In episode 15, we're featuring two more talks from MobileCoin's Crypto Renaissance Conference. Up first is Alexander Rose, the executive director of The Long Now Foundation, an organization devoted to long-term thinking that is best known for building the ten-thousand-year clock. Alexander explains the roots of cryptography and how ledger systems have evolved over the last 5,000 years. Then we feature a talk from isis agora lovecruft, cryptographer and research consultant at MobileCoin. isis agora lovecruft joins to speak about Ristretto, the cryptographic technology that MobileCoin uses to preserve the privacy of its users.
In episode 15, we're featuring two more talks from MobileCoin's Crypto Renaissance Conference. Up first is Alexander Rose, the executive director of The Long Now Foundation, an organization devoted to long-term thinking that is best known for building the ten-thousand-year clock. Alexander explains the roots of cryptography and how ledger systems have evolved over the last 5,000 years. Then we feature a talk from isis agora lovecruft, cryptographer and research consultant at MobileCoin. isis agora lovecruft joins to speak about Ristretto, the cryptographic technology that MobileCoin uses to preserve the privacy of its users.
Speaker 3 (00:06)
Hello, and welcome back to Privacy is the new Celebrity. I'm Brady Forrest. Today on the show, we'd like to highlight two more of the amazing speakers who appeared at the Crypto Renaissance conference we hosted in December. The first person I'd like to introduce is Alexander Rhode. He is the executive director of the Long Now Foundation, an organization devoted to long term thinking that is best known for building the 10,000 year clock. And he joined us to speak about cryptography and ledger systems over the past 5000 years. After that, we'll feature a talk from someone you've heard on this podcast. Before that's, Isis Agora Lovecruft, a highly skilled cryptographer and research consultant here at Mobile Coin. Thanks again for tuning in. I hope you'll enjoy their brilliant ideas as much as I did.
Speaker 1 (00:55)
Here's.
Speaker 3 (00:56)
Alexander Rose.
Speaker 2 (01:00)
Good morning, everybody.
Speaker 1 (01:02)
My mic working. Yes. Awesome. Cool. It's great to see all of you. When Josh called me a couple of months ago, and I think he just texted me and said, hey, can you give a talk about the history of civilization and cryptography in the next several thousand years? I said no. But as many of you who have ever said no to Josh, you then get the call, and then you end up saying yes to Josh. So here we are. So as he said, I'm Alexander Rosen, the director at the longau foundation, and I've been working on basically kind of figuring out kind of threads of history and stories over the last 10,000 years and the next 10,000 years and how those stories really have kept organizations and institutions alive. And we ourselves are trying to create a very long term institution. And I think the interesting thing about this story of cryptography and ledgers and even language is that this is a thread that has really kind of moved both wars and merchants through all of time. So bear with me. I'm going to give you a bit of history of both cryptography and language, and I'll make sure that I will tie it up at the end to something that will hopefully set us on our way today.
Speaker 1 (02:23)
The title of this talk is called confusion of tongues, and this comes from the story of Genesis. After the great flood and Noah's Ark, there was this time in biblical history where everyone spoke the same language, and they started building the tower of Babel all the way up to heaven. And God said, I don't like this. I don't want you this close to heaven. Cast the tower down and cast the people around the world, and they were each speaking a different language, and they could no longer coordinate to build a tower to heaven for the rest of human history. Now, many cultures have stories like this, but I think it's an interesting place to start in that really the first cryptography was language itself. And we even see it in acronyms. We see it even in colloquialisms, even there's a bootling language in Boonville, just north of here that's really about kind of keeping the locals knowing what's going on and the non locals from not knowing what's going on. But if we look at the more scientific version of the story of Babel, we have languages, over 7500 languages in the world that we know of, and about two or 3000 of them currently on Earth.
Speaker 1 (03:33)
That happened by, obviously a very slow 65,000 year diaspora around the world, plus the millions of years before that in Africa. And this first version of cryptography as language has been used as recently in wartime as World War I with the chocolate telephone squad and more famously, the Navajo code talkers in World War II. They were using Navajo language. A very small number of speakers of that language to speak, and they still spoke in code. But the thought was even if the Axis powers were able to decode the code itself, then they would have to now know Navajo. And that was pretty hard for the access powers around that time. And then we see also in language places like this. This is Papua New Guinea. This is a language map of Papua New Guinea. About 20% of the world's language diversity is just in this region of the world. And they also use language as a type of cryptography in that they have a public language that they speak to do trade, they have a private tribal language, and then they have often a magic language that's used to kind of keep the magic safe within that tribe.
