Np1sec/incremental consistency

Revision as of 18:46, 8 September 2014 by Infinity0 (Talk | contribs)

This builds on the server-dictated ordered transcript hashes currently mentioned in SenderKeys.

Definitions

A message m is fully-acked (from the POV of a given member u) iff, for all recipients r, u has accepted a message by r where seqnum(parent(r)) > seqnum(m).

  • recipients possibly includes u, but certainly excludes m's sender
  • accepted means delivered locally, i.e. received, then decrypted-verified including parent hash checks; all causally-previous messages must already be accepted
    • we assume a server-dictated ordering, so accepting a message at seqnum i means we have already accepted all messages j ≤ i.

Consistency

When a member u wants to part, they send a "farewell" message m:

  • everyone should explicit-ack this message ASAP
    • this message should contain the next-sender-key, to be used after u leaves, encrypted to everyone except u. (Hopefully this addresses the concern Joe brought up.)
    • could probably do something similar for group keys
  • when this message is fully-acked, u gains consistency for all previous messages up to m, and may leave
    • other messages should be probably be discarded, u won't have a chance to verify their consistency.
  • TBD: need to think about simultaneous parts

When a member u accepts a non-explicit-ack message m at time t

  • if u did not send m, and they have not acked m by t+MAX_GRACE, they should send an explicit-ack
  • if m is not fully-acked (from their POV) by t+(2*MAX_RTT)+(k*MAX_GRACE) (k slightly > 1) then issue a local UI warning. Cancel the warning if/when full-ack is reached later.

Parameters and properties

  • MAX_RTT should be based on the transport
  • MAX_GRACE should be based on expected user communication rate

This guarantees that a warning shows up if we don't reach consistency within the timeout defined above, ensuring timeliness.

In terms of overhead, effectively a user will send a message at least every MAX_GRACE time period, whilst the session has other people talking. When there is a lull in the conversation, there should be no further messages.

I'm confident we can tweak the parameters so servers don't see too much extra load, but have not tried to model this precisely.

We are still vulnerable to a "drop everything" attack, but that can't be helped unless we have unconditionally-periodic heartbeats. Not sure if we want to put these in the upcoming spec.

(The above is basically my msg-notes stuff, except assuming reliable transport, without recovery or flow control, without heartbeats, and adapted to a server-dictated ordering.)

Relative ordering

Ensure that messages received out-of-order are highly visible to the user.

A message m is unsynced if seqnum(parent(m)) < seqnum(m) - MAX_UNSYNC_COUNT

  • MAX_UNSYNC_COUNT may either be constant, or a linear function of the number of members, TBD.

These messages should be highlighted in some way in the UI that is not too severe. They are still valid messages; the user should just be informed that they refer to older context that may be surprising.

This definition is globally consistent (or else transcript consistency breaks) so it's easier to reason about, and the warning is simpler to explain than MAX_RTD.