Description
What does a private peer-to-peer network look like, and how do we get there?
A
My name is Will Scott. I'm going to kick off the libp2p privacy track this afternoon. This is an intro and vision talk around the P2P privacy. I'll start with a brief introduction of myself.
A
My name is Will. Recently I've been working mostly on content routing and a little bit in data transfer, so those sort of core layers of what it means to be a peer-to-peer network in some ways. And then in my 20% time, I guess, I've also been helping think about how to push our privacy story forward. And so this summer we spun up a blue fund, and so there was a bunch of talks over the last few days around funding the commons and around what PL means when it talks about blue funds, but essentially there's a funding program that came into existence over the last few months, where we're offering money for external prototyping and projects that want to think about privacy for content-addressed data and for peer-to-peer networks in ways that can lead to us having a better story.
A
So this is a fairly brief talk, but I'd want to cover three things. The first, and sort of what I'll spend most of the time on, is: what do we mean when we talk about a private peer-to-peer network? What is it that we're, what are these north stars, or what is this, like, direction
A
we're heading? I'll talk a little bit about tactics to get there, and then I'll finish with just a bit of logistical things in terms of what is the schedule for the rest of this afternoon.
A
Okay, so let's talk about what we mean, or what we could imagine, when we're talking about privacy in a peer-to-peer context. There's a few different layers of privacy, right? I'll start at the bottom, which is: you could just encrypt your messages, right? That's better than not encrypting your messages. That gives you a layer of privacy that limits who else can see what you've said, because you've taken the other person's identity.
A
Maybe you've exchanged that out of band somehow. You encrypt, and you limit who can see the actual conversation. That we're pretty good; we've got end-to-end encryption as a thing. That's, like, pretty pervasive in a lot of our messaging protocols. That one's covered. There's a set of things around the communication patterns, and so this metadata question, that's really the heart of the hard part, right? So can I understand communication patterns of who is talking to whom, or additional access patterns, maybe the size of the messages?
A
Okay. So if we focus on sort of this middle bit of being able to protect your actual access patterns and what that means in peer-to-peer, you've got a whole set of techniques again. And a lot of these, there's a core trade-off in overhead and sort of these, like, well, you know, what is the set that I'm going to be able to hide in? And as I make that set bigger, I end up having to do more work or be less efficient
A
in order to have it become sort of mixed with other traffic that's flowing through the network. And so I trade off latency, and I trade off the fact that I'm going through multiple computers instead of directly. That's going to take longer. I'm going to pay for that bandwidth, and as a longer path, that's more expensive, but I'm growing
A
this set of other messages that mine could potentially be confused with. There's another set of things that use cover traffic instead. And so, instead of thinking about it as, well, I'm going to go through this long path, it's that, well, I'm going to send out my message, but I'm also going to send out a lot of other decoy messages that don't actually contain the real thing I care about, and so it'll be harder for someone to know which one is the real message, because I also have a network
A
that's sending a lot of sort of fake data that looks like it might be a message, but that obscures the real communication patterns in it. So I think Vuvuzela is a paper you can look at, and Stadium, and so forth. There's a line of work on models for cover traffic to hide your communication patterns.
A
The other overhead that we could think about is starting at a cryptographic, computational level. And so you've got a set of cryptographic primitives like zero knowledge, fully homomorphic encryption, private information retrieval, where you're trading off a computational overhead in exchange for having a direct server that's getting a query from being able to fully understand what that query is asking. And these are just a few examples; there's other techniques that play into this.
A
There's things like ORAM. There's a lot of cryptographic work in this space, and a lot of where that is is trying to figure out: how do you get that to scale up to the sizes of networks that we're looking at in practice? So things like homomorphic encryption are taking maybe hundreds of milliseconds or seconds to answer a simple query, and so is that a latency bound that you're willing to pay to, you know, evaluate a circuit or do these various things?
A
The one that's very satisfying, it's not necessarily the most practical, ends up doing a very expensive read every time there's a query. If you can keep your database that you're making this set of anonymity fully in memory, you can actually amortize this down to a level where you can make a pretty practical server, but you have to figure out then your broader system question to be able to talk about, okay,
A
how do I have each node in my peer-to-peer network, when it gets a query, what is the right set of 10 gigs, like, what, you've got some memory size that you're willing to have as that memory footprint, and that becomes your anonymity setting. So you have to choose that somewhat carefully, and you have to know ahead of time what that memory looks like, to some extent.
