[messaging] Group messaging consistency under resource constraints

Ximin Luo infinity0 at pwned.gg
Mon Oct 20 10:22:15 PDT 2014 

On 20/10/14 18:10, Trevor Perrin wrote:
> On Mon, Oct 20, 2014 at 8:11 AM, Ximin Luo <infinity0 at pwned.gg> wrote:
>> On 10/10/14 23:09, Trevor Perrin wrote:
>>> On Fri, Oct 10, 2014 at 1:21 PM, Ximin Luo <infinity0 at pwned.gg> wrote:
>>>> On 10/10/14 21:06, Trevor Perrin wrote:
>>>>> [1] https://moderncrypto.org/mail-archive/messaging/2014/000372.html
> [...]
>>
>> Here is another example of an attack scenario. Hopefully, this demonstrates more obviously, that the [1] scheme proposed makes certain consistency attacks invisible to some of the victims:
>>
>> Alice: (1) So let's discuss Dual EC DRBG (last-message-seen: 0) # to everyone except David
>> Alice: (1A) So let's discuss Fortuna (last-message-seen: 0) # to David only
>> Bob:   (2) Do you think this RNG is suitable, David? (last-message-seen: 1) # to everyone
>> # David is feeling lazy today and doesn't want to wait for the warning to disappear nor to slow down the conversation.
>> # Besides, nothing bad happened with the last 37 warnings. Also, Bob is a totally trustworthy friend, right?
>> David: (3) Yeah it's suitable, let's go with that. (last-message-seen: 2) # to everyone
>> Alice: (4) OK, sounds good. Team, you heard our advisor. Make it so! (last-message-seen: 3)
>>
>> Everyone else except David sees 1<-2<-3<-4 with no warnings.
> 
> 
> David's "Yeah" should have last-messages-seen: 1A, 2.  So people are
> warned on receiving "Yeah" that they're missing context (1A).
> 
> ([1] wasn't clear that a message could reference multiple parents, but
> I'm pretty sure that's what was meant).
> 

OK, so could you (or Moxie) describe in more precise detail what exactly would be pointed to?

If there can be multiple parents, that suggests semantics of "all branch tips". But what happens in the case where I receive (1,2,3) ... (7,8,9)? 3 is an ancestor of 7, but I don't know that since I haven't received 4,5,6. Do I point to (3,9)? But that still doesn't *fully describe* the messages that I have missed, which is the root of why the above attack is possible.

As long as the "parent pointers" are not an unambigious description of what I have actually seen, a consistency attack like the one above is possible. It would just take me longer to come up with a convincing attack scenario... OTOH, coming up with a compact scheme that does unambigiously describe what I have seen, would fix the attack, and be a huge step forward. (I haven't managed to come up with one that isn't complex or inefficient, though.)

X

-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20141020/24bc4244/attachment.sig>

More information about the Messaging mailing list