HashCloak Newsletter March 2023

hashcloak.substack.com

What the HashCloak team has been reading and up to in March 2023

hashcloak
Apr 7, 2023

Welcome to the March edition of the HashCloak Newsletter! In this month's edition, we'll be sharing our latest insights on privacy and highlighting some of our recent projects and collaborations. We'll also be sharing interesting reads and research that we think will be valuable to our readers. Thank you for joining us on this journey and for your continued support of our work!

Stuff We’ve been reading

  • A new series of videos on zero-knowledge proof composition and recursion (part 1)

  • SEC554: Blockchain and Smart Contract Security

  • Building Secure Smart Contracts

  • Audit Hero

  • Sarkar and Singh - A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm

  • ERC 4337 and MPC: Friends or Foes?

  • Introducing Pyrometer

  • What are Rollups?

  • Florian Hess - Pairings

  • Reentrancy Guard 2.0

  • Introducing Avocado! - Making web3 UX simple

  • Systematic Approach to Maintaining EVM Compatibility and Security

  • ZenGo uncovers security vulnerabilities in popular Web3 Transaction Simulation solutions: The red pill attack

  • “Damn Vulnerable DeFi” Creator Teaches You How To Audit

  • Uncloak - Readme

Stuff We’ve been playing with 

GitHub Links

  • GitHub - ZhangZhuoSJTU / Web3Bugs

  • GitHub - Ackee-Blockchain / woke

  • GitHub - dvyukov / centipede - Blender: Automatic whole-program fuzzing

  • GitHub - x676f64 / secureum-mind_map

Stuff We’ve been watching

  • Fuzzing Labs - Patrick Ventuzelo: $100,000 in Bug Bounty

  • Nigel Smart - 3rd BIU Winter School on Cryptography: The basics of elliptic curves

Interesting HashCloak Research Project of the Month

As part of our working engagement with Fuel Labs, we have been working on implementing various cryptographic primitives in the Sway programming language. We have been implementing NIST standardized cryptographic hash functions, elliptic curves and signature schemes.

You can check out our work in the following repositories:

  • https://github.com/hashcloak/fuel-hashes

  • GitHub - hashcloak/fuel-crypto: Various Cryptographic Primitives in Sway for the Fuel VM

Special Purpose Cryptography Protocol of the Month

As part of our consulting practice, we notice that many clients try to shoehorn general-purpose cryptography techniques such as ZK-SNARKs into problems for which there are well-studied, understood and implemented special purpose protocols. In this section, every month, we hope to give you a taste of a useful special purpose protocol in order to better educate you on good composable cryptographic design principles. This month, we will provide a short summary of the Signal private group system and the anonymous credential protocol used within the Signal Messaging app.

Signal is a messaging application with millions of users that makes use of end to end encryption in order to enable users to privately communicate with each other. A feature that Signal originally lacked is the ability for its users to create group chats in which members can communicate with each other privately. However, this brings with it a few difficult tradeoffs to make. Many constructions in the literature for creating private groups in which an outside observer cannot discern who the members are rely on a trusted third party. In many of these constructions, the trusted third party handles everything regarding group membership, credentials, etc. In the past decade, many works have come out to improve these constructions by limiting the power of the trusted third party. 

In Signal’s private group messaging system, the server is untrusted and a malicious server can only disrupt service. As such, the protocol doesn’t rely on an honest server to issue credentials, or manage the membership list.

In order to achieve these properties, Signal’s private group system relies on verifiable encryption, zero-knowledge proofs and keyed verification anonymous credentials (KVAC). The use of verifiable encryption allows users to deterministically encrypt/decrypt without relying on the server. The use of zero-knowledge proofs allows users to independently check the validity of IDs and profile keys and to authenticate to the server without revealing sensitive information about their own profiles. KVACs are used to create profile keys and identities such that 

  • The issuer and the verifier of a credential are the same entity

  • Message authentication codes (MACs) can be used instead of signatures

  • A credential owner can show that they have the credential to multiple parties without linking instances of these showings, i.e., the KVAC scheme used has multi-show unlinkability
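To make the three KVAC properties above concrete, here is an added toy example (our own illustration, not code from Signal's zkgroup) of the algebraic MAC at the heart of such schemes: the issuer and verifier share one secret key, tags are MACs rather than signatures, and a holder re-randomizes the tag before every showing so that showings cannot be linked. It runs in a constructed 62-bit safe-prime group and omits the zero-knowledge proofs and encrypted attributes that the real protocol adds on top of the MAC.

```python
import secrets
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Deterministic Miller-Rabin; exact for n < 3.3e24 with these bases."""
    if n < 41:
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits=62):
    """First safe prime p = 2q + 1 with q >= 2**bits (toy parameters, constructed)."""
    q = (1 << bits) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime()   # group: quadratic residues mod P, prime order Q
G = 4                 # 4 = 2^2 is a QR mod P, so it generates the order-Q subgroup

def keygen():
    """Secret key (x0, x1) held by the single issuer/verifier; there is no public key."""
    return secrets.randbelow(Q), secrets.randbelow(Q)

def mac(key, m):
    """Issue a tag on attribute m (an integer mod Q): (u, u^(x0 + x1*m)), u random."""
    u = pow(G, 1 + secrets.randbelow(Q - 1), P)
    return u, pow(u, (key[0] + key[1] * m) % Q, P)

def verify(key, m, tag):
    """Checking a tag needs the secret key: only the issuer can act as verifier."""
    (x0, x1), (u, up) = key, tag
    return u != 1 and up == pow(u, (x0 + x1 * m) % Q, P)

def rerandomize(tag):
    """Holder re-randomizes before each showing: (u^r, u'^r) still verifies but is unlinkable."""
    r = 1 + secrets.randbelow(Q - 1)
    return pow(tag[0], r, P), pow(tag[1], r, P)
```

Two re-randomized showings of the same credential verify under the issuer's key yet share no group element with each other or with the issued tag, while a tag presented for a different attribute value, or checked with another party's key, is rejected.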

If you want to learn more about the protocol and its implementation, you can visit the following resources:

  • https://eprint.iacr.org/2019/1416

  • https://github.com/signalapp/libsignal/tree/main/rust/zkgroup

  • https://github.com/signalapp/libsignal/tree/main/rust/poksho


We hope you enjoyed reading the March edition of the HashCloak Newsletter and gained valuable insights into our latest research and projects. Our team is always striving to stay at the forefront of privacy innovation. We're excited to share our latest progress with you and look forward to continuing this important work together.

Subscribe to our newsletter to stay up-to-date with our latest insights and research. 

Follow us on Twitter to find out about any announcements we make on our engagements or internal projects.


Schedule a call with us to engage in R&D, security auditing or any other potential collaborations:  https://calendly.com/d/hhc-dnq-wfd/hashcloak-services-inquiries.
