1 files changed, 49 insertions, 159 deletions
diff --git a/draft-summermatter-set-union.xml b/draft-summermatter-set-union.xml
index df08f7a..95f94a2 100644
--- a/draft-summermatter-set-union.xml
+++ b/draft-summermatter-set-union.xml
@@ -2537,155 +2537,25 @@ peers set           +---------+        +---------+        +---------+
                     ===>: Always answer needed.
                    ]]></artwork>
                </figure>
+                <!-- CORRECT -->
                <t>
-                    A possible implementation of the check in pseudocode could look as follows:
+                    In the message control flow its important to ensure that no duplicated message are received
+                    (Except inquiries where collisions are possible) and only messages are received which are compliant
+                    with the flow in <xref target="security_generic_functions_mfc_chain" format="default" />.
+                    To link messages the SHA-512 element hashes that are part of all messages except in the
+                    <em><xref target="messages_inquiry" format="title" /></em> message can be used.
+                    To link an <em><xref target="messages_inquiry" format="title" /></em> message to an
+                    <em><xref target="messages_offer" format="title" /></em> message
+                    the SHA-512 hash from the offer has to be salted and converted to the IBF-Key (as described in
+                    <xref target="ibf_format_id_generation_pseudo_code" format="default" />) this then can
+                    be matched against the received <em><xref target="messages_inquiry" format="title" /></em> message.
                </t>
-                <figure anchor="security_generic_functions_mfc_code">
+                <t>
-                    <artwork name="" type="" align="left" alt=""><![CDATA[
+                    In the end of the set reconciliation operation after receiving and sending the
-# ValidStates:
+                    <em><xref target="messages_done" format="title" /></em> message it should be checked
-# The following message states are used to track the message flow.
+                    that all demands have been satisfied and all elements have been received.
-# - NOT_INITIALIZED: Fresh initialized value
+                </t>
-# - SENT: Element has been sent
+                <!-- CORRECT -->
-# - EXPECTED: Element is expected
-# - RECEIVED: Element is received
-# Function to initialize new store
-# Output:
-# Returns empty store
-FUNCTION initialize_store()
-    RETURN {}
-FUNCTION END
-# Function to initialize a store element
-# Output:
-# Returns an empty element for the store
-FUNCTION initialize_element()
-    RETURN {
-        INQUIRY: NOT_INITIALIZED,
-        OFFER: NOT_INITIALIZED,
-        DEMAND: NOT_INITIALIZED,
-        ELEMENT: NOT_INITIALIZED
-    }
-FUNCTION END
-# Function called every time a new message is transmitted to other peer
-# Input:
-# store: Store created by the initialize_store() function
-# mt: The message that was sent type e.g. INQUIRY or DEMAND
-# hash: The hash of the element which is sent
-# Output:
-# Returns TRUE if the message flow was followed, otherwise FALSE
-FUNCTION send(store, mt, hash)
-    IF NOT hash IS IN store
-        store_element = initialize_element()
-    ELSE
-        store_element = store.get(hash)
-    END IF
-    CASE based ON mt
-        CASE INQUIRY
-            IF store_element.INQUIRY == NOT_INITIALIZED
-                store_element.INQUIRY = SENT
-            ELSE
-                RETURN FALSE
-            END IF
-        CASE OFFER
-            IF store_element.OFFER == NOT_INITIALIZED
-                store_element.OFFER = SENT
-                store_element.DEMAND = EXPECTED
-            ELSE
-                RETURN FALSE
-            END IF
-        CASE DEMAND
-            IF store_element.DEMAND == NOT_INITIALIZED AND
-             (store_element.INQUIRY == SENT OR
-              store_element.INQUIRY == NOT_INITIALIZED)
-                store_element.DEMAND = SENT
-                store_element.ELEMENT = EXPECTED
-            ELSE
-                RETURN FALSE
-            END IF
-        CASE ELEMENT
-            IF store_element.ELEMENT == NOT_INITIALIZED AND
-              store_element.OFFER == SENT
-                store_element.ELEMENT = SENT
-            ELSE
-                RETURN FALSE
-            END IF
-        DEFAULT
-            RETURN FALSE
