From YouTube: TokenScript Weekly Meeting 20200319
Description
00:11:40 weiwu: https://drive.google.com/file/d/1_I7460FiEtPNG-8ySQ_HnBXWTmBTje5O/view
00:13:47 weiwu: https://projects.invisionapp.com/share/NJWEZI4E2VP#/screens/409351809_1-Setup-settings-
00:28:08 Tore: https://eprint.iacr.org/2019/1470.pdf
00:28:36 weiwu: Password authenticated key exchange
00:31:40 Tore: https://bitbucket.alexandra.dk/projects/OL/repos/pesto
00:32:00 Tore: https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol
00:32:26 Tore: https://eprint.iacr.org/2018/163.pdf
A
Hello, hello. Yeah, can you hear me? I can hear you. Okay, good, that's good! Sorry, sorry, it's not really bad about. It says it's a really bad thing, so I bought a horse and then went to take her to Duluth, to the forest, just a short walk for one hour, and I should be back before 7 p.m., but she does not. She got naughty and I took her, put her back, and she's half a tongue, so.
A
Okay, so what I want to show you is this document. Okay, so I know you worked on secret sharing, like, sorry, a multi-party computation of RSA signature, right? Yeah, yeah. So I thought that in that setup there are two things. One is secret sharing, which is, I'm just explaining my understanding, correct me if I'm wrong, that there are multiple parties keeping the shares of keys, and there's a threshold of key shares to obtain, not to reconstruct the secret, and everybody.
B
So there's different ways of doing it. What you're mentioning is one way of doing it, but it depends exactly on which scheme you're using, so I mean, you can also, like, how it's used with RSA is usually that you have shares and then you construct the shared signature or shared decryption, yeah.
A
So the same assumption would have... Let's say there is an old secret sharing method which involves me sharing, and there's a new one which never reconstructs the secret but instead constructs the signature directly through multi-party computation. So let's just call it the old method and the new method. So the same assumption, that the key is compromised in time in the old method, isn't that assumption also valid in the new method, that if I compromise these nodes one by one over time, then I can just reconstruct the signature, whatever?
B
Yeah, yeah, if you use the same key, I mean, like, basically, if you move from using the old method to using the new method but without changing the master key, so to say, then of course, if the adversary compromises the shares of the old method of all the parties, then he will...
A
He will know the master key. Okay, let's suppose someone starts afresh using the new method, like a key was generated in multi-party computation, not used in the secret sharing before, so nobody ever knows the key. Now, in this new setup, wouldn't the adversary be able to compromise it by slowly compromising different storage spaces of different parties? If he does, he...
B
Normally you would, like, the way things work now is, first of all, you don't assume that your key, even if you're not using threshold, you don't assume that your key gets compromised. I mean, you do still, like, but instead you do actually nowadays often, or you should often, you know, do refresh. So then the idea is like: okay, let's do the fresh shares.
A
So, let's suppose it's a bank, right. So if the key, if there's no refreshing protocol, and let's say some party suspects that the key, the legal owner of the key suspects that it is already compromised and there's no refresh, then the legal owner of the key can usually approach the bank and say: now I don't want you to authorize transactions with my old key. Let's start with the new one, and the bank will see. Okay, your stock share, your everything, they don't have to change.
A
Yeah, makes sense. Yes, because if it's compromised, you cannot easily change the key now, in that regard, yeah. So this is topic number one, that is easier if I needed or not. Then I just explained it in my analysis of this and just confirm with you, and the other thing is, and ask colleagues to produce a, so also.
A
Yeah, so that's the true scenario we can use, and actually I have a story for the second way, which is mainly to use secret sharing as a means of backup, where the user has the full key and does not participate in the sharing; another participant carries it, and the other parties are not able to send stuff on behalf of the user unless they collude.
A
So the story is that one star is straight, so we have a flow that might push this technology to the mobile phone, and I just want to go through it with you to see if everything is practical, and then we enter the MPC method a little bit. Okay, yeah, yeah, so I just sent you a Google Doc. I don't know if you have the right to see it. I can download it and share it. I can.
A
Yes, I got it. Okay, so I walk you through this because later there are two things: if it works, and there are two things I need your help with. One is whether the process is secure; the other is, can we leverage existing software to make the mechanics work? Okay, so it starts from the user. Look at the settings, user settings, where the user can set up wallet recovery and where the user is.
