[tahoe-dev] #217: DSA-based mutable files -- small URLs, fast file creation

Shawn Willden shawn-tahoe at willden.org
Wed Feb 4 21:21:29 UTC 2009

On Tuesday 03 February 2009 08:26:00 pm zooko wrote:
> It is the topic of section 6 of: http://allmydata.org/~zooko/lafs.pdf

Clever!  And quite simple and flexible, too.  I do see a weakness, though.

The security of DSA is dependent on x being drawn from a uniformly-distributed 
keyspace, but the distribution of xy mod q is not uniform.

If X and Y are uniform random variables (a reasonable assumption since secure 
hash functions are designed to simulate uniform random variables), then the 
PMF of XY mod q has a kind of a fractal-ish sawtooth wave shape.  I haven't 
found a way to characterize it mathematically, but I plotted some histograms 
to get an idea of the shape.  Ideally, you want every element of XY mod q to 
appear with probability 1/q.  In fact, based on some testing with tractable 
values of q, it appears that an attacker who searches the right 25% of the 
keyspace has a 50% chance of finding the key.

Some interesting patterns in the PMF, CMF and sorted CMF make me think it 
should be possible to find a simple mathematical description of the 
structure, which would enable quantitative analysis, including determination 
of the effective keyspace size.  How exactly to do that isn't obvious to me, 
though.  This stuff always makes me wish I'd bothered to take a course in 
statistics :-)

What is clear is that the construction is not as strong as normal DSA.  I'm 
not sure whether it weakens DSA enough to make a practical break feasible.  
My intuition says no, but intuition is pretty unreliable in this space. 


More information about the tahoe-dev mailing list