderTitle">Milagro Introduction</h1></header><article><div><span><p>Apache Milagro is core security infrastructure and crypto libraries purpose-built for decentralized networks and distributed systems, while also providing value to cloud-connected app-centric software and IoT devices that require Internet scale.</p> +<p>Milagro's purpose is to provide a secure and positive open source alternative to centralized and proprietary monolithic trust providers such as commercial certificate authorities and the certificate backed cryptosystems that rely on them.</p> +<h2><a class="anchor" aria-hidden="true" id="pairing-cryptography"></a><a href="#pairing-cryptography" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Pairing Cryptography</h2> +<p>Over the last decade, pairings on elliptic curves have been a very active area of research in cryptography, particularly within decentralized networks and distributed systems.</p> +<p>A pairing is a kind of the bilinear map defined over an elliptic curve. Examples include Weil pairing, Tate pairing, optimal Ate pairing and so on.</p> +<p>Pairings map pairs of points on an elliptic curve into the multiplicative group of a finite field. Their unique properties have enabled many new cryptographic protocols that had not previously been feasible.</p> +<p><a href="https://en.wikipedia.org/wiki/Pairing-based_cryptography";>Pairing-Based Cryptography (PBC)</a> is emerging as a solution to complex problems that proved intractable to the standard mathematics of Public-Key Cryptography such as Identity-Based Encryption, whereby the identity of a client can be used as their public key.</p> +<p>In certain use cases, this removes the need for a PKI infrastructure eliminates the root key 'single point of compromise' weakness, as the main reason to issue certificates is used to bind a public / private key pair to an identity.</p> +<p>Removing the certificate management burden enables the identity management and key lifecycle to take place within the decentralized cryptosystem itself.</p> +<p>As a result, Milagro's decentralized cryptosystem design goals seek to deliver products that are easier to scale and manage that traditional PKI, and are a seamless fit for today's decentralized networks and distributed systems.</p> +<h2><a class="anchor" aria-hidden="true" id="pairings-go-mainstream"></a><a href="#pairings-go-mainstream" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Pairings Go Mainstream</h2> +<p>Pairings are key building blocks in Apache Milagro's crypto libraries and products. As examples, BLS signatures feature prominently in Milagro Decentralized Trust Authorities (D-TA), while the M-Pin protocol used in the Milagro ZKP-MFA clients and servers.</p> +<p><a href="https://en.wikipedia.org/wiki/Boneh-Lynn-Shacham";>BLS signatures</a> are widely recognized within the cryptocurrency space for their signature aggregation abilities. BLS signatures are now going through an IETF submission review<sup class="footnote-ref"><a href="#fn1" id="fnref1">[1]</a></sup> standardization process.</p> +<p>The <a href="https://eprint.iacr.org/2002/164";>M-Pin protocol</a><sup class="footnote-ref"><a href="#fn2" id="fnref2">[2]</a></sup>, which is a multi-factor authentication protocol built upon zero-knowledge proofs, is widely deployed across cloud infrastructures and in public facing deployments by the UK Government<sup class="footnote-ref"><a href="#fn3" id="fnref3">[3]</a></sup>.</p> +<p>Zcash implements their own zero-knowledge proof algorithm named zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge)<sup class="footnote-ref"><a href="#fn4" id="fnref4">[4]</a></sup>. zk-SNARKs is used for protecting privacy of transactions of Zcash. Pairings are a key ingredient for constructing zk-SNARKS.</p> +<p>Cloudflare introduced Geo Key Manager<sup class="footnote-ref"><a href="#fn5" id="fnref5">[5]</a></sup> to restrict distribution of customers' private keys to the subset of their data centers. To achieve this functionality, attribute-based encryption is used and pairings again are a key building block.</p> +<p>The Trusted Computing Group (TCG) specifies ECDAA (Elliptic Curve Direct Anonymous Attestation) in the specification of Trusted Platform Module<sup class="footnote-ref"><a href="#fn6" id="fnref6">[6]</a></sup>. ECDAA is a protocol for proving the attestation held by a Trusted Platform Module (TPM) to a verifier without revealing the attestation held by that TPM. Pairing cryptography is used for constructing ECDAA. FIDO Alliance<sup class="footnote-ref"><a href="#fn7" id="fnref7">[7]</a></sup> and W3C<sup class="footnote-ref"><a href="#fn8" id="fnref8">[8]</a></sup> have also published ECDAA algorithms similar to TCG.