Hey! I'm David, a security engineer at the Blockchain team of Facebook, previously a security consultant for the Cryptography Services of NCC Group. This is my blog about cryptography and security and other related topics that I find interesting.

# Messaging Layer Security: A Few Thoughtsposted 2 weeks ago

I've been following the Messaging Layer Security (MLS) standardization a bit. I really appreciate what the people are doing there, and what they are trying to solve. I think group messaging is currently a huge mess, as every application I have seen/audited seemed to invent a new way to implement group chat. A common standard and guidelines would greatly help.

MLS' goal is to provide a solution to end-to-end encryption for group chats. A solution that scales.

If you don't know how the MLS protocol works, I advise you to read Michael Rosenberg's blog post or to watch the Real World Crypto talk on the subject (might not be available at the moment).

Thinking about the standard, I have two questions:

1. Does a group chat loses any notion of privacy/confidentiality after it gets too large? For example, if you are in a Hong Kong group trying to organize a protest and there are more than 1,000 people in the group, what are the odds that one of them is a cop?
2. Would a group chat protocol targeting groups with small numbers of participant (let's say 50 at most) be able to provide better security insurances efficiently?

For example, here are two security properties (taken from SoK: Secure Messaging) that MLS does not provide:

Speaker Consistency: All participants agree on the sequence of messages sent by each participant.

This means that if Alice (who is part of a group chat with Bob and Eve) colludes with the server, she can send "I like cats" to Bob and "I like dogs" to Eve.

Global Transcript: All participants see all messages in the same order. Note that this implies speaker consistency

This means that if Alice sends the following messages:

• you must decide

a server could re-order these messages so that Bob would see them in the same order, but Eve would see:

• you must decide

I have the following open questions:

• Are these attacks important to protect against?
• Is there an efficient protocol to prevent these attacks for groups of reasonable size?
• If we cannot prevent them, can we detect them and warm the users?
• If we are willing to change the protocol when going from 2 participants to 3 participants, would be willing to change the protocol when going from N to N+1 participants (where N is the number of participants threshold where confidentiality/privacy fades away)?
comment on this story

# A history of end-to-end encryption and the death of PGPposted 3 weeks ago

This is were everything starts, we now have an open peer-to-peer protocol that everyone on the internet can use to communicate.

• 1991
• The US government introduces the 1991 Senate Bill 266, which attempts to allow "the Government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law" from "providers of electronic communications services and manufacturers of electronic communications service equipment". The bill fails to pass into law.
• Pretty Good Privacy (PGP) - released by Phil Zimmermann.
• 1993 - The US Government launches a criminal investigation against Phil Zimmermann for sharing a cryptographic tool to the world (at the time crypto exporting laws are a thing).
• 1995 - Zimmermann publishes PGP's source code in a book via MIT Press, dodging the criminal investigation by using the first ammendment's protection of books.

That's it, PGP is out there, people now have a weapon to fight government surveillance. As Zimmermann puts it:

PGP empowers people to take their privacy into their own hands. There's a growing social need for it. That's why I wrote it.

• 1995 - The RSA Data Security company proposes S/MIME as an alternative to PGP.
• 1996
• 1997
• GNU Privacy Guard (GPG) - version 0.0.0 released by Werner Koch.
• PGP 5 is released.

The original agreement between Viacrypt and the Zimmermann team had been that Viacrypt would have even-numbered versions and Zimmermann odd-numbered versions. Viacrypt, thus, created a new version (based on PGP 2) that they called PGP 4. To remove confusion about how it could be that PGP 3 was the successor to PGP 4, PGP 3 was renamed and released as PGP 5 in May 1997

• 1997 - PGP Inc is acquired by Network Associates
• 1998 - RFC 2440 - OpenPGP Message Format

OpenPGP - This is a definition for security software that uses PGP 5.x as a basis.

• 1999
• GPG version 1.0 released
• Extensible Messaging and Presence Protocol (XMPP) is developed by the open source community. XMPP is a federated chat protocol (users can run their own servers) that does not have end-to-end encryption and requires communications to be synchronous (both users have to be online).
• 2002 - PGP Corporation is formed by ex-PGP members and the PGP license/assets are bought back from Network Associates
• 2004 - Off-The-Record (OTR) is introduced by Nikita Borisov, Ian Avrum Goldberg, and Eric A. Brewer as an extension of the XMPP chat protocol in "Off-the-Record Communication, or, Why Not To Use PGP"

We argue that [...] the encryption must provide perfect forward secrecy to protect from future compromises [...] the authentication mechanism must offer repudiation, so that the communications remain personal and unverifiable to third parties

We now have an interesting development: messaging (which is seen as a different way of communication for most people) is getting the same security treatment as email.

