Changes between Version 14 and Version 15 of NewMutableEncodingDesign
- Timestamp:
- 2010-01-08T03:35:39Z (15 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
NewMutableEncodingDesign
v14 v15 12 12 * [http://allmydata.org/pipermail/tahoe-dev/2009-September/002848.html The Elk Point design] is very interesting, and has not yet been transcribed into this wiki page. 13 13 14 = Parameters K and T = 15 16 Below, K is the security level needed for an attack against confidentiality: 17 such attacks will require p * 2^K^ work factor (product of machine size and time) 18 for a probability of success p. T is the additional number of bits needed to take 19 into account 20 [http://allmydata.org/trac/tahoe/ticket/882#comment:6 multi-target attacks] against 21 hash functions, so that attacks against integrity also require p * 2^K^ work factor 22 for 2^T^ target files. 23 14 24 = Yay ECDSA = 15 25 … … 23 33 The RSA fields are so large that we clearly cannot put them in the filecaps, 24 34 so the encoding scheme requires them to be stored in the shares, encrypted 25 and hashed as necessary. The DSA keys are short enough (in most cases) to put 26 directly in the filecap, simplifying the design considerably. 35 and hashed as necessary. The ECDSA keys are short enough (in most cases) to put 36 directly in the filecap, although note that this still increases the cap length 37 relative to using a hash truncated to K+T bits. 27 38 28 39 = Desired Features = … … 47 58 == Filecap Length == 48 59 49 A likely security parameter K (=kappa) would be 96, 128, or 160 bits , and most of50 the filecaps will be some multiple of K.[96 bits is too short IMHO --David-Sarah]60 A likely security parameter K (=kappa) would be 96, 128, or 160 bits. 61 [96 bits is too short IMHO --David-Sarah] 51 62 52 63 Assuming a {{{tahoe:}}} prefix and no additional metadata, here's what … … 83 94 [http://allmydata.org/trac/tahoe/ticket/882#comment:6 #882:c6] for a 84 95 counterargument saying that 50 extra bits or so are needed to be secure 85 against multi-target attacks. 96 against multi-target attacks (i.e. T = 50). This page has now been updated 97 assuming the counterargument is correct. 86 98 87 99 = Design Proposals = … … 123 135 material) (remember, K=kappa, probably 128bits) 124 136 * (minimum 2K) readcap = minimum 2*K-bit semiprivate key 125 * verifycap = 2*K-bitpublic key137 * (minimum 2K) verifycap = public key 126 138 * storage-index = truncated verifycap 127 139 … … 142 154 * (minimum 2K) readcap = minimum 2*K-bit first semiprivate key 143 155 * (minimum 2K) traversalcap = minimum 2*K-bit second semiprivate key 144 * verifycap = 2*K-bitpublic key156 * (minimum 2K) verifycap = public key 145 157 * storage-index = truncated verifycap 146 158 … … 158 170 private key out of the share and into the writecap: 159 171 160 * ( 1K) writecap = K-bit random string = privkey161 * ( 3K) readcap = H(writecap)[:K] + H(pubkey)162 * verifycap = H(pubkey)172 * (K) writecap = K-bit random string = privkey 173 * (2K + T) readcap = H(writecap)[:K] + H(pubkey)[:K+T] 174 * (K + T) verifycap = H(pubkey)[:K+T] 163 175 * storage-index = truncated verifycap 164 176 … … 166 178 from one of the shares, since they cannot derive it themselves. This 167 179 preserves offline attenuation and server-side validation. The readcap grows 168 to (1+2)*K : we can truncate the AES key since we only need K bits for K-bit 169 confidentiality, but require 2*K bits on H(pubkey) to attain K-bit collision 170 resistance. The verifycap is 2*K. 180 to 2K + T : we only need K bits for K-bit confidentiality, but require K+T bits 181 on H(pubkey) to attain K-bit second-preimage resistance for 2^T^ targets. (To 182 obtain collision-resistance, set T = K, although that shouldn't be necessary 183 for mutable files.) The verifycap is K+T bits. 171 184 172 185 === include ECDSA pubkey in cap === … … 175 188 requiring the client to fetch a copy: 176 189 177 * ( 1K) writecap = K-bit random string = privkey190 * (K) writecap = K-bit random string = privkey 178 191 * (minimum 3K) readcap = H(writecap)[:K] + pubkey 179 * verifycap = pubkey192 * (minimum 2K) verifycap = pubkey 180 193 * storage-index = H(pubkey) 181 194 182 I think ECDSA pubkeys are 2*K long, so this would not change the length of 183 the readcaps. It would just simplify/speed-up the download process. If we 184 could use shorter pubkeys, this design might give us slightly shorter keys. 185 Alternately, if we could use shorter hashes, then the H(pubkey) design might 186 give us slightly shorter keys. 195 ECDSA pubkeys are slightly more than 2*K long, so this would increase the 196 length of the readcaps whenever K > T. The advantage would be simplifying/speeding up 197 the download process. It is highly unlikely that there is any public key algorithm 198 with keys shorter than 2*K for a K-bit security level. Since we can use shorter 199 hashes than public keys, the H(pubkey) design above gives us shorter read caps, 200 although they are not shorter than using semi-private keys. 187 201 188 202 === Any public key algorithm, no semi-private keys, with traversalcap === 189 203 190 Since a secure pubkey identifier (either H(pubkey) or the original privkey)204 Since a secure pubkey identifier (either H(pubkey)[:K+T] or the original privkey) 191 205 is present in all caps, it's easy to insert arbitrary intermediate levels. It 192 206 doesn't even change the way the existing caps are used: 193 207 194 208 * (1K) writecap = K-bit random string = privkey 195 * ( 3K) readcap = H(writecap)[:K] + H(pubkey)196 * ( 3K) traversalcap: H(readcap)[:K] + H(pubkey)197 * verifycap = H(pubkey)209 * (2K + T) readcap = H(writecap)[:K] + H(pubkey)[:K+T] 210 * (2K + T) traversalcap: H(readcap)[:K] + H(pubkey)[:K+T] 211 * (K + T) verifycap = H(pubkey)[:K+T] 198 212 * storage-index = truncated verifycap 199 213