-    CASE END
-   ADD OR UPDATE KEY hash IN store WITH store_element
-   RETURN TRUE
-FUNCTION END
-# Function called every time a new message is received from the other peer
-# Input:
-# store: Store created by the initialize_store() function
-# mt: The message that was received type e.g. INQUIRY or DEMAND
-# hash: The hash of the element which is received
-# Output:
-# Returns TRUE if the message flow was followed, otherwise FALSE
-FUNCTION receive (store, mt, hash)
-     IF NOT hash IS IN store
-        store_element = initialize_element()
-    ELSE
-        store_element = store.get(hash)
-    END IF
-    CASE based on mt
-        CASE INQUIRY
-            IF store_element.INQUIRY == NOT_INITIALIZED
-                store_element.INQUIRY = RECEIVED
-            ELSE
-                RETURN FALSE
-            END IF
-        CASE OFFER
-            IF store_element.OFFER == NOT_INITIALIZED
-                store_element.OFFER = RECEIVED
-            ELSE
-                RETURN FALSE
-            END IF
-        CASE DEMAND
-            IF store_element.DEMAND == EXPECTED AND
-               store_element.OFFER == SENT
-                store_element.DEMAND = RECEIVED
-            ELSE
-                RETURN FALSE
-            END IF
-        CASE ELEMENT
-            IF store_element.ELEMENT == EXPECTED AND
-              store_element.DEMAND == SENT
-                store_element.ELEMENT = RECEIVED
-            ELSE
-                RETURN FALSE
-            END IF
-        DEFAULT
-            RETURN FALSE
-        CASE END
-   ADD OR UPDATE KEY hash IN store WITH store_element
-   RETURN TRUE
-FUNCTION END
-# Function called when the union operation is finished to ensure that all demands have
-# been fulfilled
-# Input:
-# store: Store created by the initialize_store() function
-# Output:
-# Returns TRUE if all demands have been fulfilled otherwise FALSE
-FUNCTION check_if_synchronisation_is_complete(store):
-    FOR element in store.getAll()
-        IF element.ELEMENT == EXPECTED OR
-         element.DEMAND == EXPECTED
-            RETURN FALSE
-        IF END
-    FOR END
-    RETURN TRUE
-FUNCTION END
-                    ]]></artwork>
-                </figure>
                <t>
                    This is based on <xref target="byzantine_fault_tolerant_set_reconciliation" format="default"/>, section 5.3 (Message Control Flow).
                </t>
@@ -2873,6 +2743,21 @@ END FUNCTION
                          abort the protocol if its resource limits are likely to be
                          exceeded, or if the size is implausible for the given operation.
                        </t>
+                        <!-- CORRECT -->
+                        <!-- BUGTRACKER -->
+                        <t>
+                          It needs to be checked that that the offset (message field "OFFSET")
+                          for every received <em><xref target="messages_ibf" format="title" /></em> message
+                          is strictly monotonic increasing and is a multiple of the MAX_BUCKETS_PER_MESSAGE
+                          defined in the <xref target="constants" format="title" /> section otherwise the
+                          connection MUST be aborted.
+                        </t>
+                        <t>
+                          An other sanity check is to ensure that the "OFFSET" message field never
+                          is a higher than the "IBF SIZE" field in the <em><xref target="messages_ibf" format="title" /></em>
+                          message.
+                        </t>
+                        <!-- CORRECT -->
                    </dd>
                    <dt><xref target="messages_ibf_last" format="title" /></dt>
                    <dd>
@@ -2882,19 +2767,24 @@ END FUNCTION
                            should conclude the transmission of the IBF and a change to the <strong>Active Decoding</strong>
                            phase should be ensured.
                        </t>
+                        <!-- CORRECT -->
+                        <!-- BUGTRACKER -->
+                        <t>
+                            To verify that all IBFs have been received a simple validation can be made
+                            the number of buckets in the <em><xref target="messages_ibf_last" format="title" /></em> message
+                            added to the value in the message OFFSET field should always be equal to the "IBF SIZE".
