search

urbit / urbit.org

The source for urbit.org
https://urbit.org
MIT License
93 stars 197 forks source link

Peer-Peer Crypto Documentation #824

Closed eaterjolly closed 3 years ago

eaterjolly commented 8 years ago

Bearing in mind that the crypto is likely the most sensitive part of the project and extensive documentation may speed exposing vulnerable points, understanding the full extent of peer-enforced powers versus protocol-enforced powers granted by the certificates/sibyls. Also, to what degree are private keys and re-signing are significant? A person concerned about security may want to initiate a physical barrier between key calculations and the network connected client (such as usb to carry messages or manual data-entry).

A person skeptical of the legitimate monopoly of force, might be curious of the "pre-mining" process, practicality of "side-chaining" the network, and/or cross-compatibility between networks (or conflicting ~zod). Suggesting that doubt is an option may cut into the legitimacy of Tlon, but, if the electorial system is effective and legitimacy popular, it should be a negligible assurance.

More specific questions might be: are stars able to invalidate planets? If so, is it still deterministic that they were infact once valid? What algorithms can be used to efficiently create these keys and how much arbitrary work goes into the creation of a new sibyl, since P vs NP is still something to factor into. It's reasonable the believe that the underlining key of ~zod is vulnerable since it can be reasonable that facebookcorewwwi.onion proved the feasibility of breaking sha-256 and that the most recent supposed forgery of a single Satoshi private key. This makes wondering what algorithm is being used definitely a relevant longevity concern.

UDP choice seems to be controversial, though for the uninitiated in the halls of cisco, it may require some more documentation on how the actual association engine of messages and listeners works and why it works the way it does to defend or criticize.

And, as mentioned elsewhere, there is no redundancy of work between Urbit and Juan Benet's IPFS, however there could be said to be a redundacy of work between Urbit's addressing system and Juan Benet's IPNS which provides similar level of functionality at the moment, however has vaporware roadmap promising more deeply elaborated ethical considerations about the matter. The ultimately interesting question is, could urbit implements an alternative IPNS scheme or perhaps even some twisted hybrid scheme? The ethical considerations of a hybrid potential, likely out-weigh either's merits through mere individual choice, unless we don't believe in the power of that any more.

With the entire Vulture repayment model hinging on the value of such a system, centralized control and disenfranchising such compatibility would be incentivized even when destructive, so ethically how does one justify not documenting this most contraversial aspect. And, to everyone not associated and just reading, how do you justify not asking? Legitimately this is likely a lapse in consideration, but a cynical mind could paint it as malicious and reasonably so. If we can't hold ourselves accountable, the question, these days, is: who will?

Disclaimer: primary computer has only <600 mbs of ram; unable to actually use urbit.

ohAitch commented 8 years ago

Cross-compatibility between two claimants on the same galaxy with different keys, or their children, is nonexistent; similarly, whoever is in the %ames of any other galaxy / families wins, and the other is ignored by said family tree. Tlon is legitimate by virtue of maintaining the popular distribution, and allocating itself a sizable portion of galaxies in that distribution.

On Monday, 27 June 2016, eaterjolly notifications@github.com wrote:

Bearing in mind that the crypto is likely the most sensitive part of the project and extensive documentation may speed exposing vulnerable points, understanding the full extent of peer-enforced powers versus protocol-enforced powers granted by the certificates/sibyls. Also, to what degree are private keys and re-signing are significant? A person concerned about security may want to initiate a physical barrier between key calculations and the network connected client (such as usb to carry messages or manual data-entry).

A person skeptical of the legitimate monopoly of force, might be curious of the "pre-mining" process, practicality of "side-chaining" the network, and/or cross-compatibility between networks (or conflicting ~zod). Suggesting that doubt is an option may cut into the legitimacy of Tlon, but, if the electorial system is effective and legitimacy popular, it should be a negligible assurance.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/urbit/docs/issues/59, or mute the thread https://github.com/notifications/unsubscribe/ABxXhmsOEnk33haFPqjrKxYOFWxLeqEvks5qQLcIgaJpZM4I_w-E .

galenwp commented 8 years ago

I'm not really the person to comment on most of what's brought up here: but I will say that any lack of documentation is simply a mistake to be fixed. We still have work to do on our docs — there's certainly no intent to obfuscate. @juped might be a good person to comment on the actual crypto code.

juped commented 8 years ago

The specification is in the whitepaper: http://media.urbit.org/whitepaper.pdf

eaterjolly commented 8 years ago

@juped Admitably only having read seemingly relevant sections prior to posting, please correct me if I missed anything crucial to answering my inquiry, which I don't think would be the case else I wouldn't bother raising the issue.

"Ames addresses are 128-bit atoms. Addresses above 64-bit are hashes of a public key. 64, 32, and 16-bit addresses are initially signed by their half-width prefix. Initial fingerprints of 8-bit addresses are hardcoded. 8, 16, and 32-bit addresses sign their own key updates and are “sovereign.” Prefix servers are also supernodes for P2P routing."

Does hardcoded mean a bootstrap where a public key of aribrary proquint is assoiated with the galaxy/star/universe(~zod) standard proquinf, as it would be inplied by comets simply having the verse? I appologize if raising this issue was based on a misinterpretation of current documentation.