A
Yeah, thank you. So this is a live demonstration and I, just sorry, this is a prototype, so there's "set up wallet recovery". Let's click that, and there is a multi-factor, vote, yeah. Okay, and then there are two things the user has to do. First, step one, the user chooses to identify himself using email or SMS, you know, receiving a verification code, and this information at the background.
A
So this is shared between everybody, and then step two. Let's go to click any one of them, email for example. In step two, Alice said: click the verification link and then return to the app, you're there. Yeah. Now we add step two. At step two, the user provides answers to three security questions, and when the user finally confirms these three answers, the questions and answers will be sent to three parties individually, not shared.
A
So in the first step, users have verified the email address or mobile phone, which is shared between three parties, and in the second step the user sets up security questions, and these are not shared between three parties. Instead, the first party gets the first question and answer, the second party gets the second question and answer, and the third party gets the third question and answer. Yeah, okay. And then the user confirms and does the backup, and this is the moment when the key is shared into three shares and the three parties start the refreshing every day or something, yeah.
A
So this is the starting process. The recovery process, I can just describe it to you. The recovery process is that the user contacts three parties individually, and for every party, for the first party, the user reaches out to the first party. The first party will ask the user to verify the email address or SMS, send a code, and the user will answer that, and the...
A
First party will ask the first security question and the user will give the answer to the first security question, and this is done for the first party, and the user does the same for the second party and for the third party. Once the user has done two or three parties, the three parties get, it's considered that the user authorizes three parties to enter a key recovery protocol. Then they will do a key recovery and then send the private key to the user's mobile phone, and the user uses the mobile phone to do this all the time. Okay, yeah.
B
That's right. See, that's just something to keep in mind, so I think the email is, it's definitely the better way. Oh.
A
Email is something you have, and which, because it's not sharing a secret, you know, sharing the email password; you are validating you own the email address, so it's something I have, yeah. Better would be a security, a key holding device, but the user already lost his wallet. So you know, it's what you have.
A
Which means, sorry, let me finish, and actually I really saw one sentence, which means, if you use any "what you know" method, a knowledge method, then the three parties need to learn different knowledge. So whatever you configure, password, PIN or secret hand thing, has to be three different ones. Now finished. Okay, okay, so not only.
A
It can be done because, maybe because the process started with the mobile phone, the mobile phone has simply sent the hash to them. But if the process starts from the mobile phone, the mobile phone must in the setup phase send the hash to all three parties, and in the recovery planning phase not send the hash to every party, but instead ask the user to individually talk to the three parties.
B
Yes, on distributed password authentication. Okay, so basically, the idea behind this is that you again, you use the threshold scheme to basically verify that the user knows the password, and this is done in such a way that each of the parties cannot even brute-force the password individually.
B
They will not be able to brute force it. So like in the classic, which is known as PAKE, password authenticated key agreement, in a non-distributed way, in the non-threshold way, they can brute force the password to try to impersonate the user, whereas in the new paper they can't. So I'm just gonna send you a link to this new paper, so.
A
So if I, sorry, you don't want it to, you thought you wanted to also, that's, that's for parties to enter the key recovery process. We want every party to validate the user's email as well as the password, but if one of the parties wants to, let's see, if one party wants to impersonate the user to enter the key recovery protocol with the other party, he's doing so subject to the email address. Yes, that's right! Yes, that's right! Okay, sorry.
B
But then, so the simplest of these PAKE protocols is the SRP protocol. I'll send you a link to it, but I would recommend, hold on, let me find the link, a newer one, because the SRP protocol, it's not provably secure, and it had a lot of weaknesses and has been updated a bunch of times. So it's, it's ability. So this one, I just sent you a link to another paper, which is...
A
So what we need to do is to write down all of the candidate methods we have, and then I will do this in a long email. And then we start talking about advantages and disadvantages. We are looking at two or three aspects: easy to use, which means the user does not have to do something very different from what a user normally does with a mobile phone; and then the second thing is implementable in a predictable time, because if we roll the product out, we need to have an estimation; and third is security.
A
The core thinking is that there's a secret sharing protocol, which is already known and working, and there is the authentication against the party, which is a new problem we need to solve. Yeah, yeah, exactly, a new problem, but it's an issue when you recover: how do you, because you don't have the key anymore, how do you...