• 2006 - GPG version 2.0 released
• 2007 - RFC 4880 - OpenPGP Message Format
• 2010 - Symantec purchases the rights for PGP for $300 million. • 2011 - Cryptocat is released. • 2013 - The TextSecure (now Signal) application is introduced, built on top of the TextSecure protocol with Axolotl (now the Signal protocol with the double ratchet) as an evolution of OTR and SCIMP. It provides asynchronous communication unlike other messaging protocols, closing the gap between messaging and email. • 2014 PGP becomes increasingly criticized, as Matt Green puts it in 2014: It’s time for PGP to die. Another unexpected development: security professionals are now giving up on encrypted emails, and are moving to secure messaging. Is messaging going to replace email, even though it feels like a different mean of communication? Moxie's quotes are quite interesting: In the 1990s, I was excited about the future, and I dreamed of a world where everyone would install GPG. Now I’m still excited about the future, but I dream of a world where I can uninstall it. In addition to the design philosophy, the technology itself is also a product of that era. As Matthew Green has noted, “poking through an OpenPGP implementation is like visiting a museum of 1990s crypto.” The protocol reflects layers of cruft built up over the 20 years that it took for cryptography (and software engineering) to really come of age, and the fundamental architecture of PGP also leaves no room for now critical concepts like forward secrecy. In 1997, at the dawn of the internet’s potential, the working hypothesis for privacy enhancing technology was simple: we’d develop really flexible power tools for ourselves, and then teach everyone to be like us. Everyone sending messages to each other would just need to understand the basic principles of cryptography. [...] The GnuPG man page is over sixteen thousand words long; for comparison, the novel Fahrenheit 451 is only 40k words. [...] Worse, it turns out that nobody else found all this stuff to be fascinating. Even though GPG has been around for almost 20 years, there are only ~50,000 keys in the “strong set,” and less than 4 million keys have ever been published to the SKS keyserver pool ever. By today’s standards, that’s a shockingly small user base for a month of activity, much less 20 years. • 2018 • the first draft of Messaging Layer Security (MLS) is published, a standard for end-to-end encrypted group chat protocols. • EFAIL releases damaging vulnerabilities against most popular PGP and S/Mime implementations. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago. • 2019 - Latacora - The PGP Problem Why do people keep telling me to use PGP? The answer is that they shouldn’t be telling you that, because PGP is bad and needs to go away. EFAIL is the straw that broke the camel's back. PGP is officially dead. • 2019 • Matrix is out of beta and working on making end-to-end encryption the default. • Moxie gives a controversial talk at CCC arguing that advancements in security, privacy, censorship resistance, etc. are incompatible with slow moving decentralized protocols. Today, most serious end-to-end encrypted messaging apps use the Signal protocol (Signal, Facebook Messenger, WhatsApp, Skype, etc.) • XMPP's response: Re: the ecosystem is moving • Matrix's response: On privacy versus freedom did you like this? This will part of a book on cryptography! Check it out here. 2 comments # Difference between shamir secret sharing (SSS) vs Multisig vs aggregated signatures (BLS) vs distributed key generation (dkg) vs threshold signaturesposted last month That title is a mouthful! But so is the field. Let me introduce the problem: Alice owns a private key which can sign transactions. The problem is that she has a lot of money, and she is scared that someone will target her to steal all of her funds. Cryptography offers some solutions to avoid this being a key management problem. The first one is called Shamir Secret Sharing (SSS), which is simply about splitting the signing private key into n shares. Alice can then split the shares among her friends. When Alice wants to sign a transaction, she would then have to ask her friends to give her back the shares, that she can use to recreate the signing private key. Note that SSS has many many variants, for example VSSS allows participants to verify that malicious shares are not being used, and PSSS allows participants to proactively rotate their shares. This is not great though, as there is a small timeframe in which Alice is the single point of failure again (the moment she holds all the shares). A logical next step is to change the system, so that Alice cannot sign a transaction by herself. A multi-signature system (or multisig) would require n participants to sign the same transaction and send the n signatures to the system. This is much better, except for the fact that n signatures means that the transaction size increases linearly with the number of signers required. We can do better: a multi-signature system with aggregated signatures. Signature schemes like BLS allow you to compress the n signatures in a single signature. Note that it is currently much slower than popular signature schemes like ECDSA and EdDSA, so there must be a trade off between speed and size. We can do even better though! So far one still has to maintain a set of n public keys so that a signature can be verified. Distributed Key Generation (DKG) allows a set of