oib/aitbc

Files

oib c8be9d7414 feat: add marketplace metrics, privacy features, and service registry endpoints

- Add Prometheus metrics for marketplace API throughput and error rates with new dashboard panels
- Implement confidential transaction models with encryption support and access control
- Add key management system with registration, rotation, and audit logging
- Create services and registry routers for service discovery and management
- Integrate ZK proof generation for privacy-preserving receipts
- Add metrics instru

2025-12-22 10:33:23 +01:00

12 KiB

Raw Blame History

AITBC Threat Modeling: Privacy Features

Overview

This document provides a comprehensive threat model for AITBC's privacy-preserving features, focusing on zero-knowledge receipt attestation and confidential transactions. The analysis uses the STRIDE methodology to systematically identify threats and their mitigations.

Document Version

Version: 1.0
Date: December 2024
Status: Published - Shared with Ecosystem Partners

Scope

In-Scope Components

ZK Receipt Attestation System
- Groth16 circuit implementation
- Proof generation service
- Verification contract
- Trusted setup ceremony
Confidential Transaction System
- Hybrid encryption (AES-256-GCM + X25519)
- HSM-backed key management
- Access control system
- Audit logging infrastructure

Out-of-Scope Components

Core blockchain consensus
Basic transaction processing
Non-confidential marketplace operations
Network layer security

Threat Actors

Actor	Motivation	Capability	Impact
Malicious Miner	Financial gain, sabotage	Access to mining software, limited compute	High
Compromised Coordinator	Data theft, market manipulation	System access, private keys	Critical
External Attacker	Financial theft, privacy breach	Public network, potential exploits	High
Regulator	Compliance investigation	Legal authority, subpoenas	Medium
Insider Threat	Data exfiltration	Internal access, knowledge	High
Quantum Computer	Break cryptography	Future quantum capability	Future

STRIDE Analysis

1. Spoofing

ZK Receipt Attestation

Threat	Description	Likelihood	Impact	Mitigations
Proof Forgery	Attacker creates fake ZK proofs	Medium	High	✅ Groth16 soundness property ✅ Verification on-chain ⚠️ Trusted setup security
Identity Spoofing	Miner impersonates another	Low	Medium	✅ Miner registration with KYC ✅ Cryptographic signatures
Coordinator Impersonation	Fake coordinator services	Low	High	✅ TLS certificates ⚠️ DNSSEC recommended

Confidential Transactions

Threat	Description	Likelihood	Impact	Mitigations
Key Spoofing	Fake public keys for participants	Medium	High	✅ HSM-protected keys ✅ Certificate validation
Authorization Forgery	Fake audit authorization	Low	High	✅ Signed tokens ✅ Short expiration times

2. Tampering

ZK Receipt Attestation

Threat	Description	Likelihood	Impact	Mitigations
Circuit Modification	Malicious changes to circom circuit	Low	Critical	✅ Open-source circuits ✅ Circuit hash verification
Proof Manipulation	Altering proofs during transmission	Medium	High	✅ End-to-end encryption ✅ On-chain verification
Setup Parameter Poisoning	Compromise trusted setup	Low	Critical	⚠️ Multi-party ceremony needed ⚠️ Secure destruction of toxic waste

Confidential Transactions

Threat	Description	Likelihood	Impact	Mitigations
Data Tampering	Modify encrypted transaction data	Medium	High	✅ AES-GCM authenticity ✅ Immutable audit logs
Key Substitution	Swap public keys in transit	Low	High	✅ Certificate pinning ✅ HSM key validation
Access Control Bypass	Override authorization checks	Low	High	✅ Role-based access control ✅ Audit logging of all changes

3. Repudiation

ZK Receipt Attestation

Threat	Description	Likelihood	Impact	Mitigations
Denial of Proof Generation	Miner denies creating proof	Low	Medium	✅ On-chain proof records ✅ Signed proof metadata
Receipt Denial	Party denies transaction occurred	Medium	Medium	✅ Immutable blockchain ledger ✅ Cryptographic receipts

