--- --- # NuCypher | Status Meeting 02-10-2018 Agenda: - intros - potential functionality in status - proxy re-encryption - potential implementation ideas Questions: - metadata leaks - real-time communication support Needs: - multi-device operation - "MacLane" Good use case as well Participants: - Corey | Status - Andrea | Status - Jacek | Status - Arjun Hassard | NuCypher - MacLane Wilkenson | NuCypher - Michael Egorov | NuCypher - Tux | NuCypher Acronyms: - PR - Proxy re-encrpytion - PFS - perfect forward secrecy Notes: - MacLane: whats up - Andrea: one to one chats - paired wise encryption for multiparty - tux: what is our threat model, similar to signal - Andrea: for one-to-one, yes. Group, we haven't decided. - Tux: that's fine, there's room for a lot, particularly with PR - PFS with PR - highly customized. - Jacek: before details, two things: 1. censorship resistance - excluding server based solutions 2. minimize metadata leaks - gossip protocols for hiding routing and other such - tradeoffs will always follow - Tux: nucypher solves decentralized portion of this - users can re-encrypt entire history - Tux: what have you guys thought of so far? - Jacek: Before that, quick into to how this group chat works - What is it that's being re-encrypted exactly - Andrea: I'll try and explain it in our own words - MacLane: mostly accurate description - also revocation potential - similar to PGP (shows slides **PLEASE INCLUDE IF POSSIBLE**) https://github.com/nucypher/slides/blob/master/slides.pdf - Jacek: what kind of online capability is possible: - how often does a user need to perform things in order to chat? membership changes, ever message, etc - Michael: the party does this, not individuals - in pricincple, you can do it once for new members, but more beneficial for every message - for PFS, you need every message - as well as history of group chat - Arjun: this is potentially an intersting input for customization (per user vs. per message type settings) - Andrea: if we have PFS, we can't allow users to decrypt previous messages - Michael: PFS for every message, not as bad performance-wise becasue PR is fast enough (milliseconds at most) - slowest part is the request to a network to do it - for performance optimizations, in principle, you could change symmetric keys less often. This has potential security trade-offs - Corey: security implications of less often: - Michael: how granularly you can revoke access and previous information - Arjun: what do you guys invisage with the main goals? - Jacek: we're providing access to the Ethereum network and allowing users to do whatever they want. - we care more deeply about use cases in maybe communication aspect, but need generality. - we'll be focusing on chat part and then make it as good of a secure messager as possible. - Arjun: de-prioitize telegram-style chat - Status: probably a good idea - Andrea: how long does it take to do the PR process - Michael: you generate key yourself, the time is the distribution of the key. Probabaly on the order of a second, mainly node communication time - Corey: can the underlying existing network be leveraged? - Michael: not good to combine flooding type messaging with specific delivery system like PR - Jacek: Requirements for running a re-encryption node - Michael: not that heavy. Biggest requirements would be if you need to run someting like the full ethereum state on your node. Re-encryption itself is fairly lightweight. - minimal node - raspi could cope with this - Jacek: how many per second with rPI - Michael: approximation 20 ms/re-encrypt/core - ~100 re-encrypt per sec for rPi - Tux: re-encrypt is techically similar to sig verify, and less of a load - pretty much a bignum multiply - Jacek: Node discovery, how stable do you imagine the network to be and how much bandwidth to stay a participant in the network. - Michael: we expect # nodes to be $O(10^3)$ - you can expect initial sync to involve couple MB - doesn't need to run like that on mobile - mobile is more sense to have lightclient approach where you don't have actual mobile to talk to decentralized network, but route through larger nodes - Jacek: also curious about ongoing traffic: - Michael: nodes should not come and go too often because they commit to uptime. Incentivized - Jacek: what do we need to deploy to get a minimal MVP out? - Michael: initially, we have python implementation - need to do key-generation / re-encryption on side of client - NuCypher needs to create a JS implementation - we run golang everywhere - Michael: do you have openssl available - only thing client-side is re-encryption key-generation - Tux: openssl bit - Go library is not full with PR part - currently a binding to openssl go library - Andrea: we'll look at it - TODO FOLLOW-UP - Jacek: how much is open source - Tux: pretty much everything except more recent research work not related to PR. - Michael: PR good for controlling access, not necessarily computation - Corey: how much do we break if you break? - Jacek: What needs to go down for NuCypher to go down - Tux: re-encryption key sent to N nodes, need response for M nodes. For PR to fail, you need to have more than M nodes to go offline - Jacek: no central point of failure, - Tux: correct, our organization is decentralized, completely. - Michael: mechanism to request PR is more vulnerable than actual PR process.