participant to collaborate on the construction of a key pair, and on signing operations. This is very similar to SSS, except that there is never a single point of failure. This makes DKG a Multi-Party Computation (MPC) algorithm. The BLS signature scheme can also aggregate public keys into a single key that will verify their aggregated signatures, which allows the construction of a DKG scheme as well. Interestingly, you can do this with schnorr signatures too! The following diagram explains a simplified version of the scheme: Note two things: • All these schemes can be augmented to become threshold schemes: we don't need n signatures from the n signers anymore, but only a threshold m of n. (Having said that, when people talk about threshold signatures, they often mean the threshold version of DKG.) This way if someone loses their keys, or is on holiday, we can still sign. • Most of these schemes assume that all participants are honest and by default don't tolerate malicious participants. More complicated schemes made to tolerate malicious participants exist. Unfortunately all of this is pretty new, and as an active field of study no standard has been decided on one algorithm so far. That's the difference! One last thing: there's been some recent ideas to use zero knowledge proofs (ZKP) to do what aggregated signatures do but for multiple messages (because all the previous solutions all signed the same message). The idea is to release a proof that you have verified all the signatures associated to a set of messages. If the zero knowledge proof is shorter than all the signatures, it did its job! did you like this? This will part of a book on cryptography! Check it out here. EDIT: thanks to Dowhile and bascule for pointing errors in the post. 3 comments # Writing a book is hardposted October 2019 I am now half-way in the writing of my book (I wrote 8 chapters out of 16) and I am already exhausted. It doesn't help that I started writing right before accepting a new position for a very challenging (and interesting) project. But here I am, half-way there, and I think I'm onto something. I can't wait to get there and look at the finished project as a real paper book :) To give you some insight into this process, let me share some thoughts. Writing is hard. I have realized that I need at least a full day to write something. It does take time to get into the zone, and writing in the morning before work just doesn't work for me (and writing after work is even worse). As JP Aumasson put it (about his process of writing Serious Cryptography): I quickly realized that I didn’t know everything about crypto. The book isn’t just a dump of my own knowledge, but rather the fruit of hours of research—sometimes a single page would take me hours of reading before writing a single word. So when I don't have a full day ahead of me, I use my limited time to read articles and do research in topics that I don't fully understand. This is useful, and I make more progress during the week end once I have time to write. Revising is hard. If writing a chapter takes some effort X, revising a chapter takes effort X^3 . After each chapter, several people at Manning, and in my circle, provide feedback. At the same time, I realize that there's much more I want to write about subject Y and I start pilling up articles and papers that I want to read before I revise the chapter. I end up spending a TON of effort revising and re-visiting chapters. Getting feedback is hard. I am lucky, I know a lot of people with different levels of knowledge in cryptography. This is very useful when I want to test how different audiences read different chapters. Unfortunately people are good at providing good feedback, and bad at providing bad feedback. And only the bad feedback ends up being useful feedback. If you want to help, [the first chapters are free to read](https://www.manning.com/books/real-world-cryptography?a_aid=Realworldcrypto&a_bid=ad500e09 ) and I'm ready to buy you a beer for some constructive negative feedback. Laying out a chapter is hard. Writing a blog is relatively easy. It's short, self-contained, and often something I've been thinking about for weeks, months, before I put it into writing. Writing a chapter for a book is more like writing a paper: you want it to be perfect. Knowing a lot about the subject makes this even more difficult: you know you can make something great and not achieving that would be disappointing. One strategy that I wish I would have more time to spend on is the following one: • create a presentation about the subject of a chapter • give the presentation and observe what diagrams need revisiting and what parts are hard for an audience to understand • after many iterations put the slides into writing I'm convinced this is the right approach, but I am not sure how I could optimize for this. If you're in SF and wants me to give you a presentation on one of the chapter of the book, leave a comment here :) 2 comments # Algorand's cryptographic sortitionposted September 2019 There are several cryptocurrencies that are doing really interesting things, Algorand is one of them. Their breakthrough was to make a leader-based BFT algorithm work in a permissionless setting (and I believe they are the first ones who managed to do this). At the center of their system lies a cryptography sortition algorithm. It's quite interesting, so I made a video to explain it! PS: I've been doing these videos