+                        </t>
+                        <t>
+                            Further plausibility checks can be made. One is to ensure that after each active/passive
+                            switch the IBF can never more than double in size. An other plausibility check is
+                            is that an IBF probably never will be bigger than the byzantine upperbound multiplied by two.
+                            The third plausibility check is to take successfully decoded IBF keys (received offers and demands)
+                            into account and validating the size of the received IBF with the in <xref target="performance_formula_ibf_parameters_code" format="default" />
+                            described function get_next_ibf_size(). If any of these three checks fail the operation
+                            must be aborted.
+                        </t>
+                        <!-- CORRECT -->
                    </dd>
-                    <!-- FIXME: we can also receive an IBF_LAST in this state,
-                         here additional sanity checks, like that we have received
-                         all of the other fragments/parts of the IBF first and
-                         that the parameters are thus consistent apply. @Christian So we would have
-                         to transmit the number of IBF slices that will be transmitted first
-                         to do this check right? Empfangen in mononer rheienfolge und prüfen das
-                         es der letzte war.  Sizes immer gleich?
-                         Grösse plausible check:
-                         - initiale bzyantine Upper bound verküpfen auf setsize differenz
-                         - Wiederholt das ding kann sich nur verdoppeln
-                         - Genau prüffen durch offer/demands
-                          -->
                </dl>
            </section>

diff --git a/draft-summermatter-set-union.xml b/draft-summermatter-set-union.xml index df08f7a..95f94a2 100644 --- a/draft-summermatter-set-union.xml +++ b/draft-summermatter-set-union.xml
@@ -2537,155 +2537,25 @@ peers set +---------+ +---------+ +---------+
2537	===>: Always answer needed.	2537	===>: Always answer needed.
2538	]]></artwork>	2538	]]></artwork>
2539	</figure>	2539	</figure>
		2540	<!-- CORRECT -->
2540	<t>	2541	<t>
2541	A possible implementation of the check in pseudocode could look as follows:	2542	In the message control flow its important to ensure that no duplicated message are received
		2543	(Except inquiries where collisions are possible) and only messages are received which are compliant
		2544	with the flow in <xref target="security_generic_functions_mfc_chain" format="default" />.
		2545	To link messages the SHA-512 element hashes that are part of all messages except in the
		2546	<em><xref target="messages_inquiry" format="title" /></em> message can be used.
		2547	To link an <em><xref target="messages_inquiry" format="title" /></em> message to an
		2548	<em><xref target="messages_offer" format="title" /></em> message
		2549	the SHA-512 hash from the offer has to be salted and converted to the IBF-Key (as described in
		2550	<xref target="ibf_format_id_generation_pseudo_code" format="default" />) this then can
		2551	be matched against the received <em><xref target="messages_inquiry" format="title" /></em> message.
2542	</t>	2552	</t>
2543	<figure anchor="security_generic_functions_mfc_code">	2553	<t>
2544	<artwork name="" type="" align="left" alt=""><![CDATA[	2554	In the end of the set reconciliation operation after receiving and sending the
2545	# ValidStates:	2555	<em><xref target="messages_done" format="title" /></em> message it should be checked
2546	# The following message states are used to track the message flow.	2556	that all demands have been satisfied and all elements have been received.