Confidential Transactions

Threat	Description	Likelihood	Impact	Mitigations
Access Denial	User denies accessing data	Low	Medium	✅ Comprehensive audit logs ✅ Non-repudiation signatures
Key Generation Denial	Deny creating encryption keys	Low	Medium	✅ HSM audit trails ✅ Key rotation logs

4. Information Disclosure

ZK Receipt Attestation

Threat	Description	Likelihood	Impact	Mitigations
Witness Extraction	Extract private inputs from proof	Low	Critical	✅ Zero-knowledge property ✅ No knowledge of witness
Setup Parameter Leak	Expose toxic waste from trusted setup	Low	Critical	⚠️ Secure multi-party setup ⚠️ Parameter destruction
Side-Channel Attacks	Timing/power analysis	Low	Medium	✅ Constant-time implementations ⚠️ Needs hardware security review

Confidential Transactions

Threat	Description	Likelihood	Impact	Mitigations
Private Key Extraction	Steal keys from HSM	Low	Critical	✅ HSM security controls ✅ Hardware tamper resistance
Decryption Key Leak	Expose DEKs	Medium	High	✅ Per-transaction DEKs ✅ Encrypted key storage
Metadata Analysis	Infer data from access patterns	Medium	Medium	✅ Access logging ⚠️ Differential privacy needed

5. Denial of Service

ZK Receipt Attestation

Threat	Description	Likelihood	Impact	Mitigations
Proof Generation DoS	Overwhelm proof service	High	Medium	✅ Rate limiting ✅ Queue management ⚠️ Need monitoring
Verification Spam	Flood verification contract	High	High	✅ Gas costs limit spam ⚠️ Need circuit optimization

Confidential Transactions

Threat	Description	Likelihood	Impact	Mitigations
Key Exhaustion	Deplete HSM key slots	Medium	Medium	✅ Key rotation ✅ Resource monitoring
Database Overload	Saturate with encrypted data	High	Medium	✅ Connection pooling ✅ Query optimization
Audit Log Flooding	Fill audit storage	Medium	Medium	✅ Log rotation ✅ Storage monitoring

6. Elevation of Privilege

ZK Receipt Attestation

Threat	Description	Likelihood	Impact	Mitigations
Setup Privilege	Gain trusted setup access	Low	Critical	⚠️ Multi-party ceremony ⚠️ Independent audits
Coordinator Compromise	Full system control	Medium	Critical	✅ Multi-sig controls ✅ Regular security audits

Confidential Transactions

Threat	Description	Likelihood	Impact	Mitigations
HSM Takeover	Gain HSM admin access	Low	Critical	✅ HSM access controls ✅ Dual authorization
Access Control Escalation	Bypass role restrictions	Medium	High	✅ Principle of least privilege ✅ Regular access reviews

Risk Matrix

Threat	Likelihood	Impact	Risk Level	Priority
Trusted Setup Compromise	Low	Critical	HIGH	1
HSM Compromise	Low	Critical	HIGH	1
Proof Forgery	Medium	High	HIGH	2
Private Key Extraction	Low	Critical	HIGH	2
Information Disclosure	Medium	High	MEDIUM	3
DoS Attacks	High	Medium	MEDIUM	3
Side-Channel Attacks	Low	Medium	LOW	4
Repudiation	Low	Medium	LOW	4

Implemented Mitigations

ZK Receipt Attestation

✅ Groth16 soundness and zero-knowledge properties
✅ On-chain verification prevents tampering
✅ Open-source circuit code for transparency
✅ Rate limiting on proof generation
✅ Comprehensive audit logging

Confidential Transactions

✅ AES-256-GCM provides confidentiality and authenticity
✅ HSM-backed key management prevents key extraction
✅ Role-based access control with time restrictions
✅ Per-transaction DEKs for forward secrecy
✅ Immutable audit trails with chain of hashes
✅ Multi-factor authentication for sensitive operations

