Please sign up on the Luma page to get access to the this and future events
Paper: Reflections on trusting distributed trust
Abstract
Many systems today distribute trust across multiple parties such that the system provides certain security properties if a subset of the parties are honest. In the past few years, we have seen an explosion of academic and industrial cryptographic systems built on distributed trust, including secure multi-party computation applications (e.g., private analytics, secure learning, and private key recovery) and blockchains. These systems have great potential for improving security and privacy, but face a significant hurdle on the path to deployment. We initiate study of the following problem: a single organization is, by definition, a single party, and so how can a single organization build a distributed-trust system where corruptions are independent? We instead consider an alternative formulation of the problem: rather than ensuring that a distributed-trust system is set up correctly by design, what if instead, users can audit a distributed-trust deployment? We propose a framework that enables a developer to efficiently and cheaply set up any distributed-trust system in a publicly auditable way. To do this, we identify two application-independent building blocks that we can use to bootstrap arbitrary distributed-trust applications: secure hardware and an append-only log. We show how to leverage existing implementations of these building blocks to deploy distributed-trust systems, and we give recommendations for infrastructure changes that would make it easier to deploy distributed-trust systems in the future.
Video
Chat Log
00:13:39 Jack Park: reflections paper: https://arxiv.org/abs/2210.08127
00:14:24 Eleanor: https://wasl.uwaterloo.ca/projects/nifty/ Partial Network Partitioning from Waterloo
00:15:25 Zeeshan Lakhani: Very cool
00:17:46 Brian: Post paper and theme ideas for the group here: https://talk.fission.codes/t/paper-and-or-theme-ideas-for-distributed-systems-reading-group-epoch-2023
00:27:01 Marc-Antoine Parent: Correct, and apologies for the misreference
00:27:12 Paul Borrill: This paper (reference) https://arxiv.org/pdf/2210.08127.pdf
00:33:46 Eleanor: That is an aspect of the paper I forgot - it sort of implies "can't change code" means "can't be hacked" when truly it means "locked into rotting" (gradual discovery of bugs)
00:35:36 Marc-Antoine Parent: @Eleanor fair, but did I get it right that they try to limit that issue to updating the update framework?
00:36:26 Eleanor: Right. They support code updates for that reason. I didn't read it correctly at first but they do say "Code updates are necessary to fix security-critical bugs"
00:36:45 Marc-Antoine Parent: Thanks for confirming!
00:38:33 Paul Borrill: The Zig Language: https://www.youtube.com/watch?v=zFELcHTki9U
00:40:40 Marc-Antoine Parent: ACLs vs… Capabilities?
00:41:17 Blaise Pabon: Defense-in-Depth
00:41:36 Blaise Pabon: Means the graph should include a description of the privileges.
00:41:53 Marc-Antoine Parent: Ah that’s actually helping me understand, thank you!
00:42:19 Blaise Pabon: Forward secrecy, etc
00:46:47 Paul Borrill: We have a new company and building our team. Contact me on paul@daedaelus.com if you are interested in what we are up to
00:46:49 Blaise Pabon: Oh ad the other thing is that ops data tends to get dropped in someone else’s control plane
00:47:11 Blaise Pabon: So the web guys needs the ops people to get their web access logs.
00:47:45 Blaise Pabon: And the ops guys don’t care about the web traffic so they let it log-rotate out of /var/log/httpd/.....
00:48:51 Blaise Pabon: @Jon this is a really friendly group, I’m not an academic either
00:48:53 Eleanor: That extra friction is a killer as well. I like that the paper provides a way to independently audit as it sidesteps that issue
00:49:28 Blaise Pabon: BTW, I have a great idea for someone to do a PhD in finance.
00:49:44 Jon Forsyth: thanks Blaise!
00:50:07 Marc-Antoine Parent: I strongly believe in independent audits. That said, making verification everyone’s responsibility makes it no one’s responsibility, and that’s socially an anti-pattern…
00:50:09 Blaise Pabon: To justify investment in security, we have to get the finance people to stop recording investments as an expense.
00:51:23 Zeeshan Lakhani: Great point marc-antoine
00:51:42 Blaise Pabon: The assumption that the person building the box also has access to the content is obsolete.
00:51:59 Marc-Antoine Parent: So the next step is to make the act of having done an audit visible :-)
00:52:00 Eleanor: Step 1: independent audit. Step 2: Build a system for automating the check for it. If it's not easy to do, no one will verify. Same thing with checksums for downloads
00:52:14 Marc-Antoine Parent: @Eleanor +1
00:52:14 Blaise Pabon: +1
00:52:23 Eleanor: auditable audits. Also a good addition
00:52:52 Brian: Oxide and Friends podcast: https://oxide.computer/podcasts/oxide-and-friends
00:54:22 Blaise Pabon: Brian +1
00:54:52 Blaise Pabon: Chainguard et.
00:57:32 Blaise Pabon: https://www.osohq.com/academy/authorization-academy
00:57:56 Blaise Pabon: (For abstractions of authorization)
01:02:35 Blaise Pabon: @Paul what was that name “Abasho” ?
01:02:40 Alejandro Ramallo: Ha, I am a Riak Core developer, developed a distributed graph DB on top of it, Curreenyl a Riak KV user. Currently maintaining Partisan, the Erlang distributed programming lib created by Chris Meiklejohn (former Basho and friend)
01:02:51 Alejandro Ramallo: :-)
01:02:56 Aesa Kamar: Y’all are a lovely bunch! Thanks again for sharing all of your expertise and knowledge this month!
01:03:02 Marc-Antoine Parent: https://en.wikipedia.org/wiki/Basho_Technologies
01:03:20 Blaise Pabon: @Marc thanks
01:04:06 Paul Borrill: Here’s the paper https://dl.acm.org/doi/abs/10.1145/3576192