2547	# - NOT_INITIALIZED: Fresh initialized value	2557	</t>
2548	# - SENT: Element has been sent	2558	<!-- CORRECT -->
2549	# - EXPECTED: Element is expected
2550	# - RECEIVED: Element is received
2551
2552	# Function to initialize new store
2553	# Output:
2554	# Returns empty store
2555	FUNCTION initialize_store()
2556	RETURN {}
2557	FUNCTION END
2558
2559	# Function to initialize a store element
2560	# Output:
2561	# Returns an empty element for the store
2562	FUNCTION initialize_element()
2563	RETURN {
2564	INQUIRY: NOT_INITIALIZED,
2565	OFFER: NOT_INITIALIZED,
2566	DEMAND: NOT_INITIALIZED,
2567	ELEMENT: NOT_INITIALIZED
2568	}
2569	FUNCTION END
2570
2571	# Function called every time a new message is transmitted to other peer
2572	# Input:
2573	# store: Store created by the initialize_store() function
2574	# mt: The message that was sent type e.g. INQUIRY or DEMAND
2575	# hash: The hash of the element which is sent
2576	# Output:
2577	# Returns TRUE if the message flow was followed, otherwise FALSE
2578	FUNCTION send(store, mt, hash)
2579
2580	IF NOT hash IS IN store
2581	store_element = initialize_element()
2582	ELSE
2583	store_element = store.get(hash)
2584	END IF
2585
2586	CASE based ON mt
2587	CASE INQUIRY
2588	IF store_element.INQUIRY == NOT_INITIALIZED
2589	store_element.INQUIRY = SENT
2590	ELSE
2591	RETURN FALSE
2592	END IF
2593	CASE OFFER
2594	IF store_element.OFFER == NOT_INITIALIZED
2595	store_element.OFFER = SENT
2596	store_element.DEMAND = EXPECTED
2597	ELSE
2598	RETURN FALSE
2599	END IF
2600	CASE DEMAND
2601	IF store_element.DEMAND == NOT_INITIALIZED AND
2602	(store_element.INQUIRY == SENT OR
2603	store_element.INQUIRY == NOT_INITIALIZED)
2604	store_element.DEMAND = SENT
2605	store_element.ELEMENT = EXPECTED
2606	ELSE
2607	RETURN FALSE
2608	END IF
2609	CASE ELEMENT
2610	IF store_element.ELEMENT == NOT_INITIALIZED AND
2611	store_element.OFFER == SENT
2612	store_element.ELEMENT = SENT
2613	ELSE
2614	RETURN FALSE
2615	END IF
2616	DEFAULT
2617	RETURN FALSE
2618	CASE END
2619	ADD OR UPDATE KEY hash IN store WITH store_element
2620	RETURN TRUE
2621	FUNCTION END
2622
2623	# Function called every time a new message is received from the other peer
2624	# Input:
2625	# store: Store created by the initialize_store() function
2626	# mt: The message that was received type e.g. INQUIRY or DEMAND
2627	# hash: The hash of the element which is received
2628	# Output:
2629	# Returns TRUE if the message flow was followed, otherwise FALSE
2630	FUNCTION receive (store, mt, hash)
2631	IF NOT hash IS IN store
2632	store_element = initialize_element()
2633	ELSE
2634	store_element = store.get(hash)
2635	END IF
2636
2637	CASE based on mt
2638	CASE INQUIRY
2639	IF store_element.INQUIRY == NOT_INITIALIZED
2640	store_element.INQUIRY = RECEIVED
2641	ELSE
2642	RETURN FALSE
2643	END IF
2644	CASE OFFER
2645	IF store_element.OFFER == NOT_INITIALIZED
2646	store_element.OFFER = RECEIVED
2647	ELSE
2648	RETURN FALSE
2649	END IF
2650	CASE DEMAND
2651	IF store_element.DEMAND == EXPECTED AND
2652	store_element.OFFER == SENT
2653	store_element.DEMAND = RECEIVED
2654	ELSE
2655	RETURN FALSE
2656	END IF
2657	CASE ELEMENT
2658	IF store_element.ELEMENT == EXPECTED AND
2659	store_element.DEMAND == SENT
2660	store_element.ELEMENT = RECEIVED
2661	ELSE
2662	RETURN FALSE
2663	END IF
2664	DEFAULT
2665	RETURN FALSE
2666	CASE END
2667	ADD OR UPDATE KEY hash IN store WITH store_element
2668	RETURN TRUE
2669	FUNCTION END
2670
2671	# Function called when the union operation is finished to ensure that all demands have
2672	# been fulfilled
2673	# Input:
2674	# store: Store created by the initialize_store() function
2675	# Output:
2676	# Returns TRUE if all demands have been fulfilled otherwise FALSE
2677	FUNCTION check_if_synchronisation_is_complete(store):
2678	FOR element in store.getAll()
2679	IF element.ELEMENT == EXPECTED OR
2680	element.DEMAND == EXPECTED
2681	RETURN FALSE
2682	IF END
2683	FOR END
2684	RETURN TRUE
2685	FUNCTION END
2686
2687	]]></artwork>
2688	</figure>
2689	<t>	2559	<t>
2690	This is based on <xref target="byzantine_fault_tolerant_set_reconciliation" format="default"/>, section 5.3 (Message Control Flow).	2560	This is based on <xref target="byzantine_fault_tolerant_set_reconciliation" format="default"/>, section 5.3 (Message Control Flow).