</p> +<p>In 2015, NIST <a href="http://www.theregister.co.uk/2014/05/26/congress_divorces_nist_from_nsa/";>(<strong><em>the 'post-NSA' NIST</em></strong>)</a> goes so far as to recommend standardization of pairing based cryptography in their publication, <a href="http://nvlpubs.nist.gov/nistpubs/jres/120/jres.120.002.pdf";>Report on Pairing-Based Cryptography</a>.</p> +<blockquote> +<p>"Based on the study, the report suggests an approach for including pairing-based cryptography schemes in the NIST cryptographic toolkit. As we have seen, pairing-based cryptography has much to offer. Pairing-based schemes, such as IBE, provide special properties which cannot be provided through traditional PKI in a straightforward way. Therefore, pairing-based cryptographic schemes would make a nice addition to NISTâs cryptographic toolkit. In particular, we have focused attention on IBE. IBE simplifies key management procedures of certificate-based public key infrastructures. IBE also offers interesting features arising from the possibility of encoding additional information into a userâs identity. It has been a decade since the first IBE schemes were proposed. These schemes have received sufficient attention from the cryptographic community and no weakness has been identified."</p> +<pre><code class="hljs"> --- NIST, Report on Pairing-Based Cryptography +</code></pre> +</blockquote> +<h2><a class="anchor" aria-hidden="true" id="the-move-to-post-quantum"></a><a href="#the-move-to-post-quantum" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>The Move to Post-Quantum</h2> +<p>The security of almost all public-key cryptosystems in use today rely on computational assumptions such as the Integer Factorization (IF) and Discrete Logarithm (DL) problems as the foundation of their security. These are problems that today's classical computers cannot solve. In 1994, Shor<sup class="footnote-ref"><a href="#fn9" id="fnref9">[9]</a></sup> showed that both IF and DL problems are easy to solve on a quantum computer, based on the laws of quantum physics. As a consequence, almost all currently deployed public-key cryptosystems will become completely insecure if quantum computers become a practical reality.</p> +<p>According to NIST in its Report on Post-Quantum Cryptography<sup class="footnote-ref"><a href="#fn10" id="fnref10">[10]</a></sup>, "It will take significant effort to ensure a smooth and secure migration from the current widely used cryptosystems to their quantum computing resistant counterparts. Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing."</p> +<p>Most experts have a range of quantum computing being strong enough to crack today's cryptosystems being on the horizon anywhere from five to twenty years. It should also be stated that quantum computation only speeds up a brute-force keysearch by a factor of a square root, so any symmetric algorithm can be made secure against a quantum computer by doubling the key length, i.e., take AES from 128 bits to 256.</p> +<p>Milagro has begun implementing post-quantum algorithms into its code base, beginning with the Supersingular Isogeny Key Encapsulation<sup class="footnote-ref"><a href="#fn11" id="fnref11">[11]</a></sup> protocol. Why?</p> +<p>Obviously, data that is transient and that does not retain a long term value doesn't require a level of protection against a post-quantum adversary. It becomes an issue when data is retained for the long term. If data is harvested and stored, and has retained value even after decades, then it should be protected to a post-quantum degree. In short, you are protecting the data for the day <em>WHEN</em> a working quantum computer comes online.</p> +<hr> +<p><strong>It is hoped that Apache Milagro will become a safe, IPR free island of innovation for cryptographers interested in pairing protocols that deliver much needed core security infrastructure for the advancement of decentralized networks and distributed systems.</strong></p> +<p><strong>We hope you join us and become part of this journey.</strong></p> +<hr> + + <div class="admonition admonition-note"> + <div class="admonition-heading"> + <h5><div class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg"; width="14" height="16" viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"/></svg></div> See an error in this documentation?</h5> + </div> + <div class="admonition-content"> + <p>Submit a pull request on the development branch of <a href="https://github.com/apache/incubator-milagro";>Milagro Website Repo</a>.</p> +</div></div><!