for a while, and I still don't have a cool intro, so if you want to make me a cool intro please do :D 1 comment # What's my birthday?posted September 2019 My colleague Mesut asked me if using random identifiers of 128-bit would be enough to avoid collisions. I've been asked similar questions, and every time my answer goes something like this: you need to calculate the number of outputs you need to generate in order to get good odds of finding collisions. If that number is impressively large, then it's fine. The birthday bound is often used to calculate this. If you crypto, you must have heard of something like this: with the SHA-256 hash function, you need to generate at least 2128 hashes in order to have more than 50% chance of finding collisions. And you know that usually, you can just divide the exponent of your domain space by two to find out how much output you need to generate to reach such a collision. Now, this figure is a bit deceiving when it comes to real world cryptography. This is because we probably don't want to define "OK, this is bad" as someone reaching the point of having 50% chance of finding a collision. Rather, we want to say: someone reaching one in a billion chance (or something much lower) to find a collision would be bad. In addition, what does it mean for us? How many identifiers are we going to generate per second? How much time are we willing to keep this thing secure? To truly answer this question, one needs to plug in the correct numbers and play with the birthday bound formula. Since this is not the first time I had to do this, I thought to myself "why don't I create an app for this?" and voila. Thanks to my tool, I can now answer Mesut's question: If you generate one million identifiers per second, in 26 years you will have one in a billion chance to generate a collision. Is this enough? If this is not adversary-controlled, or it is rate-limited, you will probably not generate millions of identifiers per second though, but rather thousands, in this case it will take 265 centuries to get these odds. 3 comments # My book Real World Cryptography is out in pre-accessposted June 2019 Manning Publications reached out to me last year with an opportunity for a book. I had been thinking of a book for quite some time, as I felt that the landscape lacked a book targeted to developers, students and engineers who did not want to learn about the history of cryptography, or have to sort through too many technical details and mathematic formulas, and wanted an up to date survey of modern applied cryptography. In addition, I love diagrams. I don’t understand why most books underuse them. When you think of AES-CTR what do you think about? I bet the excellent diagrams from Wikipedia just flash in your mind. The book Real World Cryptography was released today in pre-access. This means you’ll be able to read new chapters as I write them, and be able to provide feedback on topics you wished I would include and questions you wish I would answer. 4 comments # Libra: a usable cryptocurrencyposted June 2019 At 2am this morning Libra was released. and it seems to have broken the internet (sorry about that ^.^") I've never worked on something this big, and I'm overwhelmed by all this reception. This is honestly pretty surreal from where I'm standing. Libra is a cryptocurrency, which is on-par with other state-of-the-art blockchains. Meaning that it attempts to solve a lot of the problems Bitcoin originally had: • Energy Waste. The biggest reproach that people have on Bitcoin, is that it wastes a lot of our electricity. Indeed, because of the proof of work mechanism people constantly use machines to hash useless data in order to find new blocks. Newer cryptocurrencies, including Libra, make use of Byzantine Fault Tolerance (BFT) consensus protocols, which are pretty green by definition. • Efficiency. Bitcoin is notably slow, with a block being mined every 10 minutes, and a minimum confirmation time of one hour. BFT allows us to "mine" a new block every 3 seconds (in reality it can even go much faster). • Safety. Another problem with Bitcoin (or proof of work-based cryptocurrencies) is that it forks, constantly, and then re-organize itself around the "main chain". This is why one must wait several blocks to confirm that their transaction has been included. This concept is not great at all, as we've seen with Ethereum Classic which was forked (not so long ago) with more than 100 block in the past! BFT protocols never fork once they commit a block. What you see on the chain, is the final chain always. This is why it is so fast (and so sexy). • Stability. This one is pretty self-explanatory. Bitcoin's price has been anything but stable. Gamblers actually strive on that. But for a global currency to be useful, it has to keep a certain rate for people to use it safely. Libra uses a reserve of real assets to back the currency. This is the most conservative way to achieve stability, and it is probably the most contentious point about Libra, but one needs to remember that this is all in order to achieve stability. Stability is required if we want this to be useful for everyone. • Adoption. This final point is the most important in my opinion, and this is the reason I've joined Facebook on this journey. Adoption is the largest problem to all cryptocurrencies right now, even though you hear about them in the news very few people use them to actually transact (and most people