Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
IPFS / IPFS Camp 2022 / 2 Nov 2022
IPFS / IPFS Camp 2022 / 2 Nov 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Vision: Privacy-preserving, P2P communication over libp2p - Will Scott

Description

What does a private peer-to-peer network look like, and how do we get there?

A

My name is Will Scott I'm, going to kick off the lib P2P privacy track this afternoon. This is a intro and vision. Talk around the P2P privacy, um I'll start with a brief introduction of myself.

A

My name is: will uh recently I've been working mostly on content, routing and a little bit in data transfer, so those sort of core layers of what it means to be a peer-to-peer network uh in some ways and then in my 20 time, I guess I've also been helping think about how to to push our our privacy story forward, uh and so this summer we um spun up a blue fund, uh and so there was um a bunch of talks over the last few days around funding the commons and around what PL means when it talks about blue funds, but essentially there's a funding program that came into existence over the last few months, where we're offering money for external uh prototyping and projects that want to think about uh privacy, for contender, address data and for peer-to-peer networks in ways that can lead to us having a better story.

A

So uh this is a fairly brief talk, but I'd want to cover three things: um the first and sort of what I'll spend most of the time on is what what do we mean when we talk about a private peer-to-peer Network? What what is it that we're? What is what are these North Stars or what? What is this like direction?

A

We're heading I'll talk a little bit about tactics to get there and then I'll finish with just a bit of logistical things uh in terms of what what is the schedule for the rest of this afternoon?

A

um Okay, so let's talk about what we mean or or what it, what we could imagine when we're talking about privacy in a peer-to-peer context, there's a few different layers of privacy right I'll start at the at the bottom, which is you could just encrypt your messages right, that's better than not encrypting your messages that gives you a layer of privacy that limits who else can see what you've said because you've taken the other person's identity.

A

Maybe you've exchanged that out of band somehow you encrypt and you limit who can see the actual conversation that we're pretty good we've we've we've we've like we've got end-to-end encryption as a thing. That's like pretty pervasive in a lot of our messaging protocols that one's covered there's a set of things around the communication patterns, and so this metadata question, that's really the heart of the hard part right so can I, understand, communication patterns of who is talking to whom um or or additional access patterns. Maybe the size of the messages.

A

There's just a lot of things that leak Beyond, just the direct encryption and that's sort of the heart of what we end up talking about in wrestling with is how to make that set of leakages uh minimized.

A

There's a final part at the top, which is are you participating in this network or not um I? Think lip b2p is actually like this really interesting answer to that top level.

A

Question in that, it's pretty easy to identify that you are a lib P to P node, but it's harder to distinguish which lib P2P Network you are participating in and so by having well I'm, just a lib P2P participant, that's a lot less scary to people than oh I'm, a tour user or something right, and so by making these General peer-to-peer Network protocols like HTTP, you can gain enough adoption at the top level that you've got the space to protect more sensitive, Communications.

A

Okay. So so, if, if we focus on sort of this middle bit of of being able to protect your actual access patterns and what that means in peer-to-peer, you you've got a whole set of techniques again um and a lot of these, the there's a core trade-off in overhead and and sort of these like well, you know what what is the like set that I'm going to be able to hide in and as I make that set bigger I end up having to do more work or be less efficient.

A

um One way that you can make that trade-off is at a at a network traffic level, so I can either use techniques like mixnets, uh so think think, tour or a full mixed net like like Nim, or something where, where I, send my traffic and indirect it through a few other network hops.

A

In order to have it become sort of mixed with other traffic, that's flowing through the network and so I trade off latency and I trade off the fact that I'm going through multiple computers, instead of directly that's going to take longer I'm going to pay for that bandwidth and as as a longer path. That's more expensive but but I'm growing.

A

This set of other messages that mine could potentially be confused with there's another set of things that that use cover traffic instead and so, instead of thinking about it as well I'm going to like go through this long path. It's that well I'm, going to send out my message, but I'm also going to send out a lot of other decoy messages that don't actually contain the real thing. I care about, and so it'll be harder for. Someone to know which one is the real message, because I've also have a network.

A

That's sending a lot of sort of fake data that looks like it might be a message, but that obscures the real communication patterns in it. So I think uh vuvuzela is a is a paper you can look at and stadium and so forth. There's a line of work on models for cover traffic to hide your communication patterns.

A

The other overhead that we could think about is starting at a cryptographic, computational level um and so you've got a set of cryptographic. Primitives like zero knowledge, uh fully homomorphic encryption, private information retrieval where you're trading off a computational overhead in exchange for having a direct server that that's getting a query from being able to fully understand what that query is asking, and- and these are just a few examples- there's other techniques that play into this.

A

There's things like o Ram there there's a lot of cryptographic uh work in this space and a lot of where that is is trying to figure out. How do you get that to scale up to the sizes of networks that we're looking at in practice? So things like homomorphic encryption are taking Maybe hundreds of milliseconds or seconds to answer a simple query, and so is that is that a latency bound that you're willing to to pay to to you know, evaluate a circuit or do these various things?

A

um Private information retrieval is as practical as any of these I think um and and what it limits is uh uh well, there's a couple different formulations, but the the the one that's maybe.

