From YouTube: Decentralized Key-Management System
Description
In this presentation from Day 3 of the #SwarmOrangeSummit, NuCypher’s Michael Egorov presents the whys and hows of their decentralised key management system, using a decentralised proxy re-encryption method.
A
Hello, everyone, my name is Michael. I am the CTO of NuCypher, and what we do is pretty much a decentralized key management system. So, like, imagine something like a hardware security module, but instead of being hardware, it's actually a decentralized network. And, of course, this decentralized network cannot decrypt any of your data, and let me tell you why we are doing that and how it actually works.
A
So imagine some use cases, like Daniel was explaining earlier today, about sharing, let's say, sharing files or sharing chunks in Swarm or something like that. How would you normally do that using traditional cryptography? Well, I mean, a naive way would be: let's say you want to share data with multiple recipients, right, that's the goal. Naively, you would encrypt data with the public key of every recipient and store, you know, as many copies as recipients: you have that number of copies of the data.
A
That's not efficient, of course, and you can do better, and that's exactly, I guess, what's happening in Swarm. You encrypt only the symmetric keys, like the root symmetric key, with the public key of each recipient and store that in the ACL list. But the disadvantage is, of course, that if you want forward secrecy, you need to change your symmetric key every time, and every time you do the write you need to basically have an overhead of changing the ACL for all your recipients.
A
So if you have 10,000 recipients, that would be a problem. And yes, of course, you could opt in for a centralized solution, but that's kind of not what we are doing here. Another example, probably more relevant with tens of thousands of people, is end-to-end encrypted group chats. So you can do the same kind of thing for each message.
A
Well, if you want to be able to revoke access to your chat, then you would need to change your symmetric key with every message, and with traditional cryptography you would need to override your, like, symmetric key encrypted with the public key of every recipient every time, which is again not optimal, not scalable. Or it's the same with, like, distributing video. So here I'm not talking about transcoding, I'm talking about only CDN here. So if you want to have kind of conditional delivery of encrypted video content, you kind of face the same scalability problem.
A
Yeah, you pretty much, if you split your video into chunks and each chunk you encrypt with its individual symmetric key, you pretty much would need to encrypt the symmetric key for every recipient every time, which is again not ideal. And also, when you add or remove a recipient, you would need the owner of the data to stay online, to be granting and revoking access every time, anyway.
A
You know, some guys probably don't want to do that. So what do you do? What we do: we combine something called proxy re-encryption with decentralization, and since proxy re-encryption is not a well-known concept, I probably should explain it first. So essentially, what proxy re-encryption is, is a set of encryption algorithms which, apart from encrypting and decrypting, also allow transforming texts, or ciphertexts, from being encrypted under one key to being encrypted under another key. So imagine this.
A
You have Alice and Bob, and Alice originally didn't know which Bob she wants to share data with. So she encrypted data for herself with her own public key and stored it somewhere, and later on, let's say, Bob came and said, "Oh well, Alice, hi. Can you share your data with me?" and she said, "Sure." So how does she do that?
A
She takes Bob's public key and her own private key and calculates something called a re-encryption key, and then she can give this re-encryption key to the proxy, to some third-party service whose only, like, responsibility is to transform the ciphertexts from Alice's to Bob's. The proxy, who has this re-encryption key, cannot do anything else, only transform data; it cannot decrypt the data. What's even more important, Alice can continue publishing updates to this data.
A
Let's say, adding new files encrypted with exactly the same, with her public key, and the proxy will still be able to transform this data, this new data, to Bob. Well, of course, until Alice asks the proxy to remove this re-encryption key. And, well, that's the encryption primitive we use. So let me first explain how we use that using one proxy, and then how we decentralize
A
that. So now, imagine you use just a typical schema used for encrypting files: you encrypt your file with a random symmetric key, and you encrypt the symmetric key with the public key of the sender, let's say Alice. So this is your encrypted ciphertext, like, text encrypted with the block cipher, and the encrypted symmetric key, and you store that in some storage layer, whatever that is. And now, let's say, the sender grants access to the receiver. How the read works:
A
Let's say, what happens when the receiver reads the data: the receiver fetches the data, which was encrypted for the sender, and the receiver sees that the receiver cannot decrypt it. So what does he do? He takes this encrypted symmetric key and sends it to the proxy, asking it to re-encrypt. The proxy takes this re-encryption key and transforms the encrypted symmetric key, which was encrypted for Alice, into being encrypted for Bob.
A
At this moment, the proxy did not see anything except for the two ciphertexts, like, ciphertext in, ciphertext out. And then, using this re-encrypted, well, Bob can already decrypt this transformed encrypted symmetric key. He does that, he gets the symmetric key, and using that he decrypts the data. So Bob sees the data.