use them to speculate instead). The mere size of the association (which is planned to reach 100 members from all around the world) and the user-base of Facebook is going to be a big factor in adoption. That's the most exciting thing about the project. On top of that, it is probably one of the most interesting projects in cryptography right now. The codebase is in Rust, it uses the Noise Protocol Framework, it will include BLS signatures and formally verified smart contracts. And there's a bunch of other exciting stuff to discover! If you're interested you should definitely check the many papers we've published: I've read many comments about this project, and here's how I would summarize my point of view: this is a crazy and world-scale project. There are not many projects with such an impact, and we'll have to be very careful about how we walk towards that goal. How will it change the world? Like a lot of global projects, it will have its ups and downs, but I believe that this is a positive net worth project for the world (if it works). We're in a unique position to change the status quo for the better. It's going to be exciting :) If you're having trouble understanding why this could work, think about it this way. You currently can't transact money easily as soon as you're crossing a border, and actually, for a lot of countries (like the US) even intra-border money transfers are a pain. Currently the best banks in the world are probably Monzo and Revolut, and they're not available everywhere. Why? Because the banking system is very complex. By using a cryptocurrency, you are skipping decades of progress and setting up a interoperable network. Any banks and custody wallets can now use this network. You literally get the same thing you would get with your normal bank (same privacy, same usability, etc.) except that now banks themselves have access to a cheap and global network. The cherry on top is that normal users can bypass banks and use it directly, and you can monitor the total amount of money on the network. No more random printing of money. A friend compared this project to nuclear energy: you can debate about it long and large, but there's no doubt it has advanced humanity. I feel the same way about this one. This is a clear improvement. 2 comments # A book in preparationposted June 2019 I've started writing a book on applied cryptography at the beginning of 2019, and I will soon release a pre-access version. I will talk about that soon on this blog! (picture taken from the book) The book's audience is for students, developers, product managers, engineers, security consultants, curious people, etc. It tries to avoid the history of cryptography (which seems to be unavoidable in any book about cryptography these days), and shy away from mathematical formulas. Instead, it relies heavily on diagrams! A lot of them! As such, it is a broad introduction to what is useful in cryptography and how one can use the different primitives if seen as black boxes. It attempts to also serve the right amount of details, to satisfy the reader's curiosity. I'm hopping for it to be a good book for quickly getting introduced to different concepts going from TLS to PAKE. It will also include more modern topics like post-quantum cryptography and cryptocurrencies. I don't think there's anything like this yet. the classic Applied Cryptography is quite old now and did not do much to encourage best practices or discourage rolling your own. The excellent Serious Cryptography is more technical and has more depth than what I'm aiming for. My book will rather be something in between, or something that would (hopefully) look like Matthew Green's blog if it was a book (minus a lot of the humor, because I suck at making jokes). More to come! comment on this story # Why 2f+1posted May 2019 Have you ever wondered why byzantine agreement protocols seem to all start with the assumptions that less than a third of the participants can be malicious? This axiom is useful down the line when you want to prove safety, or in other words that your protocol can't fork. I made a diagram to show that, an instance of the protocol that forks (2 proposals have been committed with 2f+1 votes from the participants) is absurd. comment on this story # New Job, New Designposted April 2019 As I'm transitioning to the Blockchain team of Facebook, I decided it would be a good time to give this place a bit of a refresh :) I've started blogging here in 2013: I quickly found out a layout I liked and sticked with it. In 2014 it looked like this: In 2018 it looked a bit different: And finally the new re-design which should be brighter: Hope you like it :) 1 comment # Disco: whitepaperposted February 2019 I already wrote a lot about Disco: Today, I released the white paper that introduces the construction. Check it out on ePrint. It's a combination of everything I've talked about, plus: • some experimental results on embedded devices done by Matteo Bocchi and Ruggero Susella • some preliminary results on formal verification with Tamarin Prover I unfortunately did not have the time to complete the formal verification of several important lemmas. But I am hopping that I can achieve this in a later paper. The formal verification code is on github and anybody is welcome to help :) comment on this story # Bits and Bytes ordering in 5 minutesposted February 2019 ## 1. Bits and Their Encoding Imagine that I generate a key to encrypt with