[tahoe-dev] Removing the dependency of immutable read caps on UEB computation

David-Sarah Hopwood david-sarah at jacaranda.org
Wed Oct 7 01:20:12 UTC 2009

David-Sarah Hopwood wrote:
> Brian Warner wrote:
>> I *am* intrigued by the idea of immutable files being just locked-down
>> variants of mutable files. A mutable-file readcap plus a hash of the
>> expected contents (i.e. H(UEB1)) would achieve this pretty well.. might
>> not be too much longer than our current immutable readcaps, and we could
>> keep the encoding-parameter-sensitive parts (UEB2) in the signed (and
>> therefore mutable) portion, so they could be changed later.
> We can do better than that. Notice that the mutable and immutable
> Elk Point protocols are (deliberately) already very similar.
> In particular, the mutable protocol obtains the same (n+t)/2 bits of
> collision-resistance as the immutable protocol does, for the values
> that are hashed by hash_m to obtain T || U. (This is from the point
> of view of a read cap holder. Assumptions: m >= n+t, K1 is at least
> n bits, and all cryptographic primitives have the strength expected
> from their security parameters.)
> When it is used for mutable files, this collision-resistance for EncK1,
> Dhash and V doesn't really buy you anything because even if those values
> are fixed, the file contents can still vary. However, if a hash of the
> plaintext (also of length m bits, say) is optionally included in the input
> to hash_m, the same protocol can be used for immutable files, and still
> obtains (n+t)/2 bits of collision resistance for the plaintext, from
> the point of view of a read cap holder.

Incidentally, I previously said
"I think it's desirable to continue to avoid relying on public key
cryptography in the immutable file protocol."

However, using the mutable file protocol in the way described above,
does not rely on public key cryptography for integrity of the plaintext
as read by a read-cap holder. That is still only dependent on hashes,
and on the symmetric cipher used to encrypt K1. The public key crypto is
relied on just to allow checking validity of a share without the read cap.

David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

More information about the tahoe-dev mailing list