A
Okay, so there's a few different ways to talk about privacy. Probably the most useful one in this context of a peer-to-peer network is linkability, which is: can I link the action and the effect on the network with the person creating it? So can I say, okay, there was some end recipient of a message, can I link that back? And so you're looking...
A
You can express this in a statistical way and talk about, given an adversary's view, as the view changes, how much of the network overall traffic can they link that? There's a few different ways that you would construct this, but the end property that you end up often wanting to be able to describe is this de-anonymizing potential of different levels of an adversary. And the core thing that we end up staring at
A
is that as you're trying to convolve with a large anonymity set, you have to get all of that stuff to potentially be in the same place, and that ends up being this inefficient thing, because if you're actually a decentralized peer-to-peer network, you don't want all of your traffic to go to some choke point. And so, if you're staying out on the edges, how is there the potential that it's some other far-away effect that could be misrepresented as the one that I'm doing?
A
And so you end up with a smaller anonymity set through that decentralization.
A
The flip side that our adversary models don't do a great job of is taking into account the physical realities of the world, I guess, which is that when you think about what is the adversary, what does it mean for the adversary to be able to monitor stuff, we often talk about a few different things. One is you've compromised some subset of the hosts, right?
A
So if I've got my malware on some nodes, that is an adversary model that is really the same if I've got a centralized service or if I've got a decentralized or a peer-to-peer service. But we also talk about, sort of like, oh, but what if the nation state is able to monitor all the traffic in their administrative region, or, you know, has some broad view of the network? But the interesting thing there is it...
A
So if I was to send traffic to some other user on the same ISP in Lisbon, in the same city, that's maybe getting to the metro PoP, the point of presence of this local ISP, but it may even be getting even sub-regional, depending on how they're doing their load traffic. And so getting full monitoring of these very sub-regional, hyper-local communication lines is actually much more expensive, to build a surveillance infrastructure over the whole thing. And that's something we should be trying to take advantage of, and thinking about the fact that, if you're able to make communications, certainly on your LAN but really within the same ISP or AS-level topologies, you should think of those as harder to monitor, in some sense, by a global adversary.
A
You have to be able to separate your adversary model and talk about this, you know, nation-state global adversary defenses, and how you're going to defend against that, separately from malware-like things. But there's a set where we can actually make use of the network topology and our peer-to-peer network to do better. And then finally, I think the thing that we should remember with libp2p, especially as a modular toolkit, is that one size is not going to fit all. So at a libp2p level,
A
let's have building blocks so that people can build applications that work for their network. And so it's not "we're going to have the private libp2p, here it is." It's, well, okay, do you want to have onions to connect to each other and have a thing
A
that's fully private, or do you want to allow some users to connect in without revealing themselves, or do you want to allow some people to post privately? There's a whole different realm, like a whole different range of communication patterns that people might want to do on a libp2p-based network, and we can provide building blocks to allow them to compose that. I think we often get scared of what happens if someone leaks something or doesn't compose them correctly, and so we should think about guides to help steer people in good compositions
A
that we think will not leak things, and also have the, you know, what are the things to remember or watch out for. You know, okay, if you also just put all of your addresses in a central database, it doesn't matter that you've, you know, made a Tor transport. So there are a set of things that we should, you know, have a way for people to audit to make sure they've actually done the thing they want. But it's not our place to say this is the right
A
network. Okay, I'll cover briefly tactics. I think there's a few different things in the libp2p ecosystem that we thought about that we'll hear about over the course of today. The first is some direct building things. There's a bunch of active work on taking especially the content routing subset of the libp2p problem, so figuring out who has content, and adding a level of derived hashes or blinded hashes such that you can't immediately understand what other people in the network want.
A
That's getting implemented. Beyond that, there's a bunch of stuff in the ecosystem and collaborations that we're doing that are making us stronger and letting us experiment with this broader range of privacy options. I've lifted some pictures on the slide, but there's many more. And then finally we're trying to increase this
A
the community and the focus on this problem at a broader level, primarily through funding efforts, and so that's taking people who aren't already in libp2p but are working on problems that are useful to us and making sure that they understand our problems from peer-to-peer and from content addressing as a core primitive that we have, and helping address that.