AES. I use AES-128, instead of AES-256, so I need a 128-bit key. I use whatever mechanism my OS gives me to generate a long string of bits. For example in python: >>> import os; >>> random_number = os.urandom(16) >>> print(bin(int(random_number, 16))[2:]) 11111010110001111100010010101111110101101111111011100001110000001000010100001000000010001001000110111000000111101101000000101011 These bits, can be interpreted as a large number in base 2. Exactly how you would interpret 18 as "eighteen" in base 10. This is the large number in base 10: >>> print(int(random_number, 16)) 333344255304826079991460895939740225579 According to wolframalpha it reads like so in english: 333 undecillion 344 decillion 255 nonillion 304 octillion 826 septillion 79 sextillion 991 quintillion 460 quadrillion 895 trillion 939 billion 740 million 225 thousand 579. This number can be quite large sometimes, and we can make use of letters to shorten it into something more human readable. Let's try base 16 which is hexadecimal: >>> print(random_number.encode('hex')) fac7c4afd6fee1c085080891b81ed02b You often see this method of displaying binary strings to a more human readable format. Another popular one is base64 which is using, you guessed it, base 64: >>> import base64 >>> print(base64.b64encode(random_number)) +sfEr9b+4cCFCAiRuB7QKw== And as you can see, the bigger the base, the shorter the string we get. That is quite useful to keep something human readable and short. ## 2. Bytes and Bit-wise Operations Let's go back to our bitstring 11111010110001111100010010101111110101101111111011100001110000001000010100001000000010001001000110111000000111101101000000101011 this is quite a lot of bits, and we need to find a way to store that in our computer memory. The most common way, is to pack these bits into bytes of 8 bits (also called one octet): 11111010 11000111 11000100 10101111 11010110 11111110 11100001 11000000 10000101 00001000 00001000 10010001 10111000 00011110 11010000 00101011 As you can see, we just split things every 8 bits. In each bundle of 8 bits, we keep the bit-numbering with the most significant bit (MSB) first. We could have had the least significant bit (LSB) first instead, but since our larger binary string already had MSB first, it makes sense to keep it this way. It's also more "human" as we are used to read numbers from left to right (at least in English, French, Chinese, etc.) Most programming languages let you access octets instead of bits directly. For example in Golang: a := []byte{98, 99} // an array of bytes b := a[0] // the byte represented by the base 10 number '98' To act on a specific bit, it's a bit more effort as we need to segregate it via bitwise operations like NOT, AND, OR, XOR, SHIFTs, ROTATIONs, etc. For example in Golang: a := byte(98) firstBit := a >> 7 // shifting 7 bits to the right, leaving the MSB intact and zero'ing the others So far, all of these things can be learned and anchored in your brain by writing code for something like cryptopals for example. ## 3. Memory OK. How do we store these octets in memory? Unfortunately, because of historical reasons, we have two ways of doing this: 1. Big-Endian: from low memory address (00000....) to high memory address (999999...) in that order. 2. Little-Endian: from high memory address (9999999...) to lower memory address (0000000...) in that order. We call this Endianness. I'm sorry, but to understand the rest of this article, you are going to have to parse this small snippet of C first: #include <stdlib.h> #include <stdio.h> #include <stdint.h> int main(){ uint8_t a[] = {1, 255}; // storing [1, 255] printf("%p: x\n", a, *a); // 0x7ffdc5e78a70: 01 printf("%p: x\n", a+1, *(a+1)); // 0x7ffdc5e78a71: ff } As we can see, everything works as expected: • a points to an address in memory (0x7ffdc5e78a70) containing$1$• the next address (0x7ffdc5e78a71) points to the value$255$(displayed in hexadecimal) The number 0x01ff (the 0x is a nice way to indicate that it is hexadecimal) represents the number$1 \times 16^2 + 15 \times 16^1 + 15 \times 16^0 = 511$(remember, f represents the number 15 in hexadecimal). So let's try to store that number in a different way in C: #include <stdlib.h> #include <stdio.h> #include <stdint.h> int main(){ uint16_t b = 0x01ff; // storing [1, 255] ? //uint16_t b = 511 // these two lines are equivalent uint8_t *a = (uint8_t*)&b; // getting octet pointer on b printf("%p: x\n", a, *a); // 0x7ffd78106986: ff printf("%p: x\n", a+1, *(a+1)); // 0x7ffd78106987: 01 } Wait what? Why is the order of 01 and ff reversed? This is because the machine I used to run this uses little-endianness to map values to memory (like most machines nowadays). If you didn't know about this, it should freak you out. But relax, this weirdness almost NEVER matters. Because: 1. in most languages, you do not do pointer arithmetic (what I just did when I incremented a) 2. in most scenarios, you do not convert back and forth between bytestrings and number types (like int or uint16_t). And this is pretty much why most systems don't care too much about using little-endian instead of big-endian. ## 4. Network Networking is usually the first challenge someone unfamiliar with endianness encounters. When receiving bytes from a TCP socket, one usually stores them into an array. Here is a simple example in C where we receive a string from the network: char *a = readFromNetwork() // [104, 101, 108, 108, 111, 0] printf("%s\n", a); // hello