A

The one that's very satisfying, uh it's not necessarily the most practical um ends up doing a very expensive, read uh every time. There's a query: if you can keep your database that you're uh making this set of anonymity fully in memory, you can actually amortize this down to a level where you can make a pretty practical server, but you have to figure out then your broader system question to be able to talk about okay.

A

How do I have each node in my peer-to-peer Network when it gets a query? What is the right set of 10 gigs, like what you've got some memory size that you're willing to have as that memory footprint and that that becomes your anonymity setting? So you have to choose that somewhat carefully um and you have to know ahead of time what that memory looks like to some extent.

A

Okay so there's a few different ways to talk about privacy, probably the the most useful one um in this context of a peer-to-peer network is linkability, which is, can I link the action and the effect on the network with the person creating it. So can I can I, say: okay, there was some end recipient of a message. Can I link that back and so you're? Looking?

A

You can express this in a statistical way and talk about given in adversaries view, as the view changes how much of the network overall traffic can they link um that there's a few different ways that you would construct this but you're, but the the end property that you end up often wanting to be able to describe. Is this um de-anonymizing potential of different levels of an adversary and and the core thing that we end up uh staring at?

A

Is that as you're trying to convolve with a large anonymity set, you have to get all of that stuff to potentially be in the same place, and that ends up being this inefficient thing, because if you're, actually a decentralized peer-to-peer Network, you don't want all of your traffic to go to some choke point. uh And so, if you're staying out on the edges, uh how is there the potential that it's some other far away effect that could be misrepresented as the one that I'm doing?

A

And so you end up with a smaller anonymity Set uh through that decentralization.

A

The the flip side that our adversary models don't do a great job of is taking into account the physical realities of the world. I, guess, which is that when you think about what is the adversary, what does it mean for the adversary to be able to monitor stuff? We often talk about a few different things. One is you've compromised, some subset of the hosts right.

A

So so, if I've got my malware on some nodes, that is an adversary model that is really the same if I've got a centralized service or if I've got a decentralized or a peer-to-peer service, but we also talk about sort of like oh, but what? If the nation state is able to monitor all the traffic in their administrative region or or what you know has some broad view of the network, um but the the interesting thing there is it.

A

When you look at what nation states have built for their surveillance systems to monitor the traffic going through their systems, it's pretty cheap for them to put those monitoring systems at the big internet exchange points in the big cities, where the undersea cables show up at their borders being able to monitor all of the edge traffic.

A

So if I was to send traffic to some other user on the same ISP in Lisbon in the same city, that's maybe getting to the Metro pop the point of presence of this local ISP, um but it may even be getting even sub Regional, depending on how they're doing their load traffic and so getting full monitoring of these uh very sub-regional hyper local communication lines is actually much more expensive to build a surveillance infrastructure over the whole thing and that's something we should be trying to take advantage of, and thinking about, the fact that, if you're able to make Communications, certainly on your Lan but but really within the same ISP or as level topologies, you should think of those as harder to monitor in some sense, by a global adversary.

A

You have to be able to separate your adversary model and talk about this. You know uh nation, state, Global, adversary, uh defenses and how you're going to uh defend against that separately from malware like things but there's a set where we can actually make use of the network but topology and our peer-to-peer Network to to do better um and then finally, I think. The the thing that we should remember with Liberty, especially as a modular toolkit, is that one size is not going to fit all so so add a lip P2P level.

A

Let's have building blocks so that people can build applications that work for their Network, um and so it's not we're going to have the private lib P2P here it is it's well! Okay! Do you want to have onions to connect to each other and have a thing?

A

That's fully private, or do you want to allow some users to connect in without revealing themselves, or do you want to allow some people to post privately there's a whole different realm like a whole different range of communication patterns that people might want to do on a live peer-to-peer uh based Network and we can provide building blocks to allow them to compose that I think we often get scared of what happens if someone leaks something or doesn't compose them correctly, and so we should think about guides to help steer people in good compositions.

A

That we think will not leak things and also have the you know. What are the things to remember or watch out for you know. Okay, if you also just put all of your addresses in a central database, it doesn't matter that you've, you know, made a tour transport, so there are a set of things that we should. You know, have a way for people to audit to make sure they've actually done the thing they want. um But it's not our place to say this is the right.

A

Network, okay, um I'll cover briefly tactics, I think, there's a few different things in the limb P2P ecosystem that we thought about uh that. We'll hear about over the course of today. The first is some direct building things um there there's a bunch of active work on taking especially the content, routing uh subset of the lip P2P problem, so figuring out, who has content and adding a level of derived hashes or blinded hashes such that you can't immediately understand what other people in the network want.

A

That's getting implemented beyond that, there's a bunch of stuff in the ecosystem uh and collaborations that we're doing uh that are making us stronger and letting us experiment with this broader range of of privacy options. uh I've lifted some pictures on the slide, but there's many more and then finally we're trying to increase this.

A

The community and the the focus on this problem um at a broader level, uh primarily through through funding efforts, and so that's taking people who aren't already in lip P2P but are working on problems that are useful to us and making sure that they understand our problems from peer-to-peer and from uh content. Addressing as as a core primitive that we have um and helping helping address. That.