[tahoe-dev] "Elk Point" design for mutable, add-only, and immutable files

Brian Warner warner at lothar.com
Sat Sep 12 19:31:32 UTC 2009 

David-Sarah Hopwood wrote:
> I've designed a new version of the cap protocol I posted a few days
> ago, that addresses Brian's comments about roadblock attacks.

This is great stuff. The diagram is immensely helpful too. Some
comments:

* so S+T is the storage-index, and the conservative values make it 210
  bits for immutable files and 288 bits for mutable files.

* roadblock attacks: I agree that it's probably plenty to make "t" large
  enough that the attacker can't put roadblocks in place before the
  uploader finishes their upload. If convergence is in use, the
  roadblocker may get more time to construct their preimages
  (particularly for likely-to-be-popular files, especially if someone
  has exclusive access to the file for some period of time before it
  becomes popular). However, we can (and probably should) design the
  upload code to detect a roadblock (i.e. notice shares for the existing
  SI, download some pieces of it to validate the hashes, then discover
  the problem) and re-upload with a randomly-generated key.

* more significantly, the attacker can prevent repair of the file,
  because once the original shares are uploaded, they have plenty of
  time to compute preimages and place roadblocks on all the other
  servers

But, 2**50 is still pretty big, and each operation requires generating a
DSA keypair, so perhaps we can rely upon the significant expense of this
attack to discourage people from trying it.

For mutable files:

* The destroy-cap is a neat bit of feature, but I'd want to think about
  it further before actually building it in. It makes a lot more sense
  in the context of add-only files.. if you don't have those, then
  there's not a lot of difference between filling the mutable slot with
  an empty file and completely destroying the slot. The existing URI:SSK
  files grant this ability to writecap holders: they can set the
  container length to zero, which will cause the server to delete the
  share altogether (the idea being to help with rebalancing/GC).

* I'd rename "master cap" to "writecap" or "full-writecap".. I spent a
  bit of time trying to figure out how to reattain offline
  writecap-to-readcap attenuation before realizing that the red "KCsign"
  value is actually the add-only cap, and the rainbow-colored box is the
  writecap. Also, I'd probably use "extra-verification readcap" or
  something similar instead of "read/verify cap".. the latter makes me
  think that the "readcap" doesn't provide any verification properties
  (when in fact, with your parameters, provides something like
  128+50=178 bits of integrity checking, which corresponds to a 178/2=
  2^89 work factor to find a single collision?).

* I like the variable-length cap thing. You'd store R+T+U everywhere,
  but you'd let users pass just R+T when they want to share. I think we
  could make this non-quantized: they could pass R+T+U[:extra] when they
  want to share, setting 'extra' according to how much they value
  brevity over integrity.

I'll try to write up a message later this weekend about server-side
validation properties. The most important reason is to get rid of the
write-enabler, to enable a future non-confidential share transport
protocol.

thanks!
 -Brian

More information about the tahoe-dev mailing list