[tahoe-dev] 100-year cryptography

Chris Palmer chris at noncombatant.org
Tue Mar 9 14:38:56 PST 2010


Justin Stottlemyer writes:

> In 5 years you will have had to move an object at least once and can
> re-encrypt at that time using the now faster CPU.

Hard to guarantee that all the old ciphertext is really gone. A key
implication of the very loose coupling between client and server that
Tahoe-LAFS and Octavia adopt is that there can be no such guarantee. I
haven't even bothered to implement the Delete{Request,Response} messages,
and I only created them as an afterthought, and grudgingly. I don't want to
even hint that I support things that are impossible to really support.
"Servers MAY give a crap, and probably SHOULD, but rarely DO."

In particular, a goal of Octavia is to allow for clients and servers that
live in radically different administrative domains, with no necessary
assumptions about shared policy. For example, a server may set a garbage
collection policy as follows: "For each client registration (== key
sharing), I allow that client entity to store 20GB of blocks with me. When
they try to store a block more than that, I just delete their
oldest/least-recently accessed/stinkiest block. I am a very busy server with
no time to waste, so I simply ignore DeleteRequest." This server chooses to
be generous with space and parsimonious with time; maybe enough clients will
be satisfied with its space generosity to not be bothered about its
ignorance of DeleteRequests.

Another server might do its job by opaquely proxying StorageRequests to
other hosts that are Octavia servers, and those servers might be in many
other administrative domains. So the proxy server could hardly claim to
reliably delete ciphertext in other domains...

I understand Tahoe-LAFS does not claim to reliably delete ciphertext.

> Additionally in 10 years, how likely is it the data you are encrypting
> today is going to be very poignant?

That is not for us to decide; it is for our users to decide.

Fun fact about users: They think we did our job competently. Zooko and I
are hoping to meet a very high expectation bar, as implied by the phrase
"100-year cryptography".

> Speed is key to adoption.

Symmetric crypto is only rarely the bottleneck in a real application usage
scenario. We should not be slaves to microbenchmarks; as Ferguson and
Schneier say, "We already have enough fast, insecure systems."
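
The garbage collection policy described in the message above, as an added example that is not part of the original post and is not Octavia or Tahoe-LAFS code: a server with a per-client quota that evicts the least-recently-used block and ignores DeleteRequest, so old ciphertext outlives a re-encryption until quota pressure happens to remove it. The class, method and block names are hypothetical, and the 20GB quota is scaled down to 20 bytes.

```python
from collections import OrderedDict


class QuotaServer:
    """Hypothetical server: per-client byte quota, LRU eviction, deletes ignored."""

    def __init__(self, quota_bytes):
        self.quota = quota_bytes
        self.blocks = {}  # client id -> OrderedDict(block id -> bytes), oldest first

    def store(self, client, block_id, data):
        held = self.blocks.setdefault(client, OrderedDict())
        held.pop(block_id, None)          # re-storing a block refreshes its position
        held[block_id] = data
        evicted = []
        # Over quota: drop least-recently-used blocks, but never the one just stored.
        while sum(len(b) for b in held.values()) > self.quota and len(held) > 1:
            old_id, _ = held.popitem(last=False)
            evicted.append(old_id)
        return evicted

    def fetch(self, client, block_id):
        held = self.blocks.get(client, {})
        if block_id not in held:
            return None
        held.move_to_end(block_id)        # an access counts as recent use
        return held[block_id]

    def delete_request(self, client, block_id):
        # The policy from the post: the server is busy and simply ignores this.
        return None


def old_ciphertext_survives(quota_bytes, later_blocks):
    """Re-encrypt, ask for deletion, store more data; is the old block still there?"""
    server = QuotaServer(quota_bytes)
    server.store("alice", "v1", b"A" * 4)     # constructed: ciphertext under old key
    server.store("alice", "v2", b"B" * 4)     # constructed: re-encrypted copy
    server.delete_request("alice", "v1")      # client believes v1 is gone
    for i in range(later_blocks):
        server.store("alice", f"fill{i}", b"F" * 4)
    return server.fetch("alice", "v1") is not None


if __name__ == "__main__":
    for n in (0, 3, 4):
        print(n, "later blocks -> old ciphertext present:",
              old_ciphertext_survives(20, n))
```
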


