**diff options**

author | pukkamustard <pukkamustard@posteo.net> | 2020-10-22 17:28:10 +0200 |
---|---|---|

committer | pukkamustard <pukkamustard@posteo.net> | 2020-10-22 17:28:10 +0200 |

commit | 9d13a9678c45a530972da3182683ce74e5c90656 (patch) | |

tree | dbbd762cb0d2dc288603b4ffdb35d2f0c3cf8e8d /doc | |

parent | 1e05ed9502dffbe0598edda5d271e517098c76a8 (diff) |

eris.adoc: notes on convergence secret

Diffstat (limited to 'doc')

-rw-r--r-- | doc/eris.adoc | 20 |

1 files changed, 14 insertions, 6 deletions

diff --git a/doc/eris.adoc b/doc/eris.adoc index 4a681a6..b4d1607 100644 --- a/doc/eris.adoc +++ b/doc/eris.adoc @@ -134,29 +134,36 @@ The convergence-secret MUST NOT be used to compute the reference to the encrypte ===== Convergence Secret -TODO: some notes on convergence secret. +Using the hash of the content as key is called _convergent encryption_. + +Because the hash of the content is deterministically computed from the content, the key will be the same when the same content is encoded twice. This results in de-duplication of content. + +However convergent encryption suffers from two known attacks: The Confirmation Of A File Attack and The Learn-The-Remaining-Information Attack <<Zooko2008>>. + +A defense against both attacks is to use a _convergence secret_. This results in different encoding of the same content with different convergence secret. + +The convergence secret is implemented as the keying feature of the Blake2 cryptographic hash <<RFC7693>>. ==== Merkle Tree Reference-key pairs are collected into nodes of size block size by concatenating the concatenated reference-key pair. The node is encrypted, and a reference-key pair to the node is computed. This results in a sequence of reference-key pairs that refer nodes containing reference-key pairs at a lower level - a tree. This process is recursively applied until there is a single reference-key pair - the _root reference-key pair_. We keep track of the level of recursion. -The root reference-key pair and the level of the root reference-key pair is the necessary information required to decode content. The triple consisting of root reference, key and level is called the _read capability_. The read capability as well as the encrypted blocks (as output by the <<_reference_key_pair>> sub-process) is the output of the entire encoding process. +The number of reference-key pairs collected into a node is called the _arity_ of the tree and depends on the block size. For block size 1Kb the arity of the tree is 16, for block size 32Kb the arity is 512. If there are less than arity number of references-key pairs to collect in a node, then the node is filled with missing number of _null reference-key pairs_ - 64 bytes of zeros. The size of a node is always equal the block size. The initial input (level 0) is the sequence of reference-key pairs to the input content. -The number of reference-key pairs collected into a node is called the _arity_ of the tree and depends on the block size. For block size 1Kb the arity of the tree is 16, for block size 32Kb the arity is 512. If there are less than arity number of references to collect in a node, then the node is filled with missing number of _null reference-key pairs_ - 64 bytes of zeros. +The root reference-key pair, the level of the root reference-key pair and the block-size are the necessary pieces of information required to decode content. The tuple consisting of block size, level, root reference and key is called the _read capability_. -The output is the root reference-key pair and the level of the root reference-key pair. +The read capability as well as the encrypted blocks (as output by the <<_reference_key_pair>> sub-process) is the output of the entire encoding process. NOTE: The constructed tree of nodes containing reference-key pairs is called a Merkle Tree. -A tree with for levels is depicted in <<figure_merkle_tree>>. For illustration purposes the tree is of arity 2 (instead of 16 or 512). +An encoding of a content that is split into eight blocks is depicted in <<figure_merkle_tree>>. For illustration purposes the tree is of arity 2 (instead of 16 or 512). [[figure_merkle_tree]] .Merkle Tree image::eris-merkle-tree.svg[Merkle Tree,opts=inline] - === Decoding === Binary Encoding of Read Capability @@ -207,3 +214,4 @@ This work is licensed under a http://creativecommons.org/licenses/by-sa/4.0/[Cre - [[[RFC7049]]] C. Bormann & P. Hoffman. https://tools.ietf.org/html/rfc7049[Concise Binary Object Representation (CBOR)]. 2013 - [[[RFC7693]]] M-J. Saarinen & J-P. Aumasson. https://tools.ietf.org/html/rfc7693[The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)]. 2015 - [[[RFC8439]]] Nir & Langley. https://tools.ietf.org/html/rfc8439[ChaCha20 and Poly1305 for IETF Protocols]. 2018 +- [[[Zooko2008]]] Zooko Wilcox-O'Hearn. https://tahoe-lafs.org/hacktahoelafs/drew_perttula.html[Drew Perttula and Attacks on Convergent Encryption]. 2008 |