diff options
author | Christian Grothoff <christian@grothoff.org> | 2021-06-14 18:04:03 +0200 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2021-06-14 18:04:03 +0200 |
commit | 46d68dcc0382a52bc34c2efb014a858295439c21 (patch) | |
tree | 5b5077b38b7ca93b04defcc05fcf08f730bd9de1 /draft-summermatter-set-union.xml | |
parent | 280f17a5e59200b8d02d4a27a99b880e34c5dd9f (diff) | |
download | lsd0003-46d68dcc0382a52bc34c2efb014a858295439c21.tar.gz lsd0003-46d68dcc0382a52bc34c2efb014a858295439c21.zip |
more work on 8.x
Diffstat (limited to 'draft-summermatter-set-union.xml')
-rw-r--r-- | draft-summermatter-set-union.xml | 36 |
1 files changed, 19 insertions, 17 deletions
diff --git a/draft-summermatter-set-union.xml b/draft-summermatter-set-union.xml index 44f377a..dd73158 100644 --- a/draft-summermatter-set-union.xml +++ b/draft-summermatter-set-union.xml | |||
@@ -2723,23 +2723,26 @@ FUNCTION END | |||
2723 | <name>Limit Active/Passive Decoding changes</name> | 2723 | <name>Limit Active/Passive Decoding changes</name> |
2724 | <t> | 2724 | <t> |
2725 | To prevent an attacker from sending a peer into an endless loop between active and passive decoding, a | 2725 | To prevent an attacker from sending a peer into an endless loop between active and passive decoding, a |
2726 | limitation for active/passive roll switches is required. This can be implemented by | 2726 | limitation for active/passive roll switches is required. |
2727 | Otherwise, an attacker could | ||
2728 | force the victim to waste unlimited amount of resources by just transmitting | ||
2729 | IBFs that do not decode. | ||
2730 | This can be implemented by | ||
2727 | a simple counter which terminates the operation after a predefined number of switches. | 2731 | a simple counter which terminates the operation after a predefined number of switches. |
2728 | The number of switches needs to be defined in such a way that it is very unprobable that more | 2732 | The maximum number of switches needs to be defined in such a way that it is |
2729 | switches are required an the malicious intend of the other peer can be assumed. | 2733 | very improbable that more switches are required in a legitimate interaction, |
2734 | and hence the malicious behavior of the other peer is assured. | ||
2730 | </t> | 2735 | </t> |
2731 | <t> | 2736 | <t> |
2732 | Thus, the limitation of the maximum allowed active/passive changes during differential synchronisation is key | 2737 | The question after how many active/passive switches it can be assumed that the other peer is not honest, |
2733 | to security. By limiting the maximum rounds in differential synchronisation an attacker can not waste | 2738 | depends on the various tuning parameters of the algorithm. |
2734 | unlimited amount of resources by just pretending an IBF does not decode. | 2739 | Section 5.4 of <xref target="byzantine_fault_tolerant_set_reconciliation" format="default"/> |
2735 | </t> | 2740 | demonstrates that the probability of decoding failure is less than |
2736 | <t> | 2741 | 15% for each round. The probability that there will be n legitimate |
2737 | The question after how many active/passive switches it can be assumed that the other peer is not honest, | 2742 | active/passive changes is thus less than 0.15^{round number}. |
2738 | depends on many factors and can only be solved probabilistically. This is described in detail in <xref target="byzantine_fault_tolerant_set_reconciliation" format="default"/> | 2743 | Which means that after about 30 active/passive switches it can be said with a certainty of 2^80 that one of the peers |
2739 | in section 5.4. From this work it is concluded that the probability of decoding failure is about | 2744 | is not following the protocol. |
2740 | 15% for each round. The probability that there will be n active/passive changes is given by 0.15^{round number}. | 2745 | Hence, participants MUST impose a maximum of 30 active/passive changes. |
2741 | Which means that after about 30 active/passive switches it can be said with a certainty of 2^80 that one of the peers | ||
2742 | is not following the protocol. It is reasonable that a maximum of 30 active/passive changes should be set. | ||
2743 | </t> | 2746 | </t> |
2744 | </section> | 2747 | </section> |
2745 | 2748 | ||
@@ -2749,14 +2752,13 @@ FUNCTION END | |||
2749 | An attacker can try to use up a peer's bandwidth by pretending that the peer | 2752 | An attacker can try to use up a peer's bandwidth by pretending that the peer |
2750 | needs full synchronisation, even if the set difference is very small and the attacker | 2753 | needs full synchronisation, even if the set difference is very small and the attacker |
2751 | only has a few (or even zero) elements that are not already synchronised. | 2754 | only has a few (or even zero) elements that are not already synchronised. |
2752 | In such a case, it would be ideal, if the plausibility could already be checked | 2755 | In such a case, it would be ideal if the plausibility could already be checked |
2753 | during full synchronisation as to whether the other peer was honest or not with | 2756 | during full synchronisation as to whether the other peer was honest or not with |
2754 | regard to the estimation of the set size difference and thus the choice of mode | 2757 | regard to the estimation of the set size difference and thus the choice of mode |
2755 | of operation. | 2758 | of operation. |
2756 | </t> | 2759 | </t> |
2757 | <t> | 2760 | <t> |
2758 | In order to calculate this plausibility, in Summmermatters paper <xref target="byzantine_fault_tolerant_set_reconciliation" format="default"/> in section 5.5 | 2761 | In order to calculate this plausibility, section 5.5 of <xref target="byzantine_fault_tolerant_set_reconciliation" format="default"/> describes a formula, which depicts the probability with which one |
2759 | a formula was developed, which depicts the probability with which one | ||
2760 | can calculate the corresponding plausibility based on the number of | 2762 | can calculate the corresponding plausibility based on the number of |
2761 | new and repeated elements after each received element. | 2763 | new and repeated elements after each received element. |
2762 | </t> | 2764 | </t> |