-- +Supported admonition types are: caution, note, important, tip, warning. +--><hr class="footnotes-sep"> +<section class="footnotes"> +<ol class="footnotes-list"> +<li id="fn1" class="footnote-item"><p><a href="https://datatracker.ietf.org/doc/draft-boneh-bls-signature/";>IETF BLS Signature Internet Draft</a> <a href="#fnref1" class="footnote-backref">â©</a></p> +</li> +<li id="fn2" class="footnote-item"><p><a href="https://tools.ietf.org/html/draft-scott-mpin-00";>IETF M-Pin Informational Draft</a> <a href="#fnref2" class="footnote-backref">â©</a></p> +</li> +<li id="fn3" class="footnote-item"><p><a href="https://www.computerweekly.com/news/4500260479/Experian-chooses-UK-authentication-startup-for-GovUK-Verify";>UK Government selects M-Pin protocol based authentication provider</a> <a href="#fnref3" class="footnote-backref">â©</a></p> +</li> +<li id="fn4" class="footnote-item"><p><a href="https://z.cash/technology/zksnarks.html";>Lindemann, R., "What are zk-SNARKs?", July 2018</a> <a href="#fnref4" class="footnote-backref">â©</a></p> +</li> +<li id="fn5" class="footnote-item"><p><a href="https://blog.cloudflare.com/geo-key-manager-how-it-works";>Geo Key Manager: How It Works</a> <a href="#fnref5" class="footnote-backref">â©</a></p> +</li> +<li id="fn6" class="footnote-item"><p><a href="https://trustedcomputinggroup.org/resource/tpm-library-specification/";>TPM 2.0 Library Specification", September 2016</a> <a href="#fnref6" class="footnote-backref">â©</a></p> +</li> +<li id="fn7" class="footnote-item"><p><a href="https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-ecdaa-algorithm-v2.0-rd-20180702.html";>FIDO ECDAA Algorithm - FIDO Alliance Review Draft 02</a> <a href="#fnref7" class="footnote-backref">â©</a></p> +</li> +<li id="fn8" class="footnote-item"><p><a href="https://www.w3.org/TR/webauthn";>Web Authentication: An API for accessing Public Key Credentials Level 1 - W3C Candidate Recommendation</a> <a href="#fnref8" class="footnote-backref">â©</a></p> +</li> +<li id="fn9" class="footnote-item"><p><a href="https://pdfs.semanticscholar.org/6902/cb196ec032852ff31cc178ca822a5f67b2f2.pdf";>Algorithms for quantum computation: discrete logarithms and factoring</a> <a href="#fnref9" class="footnote-backref">â©</a></p> +</li> +<li id="fn10" class="footnote-item"><p><a href="https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8105.pdf";>Report on post-quantum cryptography</a> <a href="#fnref10" class="footnote-backref">â©</a></p> +</li> +<li id="fn11" class="footnote-item"><p><a href="https://sike.org/";>SIKE</a> <a href="#fnref11" class="footnote-backref">â©</a></p> +</li> +</ol> +</section> +</span></div></article></div><div class="docs-prevnext"><a class="docs-next button" href="/docs/milagro-crypto"><span>Milagro Crypto</span><span class="arrow-next"> â</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#pairing-cryptography">Pairing Cryptography</a></li><li><a href="#pairings-go-mainstream">Pairings Go Mainstream</a></li><li><a href="#the-move-to-post-quantum">The Move to Post-Quantum</a></li></ul></nav></div><footer class="nav-footer" id="footer"><section class="sitemap"><a href="/" class="nav-home"><img src="/img/milagro.svg" alt="Apache Milagro" width="50" height="100"/></a><div><h5>Docs</h5><a href="/docs/milagro-intro.html">Milagro Intro</a><a href="/docs/amcl-overview.html">Apache Milagro Crypto Library</a><a href="/docs/d-ta-overview.html">Decentralized Trust Authority</a><a href="/docs/zkp-mfa-overview.html">Zero Knowledge Proof MFA</a></div><div><h5>Community</h5><a href="../help">Support</a><a href="../docs/contrib utor-guide">Contributing</a><a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=115529045"; target="_blank" rel="noreferrer noopener">Developer Wiki</a><a href="https://twitter.com/apachemilagro?lang=en"; target="_blank" rel="noreferrer noopener">Twitter</a></div><div><h5>More</h5><a href="/blog">Status</a><a href="https://github.com/apache/incubator-milagro-crypto";>GitHub</a><a class="github-button" href="https://github.com/apache/incubator-milagro"; data-icon="octicon-star" data-count-href="/apache/incubator-milagro-crypto/stargazers" data-show-count="true" data-count-aria-label="# stargazers on GitHub" aria-label="Star this project on GitHub">Star</a></div></section><a href="https://apache.org"; target="_blank" rel="noreferrer noopener" class="fbOpenSource"><img src="/img/oss_logo.png" alt="Apache Incubator" width="170" height="45"/></a><section class="copyright">Copyright © 2019 The Apache Software Foundation. Apache Milagro, Milagro, Apache, the Apache fea ther, and the Apache Milagro project logo are either registered trademarks or trademarks of the Apache Software Foundation.</section></footer></div></body></html> \ No newline at end of file
