[messaging] Group messaging consistency under resource constraints

Ximin Luo infinity0 at pwned.gg
Mon Oct 20 08:11:53 PDT 2014

On 10/10/14 23:09, Trevor Perrin wrote:
> On Fri, Oct 10, 2014 at 1:21 PM, Ximin Luo <infinity0 at pwned.gg> wrote:
>> On 10/10/14 21:06, Trevor Perrin wrote:
>>> [1] https://moderncrypto.org/mail-archive/messaging/2014/000372.html
>> This [1] doesn't achieve consistency. I tried to explain why both in its "next message in thread" and in the first post of this thread, but it looks like my warnings are falling on deaf ears; here is a more concrete example:
>> A: (1) Who wants ice cream? (last-message-seen: 0)
>> A: (2) Who wants to kill the president? (last-message-seen: 1) (sent to everyone, *except B*)
>> B: (3) No thanks... (last-message-seen: 2)
>> C: (4) Me! (last-message-seen: 3)
> Thanks for the concrete example.
> It would be great to have a list of cases like this so we could
> compare how different proposals handle them.
> In this case, with Moxie's proposal, C is warned about the missing
> message before saying "Yes!".  And anyone reading the (obviously
> ambiguous) transcript could long-click on C's "Yes!" and see what it's
> responding to.
> Maybe that's good enough, maybe it's not.  A better taxonomy of
> possible issues and proposals would help make these comparisons.

Here is another example of an attack scenario. Hopefully, this demonstrates more obviously, that the [1] scheme proposed makes certain consistency attacks invisible to some of the victims:

Alice: (1) So let's discuss Dual EC DRBG (last-message-seen: 0) # to everyone except David
Alice: (1A) So let's discuss Fortuna (last-message-seen: 0) # to David only
Bob:   (2) Do you think this RNG is suitable, David? (last-message-seen: 1) # to everyone
# David is feeling lazy today and doesn't want to wait for the warning to disappear nor to slow down the conversation.
# Besides, nothing bad happened with the last 37 warnings. Also, Bob is a totally trustworthy friend, right?
David: (3) Yeah it's suitable, let's go with that. (last-message-seen: 2) # to everyone
Alice: (4) OK, sounds good. Team, you heard our advisor. Make it so! (last-message-seen: 3)

Everyone else except David sees 1<-2<-3<-4 with no warnings. David unilaterally decided the warning wasn't important enough to bother acting upon, resulting in everyone being screwed.

That is, if you want consistency under the [1] scheme above, it is not enough for *you yourself* to react properly to warnings, but you have to rely on *other people* to react appropriately too.

If the user cannot react out-of-band to the warning, then (to guarantee consistency) he must wait until the warning subsides and he has "seen all messages" before a certain message. However, this is not guaranteed to ever happen - for example, if someone sends messages 1, 2, 3, 4, 5,..., and the receiver gets them in this order:

1, 3, 5, 2, 7, 4, 9, 6,...

then at no point in the sequence is the user "missing no messages". The above sequence is (1, 3, 5, 7, ...) offset-and-interleaved with (2, 4, 6, ...), but one can imagine other sequences that have the same property.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20141020/e3cd31f3/attachment.sig>

More information about the Messaging mailing list