[tahoe-dev] how to encrypt, integrity-check, and offline-attenuate with only 2n bits
Brian Warner
warner at lothar.com
Wed Sep 9 02:02:22 PDT 2009
Brian Warner wrote:
> So I'd argue that this scheme results in a verifycap that's half as
> strong as the readcap.
.. and, finally catching up with your subsequent messages, I think we
agree on this one :).
> I'll take a look at the mutable diagram separately.
On the mutable diagram: what if we compute the signature over
(K1enc,ciphertext) instead of merely over (ciphertext)? When we wouldn't
need to hash K1enc into V'. And, if I can apply the same red X as I did
for the immutable diagram (removing SI from the hash that computes V'),
then we're down to V'=H(Kverify), which is exactly what we have in the
current mutable-file scheme (writecap, readcap, and verifycap all
contain a hash of the pubkey).
I think we're hitting the same tradeoff here. By folding the pubkey into
R, we're making all its bits do double duty, so we can get n bits of
integrity out of the n-bit R value (in addition to their n bits of
confidentiality). But it also means that we can't derive the
storage-index from just the pubkey (to preserve the ability to derive it
from R), which means the server loses its validation abilities.
The mutable scheme does retain the offline attenuation, though, which I
like :).
ah, such difficulties..
-Brian
More information about the tahoe-dev
mailing list