Speaker 1 (04:51)
And so this use of language as cryptography is something that we're going to kind of see through history that I'll show. And as more and more parts of civilization can speak the same language or write the same language, that's when cryptography has to happen because people want to do effectively arbitrage right. They want to know the price of a thing in one end of the world, know how, what they can sell it for on the other end of the world or the other place that we see. The lot of cryptography is obviously in wartime. And so, in fact, the very first writing system that we know Kineiform, was used to write the values of commodities in Samaria. And this is about 500 years ago. And then the very first written cryptography that we know about was in ancient Egypt about 1000 years later with these hieroglyphs. Actually, there was transposed hieroglyphs in here because at this time, more of the masses were learning hieroglyphs, and the kind of elite class wanted to hold information away from them. So they were already doing a kind of a transposition cryptography and hieroglyphs fast forward another couple of thousand years.
Speaker 1 (05:59)
This is the skiddly. This is probably the first physical cipher machine that we know about. So a written papyrus message would be written, and then you'd put it on the stick and you'd wrap the leather around it and you get your transposition cipher from that. And this was used through about the 7th century BC, all the way up into Sparta was using it for wartime communications. Julius Caesar used this by about the turn of the Millennium into Ad. This is a little diagram here on the right of having this. And this is also an additive substitution ciphers started, which is a little bit more advanced than the original than the ones that we were seeing before. And sadly, while Julius Caesar was able to use this to send encrypted information, clearly British was able to also send encrypted information to the demise of Julius. The interesting thing, like all great stories of the history of technology or invention, we often think of the first white people who did it. Of course, as all many of these stories go, that's not really how it went. About 850 Ad, Alkindi wrote a treatise on cryptanalysis in the Islamic world that went all the way up into the 14th century when, as far as we know, it was lost and had to be reinvented in Europe around the time of the Renaissance, which is where we're getting to today.
Speaker 1 (07:23)
Right. And this idea of cryptography and arbitrage, which I know is going to be a pretty important topic for what we're talking about today is just keeps coming up throughout history. And it was happening in the Islamic world when the Islamic world is trying to trade, and they wanted to keep the price of a purchase to a sale secret between a vast distance, but be able to send that through messengers that they may or may not trust. Before that time, the trust agents that we now call ledgers were human beings and they were familial ties. So, like when you were sending something in the Silk Road from China to Europe, all the stations along that way were trusted family members and merchants that had long time relationships, so that each time that passed from one person to another that they could trade the value of something and keep it secret. But there was obviously a lot of holes in that system, and that's why cryptography was really needed for that. And as we get into the Middle Ages, this really horrible thing happened called the Black Plague. It's considered about 50% of the world population at the time, went down to this in the span of literally only about a decade in 1340 to 53.
Speaker 1 (08:41)
And there's also, Incidentally where passports were invented. The very first passports that we know of were actually your health status document. So it's always interesting to me when people get all huffy about passports for health, that's actually what they were invented for around the Black Plague. And so as the Black Plague finally burned its way through Europe, this is when what we now call the historic Renaissance. And as people were reemerging back onto the scene and trade really started coming across the world, and it was happening by boat, by land. This is when a new form of cryptography really had to be invented so that information could get pushed from one end of the known world to the other and only be decrypted by the people that they wanted to the person who invented that, which is an Italian named Alberti, and he invented the Poly alphabetic cipher, which is kind of like the Captain Crunch decoder ring, where if each side has it, it's a little bit more advanced than the kind of cryptography that we had with the skiddali that was later built on by the French cryptographer Virginia Air, and the Visionary Square, which adds another access to the whole encryption process, making it much more difficult.