Notice that we do not necessarily know in which order (endianness) the bytes were sent, but protocols usually agree to use network byte order which is big-endian. This works pretty well for strings, but when it comes to number larger than 8-bit, you need to know how to re-assemble it in memory depending on your machine. Let's see why this is a problem. Imagine that we want to transmit the number$511$. We need two bytes: 0x01 and 0x0ff. We transmit them in this order since it is big-endian which is the prefered network-byte order. On the other side, here is how we can receive the two bytes, and convert them back into a number type: uint8_t a1[] = {1, 255}; // storing the received octets as-is (from left to right) uint8_t a2[] = {255, 1}; // storing the octets from right to left after reversing them uint16_t *b1 = (uint16_t*)a1; uint16_t *b2 = (uint16_t*)a2; printf("%"PRIu16"\n", *b1); // 65281 printf("%"PRIu16"\n", *b2); // 511 In this case, we see that to collect the correct number$511$on the other end of the connection, we had to reverse the order of the bytes in memory. This is because our machine is little-endian. This is what confuses most people! In reality, it shouldn't. And this should re-assure you, because trying to figure out the endianness of your machine before converting a series of bytes received from the network into a number can be daunting. Instead, we can rely on bitwise operations that are always emulating big-endianness! Let's take a deep look at this short snippet of code: uint8_t* a[] = {1, 255}; // the number 511 encoded in network byte-order uint16_t b = (a[0] << 8) | a[1]; printf("%"PRIu16"\n", b); // 511 Here, we placed the received big-endian numbers in the correct big-endian order via the left shift operation. This code works on any machine. It is the key to understanding why endianness doesn't matter in most cases: bit-wise operations are endianness-independent. Unless your job is to implement low-level stuff like cryptogaphy, you do not care about endianness. This is because you will almost never convert a series of bytes to a number, or a number to a series of bytes. If you do, because of networking perhaps, you use the built-in functions of the language (see Golang or C for example) and endianness-independent operations (like left shift), but never pointer arithmetic. 3 comments # [paper review] A faster, more efficient cryptocurrencyposted February 2019 MIT Computer Science & Artificial Intelligence Lab just released some new research. The paper is called Vault: Fast Bootstrapping for Cryptocurrencies. From a high level, it looks like a new cryptocurrency. But it is written as a set of techniques to improve Algorand and other cryptocurrencies are encouraged to adopt them, which leads me to think this will probably not become another cryptocurrency. It is very well written and I thought I would write a summary here. After installing a cryptocurrency client, you usually sync it with the network in order to be able to participate or see the latest state of the blockchain. This whole concept of joining a cryptocurrency as a client is costly. For example, to join Bitcoin you need to download the whole blockchain which is more than 150 GB at the moment. It can take days and lot of bandwidth. The whole point of Vault (the paper) is about reducing this bootstrapping process, and the space needed after to keep using the blockchain. It includes three techniques which I will briefly summarize below: First technique: balance pruning. Ethereum got rid of Bitcoin's UTXOs and keeps track of all the account balances instead. This method already saves a lot of space. Once you do that though, you are required to keep track of a nonce per account. This is to prevent transactions replay. How does the Ethereum nonce works: when you sign a transaction, you also sign the nonce. Once it gets accepted in a block the nonce of your account gets incremented, and the next transaction will need to sign the new nonce to get accepted. Vault doesn't keep a nonce, instead it tracks the hashes of all the transactions that were applied. This way, If you try to replay a transaction, it will be detected. That's too costly though, we don't want to store ALL of the transactions ever. So the first technique is to force transactions to expire. Once a transaction is expired, a client can get rid of it in its storage, as it cannot be replayed (it is not valid anymore). Another issue with Ethereum are zero-balance accounts. Our analysis of the Ethereum state indicates that around 38% of all accounts have no funds and no storage/contract data (i.e., only an address and a nonce) These zero-balance accounts still need to be tracked because of the nonce that is still useful to prevent future transaction replays. In Vault, once all transactions applied on a zero-balance account have expired, you can prune the account. This first technique allows a lot of useless data to be cleaned out. A client only stores accounts that have a balance greater than zero, zero-balance accounts if they still have transactions that could be replayed, and recent committed/pending transactions that haven't expired yet. Second technique: balance sharding. Keeping track of all the accounts is costly for one client... We can do better. Vault uses a sparse Merkle tree where the leaves represent all the possible accounts. It's quite a large tree... so we can split it in shards! The first$X$bits of someone's public