image/svg+xml
If you have the read cap (of size 2n bits), you can findthe storage index S || T || V, and use it to get the currentfile contents (along with the other objects that are storedon the server). This gives you n bits of confidentiality, i.e.you know that it would take approximately 2^n work forsomeone who doesn't have any of the orange secretvalues to learn anything about the contents, providedthat either the convergence secret is unknown or thefile contents have sufficient entropy. This also gives n bitsof collision resistance, i.e. you know that it would takeapproximately 2^n work for anyone, even the originaluploader, to generate a collision.If you have a verify cap (of size k+2n bits), you can verifythat a given server has stored sufficient information toallow reading the contents, including any subdirectories.This assumes that Plain_X for a directory stores verifycaps for the directory's children. It would take about2^n work for anyone without the verify cap to readPlain_X. It would also take at least 2^n work for anyoneexcept the original uploader of the file to forge a sharethat incorrectly passes the verify check. The verify capcan be derived from the read cap by contacting a server,or off-line from a read/verify cap of size 3n bits.If you have an index cap (of size k+2n bits), you can verifythis file/directory, but not subdirectories. The index cap canbe derived off-line from the verify cap, and is the same asthe storage index.(Note: it would be more efficient to use intermediate hashes,not shown, rather than repeating the hashing of longciphertexts to compute R, T and V.)
data
Immutable file protocol
Goals
convergence secret
hash
n
PRP
key
input
read cap
stored on server
“Elk Point 4” design
encrypt
R
CS
Params
key
verify cap
Ctext
X
Ctext
K
encrypt
data
key
Plain
X
Plain
K
X
K
EncK
Params
Ctext
K
hash
k
hash
n
T
T
X
S
T
V
V
index cap
hash
n
hash
k
hash
k