Speaker 1 (09:59)
And this actually is pretty close to what we get into all the way up into the 20th century types of cryptography. And the other thing that happened right around this time is the conversation that I had with Josh. That was the thread that I had not really picked up on, is that at that time, it was the time where a new ledger system was invented and the ledger system was double entry accounting. So basically, it's the way that you still use QuickBooks. This is the way that QuickBooks works, or any accounting system that you have an entry for an input and an output. And what this did that was really important was that it helped decentralize trade, and it allowed for a decentralized organization to use a ledger that everybody understood and make that work. And the Medici family, who was really a large crime syndicate of a bunch of criminal activity, originally they use this as a way to keep track of all of their various economic doings. And then later they became one of the largest banking families. They didn't invent the double entry accounting, but they were the ones who use it most effectively early on and started putting it out there.
Speaker 1 (11:12)
So this is the first ledger system. And as we know how ledgers work is used to be with people, this started to become a non people based ledger. And just like that, just as that went from people to a more mechanized system, so did computation. Computation was originally computers were people, and they would compute things. But then as we get into the age of the kind of mid 18 hundreds, you have Charles Babbage building fairly complex mechanical computers and was a good mathematician himself. And he actually invented, as far as we know, or at least discovered, the statistical analysis method to attack the Visionary Square. And both those things are still in use today in a way, and up until the most modern cryptography. And he was actually using this during the Crimean War. He didn't document it very well because it was during wartime. I think he didn't want that secret to get out. So Kasiski was the one who we often credit with figuring out this method of attacking the visionary square. And so now you have this problem of your cryptography not really working very well. Right. And that problem had to be solved as we get into the modern era, as computers started getting better and better.
Speaker 1 (12:29)
That's how we started doing much deeper encryption that way. And then we get into the modern era. Right. So the modern era is another pandemic. It's clearly not half the world population we hope is going to be affected by this. But we are here, and we've definitely been in a lockdown similar to the time of the Black Plague. And we are emerging from it. And we also have a new ledger system, just like they did coming out of the Renaissance. But this ledger system makes it so that the trust agents don't have to be people again, moving from people to non people based systems. And that's the blockchain. So we have the blockchain that allows us to have a distributed ledger system that everybody trusts, that a thing happened at a certain time. And then, of course, currencies have been built on this system and new forms of arbitrage. And that's why you guys are all here today. As I said, I was going to wrap this all the way up into the present moment and also think a little bit about the future. I think it's worth thinking about what is going to happen next if we're building a system that might be in place for hundreds of years or a thousand years.
Speaker 1 (13:41)
Do we think that I don't know. This is a picture of one of the most advanced computers in the world, which I think is hilarious what that looks like now. It looks like something from the original Dune movie, but it's a quantum computer. And it seems like there's an arguable position that quantum computing may both break modern cryptography and have to create a new form of cryptography. And there's going to be a time in between, just like there was in the past, where cryptography is out of sync with the information. And I think it's just worth us all thinking about that deep future of cryptography ledgers and how it affects society and arbitrage and war as we move forward to the rest of the day. Thank you.
Speaker 3 (14:24)
That was Alexander Rose, the executive director of the Long Now Foundation, speaking about cryptography throughout the history of the world. Now I want to turn it over to ISIS. Adora Lovecraft ISIS is a cryptographer who works as a core developer on Tour, is a contributor to Signal Messenger, and consults on research at MobileCoin. Isis joined the Crypto Renaissance Conference to speak of Outbreaks, a cryptographic technology that MobileCoin uses to preserve the Privacy of its users. Here's ISIS.
Speaker 2 (15:01)
Hi, I guess you can all hear me. We have a slight diversion from the very pretty well designed slides because mine have a lot of math, so they're written in Latek, and they're very academic looking. I apologize for that. Hi, my name is ISIS. My pronouns are they them. I work half my time at Mobile Coin, and the other half of my time for my own company, where I consult a bunch of places on Twitter. If you want to find me, I'm at ISIS Lovecraft. I was a Core Tour developer for ten years, and I've been a contributor to Signal since 2012. I've made a number of other contributions, including to EFF, Rise Up, Zed Cash, and numerous other Privacy preserving protocols, and I've been consulting to Mobile Kind since 2018, since I believe they had seven or eight people employed at that time, and they've grown enormously since then. It's been really impressive to watch, and I have also done security and cryptographic consulting to a number of Fortune 500 companies since 2007, including work that led me to find security vulnerabilities in the cryptographic libraries used by Bitcoin and Gnomepg. So today I'm going to be talking about Restrato, which is an underlying cryptographic construction that Mobile Coin uses in a lot of pieces of its infrastructure.