key could indicate what shard they should store. For example if we want to have 4 shards, the first 2 bits would indicate the path in the tree (0 is left, 1 is right). Instead of storing all the leaves, you would store all the leaves that belong to your "subroot" (specified by the first bits of your public key). By doing this we can't verify transactions anymore though... To solve this, every transaction now ships with a proof of membership (a witness) for both the sender and recipient addresses. This proof of membership is a typical merkle tree concept, it contains the neighbor nodes of the leaf's path up to the root as well as the leaf itself (account balance). This way anyone can verify a transaction! Furthermore, once a transaction is committed to a block, the merkle tree is updated and its root are updated as well (because an account balance (a leaf) has changed). So pending transactions in the mempool (the pool of pending transactions) need to have their membership proofs updated. Anybody has enough information to do this so it is not a problem. (By the way this is why transactions carry the recipient address' witness (the membership proof)l: because that leaf gets affected by a transaction as well.) These two proofs are quite long though, and they accompany every transactions being broadcasted on the network! One way to reduce that is to decrease the length of the membership proof. To do this, every client stores a level of subroots of the balance merkle tree, this way a proof doesn't need to go up to the root, but up to the level that the client has stored. The rest can be calculated from what is on disk. Thanks to this second technique, one only needs to keep track of his own leaf (account balance) as well as the balance merkle root. And one can still verify new blocks. If one wants to help storing part of the network, one can keep track of a shard instead of the whole list of accounts. I think the sharding thing here is actually less important than the transactions shipping with the balance proofs. But it is still a neat way of making sure that all nodes can participate in conserving the full blockchain and its balances. Third technique: stamping certificates. Vault is built on top of Algorand. The Algorand protocol is so elegant, I can see why they would want to make use of it. Algorand's byzantime agreement BA* produces a "certificate" for each block committed to the blockchain. A certificate is a bundle containing more than 2/3rd signatures of the block from a randomly selected committee. Such a certificate is quite large (lots of signatures, public keys, and proof that the public key could participate in BA*). In addition, Algorand "mines" a new block every 2-3 seconds, so it has quite a large blockchain and a new client needs to download and verify a huge number of blocks to join the network. To speed this up, Vault has nodes create additional "stamped certificates" at larger intervals (one every thousand blocks or so). From one stamped certificate, you can fast forward thousands of blocks ahead (~2 days of history) to the next stamped certificate. To create these stamped certificates, they use the same cryptographic sortition technique that Algorand uses but with a smaller number of participants to reduce the size of the stamped cert. (No, BLS and aggregate signatures won't help because as I've said a certificate contains a lot of distinct objects). This way, to join the network, a client can validate blocks and certificates until it finds its first stamped certificate, then the client can jump thousands of blocks ahead from stamped certificate to stamped certificate until it reaches the most up-to-date block. There are more optimizations and details to it addressed in the paper. I the end these stamped certificates are some kind of checkpoints. I find that it is not as elegant as Coda's protocol solution which only contains one zero-knowledge proof of the whole chain, but ZK-SNARKS being quite complicated I can see how one would want to avoid them. comment on this story # What is the BLS signature scheme?posted February 2019 BLS is a digital signature scheme being standardized. Its basis is quite similar to other signature schemes, it has a key generation with a generator$P2\$:

The signature is a bit weird though, you pretend the hashed message is the generator (using a hash_to_G1 function you hash the message into a point on a curve) and you do what you usually do in a key generation: you make it a public key with your private key

Verification is even weirder, you use a bilinear pairing to verify that indeed, pairing([secret_key]hashed_msg, P2) = pairing([secret_key]P2, hashed_msg).

This weird signing/verifying process allows for pretty cool stuff. You can compress (aggregate) signatures of the same msg in a single signature!

To do that, simply add all the signatures together! Easy peasy right?

Can you verify such a compressed signature? Yes you can.

Simply compress the public key, the same way you compressed the signature. And verify the sig_compressed with the public_key_compressed. Elegant :)

But what if the different signatures are on different messages? Well, just add them together as well.

The process to verify that is a bit more complicated. This time you multiply a bunch of pairing([secret_key]P2, hashed_msg) together, and you verify that it is equal to another pairing made out of the compressed signature. Pairings are magical!

1 comment