A
...get every party to recognize you? Yeah. So back to the MPC chain, we said that, let's talk about it in the end. So the thing I'm thinking is like, the user cannot participate in resharing, because the user is on a mobile, unless every other party can follow the timeline of the user. I said the user's mobile phone does resharing once a day, and whenever the user decides to do that, everybody else has to say: hey, let's go to work, yeah.
A
Let's say, don't participate in the key sharing protocol; the user simply asks this, your, importable, to give me the same stuff, right. Let's say we use this method, then the user needs to authenticate against everyone in order for them to enter the signing process and to convince everyone, the user's intent to indicate, and okay.
A
Let me ask a question. So let's say there's a multi-party MPC signing algorithm and there are three parties. So when one party enters the protocol, does he have to authenticate against the other parties with, for example, challenge and response first, or does he just enter the protocol and go straight into it, and if he doesn't have the right knowledge, the process simply cannot go on?
B
I don't know if it's typical or not, or if it's threshold, or if it's like you need to meet everyone to take part. I'm not sure there's a known... Okay, you can do either, there's not a problem. The simplest implementations, the simplest realizations, and this is, of course, if all parties need to collaborate in order to construct a signature.
A
Okay, so the reason I'm asking about whether or not the user can participate in MPC with a mobile phone directly, you didn't ask this, is because if the user doesn't do this, the user will still need the key, and the user needs to convince every party that he intends to sign something with that authentication key, and that's actually still pretty weak, because, you know, anyone else who obtained your...
A
...this mobile phone probably can use this same key. But the same goes for, yeah, it's actually easier, because the user can often, it can somehow, let's say, verify the email address or something, to contact the parties to revoke the authentication key. But if the user has the secret sharing key, it is easy to revoke.
B
I'm not necessarily saying that. I mean, it's of course a different setting. It's a different use case than the backup setting, so it needs to be tackled, you know, with different considerations in what exactly we're trying to do and protect against.
A
So let's open two separate discussions. One is about key recovery, mostly focused on key recovery, and that's about different ways to authenticate parties to enter a key recovery protocol using the traditional secret sharing protocol. And the other is: is it possible to use MPC ECDSA signing entirely, so that the user's local device does not have the private key at all? And so these two things, separately, because getting, yeah.
A
Good, so listen, I will write two emails, and for the second email, when we talk about that, can you reply to me with the information you know? Yes, awareness of which companies are doing that and whether or not they have a product and whether that's open source. Yes, and the first question is the secret sharing, and what algorithm? Is it the Shamir method?
B
Like the one you would use for backup is probably just, it's probably just a mere secret sharing, or actually in this case, in a key, in this case you mentioned, where we expect all parties to take part, it's even simpler. It's just additive secret sharing, basically just the sum of values modulo some number, no?
A
No, we actually need threshold, because we cannot guarantee the availability of parties. So okay, so yeah. So, although the users are no longer a party, that means we should not mean threshold, but we are sharing the key between a few organizations and one of them will go bankrupt. That's different, because the blockchain world is worse: every company goes bankrupt once in a while. So it's a different world.
A
The way, oh yeah, I'm good, I think. I don't know if my sleep has improved because I still sleep in an hour, another habitual capital er. If the operation actually didn't work, so I bought a watch which is called a sleep monitoring watch, and now we will not read out soon, because every night when I sleep I forgot to put it on. So okay, so I will find out if my sleep has improved in a few weeks. All.
A
Yeah, so if they think more acceptable, not for their benefit, then it's really, really, at different times people say different things. Previously we got a message saying that our process was too simple, so the user thinks that we didn't secure stuff. So actually sometimes in Cebu, but sometimes it's a bonus, but I will not give any opinion here. It's just I'm not on the, unless, front. I just wanted to, just want to.
A
This is still considered too secure, because normally you have what you know and what you have, and in both cases it's what you have, but Facebook and Google independently did a lot of work to secure their accounts as much as they could, and so they are already considered higher security than just username and password. So if your user decided to share his Facebook ID and Google ID to parties equally, like everybody has this knowledge, and then he starts the recovery process.
A
Yeah, that I guess, yeah, yeah, okay, sorry, I guess. The way we work is that you bounce these things, different designs and different processes, with the users and then bounce back to me, and I will simply examine whether or not it's still technically possible without too much development overhead and cacnea, and securely not worse than, for example, a storage-based solution. It has to be higher than that. But then, as long as this works, yeah, just use your creativity, whatever app idea is acceptable.