fwessels
commented
6 years ago Couple of remarks
- since we only compare checksums within a single part (and not across parts, objects or let alone minio servers), if a bit rot would result in an equivalent checksum to the checksum of another part, this would not matter.
- if two different bit rots for the same part would generated the same checksum, but as long as it is different from the original checksum, we would have a 'collision' but it would not matter in minio's case.
- if encryption is used on top, then an undetected bit rot (if it were to happen) would fail the decryption.
aead
Requirements
Since we use a hash-based bitrot protection approach we need a (hash) function
fmapping value of arbitrary length to a value of a fixed length. The functionfmust satisfy the following properties:f(x) = ymust be deterministic. That means thatf(x)always evaluates toyand not tozat some point in timefwith k different randomly chosen inputsx1, ..., xkshould differ with probabilityP = e-((k (k-1)) / (2 2n))wherenis length of the output values off.The 1. requirement is kind of obvious - if
fis not deterministic it is not possible to reliable verify the integrity of data. The 2. requirement is derived from the strong collision requirement. However in contrast to the general birthday problem we are not interested in "constructed" collisions. Therefore we define a requirement violation as a collisions of randomly chosen inputs. A constructed collision would imply and intelligent adversary exploiting a mathematical weakness of a given mappingfto find collisions with a probabilityP' > P. However bitrot protection is not designed to withstand an attacker because the adversary can simple modify the data and replace the stored hash value with the hash value of the modified data.Random Oracle and PRF
A cryptographic secure hash function - like BLAKE2b-512 - always satisfies our requirements since it provides strong collision resistance which does not restrict the input values to be chosen randomly. A random oracle and following a PRF (like SipHash / HighwayHash) also satisfies our requirements since a PRF can be constructed from our function f` using the following scheme:
|ki| = |xi|yi = f(ki ⊕ xi)This implies that SipHash, HighwayHash and BLAKE2b can be used for bitrot protection because of their mathematical properties. (Since we discarded Poly1305 anyway I don't discuss it here further)
However SipHash and HigwayHash are PRFs and require a secret key. The secret key can be securely omitted if the PRF provides strong collision resistance for a fixed (but unkown) secret key which is the case for SipHash and HighwayHash.
Choice of hash size
The following list shows the number of data modifications that can happened before the probability for an undetected bitrot exceeds 50%:
k = 232 + 229 + 228the probability for a collisionPc = 1-e-((k (k-1)) / (2 2n)) = 0.506 ~= 50%That would mean that the probability for one undetected bitrot is about 50% after 5100 million computations - roughly speaking 5 billion objects with bitrot in our case.k = 264 + 261 + 260the probability for a collisionPc = 1-e-((k (k-1)) / (2 2n)) = 0.506 ~= 50%That would mean that the probability for one undetected bitrot is about 50% after 21905508 trillion computations - roughly speaking 21905508 trillion objects with bitrot in our case.k = 2128 + 2125 + 2124the probability for a collisionPc = 1-e-((k (k-1)) / (2 2n)) = 0.506 ~= 50%That would mean that the probability for one undetected bitrot is about 50% after4.04×1038computations - This is far beyond practical computation and can be treated as impossible.Notice that this numbers refer to all minio instances. So for example if we talk about 5 billion objects with bitrot than we mean 5 billion distributed over all minio instances all over the world. Basically 50% chance of undetected bitrot on one minio server somewhere on the planet earth. (Except aliens are using minio :wink:)