Concise summary for theorists: IMHO we can make inserts have meaningful security, with acceptable performance even when the blocks can be known in advance (as with a reinsert for filesharing). I would appreciate you checking my rather hand-wavy maths, which I'm rubbish at!
Encrypt the m blocks for an insert with symmetric keys K_0 ... K_{m-1}. Give them identifiers X_0 ... X_{m-1} and route them by H(X_k), which is included in the pre-insert. Pre-inserts go to a special cache, stored by a few nodes close to the target location, which each return a public key, and we store all the pubkeys in W_k.

When all the pre-inserts are completed, we start the "reveal" stage. This includes X_k, rather than H(X_k), and K_k, and is encrypted to all the pubkeys W_k. It is routed by H(X_k) as with the pre-insert. The first node it reaches that has the data in its pre-insert cache decrypts it, tells the others to delete their copy if they are still online, and does a regular insert of the decrypted data, possibly after a delay for batching.

Obviously we'd random-route for a while at the beginning of at least the reveal stage, before routing to X. For more security, we can do the reveal stage more than once, as with unwrapping an onion. For really good security, I assume that we can tunnel the reveal stage using either rendezvous tunnels or some form of onion routing or even Dining Cryptographers anonymous broadcast; something effective but expensive. There is a very small amount of data, even with the encryption, so this ought to be feasible.

It appears to me that the average number of predecessor samples the attacker can gain (where he knows both the content and the immediately preceding node) in the two-stage case is going to be approximately k*m*c^2/n^2, where k is a small constant, m is the number of blocks, c is the number of nodes controlled by the attacker, and n is the number of nodes in total. Does this seem correct?

If this is true then it would probably justify a paper, and would mean Freenet could reasonably say we provide security within a factor of the best distributed mixnets (for inserts, not requests), albeit without a formal proof. Since we're into censorship resistance, inserts are more important than requests IMHO.
_______________________________________________ Devl mailing list [email protected] https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
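The two-stage insert described in the message above, as an added, stand-alone model; this is not Freenet code and not the author's, and it makes the following assumptions: a keyed-SHA-256 stream cipher with an HMAC tag stands in for a real AEAD, a Diffie-Hellman hybrid scheme over a toy (insecure) prime field stands in for real public-key encryption, nodes sit at locations on a [0,1) keyspace ring, and "routing by H(X_k)" is modelled as the reveal reaching the few replica nodes nearest that location in distance order. Random routing, the batching delay and any onion or tunnel layers are left out. Every name (`Network`, `Node`, `pre_insert`, `reveal`, `encrypt_to_all`, `run_demo`) is hypothetical. Two details the sketch leaves implicit are made explicit: the decrypting node checks that the revealed X hashes to the routing key it cached under (otherwise a forged reveal could make it insert unrelated data), and replicas that are offline at reveal time keep a stale pre-insert copy, which is what "if they are still online" implies.

```python
import hashlib, hmac, os, random, secrets

# Toy DH group (Mersenne prime 2^127-1, generator 3): NOT secure, a stdlib-only stand-in
# for a real public-key scheme such as X25519 plus an AEAD. EL is the element size in bytes.
P, G, EL = (1 << 127) - 1, 3, 16

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(h(key + nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))[:n]

def sym_encrypt(key: bytes, pt: bytes) -> bytes:
    """Toy encrypt-then-MAC stream cipher standing in for a real AEAD."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def encrypt_to_all(pubkeys, pt: bytes):
    """Hybrid encryption to every key in W_k: one content key, wrapped once per recipient."""
    ck, esk = os.urandom(32), secrets.randbelow(P - 2) + 1
    epk = pow(G, esk, P).to_bytes(EL, "big")
    wraps = [sym_encrypt(h(pow(pk, esk, P).to_bytes(EL, "big") + epk), ck) for pk in pubkeys]
    return epk, wraps, sym_encrypt(ck, pt)

def decrypt_as(sk: int, msg):
    """Try each wrap; the MAC picks out the one for this key. None if we are not a recipient."""
    epk, wraps, body = msg
    shared = pow(int.from_bytes(epk, "big"), sk, P).to_bytes(EL, "big")
    for w in wraps:
        try:
            return sym_decrypt(sym_decrypt(h(shared + epk), w), body)
        except ValueError:
            continue
    return None

def loc(key: bytes) -> float:  # routing key -> location on the [0,1) keyspace ring
    return int.from_bytes(key[:8], "big") / 2 ** 64

class Node:
    def __init__(self, location: float, online: bool):
        self.location, self.online = location, online
        self.sk, self.pk = keygen()
        self.pre_cache, self.store = {}, {}  # H(X_k) -> E_K(block); H(block) -> block

class Network:
    def __init__(self, n: int, replicas: int, rng: random.Random):
        # constructed scenario: 5% of nodes have gone offline by the time of the reveal
        self.nodes = [Node(rng.random(), rng.random() >= 0.05) for _ in range(n)]
        self.replicas = replicas

    def closest(self, target: float):  # the few nodes nearest the target, nearest first
        return sorted(self.nodes, key=lambda nd: min(abs(nd.location - target),
                                                      1 - abs(nd.location - target)))[: self.replicas]

    def pre_insert(self, hx: bytes, ciphertext: bytes):
        """Stage 1: E_K(block) routed by H(X); each cache node hands back its pubkey."""
        holders = self.closest(loc(hx))
        for nd in holders:
            nd.pre_cache[hx] = ciphertext
        return [nd.pk for nd in holders]

    def reveal(self, hx: bytes, msg) -> bool:
        """Stage 2: the first online cache node that can decrypt performs the regular insert."""
        holders = self.closest(loc(hx))
        for nd in holders:
            if not nd.online or hx not in nd.pre_cache:
                continue
            payload = decrypt_as(nd.sk, msg)
            if payload is None or h(payload[:16]) != hx:  # revealed X must hash to the routing key
                return False
            block = sym_decrypt(payload[16:], nd.pre_cache[hx])
            for other in holders:
                if other.online:  # offline replicas keep a stale pre-insert copy
                    other.pre_cache.pop(hx, None)
            for target in self.closest(loc(h(block))):
                target.store[h(block)] = block
            return True
        return False

def insert(net: Network, blocks):
    # both stages for m blocks; the reveal stage starts only once every pre-insert is done
    staged = []
    for block in blocks:
        x, k = os.urandom(16), os.urandom(32)
        staged.append((h(x), x, k, net.pre_insert(h(x), sym_encrypt(k, block))))
    return [(hx, net.reveal(hx, encrypt_to_all(w, x + k))) for hx, x, k, w in staged]

def run_demo(n: int = 200, m: int = 8, replicas: int = 3, seed: int = 1):
    """Constructed run: n nodes, m blocks, a few replicas per key; returns the state to inspect."""
    net = Network(n, replicas, random.Random(seed))
    blocks = [f"constructed block {i}".encode() for i in range(m)]
    return net, blocks, insert(net, blocks)
```

After `run_demo()` every block whose replica set still had an online member ends up in the regular datastore, and the only pre-insert entries left in the network are the ones held by replicas that were offline during the reveal; those stale copies are exactly the thing the "if they are still online" clause has to live with, and a node coming back online with a cache entry for which the reveal has already happened will never receive one.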