Recommended Future Improvements

Short Term (1-3 months)

Trusted Setup Ceremony
- Implement multi-party computation (MPC) setup
- Engage independent auditors
- Publicly document process
Enhanced Monitoring
- Real-time threat detection
- Anomaly detection for access patterns
- Automated alerting for security events
Security Testing
- Penetration testing by third party
- Side-channel resistance evaluation
- Fuzzing of circuit implementations

Medium Term (3-6 months)

Advanced Privacy
- Differential privacy for metadata
- Secure multi-party computation
- Homomorphic encryption support
Quantum Resistance
- Evaluate post-quantum schemes
- Migration planning for quantum threats
- Hybrid cryptography implementations
Compliance Automation
- Automated compliance reporting
- Privacy impact assessments
- Regulatory audit tools

Long Term (6-12 months)

Formal Verification
- Formal proofs of circuit correctness
- Verified smart contract deployments
- Mathematical security proofs
Decentralized Trust
- Distributed key generation
- Threshold cryptography
- Community governance of security

Security Controls Summary

Preventive Controls

Cryptographic guarantees (ZK proofs, encryption)
Access control mechanisms
Secure key management
Network security (TLS, certificates)

Detective Controls

Comprehensive audit logging
Real-time monitoring
Anomaly detection
Security incident response

Corrective Controls

Key rotation procedures
Incident response playbooks
Backup and recovery
System patching processes

Compensating Controls

Insurance for cryptographic risks
Legal protections
Community oversight
Bug bounty programs

Compliance Mapping

Regulation	Requirement	Implementation
GDPR	Right to encryption	✅ Opt-in confidential transactions
GDPR	Data minimization	✅ Selective disclosure
SEC 17a-4	Audit trail	✅ Immutable logs
MiFID II	Transaction reporting	✅ ZK proof verification
PCI DSS	Key management	✅ HSM-backed keys

Incident Response

Security Event Classification

Critical - HSM compromise, trusted setup breach
High - Large-scale data breach, proof forgery
Medium - Single key compromise, access violation
Low - Failed authentication, minor DoS

Response Procedures

Immediate containment
Evidence preservation
Stakeholder notification
Root cause analysis
Remediation actions
Post-incident review

Review Schedule

Monthly: Security monitoring review
Quarterly: Threat model update
Semi-annually: Penetration testing
Annually: Full security audit

Contact Information

Security Team: security@aitbc.io
Bug Reports: security-bugs@aitbc.io
Security Researchers: research@aitbc.io

Acknowledgments

This threat model was developed with input from:

AITBC Security Team
External Security Consultants
Community Security Researchers
Cryptography Experts

This document is living and will be updated as new threats emerge and mitigations are implemented.

12 KiB Raw Blame History

AITBC Threat Modeling: Privacy Features

Overview

Document Version

Scope

In-Scope Components

Out-of-Scope Components

Threat Actors

STRIDE Analysis

1. Spoofing

ZK Receipt Attestation

Confidential Transactions

2. Tampering

ZK Receipt Attestation

Confidential Transactions

3. Repudiation

ZK Receipt Attestation

Confidential Transactions

4. Information Disclosure

ZK Receipt Attestation

Confidential Transactions

5. Denial of Service

ZK Receipt Attestation

Confidential Transactions

6. Elevation of Privilege

ZK Receipt Attestation

Confidential Transactions

Risk Matrix

Implemented Mitigations

ZK Receipt Attestation

Confidential Transactions

Recommended Future Improvements

Short Term (1-3 months)

Medium Term (3-6 months)

Long Term (6-12 months)

Security Controls Summary

Preventive Controls

Detective Controls

Corrective Controls

Compensating Controls

Compliance Mapping

Incident Response

Security Event Classification

Response Procedures

Review Schedule

Contact Information

Acknowledgments

12 KiB

Raw Blame History