Gnosis

Forum URL: https://forum.gnosis.io/t/gip-80-should-gnosisdao-fund-p2pandas-off-chain-solution-for-secure-group-encryption/6541

Category

Funding - Rewards

Executive Summary

Hello Gnosis community!

We would like to realize a prototype for a decentralized, off-chain, encrypted group chat where Ethereum addresses can serve as the receiver’s identifiers.

To achieve this we want to improve and build on top of the Messaging Layer Security Protocol (MLS) and the p2panda protocol. This technology fills a need in the Gnosis community for a generic and encrypted off-chain data layer.

This technology fills a need in the Gnosis community for a generic and encrypted off-chain data layer. The group chat will also be a proof of concept and template for future applications serving the Gnosis community using the same infrastructure.

Specification

p2panda is a new protocol and ecosystem for building decentralised applications with authenticated and encrypted data which is automatically stored and synced between computers.

Some of the building blocks of p2panda are a permission system, conflict-free replicated data types, multi-key identities, data schemas, multi-writer documents, local deletion, sparse replication, dynamic GraphQL queries, hybrid network topologies and more.

While p2panda aims at being a low-barrier framework to enter the p2p space without worrying too much about the technical challenges coming with it, we also want to offer a toolbox to build radical applications which work locally, offline and both in the browser and on low-energy devices like a smartphone or embedded computer.

Data is encrypted with the help of the MLS protocol providing Double-Ratchet-based group encryption. MLS assures Post-Compromise Security (PCS) and Forward Secrecy (FS) and still stays performant for large groups. While MLS is capable of working in a decentralised environment it hasn’t been explicitly specified for it. With p2panda we have all the building blocks to realize MLS in a fully decentralised setting.

For all of this to play nicely together, the following implementation steps are planned:

Secret Groups

Secret Groups is the data schema that p2panda uses to handle data encryption for groups in a decentralised setting and it builds on MLS as its underlying layer.

p2panda already contains a low-level API for MLS that we implemented as a precursor for the more high-level Secret Groups. This low-level API supports two basic usage scenarios: Double-Ratchet-based encryption (the MLS default) and a so called “Long Term Secret” encryption on top of that. The latter allows group members to still decrypt past data after entering the group, which is practical for building applications like Wikis. Double-Ratchet-based encryption offers Forward Secrecy instead (FS), which can be used for secure chat applications and other use cases where new group members should not access past data.

The next step will be building an elegant high-level API that makes this system easily accessible for developers that want to integrate Secret Groups in their applications. This involves additions to our GraphQL API, p2panda’s built-in data schemas and replication data format, which are all part of our core protocol specification.

Further Links

• “OpenMLS” MLS implementation in Rust which is used by p2panda: https://github.com/openmls/openmls
• MLS integration in p2panda: https://github.com/p2panda/p2panda/tree/main/p2panda-rs/src/secret_group
• Draft “Secret Group” specification in p2panda: https://p2panda.org/specification/encryption

Rust and TypeScript libraries

Developers will use our Rust and TypeScript libraries to integrate p2panda in their applications.

To persist MLS group state we will implement interfaces for some known storage backends developers can choose from (SQL, IndexedDB, LocalStorage). To account for forks of diverging group state (due to network fragmentation) we need to extend our persistence system with an additional layer. This layer keeps past group states for a while to be able to decrypt messages from “forked” group states. This temporarily weakens Forward Secrecy the more fragmented the group state gets.

Further Links

• MLS specification (Version 9 February 2023) addressing forked group states: https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html#section-14
• OpenMLS Rust crate allowing handling past group epochs w. max_past_epochs option: https://openmls.tech/book/user_manual/group_config.html
• Diagram: Handling concurrent updates in Secret Groups: https://whimsical.com/concurrent-updates-in-secret-groups-MZdGMKmMJ25zxrDAzuoXGG
• p2panda-rs Rust crate: https://crates.io/crates/p2panda-rs
• p2panda-js npm package: https://www.npmjs.com/package/p2panda-js

Key Groups

The MLS specification does not have a concept of “moderators” or “administrators” in a group. Theoretically all members of the group can mutate its state. p2panda Key Groups are a permission layer on top of MLS which allows for decentralised permission handling of multi-writer data. Next to permissions they also enable multi-device identities.

As part of this effort we will create an implementation of our specification of the Key Groups system, which will be able to model a permission system on top of any encrypted group.

Further Links

• Draft “Key Group” specification: https://p2panda.org/specification/authorisation

External Keys

p2panda uses Ed25519 as the Digital Signature Algorithm. To allow other DSAs we need to implement a handshake process where external identity systems such as an Ethereum key can authorise an MLS group member. This will involve adding another data schema to p2panda.

Further Links

• Diagram: External keys in p2panda: https://whimsical.com/digital-signature-algorithms-EgAkzR7mVDj4BQb7xySahh
• Schema specification: https://p2panda.org/specification/data-types/schemas#system-and-application-schemas

POC: Group chat in Circles client

As a proof-of-concept (POC) we will integrate p2panda with MLS into an existing Ethereum application in the Gnosis community. Since our team partly consists of the original developers of the Circles ecosystem we want to use the current Circles web client to show how Ethereum addresses (Gnosis Safe contracts) can be used as receiver addresses for an encrypted MLS chat group.