2691	</t>	2561	</t>
@@ -2873,6 +2743,21 @@ END FUNCTION
2873	abort the protocol if its resource limits are likely to be	2743	abort the protocol if its resource limits are likely to be
2874	exceeded, or if the size is implausible for the given operation.	2744	exceeded, or if the size is implausible for the given operation.
2875	</t>	2745	</t>
		2746	<!-- CORRECT -->
		2747	<!-- BUGTRACKER -->
		2748	<t>
		2749	It needs to be checked that that the offset (message field "OFFSET")
		2750	for every received <em><xref target="messages_ibf" format="title" /></em> message
		2751	is strictly monotonic increasing and is a multiple of the MAX_BUCKETS_PER_MESSAGE
		2752	defined in the <xref target="constants" format="title" /> section otherwise the
		2753	connection MUST be aborted.
		2754	</t>
		2755	<t>
		2756	An other sanity check is to ensure that the "OFFSET" message field never
		2757	is a higher than the "IBF SIZE" field in the <em><xref target="messages_ibf" format="title" /></em>
		2758	message.
		2759	</t>
		2760	<!-- CORRECT -->
2876	</dd>	2761	</dd>
2877	<dt><xref target="messages_ibf_last" format="title" /></dt>	2762	<dt><xref target="messages_ibf_last" format="title" /></dt>
2878	<dd>	2763	<dd>
@@ -2882,19 +2767,24 @@ END FUNCTION
2882	should conclude the transmission of the IBF and a change to the <strong>Active Decoding</strong>	2767	should conclude the transmission of the IBF and a change to the <strong>Active Decoding</strong>
2883	phase should be ensured.	2768	phase should be ensured.
2884	</t>	2769	</t>
		2770	<!-- CORRECT -->
		2771	<!-- BUGTRACKER -->
		2772	<t>
		2773	To verify that all IBFs have been received a simple validation can be made
		2774	the number of buckets in the <em><xref target="messages_ibf_last" format="title" /></em> message
		2775	added to the value in the message OFFSET field should always be equal to the "IBF SIZE".
		2776	</t>
		2777	<t>
		2778	Further plausibility checks can be made. One is to ensure that after each active/passive
		2779	switch the IBF can never more than double in size. An other plausibility check is
		2780	is that an IBF probably never will be bigger than the byzantine upperbound multiplied by two.
		2781	The third plausibility check is to take successfully decoded IBF keys (received offers and demands)
		2782	into account and validating the size of the received IBF with the in <xref target="performance_formula_ibf_parameters_code" format="default" />
		2783	described function get_next_ibf_size(). If any of these three checks fail the operation
		2784	must be aborted.
		2785	</t>
		2786	<!-- CORRECT -->
2885	</dd>	2787	</dd>
2886	<!-- FIXME: we can also receive an IBF_LAST in this state,
2887	here additional sanity checks, like that we have received
2888	all of the other fragments/parts of the IBF first and
2889	that the parameters are thus consistent apply. @Christian So we would have
2890	to transmit the number of IBF slices that will be transmitted first
2891	to do this check right? Empfangen in mononer rheienfolge und prüfen das
2892	es der letzte war. Sizes immer gleich?
2893	Grösse plausible check:
2894	- initiale bzyantine Upper bound verküpfen auf setsize differenz
2895	- Wiederholt das ding kann sich nur verdoppeln
2896	- Genau prüffen durch offer/demands
2897	-->
2898	</dl>	2788	</dl>
2899	</section>	2789	</section>
2900		2790