Speaker 2 (16:32)
Restrato. Some people would call it an Elliptic curve. It's not technically an Elliptic curve, and I'll get into that later, but it was something I designed, along with Mike Hamburg and Henry Devalence. Mobilecoin uses regretto internally for ring signatures, which are used to sign transactions without revealing the identity of the signing party. We also use Restrato for Bulletproofs, which are how MobileCoin is able to create private transactions which do not reveal the transaction amount or account balances, while at the same time proving that the amounts were valid and no new coins were generated or lost. Facebook is also using Restrato for signatures and serial knowledge proofs within its Navy and Libra cryptocurrency. Salana is using Restrato within its Berkeley packet filter format, and other primitives. Tari Labs is using it as well in their Asset protocol, which draws upon Mimble, Wimble, and Interstellar, as well as using Restrato for Bulletproof. And Signal is also using Restricted for the anonymous credentials used to implement the access control schemes within Signal Group chat, which is work that I did with Moxie and Trevor Parent. So the history of restricto, you might ask why we already have Elliptic curves.
Speaker 2 (17:47)
They're already fast. We have a bunch of libraries that support them. Why would I go off and make a new one? Restrada was designed in the context of doing research for a project which I called Hyphae, which is a censorship resistant mechanism for distributing shared secrets in the presence of actively malicious adversaries. So the context for this was while working on Tour, there are these things called Tour bridges. There are secret entrances into the Tor network, and it was my job to make sure places like the FBI, the NSA and the government of China didn't get access to these. Only people who wanted to use Tor could have access to these, because if the government got them they would get blocked. So I need a way to not only know that I'm giving something to a human and not a bot, but I need to know it's a good human, which is pretty hard to do. So Hyphae used anonymous credentials to convey two things, one humanness, which the intuition here was why fill out a capture if a bot can do that? Why pay money? If someone richer than you has more money and can pay for more resources?
Speaker 2 (18:48)
Why do a bunch of computation and waste CPU time when you can prove humanness by showing who your friends are? But obviously I also don't want to know who your friends are. So I designed a way to create an anonymous social graph and that would be used for proof of humanness. The other thing that it did was it used an anonymous reputation system built on top of a microcurrency where users earn points for good behavior and spend points for access to resources. For example, if you wanted to add someone to your social graph anonymously, you'd spend some of the points you earned using these secret entrances to the network and you would get a token which you could give to your friend and they'd get invited into the system and start earning points as well. And so for this we need a lot of complicated zero knowledge proofs, and there were some problems with trying to do these with Elliptic curves, which I'll get into. So first basic intro to cryptography. I'm sure a lot of this is not going to be new to anyone here. So cryptography is the science and art of utilizing mathematics to hide and or authenticate information in the presence of adversarial parties.
Speaker 2 (19:55)
Modern day cryptography, as Josh mentioned earlier, began with the introduction of the Diehlman protocol in 1976. This is a manner for two parties in plain view of an adversary to establish a secure channel. So to recap two party Elliptic curve Diffie Hillman, Alice generates her secret key Little A as being randomly sampled from the set of integers, mod some usually large prime queue. And to produce her public key she takes G, a generator of the group which both I'll get into what that means in a second, which both parties have agreed upon. And she simply multiplies her private key by the generator and gets big A. Her public key, which she then sends across to Bob. Bob generates his private key little B and public key big B in the same manner, and again sends big B across to Alice. Alice computes the shared secret as her secret key little A times Bob's public key, which is equal to little A times little B times the generator without her knowing little B. And again Bob does the same thing, but in reverse. He takes his secret key, multiplies it by Alice's public, and arrives at the same shared secret.
