-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Powers of Tau Attestation ============================= Round: 57 Date: 2018-02-13 Name: Sean Kelly Location: Galway, Ireland The BLAKE2b hash of `./response` is: 40db756c fdceae76 5472590b c0dd9ec1 7fa70475 f1cc9ef5 fdf99e0d 750cd6a2 ce010c95 b59130c6 d8c12eb2 c7fe5296 8858fca9 d6ba7bcb 67b391cf b1f5401d Methodology ============================= Firstly, thank you for organising this and for the opportunity to participate. In a similar way to Matt in round 4, I decided to leverage a cloud provider's security (this time Microsofts) by running the computation using Azure (https://docs.microsoft.com/en-us/azure/security/azure-security), thus introducing an additional channel that would need to be compromised by an attacker (now Microsofts cloud security will need to have been compromised as well as Google's and all other participants). >From Azure Managent Portal, I created a "Jumpbox" Compute Instance (D2s v3) with public IP for downloading Rust, the Powers of Tau utility and the challenge file. I created 2 additional "Calculation" Compute Instances (E2s v3) without public IP's to perform the computations, these VMs were located in different datacenters (1 in Europe and 1 in the US). I used Ubuntu Server 16.04 as the OS for all VMs. >From Azure Storage Manager, I created an Azure Files share that I would use to transfer the files to the Calculation instances. >From the Jumpbox, I downloaded Rust (v1.23.0), Powers of Tau (from github.com/ebfull/powersoftau commit d47a1d3d1f007063cbcc35f1ab902601a8b3bd91) and the Challenge File (from S3). I transfered these files to the Calculation instances and ran the computation from each instance simultaneously using random keyboard inputs for additional entropy. Once the responses were computed on both instance, I selected one of the 2 response files by the flip of a coin. I copied the file to the Jumpbox and deleted both Calculation instances. I then submitted its hash to the mailing list (above) and uploaded the file to S3. I also posted this hash on Twitter (https://twitter.com/SeanKe11y/status/963592537310203905). Finally, I deleted the Jumpbox compute instance and any other Azure resources that were used to support the process. Sidechannel Defenses ============================= * I used my personal laptop (I'm reasonably confident that it's secure) for connecting to Azure, it didn't leave my sight for the duration of the process. * I used a free Azure subscription I have that had never been used before for any purpose. * I connected to a VPN server in a country that I had never connected to before prior to beginning the process. * I downloded a browser I had never used before and used this for some of the steps (I used PuTTY for everything else). * The computations took place within Azure's datacenters leveraging their security best practices. * I ran the computation on multiple VMs simultaneously in two different datacenters on different continents and randomly chose a response to use. * I deleted all VMs and associated Azure resources after the process was completed. * I didn't tell anyone I know that I was doing this, in case they are spies. Sean Kelly -----BEGIN PGP SIGNATURE----- Version: Mailvelope v2.1.1 Comment: https://www.mailvelope.com wsFcBAEBCAAQBQJag5fYCRCd9XEg9LQ87AAAiSwP/jHtBCVuB8skitvrAl6p IUQrWjsCbeBj878qlqc7ejAu3zUKwTlh9v7BAqDrT71IDzZo9kNbcZGFW9X5 9c2Q7nnpo6Yk5Bf9Be7IoDLcrjPeM9O4aoKHirJlTdGpUmmmfHnDD6Og7DKk ARxDZzy1vliNfVVZ3YhTP/gX/de5E+naV+NZqDksO1wTzkggK+PWxyvTRtM5 c7epzgJN0y7K/Zau0TpCF6pkZEN8FJTF+za8G7/+xF/HhS5u1p9gd/NZBHHf M4UBl0u5Ple8bOJxLfuE52s8O74G9vQ8byRzQJW5xAOAdmB0K4GZNFLeL7pj oVxoqTxzJQsK8g5DINnWwa9ZxoMpdvJ3u31lmFeX9meSOcSZW3z7z+e0rBlS jQ6dtdzGV4QC12lTWLbdBGbbS/smWYquly5Mvrx0rQ2nVwC2V38Hx31GEb7X HStmc3KK4IoaY4ZQ3ktLPkHgpGAdjoeHTWPQPoAwPKHE4pTyeJJAzi3amL6g So/E0X9WRWf2HPMiNqZynRMRIs2sPUGAzn6Yf0phzja/N50fx0nxnPLmKO3t W5EbGJIbVPmY7rzSkXJ/K8vjQ1GEwzaNVi+HedZYYSRSdezc6uP0I/HqxQn2 Wifd6bTkAoR9TbIECQWBhn2+QKOsWX0RHrpMWqMYDd3SaFHTYvQv9xnkWxcZ 6vfi =Cva/ -----END PGP SIGNATURE-----