• Users can associate their Gnosis Safe address (“Circles profile”) with a p2panda key
• Users can create and manage groups to communicate with a set of other Safe addresses
• Users can access their chats from all of their devices simultaneously

Further Links

• Circles website: https://joincircles.net/
• Circles client: https://circles.garden/

Security Audit

The OpenMLS team which partly consists of the IETF standard editors consulted us already with the correct integration of MLS into p2panda. We will continue with this collaboration. To verify our work and gather feedback we want to work with Least Authority for a security audit.

• OpenMLS: https://openmls.tech/
• Least Authority: https://leastauthority.com/

Rationale

Scaleable data encryption for large groups in a decentralised network is hard and has always involved a trade-off between UX and security. We believe that MLS is the first Internet Engineering Task Force (IETF) standard to tackle some of these challenges. p2p applications of all kinds, for example the Gnosis Safe Apps, will benefit from an off-chain protocol that gives them a distributed, strongly encrypted database stack.

One goal of p2panda’s protocol design has been enabling both usage from native apps, independent of a stable connection to the internet, and immediate access from a plain web browser, without having to install any additional software. Additionally, p2panda keeps data portable instead of locking it to a specific application or server. Our design works in both federated network topologies and fully decentralised systems, both of which can be configured depending on the needs of the software and the communities that are operating it.

Ethereum addresses (EOA and Contract account, for example of a Gnosis Safe) are ideal identifiers for applications like a distributed messaging platform. They are already established in the community, simplify onboarding and enable cross-validation of identities through previous usage of those keys. Protocols with centralised registries like PGP/GPG failed here and we believe that Ethereum addresses that are native to decentralised networks are much more suitable for this task. We want to enable any holder of an Ethereum key to bring their identity and access additional tools for the community.

Budget

• 172.800 DAI - Salary for 3x half-time developers over ~12 months (8h / day, 3 days / week, 48 weeks, 50 DAI / hour)
• 10.000 DAI - Security Audit Fee
• 5.000 DAI - Administration
• 12.200 DAI - Contingency

Total: 200.000 DAI

Milestones

Proposed timeline: 12 months

Final goal: Implementation and realisation of specified items (see “Specification” above)

Timeline and Success metrics

• Phase 1 - Research & Specification Success Metrics - Publicly published Secret Group, Key Group and External Keys specification on p2panda.org website and GitHub repository Time and Price Estimate - 2 month, 28.800 DAI
• Phase 2 - Implementation Secret Groups Success Metrics - p2panda-js package release on npm with Secret Group encryption API and storage provider API Time and Price Estimate - 3 months, 43.200 DAI
• Phase 3 - Implementation Key Groups Success Metrics - p2panda-rs crate release on crates.io with Key Group data types. aquadoggo node implementation release on crates.io handling key groups in materialization logic Time and Price Estimate - 3 months, 43.200 DAI
• Phase 4 - Implementation External Keys Success Metrics - Package release on npm (either p2panda-js or external package) with External Keys feature Time and Price Estimate - 1 month 14.400 DAI
• Phase 5 - POC: Circles Chat Success Metrics - Release of encrypted Group-Chat in Circles Wallet (either in official circles.garden Website or fork) Time and Price Estimate - 1 month 14.400 DAI
• Phase 6 - Security Audit Success Metrics - Shared results of audit in p2panda GitHub repository, report on required refactorings / changes in codebase Time and Price Estimate - 1 month 10.000 DAI (audit) + 14.400 DAI (development)
• Phase 7 - Documentation + Tutorials Success Metrics - Published tutorials on how to use Secret Groups, Key Groups and External Keys feature on p2panda.org website Time and Price Estimate - 1 month 14.400 DAI

Evaluation

A security audit and implementation of a POC in a widely-used context like Circles will evaluate the success of this undertaking.

Team & Organisation

p2panda is a not-for-profit organisation founded in 2021 with the mission to bring an easy to use but radical p2p stack to app developers. We received the NGI Pointer grant in 2021/22 and NGI Assure in 2022/23.

The team behind p2panda are experts in p2p, Rust and TypeScript development. The founding members are:

• adz has been the core developer next to isthisa developing the first version of the Circles UBI community currency, both of them founded later the bitspossessed developer collective which still maintains the Circles project
• sandreae is a Rust developer with experience across the landscape of offline-first protocols
• cafca is part of the Decent Patterns library team, currently working on the JavaScript SDK of ditto

Conclusion

Secure encryption for large groups is a complex problem which gets even harder in a decentralised setting. With the new Messaging Layer Security Protocol (MLS) and p2panda as the decentralisation layer we want to introduce a solution that can account for a range of community-, threat- and networking models. At the same time we want to provide accessible and well-documented APIs for developers to easily build their solutions on top.