gnunet-developers

Re: AEADs


From: pukkamustard
Subject: Re: AEADs
Date: Wed, 21 Sep 2022 11:13:54 +0000

Hi Jeff,

Jeff Burdges <burdges@gnunet.org> writes:

> I've a friend using ERIS https://inqlab.net/projects/eris/ which is
> based on https://grothoff.org/christian/ecrs.pdf and someone audited.

A more recent version of the ERIS specification has been published at

http://purl.org/eris

(I have now set up a redirect from the URL you posted)

There's also a project page with some further information:

https://eris.codeberg.page/

> It does some signature check instead of using an AEAD, which maybe fine,
> and maybe better for encryption-at-rest, about which they seemingly
> care, but maybe also leaks something via side channels if done wrong,
> like maybe if decryption occurs first.
>
> Can anyone give me some background on what this stuff is really for? 
> Why the encryption-at-rest appears?

ERIS does not do any signature checks.

ERIS encodes some content into a set of uniformly sized, encrypted and
content-addressable blocks as well as a short read capability.

The blocks can be stored and transported over different transport
protocols with relatively low security requirements.

The (short) read capability needs to be transported securely.

The primary motivation is to make content available robustly
(i.e. censorship resistance). See
http://purl.org/#name-censorship-resistance and the ECRS paper for more
on the security properties.

Examples of usages include:

- Distributing Guix substitutes (https://issues.guix.gnu.org/52555): The
  short read capabilities are published by the Guix project, but blocks
  can now be transported and cached by anybody over many different
  protocols (e.g. GNUNet, IPFS, HTTP, CoAP).

- For small pieces of RDF in the openEngiadina project
  (https://openengiadina.net/): Content is initially published over
  XMPP, but can be made available and transported further over many
  different protocols.

> And:  Why does it not use an AEAD like chacha20-poly1305?

During decoding, blocks are de-referenced by the hash of their
content. The decoding procedure verifies the integrity of every block
(by recomputing the hash).

As integrity is verified by the encoding itself there is no need to use
AEAD.

However, note that if you want to transfer read capabilities you need a
secure channel (authenticated and private) and this might require AEAD.

Cheers,
pukkamustard
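The point made above (integrity comes from content-addressing the encrypted blocks, so the decoder needs no AEAD tag, while the read capability itself still has to travel over a secure channel) as an added toy illustration, not code from ERIS or this thread. It assumes a constructed 32-byte block size, a keyed-BLAKE2b counter keystream standing in for a real stream cipher, and a flat list of references; the actual encoding is defined by the specification linked above and differs in cipher, block size, key derivation and structure.

```python
import hashlib

BLOCK_SIZE = 32  # constructed toy block size; real ERIS blocks are far larger


def _keystream(key: bytes, block_index: int, length: int) -> bytes:
    # Toy counter-mode keystream from keyed BLAKE2b; stands in for a real stream cipher.
    out = b""
    ctr = 0
    while len(out) < length:
        msg = block_index.to_bytes(8, "big") + ctr.to_bytes(8, "big")
        out += hashlib.blake2b(msg, key=key, digest_size=64).digest()
        ctr += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _ref(block: bytes) -> bytes:
    # The reference is the hash of the *encrypted* block, so any untrusted store
    # (or the decoder) can check a block without knowing the content key.
    return hashlib.blake2b(block, digest_size=32).digest()


def encode(content: bytes, key: bytes):
    """Pad, split into fixed-size blocks, encrypt each, store under its reference.
    Returns (read_capability, store); the capability is (key, ordered references)."""
    padded = content + b"\x80"                      # constructed 0x80-then-zeros padding
    padded += b"\x00" * (-len(padded) % BLOCK_SIZE)
    store, refs = {}, []
    for i in range(len(padded) // BLOCK_SIZE):
        plain = padded[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
        block = _xor(plain, _keystream(key, i, BLOCK_SIZE))
        refs.append(_ref(block))
        store[refs[-1]] = block
    return (key, refs), store


def decode(read_cap, store) -> bytes:
    """Fetch each block by reference, recompute its hash before decrypting,
    and reject the read if any block was altered or substituted in transit."""
    key, refs = read_cap
    out = b""
    for i, ref in enumerate(refs):
        block = store[ref]
        if _ref(block) != ref:
            raise ValueError(f"block {i} failed integrity check")
        out += _xor(block, _keystream(key, i, BLOCK_SIZE))
    return out[:out.rindex(b"\x80")]
```

Flipping a single byte of a stored block makes `decode` raise before any decrypted bytes are used, which is the property the reply attributes to hash-based de-referencing.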