A
So that's just what you get using normal proxy re-encryption. But then, let's say, if we run such a service, there is a problem. What happens if the proxy, for some reason, refuses to process the data? Maybe the problem might be: some collusion happened, I don't know, some nation-state interacted with the hoster of the proxy and said, "Okay, we don't want this guy to decrypt data, let's ban him," and then this proxy refuses to work, and, well,
A
the proxy doesn't read the data, but it can refuse to work, and, I think, that would happen in Russia today anyway. So how do we prevent that? Well, we try to decentralize things, and for that we actually designed something which is called a threshold proxy re-encryption scheme. We call this one Umbral, and what it does: you basically require m out of n proxies to re-encrypt data for Bob to be able to decrypt.
A
Well, we're actually quite agnostic to the block cipher, it can be anything. And we actually originally made it for EC ElGamal, but EC ElGamal has this problem that it's only CPA secure, and we are kind of more secure than that: this scheme has CCA security. But, you know, it can be done for EC ElGamal also. And also, an interesting thing is: what happens if the proxy misbehaves? What happens if the proxy returns garbage instead of a re-encryption, and says, "I re-encrypted correctly, trust me"?
A
So that's our, like, encryption scheme. It is on GitHub in pyUmbral, the pyUmbral repository in, like, NuCypher's GitHub, and also there is a formal specification in the umbral-doc repository on our GitHub. And, I guess, let me show how you could, well, the network itself, the kind of decentralized network as a proxy re-encryption service, is not up yet, but you can play with the mock net, and basically, let me show how it looks.
A
It was next, oh yeah. Well, you instantiate the mock net, which is kind of mocking the real network which will be there, and Alice encrypts some data for herself, so there's ciphertext, and you get ciphertext and capsule. Ciphertext is the plaintext encrypted by the symmetric key, and capsule is pretty much the encrypted symmetric key. It's not quite that, but it's actually pretty close, so you can think of it
A
as that. And okay, then Alice produces the re-encryption keys which she sends to a bunch of proxies, and you use the split rekey method and produce something which we call kfrags. So you generate twenty kfrags and then grant permission, basically upload these re-encryption keys to the proxies, to the mock net in a certain way. And then, well, Bob asks, or Bob, let's say, takes that, downloads
A
the data, the encrypted data which Alice produced, and the capsule, the encrypted symmetric key. So Bob asks the proxy network to re-encrypt the capsule, and then, I guess, he can decrypt the data. Well, I guess he needs to reconstruct the actual, like, capsule so he can decrypt, and then decrypt the actual data, so the actual decrypted data is, like, clear. On the other hand, if Alice revokes the access, the re-encryption keys are removed on the proxy side, and Bob, when he asks, Bob cannot decrypt the data anymore.
A
So that's how the network approximately will work, and we are actually getting very, very close to a real testnet, which will happen probably by the end of this month. And yeah, I didn't touch on how we use token economics to incentivize proxies to operate fairly. Basically, the function of the token here is not to pay for services. You pay for services using ethers. The function of the proxy is kind of the amount of trust you put into each proxy, so how many coins the proxy holds.
A
Why wouldn't we use ether for that? Like, in principle, you could lock ethers into that, right, and basically this would be trust proportional to the amount of ethers. If you did that, then this kind of attack would be possible. Imagine someone acquired a lot of ether, like, well, kind of bought ethers on credit, right, and put those ethers as a stake, and then acquired more than 50% of the network and compromised the network.
A
The network value went to zero, but the guy who compromised it didn't suffer, because he used ethers to stake, and the ether value didn't drop. So that's why you cannot use ethers for staking, and you need to use actual, like, NuCypher tokens. So yeah, it's important that, you know, the value of the token goes to zero if you compromise the network, so it's very expensive to actually attack the network. Yeah, and well,
A
Also, when you put in our tokens and produce the work, well, this also produces new coins according to the inflation schedule. And also, the node gets slashed if it's caught in misbehavior; that's why we needed to include these proofs of misbehavior into the proxy re-encryption algorithm. And mining rewards: well, I guess instead of this, I will probably just show this. The reward rate is exponentially decreasing, and if you commit to staking, if you commit to holding policies for a long time, your reward rate is higher.
A
Oh, you can restake it, and if you restake it, apparently what you get after years will be much larger. Well, so who are the users, the kind of future users for our network when it's up? Well, interestingly enough, a very, very large proportion of companies are actually medical data companies. So actually one of them is he and Vanna iro network, but there are kind of a bunch of others, and also, like, it's pretty useful for decentralized marketplaces and different sorts of things.