--- tags: pir, meson, tendermint --- # IT-PIR for Tendermint Flow ## Motivation Currently in Tendermint, all queries made by light clients in Tendermint are public. In other words, whenever a light client queries Tendermint for application-specific state, anyone listening on the communication can associated a particular light client with certain application state information. There are several instances in which might want to hide what they are querying about to an outside observer, for example: - A user wanting to query a block explorer may not want the block explorer service to know exactly what they are querying for. - A user wanting to use and interact with a sensitive Tendermint-based application may not want an outside observer to know what they are querying for on that blockchain. ## Proposal This proposal is to add support for various private information retrieval protocols (PIR) in Tendermint. We propose several additions and changes to the light client, full nodes and ABCI components. ### Preliminaries A `PIR` struct represents an instantiation of a private information retrieval protocol. ``` type PIR interface { Client() PIRClient Server() PIRServer Mode() string DB() PIRDatabase Options() PIROptions } ``` where ``` type PIRClient interface { SendRequest() HandleResponse() } ``` and ``` type PIRServer interface { HandleRequest() } ``` `PIRDB` and `PIROptions` are yet to be determined. `PIRDB` handles a storage and bandwidth efficient way to store headers and validator info and `PIROptions` provide a way to determine PIR specific functionality. ### Light Client Modifications Recall ``` type Client interface { // verify new headers VerifyHeaderAtHeight(height int64, now time.Time) (*types.SignedHeader, error) VerifyHeader(newHeader *types.SignedHeader, newVals *types.ValidatorSet, now time.Time) error Update(now time.Time) (*types.SignedHeader, error) // get trusted headers & validators TrustedHeader(height int64) (*types.SignedHeader, error) TrustedValidatorSet(height int64) (valSet *types.ValidatorSet, heightUsed int64, err error) LastTrustedHeight() (int64, error) FirstTrustedHeight() (int64, error) // query configuration options ChainID() string Primary() provider.Provider Witnesses() []provider.Provider Cleanup() error } ``` The changes foreseen to the light client interface are the following: ``` type Client interface { // Verify new headers privately using PIR PrivateVerifyHeaderAtHeight() PrivateVerifyHeader() PrivateUpdate() ... Rest same as before } ``` where - `PrivateVerifyHeaderAtHeight`: Privately verify headers at a specified height. By privately, we mean the request is encoded in such a way that the full node servicing this light client doesn't at which height the header will be at. - `PrivateVerifyHeader`: Privately verify a specified header. Similarly, by privately, we mean that the full node servicing this light client doesn't know which header the light client it requesting. - `PrivateUpdate`: Privately advance the state and verify it. A full node servicing this light client will not know the time at which the light client is trying to attempt an update. Note: All function signatures are a work-in-progress ### Full Client Modifications We make changes to how full clients handle requests from light clients as follows: - TBD ### ABCI Modifications We make the following modifications to the ABCI specification: We change the `Query` and `ABCIQueryWithOptions` methods as defined in [Applications](https://github.com/tendermint/spec/blob/master/spec/abci/apps.md#query) to be `PIRQuery` and `PIRQueryWithOptions` in order to take into account private ABCI queries. Subsequently, we make the changes to the ABCI read endpoints `abci_query` and `abci_info` to `private_abci_query` and `private_abci_info` in order to enable PIR enabled abci information queries. ## Consequences TBD ## TBD How does this affect a light client's functionality with respect to the ABCI? How does this affect a light client's ability to detect and handle fraud? Should we have a separate mode so that Tendermint nodes upon initialization can be able to have a PIR mode? (See https://github.com/tendermint/tendermint/issues/2237) How to change ABCI in order to enable light clients to also get private queries from the ABCI server?