[tahoe-dev] [tahoe-lafs] #217: DSA-based mutable files -- small URLs, fast file creation
tahoe-lafs
trac at allmydata.org
Mon May 18 21:57:15 PDT 2009
#217: DSA-based mutable files -- small URLs, fast file creation
----------------------------+-----------------------------------------------
Reporter: zooko | Owner: zooko
Type: enhancement | Status: assigned
Priority: major | Milestone: eventually
Component: code-mutable | Version: 0.7.0
Keywords: mutable crypto | Launchpad_bug:
----------------------------+-----------------------------------------------
Comment(by zooko):
So up until the last bullet point concerning the storage-index, I think
what you describe is what I diagrammed in Figure 3 of
[http://allmydata.org/~zooko/lafs.pdf lafs.pdf]. Does that look right?
I agree this scheme has many good properties. I do still have a concern
that 256-bit read-caps (e.g.
{{{http://127.0.0.1:8234/c/r_FRPG24yB7Amho6NoWaaJlBrU7lON7AyiChWRcaQZ1pH}}}
or
{{{http://127.0.0.1:8234/c/D_FRPG24yB7Amho6NoWaaJlBrU7lON7AyiChWRcaQZ1pH/path/to/sub/file.txt}}})
might be long enough to exclude Tahoe from some interesting uses where
125-bit read-caps (e.g.
{{{http://127.0.0.1:8234/c/r_FMK3eUypHbj6uLocF0496}}} or
{{{http://127.0.0.1:8234/c/D_FMK3eUypHbj6uLocF0496/path/to/sub/file.txt}}}
would fit.
Have you ever looked at http://bench.cr.yp.to ? In particular, this page
-- http://bench.cr.yp.to/results-sign.html -- shows measurements of a
bunch of digital signature schemes, including key-generation time, public-
key size, and private-key size. Compare "ecdonaldp256" (which is ecdsa
with a 256-bit curve) with the one named "hector" (which is a
hyperelliptic curve scheme).
Hector has estimated 113-bit security (compared to ecdonaldp256's 128-bit
security), verifies signatures in about half as many CPU cycles, generates
signatures in about one eighth as many CPU cycles, generates key pairs in
about one eighth as many CPU cycles. In theory (I think) hyperelliptic
curve public keys can be compressed down to the size of the curve, in this
case 113 bits, just like elliptic curve pubkeys can be compressed down to
the size of the curve, although implementations of both measured here
don't do that sort of compression.
Here's the source code of the hyperelliptic curve implementation:
http://cryptojedi.org/crypto/index.shtml
113 bits should be enough for now in my opinion.
The fatal flaw of the hector algorithm is that it isn't mature. The only
known implementation is described as a "demo", it doesn't work at all
unless your CPU has SSE2 instructions, and it doesn't compile out of the
box on my Ubuntu Jaunty amd64. Figuring out how to compress the public
keys and finding or creating a portable implementation sounds like way too
hard of a job for us. Hopefully in a few years other people who know more
about implementing such things than us will have done so and we can rely
on their implementations, but for now I think we have to reluctantly pass
up the opportunity to be the first ever serious users of hyperelliptic
curve cryptography. :-)
Lacking hyperelliptic curve cryptography, we have to make a trade-off
between the larger size of having a full elliptic curve point in the cap
and the disadvantages of having the key stored on the servers instead of
in the caps.
I'm not entirely sure about those disadvantages. We've previously talked
about several, but on closer inspection I'm not sure if they are actual
disadvantages. You (Brian) nicely summarized some of those at the end of
your note:
* offline attenuation (By the way, let's call this action "diminishing" a
capability. "Attenuating" is something that you do to authority, and it
is a very general and flexible notion -- you can imagine writing arbitrary
code or even having a human in the loop making the decisions which result
in the authority being attenuated. "Diminishing" is something that you do
to a capability, and it only goes from one specific thing to another
specific thing. I called this operation "diminishing" in lafs.pdf in
order to follow the terminology of Jonathan Shapiro's thesis about EROS
(http://www.eros-os.org/papers/shap-thesis.ps), where he defined the
"Diminish-Take" access model as an extension of the standard "Take-Grant"
access model. The addition he added was an operation named "diminish",
the effect of which was to produce a capability which offered transitive
read-only access to whatever the original capability could access. The
first kind of "diminishing" that we wanted in Tahoe was for precisely this
same purpose, so that's why I used that word. Of course, the ''next''
kind of diminishing that we wanted was for something else -- producing a
verify cap from a read cap. Oh well. Anyway, since I've already
committed to "diminish" in publishing lafs.pdf, and since it might be
useful to have the word "attenuation" separately as being what you do to
authority in general, let's call this operation "diminish".)
Oh dear it is way past my bedtime. I'll continue this tomorrow.
--
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/217#comment:50>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid
More information about the tahoe-dev
mailing list