Speaker 2 (21:04)
So in cryptographic constructions we frequently make use of finite cyclic fields, also known as Gala fields. Finite fields have two operations, both addition and multiplication. This implies their inverse operations, namely subtraction and division, respectively. On top of this, I guess I should give an example of finite field arithmetic. So normally I said Q is usually some big prime here for the sake of simplicity. So you can just see the numbers and actually do the math in your head. We'll just take Q to be five. So we have the set of integers mod five. We call each thing within the set and element. So in this group we have five elements. The number of elements is also known as the order of the group. In this case they are 0123 and four. One element is always the additive identity, in this case zero, which means that when added to any other element P, the result will simply be P. So obviously, taking two, adding zero, we still get two. Taking three add zero, we still get three. So in the case of finite fields of prime order, every element of the group is what is called a generator, which is something that I mentioned before in the previous slide.
Speaker 2 (22:14)
The G that Alice and Bob were multiplying their secrets by any generator in a group added to itself. The reason it's called a generator, because if you add it to itself repeatedly, it can generate every other element of the group except for the identity element. So if we're taking two here from this group above, we add it to itself, we get four, we add two again, and we wrap back around because it's mod five. So we get one, we add two again, and we get three, and thus we've generated one, two, three, and four. Every element but the identity so important properties of these groups. Again, they're cyclic. There's this wrapping around behavior, and they're finite. The order of the group, the number of elements in the group is countable. As I said previously, we generally want that order to be prime, which I will get into more in a second. So on top of finite fields, we build these other mathematical structures in cryptography, or at least an Elliptic curve cryptography, which are called Elliptic curves. These are defined by a multivariate equation which is used to define a collection of points, also called group elements.
Speaker 2 (23:18)
For example, the curve equation for twisted Edwards curve in afine form. And so this is the type of curve 25519, which I'm sure a lot of you have heard of. It's given as X squared plus y squared minus one equals D times X squared times y squared, where D is simply a curve parameter constant, it controls the shape of the curve. It's not really important in this context. Again, it's defined over a finite field, and the arithmetic of these mathematical structures have only one operation, namely the group operation, and it's usually modeled for simplicity as addition between the elements or addition of Elliptic curve points. Elliptic curves also, like finite fields, have order, but in this case it's a count of the number of valid points defined by that curve equation. And in cryptography, especially for signatures within digital assets and ledger transactions, as well as within zero knowledge proofs like those used in signal and those used in the design for Hyphae, especially in Privacy preserving protocols where auditability might be more difficult, we usually want the order of the Elliptic curve to be prime. So what happens if it's not prime? A lot of Elliptic curves used in practice, like Ed Four Four Eight and Curve Two 5509 have this thing called a cofactor.
Speaker 2 (24:32)
When it's not prime, usually there is a large prime order subgroup. So pick this big number Q, this large prime number. There's another number that is actually the total number of points on the group, and we call that a cofactor. So you can visualize the prime order subgroup as if you're imagining like an analog clock. So we have 12 hours on this clock, and we have maybe a naively written program that's simply checking if the time is 230, it's not checking if the time is 02:30 A.m. Or 02:30 P.m., because it wasn't well written code. And so you have two times that can satisfy this restraint, which may not be the intended behavior for a lot of applications. Instead, in this case, the curves we were working with, modifying and creating restrato over have cofactor eight. So if you can imagine a clock with only 3 hours zero one and two, and then 03:00 is obviously zero again, and instead of having a M and P M, we have like A-M-P-M-B GM, it's a mess. There's eight of them. And so if I have again a naively written program that's asking is the time to 30, there is now eight different times that it could be when your alarm could go off, which sounds pretty bad.
Speaker 2 (25:47)
In the case of digital signatures, especially, this can result in two signatures, or in some cases eight signatures where group elements are comprised partially within the prime order subgroup, but also contain this torsion component due to the cofactor. So this is awful because it's incredibly dangerous. It's also a pain to check for. It requires a cryptographer, basically to sit there and look at your math and look at your code and carefully decide when things might need to be multiplied by the cofactor and then checked for the identity element. Mistakes in these checks have resulted in numerous real world bugs, including how many people are familiar with the concept of a double spend bug. Okay, so they've resulted in octopuspend bugs, where given one valid transaction, I can create seven other transactions, which is great if you want to steal or print money, but other than that, it's not super ideal. The check is also exorbitantly computationally expensive, often increasing the time for a cryptographic algorithm to complete by several orders of magnitude. So while you could use these older lifted curves and you could do the checks in the right places, and hopefully you got that right, your code is still going to be way slower than using a group that was designed for a general cryptographic use case.
