Privacy - consensys/quorum

Privacy is an important aspect to consider when developing and deploying blockchain solutions. The Quorum project, located at https://github.com/consensys/quorum, is a permissionable blockchain platform that provides various options for maintaining privacy. This explanation will cover the possible privacy options in Quorum and provide examples for each option, using only the code snippets and documentation provided.

Quorum is a permissionable blockchain platform based on Ethereum, with additional privacy features. It utilizes several key technologies and dependencies, including:

• Ethereum
• Tessera
• IBFT
• QBFT
• Raft
• Azure Blob Storage
• TOML
• AWS SDK for Go
• gRPC
• gRPC-Web

The Big Picture and Design Philosophy of Quorum prioritize privacy and permissionability, making it an ideal choice for projects requiring enhanced privacy features. The platform supports multiple programming languages, including Go, C, JavaScript, Solidity, Assembly, Java, Sage, M4, NSIS, Shell, Makefile, HTML, Python, Dockerfile, and Ruby.

The Golang Module name for the Ethereum client is github.com/ethereum/go-ethereum, which impacts the go build output. When running tests, the project has a build constraint defined on certain files when running tests: gofuzz. The Dockerfile exposes Port 8545.

Privacy Options in Quorum

Quorum offers several privacy options, which can be categorized into the following areas:

1. Privacy by Design
2. Privacy-Enhancing Technology
3. Privacy by Default

Privacy by Design

Privacy by Design is a systems engineering approach that takes privacy into account throughout the whole engineering process. Quorum, as a permissionable blockchain platform, incorporates Privacy by Design principles by default. The platform provides various features to ensure privacy, such as:

• Permissioning: Quorum allows you to control who can participate in the network, ensuring that only authorized nodes can join and interact with the blockchain.
• Private Transactions: Quorum supports private transactions using Constellation, a peer-to-peer network that enables off-chain transaction processing and data sharing. Constellation uses the privateFor field in transaction messages to specify the recipients of private transactions.

Here’s an example of a private transaction in Solidity:

pragma solidity ^0.5.16;

contract PrivateTransaction {
address public recipient;

constructor(address _recipient) public {
recipient = _recipient;
}

function sendPrivate(uint256 amount) public {
require(msg.value == amount, "Invalid amount");
(bool success, bytes memory data) = recipient.call{value: amount, privateFor: ["0xRecipientPublicKey"]}(new bytes(0));
require(success, "Transfer failed");
}
}

Replace "0xRecipientPublicKey" with the actual public key of the recipient.

Privacy-Enhancing Technology

Quorum integrates with privacyIDEA, an open-source multi-factor authentication system. privacyIDEA provides a mighty and flexible policy framework that allows you to adapt it to your needs. It plays nicely with other identity and authentication solutions like FreeRADIUS, simpleSAMLphp, Keycloak, or Shibboleth.

Here’s an example of using privacyIDEA with FreeRADIUS:

1. Install privacyIDEA and FreeRADIUS on your system.
2. Configure FreeRADIUS to use privacyIDEA as an authentication backend.
3. Add the following lines to your radiusd.conf file:

privacyidea_server = "http://localhost:5000"
privacyidea_realm = "MyRealm"

Replace "http://localhost:5000" with the actual URL of your privacyIDEA server and "MyRealm" with the desired realm name.

Privacy by Default

Privacy by Default means that the system is configured to respect users’ privacy by default, without requiring additional configuration or user intervention. Quorum achieves Privacy by Default by utilizing encryption for data at rest and in transit.

For example, the Raft cluster in Quorum uses Vault’s barrier to encrypt data that is written to the Raft log and FSM. The Raft cluster must share the same seal configuration, and when an API request arrives at a non-leader server, the request is forwarded to the leader.

Here’s an example of enabling encryption in the Raft cluster using Vault:

1. Install and configure Vault with the Raft storage backend.
2. Enable encryption for the Raft cluster by adding the following lines to your Vault configuration file:

disable_mlock = true
seal "raft" {
address = "http://localhost:8200"
token   = "my_root_token"
path    = "secret/quorum_raft"
}

Replace "http://localhost:8200" with the actual URL of your Vault server, "my_root_token" with your actual root token, and "secret/quorum_raft" with the desired path for the Raft encryption secrets.

Conclusion

Quorum offers several privacy options, including Privacy by Design, Privacy-Enhancing Technology, and Privacy by Default. By utilizing these features, developers can build privacy-focused blockchain solutions that meet their specific needs. The examples provided in this explanation demonstrate how to implement private transactions, integrate privacyIDEA with FreeRADIUS, and enable encryption for the Raft cluster using Vault.

Sources

• AWS re:Invent 2022 - When to use blockchain: Private and public use cases (BLC201)
• AWS re:Invent 2022 - Hear from customers: Private blockchain success stories (BLC202)
• Finding Personally Identifiable Information
• Privacy By Design
• Privacy by Default: It’s What It Sounds Like
• Open Source Multi-Factor Authentication
• A Shoestring Approach to Information Security
• How to increase online privacy with open source tools and best practices
• How internet security works: TLS, SSL, and CA
• Developer | HashiCorp Vault | Integrated Storage