Speaker 2 (27:02)
So this is why we designed Rosto, which is an abstraction layer over non prime order Elliptic curves. Using practice, Restrato provides cryptographic engineers with the expected API, a prime order group using fast Elliptic curve arithmetic under the hood, where they don't need to worry about doing these checks. This provides a safe and efficient API for numerous recently developed constructions, including zero knowledge proofs such as Bulletproofs, which are used in mobile coin and a bunch of other places, and Privacy preserving means of authentication such as ring signatures. Again, technology that MobileCoin uses threshold signatures and anonymous credentials such as those in signal restricto, again is significantly faster than performing the previously required safety checks. Internally, Restrato group elements are represented as Elliptic curve points. Although it is very important in our design that the Elliptic curve must never be exposed through the external API, as Restrato is actually just curve agnostic, it's dealing with this cofactor problem. It's not specific to any curve. So another mathematical construct which is important internally to Restrato, and I promise I will only touch upon this briefly is the concept of anisogyny, which is a beautiful subfield of mathematics. So isogeny is a bijective mapping between the set of points on Tuliptic curves.
Speaker 2 (28:19)
Visually. If you want to understand this, if you could imagine, like my hand is isomorphic, my left hand is isomorphic to my right, there's a point on the tip of my thumb here which maps to this point here, and vice versa. So the same for these curves. One point on one curve will map to one point on another curve. Restrato uses isogenes in another construct called a Coset internally to map the Elliptic curves between points to another curve, and thus reduce the cofactor. Because internally what we actually do is map to a structure called the Jacobi Cortic, where it's Cortic in nature, like that political Compass meme and we choose the lower left Quadrant of course to canonicalize to, and thus we're able to cut four out of the cofactor of eight. And then again we isogenised to the Montgomery form of the curve, which we use to eliminate the final factor of two and produce a prime order group. So more details and write up on our construction is available at our website at Restrato group. In addition, we are also working on an IETF draft. At the moment on standardizing our work, there are numerous restricto implementations.
Speaker 2 (29:30)
These are not all of them, these are just some that the team has looked at and contributed to and approve of. So the first was in Rust in Mine and Henry's library Curve Two five five $9 in Java by myself and Jack Grigg who is at the Zed Cash Foundation. Another in C by Frank Dennis, another in portable C by myself which I will get into more in a second and another in Go by George Tankersley, Philip Alsourta and Henry Devalance. An assembly script again by Frank Dennis, TypeScript by Paul Miller and JavaScript by my colleagues at Facebook Lara Nicolenko and Kevin Louis. So if you want to support any of these projects which are using Restrato and you want to also use hardware tokens or hardware security models for securing your infrastructure such as you want to use like a hardware wallet to secure the coins that you own or you want to use an HSM to do offload the cryptographic operations of say like a blockchain validator node that you're running somewhere, you'll need to support restrato most of these hardware solutions that I've seen use a library called Ed 25519 Donna for curve 25519 support.
Speaker 2 (30:44)
This is written by my colleague Freddie Berry so I've created Restrato Donna as a dropin set of patches which provides Restrato support without altering the API of this library that's in use on most of these in the firmware of most of these devices such that you don't actually need to change any of your code. You drop in a set of patches and magically you have restrated support. You can now do things like have a mobile coin wallet in hardware. It's open source and freely licensed and it's available here.
Speaker 3 (31:29)
That was ISIS Agora Lovecraft speaking about cryptography at Mobile Club and before that you heard Alexander Rose on cryptography throughout history. Both of the talks on today's episodes were originally featured at the Crypto Renaissance conference hosted by MobileCoin in December 2021. That's it for today's episode. Don't forget to subscribe to Privacy is the new celebrity on Apple or Spotify or wherever you get your podcast. And check out Mobilecoinradio.com where you can find our radio show every Wednesday at 06:00 P.m.. Pacific Time. That's also where you can find the full archive of podcast episodes. I'm Brady Forrest. Our producer is Sam Anderson and our theme music was composed by David Westpalm. And as we like to say at MobileCoin, Privacy is a choice we deserve.