"They start with a cryptosuite byte for algorithm update, so we can think of all algorithms as a single meta-cryptosystem" and "[The "cryptosuite's"] replacement B (crub) is AES in SIV mode [11], SHA-256, Curve25519 and Ed25519."

Does this imply eventual compatiblity with IPFS's 'multihash' fileformat? My understanding was that the ship was the public key, which would require a more obscure cryptoformula sure. Ethereum mandates use of Keccak-256, so is this implying Urbit isn't crypto-specific, if not 'multihash' compatible?

With minimal understanding of the properties of existing crypto and the passing of meta data through them available, how does the prefix signing work? Can one simply chop a hash in half and still recognize it's owner? Resigning keys are mentioned, however there is no mention of when resignature is necessary for the protocol to work, but the implication would be that this is only when ownership changes or a sibyl is created. Even with all these notes, it's still unclear: what delivers the infeasible of forging a new galazy key of the current ~zod (if its only a bootstrapped pass/ship association, then couldn't an insurgent bootstrap name a new galaxy?) and what is the actual barrier between accepting this ~zod as legitimate and accepting both this and another ~zod as both legitimate (which would create a new spin on the byzantine fault tolerance problem). There is some brief mention of the possible existence of illegitimate galaxies in the Interim Constitution, mostly notating that they are excluded from proceedings.

My only concern @galenwp was that discussion of this phenomenon is (at the moment) mysteriously absent from any formal documentation. @ohAitch If their is no method by which arbitrary difficlty could result in a "coup" so to speak the Tlon corporation would be incentivised to ONLY give galaxies to those with more 'fallible' morals than there own, since usurption would only be possible by expatriation (which is a clever protection preventing the _need_ for usurption, by having a graduated incentive for moral reputation). Again this might all be a bit dramatic, since if the only time resigning is necessary is in sibyl creation, then hardly any power after the fact is really held. (and galaxies would be more akin to a bank than a full government: A government can invalidate a passport with force, while a bank can try to invalidate a currency).

ohAitch commented 8 years ago

Hardcoded means https://github.com/urbit/arvo/blob/master/arvo/ames.hoon#L145-L400, which is compiled into the urbit.pill bootstrapping binary, and thereafter available as source on any ship. Urbit is not crypto-specific, but the initial key is, so a valid galaxy must have a certificate chain signed by the initial one. If someone gets a hold of it, there is a key-pinning race; someone losing but trying to keep using the forked galaxy is probably what was referred to as "illegitimate" in the governance structure.

Prefix signing = ~nec 0x01 signs ~marbud 0x0201 signs ~mislem-ronrem 0x3333.0201. Addresses are only hashes if they're >64bits, the smaller ones are distributed hierarchically, bottoming out in the hardcoded galaxies.

An insurgent bootstrap could certainly name a new galaxy, and the other Galaxy owners would refuse to cooperate only on the principle that it would set a bad precedent wrt them continuing to be galaxy owners.

On Tuesday, 28 June 2016, eaterjolly notifications@github.com wrote:

@juped https://github.com/juped Admitably only having read seemingly relevant sections prior to posting, please correct me if I missed anything crucial to answering my inquiry, which I don't think would be the case else I wouldn't bother raising the issue.

"Ames addresses are 128-bit atoms. Addresses above 64-bit are hashes of a public key. 64, 32, and 16-bit addresses are initially signed by their half-width prefix. Initial fingerprints of 8-bit addresses are hardcoded. 8, 16, and 32-bit addresses sign their own key updates and are “sovereign.” Prefix servers are also supernodes for P2P routing."

Does hardcoded mean a bootstrap where a public key of aribrary proquint is assoiated with the galaxy/star/universe(~zod) standard proquinf, as it would be inplied by comets simply having the verse? I appologize if raising this issue was based on a misinterpretation of current documentation.

"They start with a cryptosuite byte for algorithm update, so we can think of all algorithms as a single meta-cryptosystem" and "[The "cryptosuite's"] replacement B (crub) is AES in SIV mode [11], SHA-256, Curve25519 and Ed25519."

Does this imply eventual compatiblity with IPFS's 'multihash' fileformat? My understanding was that the ship was the public key, which would require a more obscure cryptoformula sure. Ethereum mandates use of Keccak-256, so is this implying Urbit isn't crypto-specific, if not 'multihash' compatible?

With minimal understanding of the properties of existing crypto and the passing of meta data through them available, how does the prefix signing work? Can one simply chop a hash in half and still recognize it's owner? Resigning keys are mentioned, however there is no mention of when resignature is necessary for the protocol to work, but the implication would be that this is only when ownership changes or a sibyl is created. Even with all these notes, it's still unclear: what delivers the infeasible of forging a new galazy key of the current ~zod (if its only a bootstrapped pass/ship association, then couldn't an insurgent bootstrap name a new galaxy?) and what is the actual barrier between accepting this ~zod as legitimate and accepting both this and another ~zod as both legitimate (which would create a new spin on the byzantine fault tolerance problem). There is some brief mention of the possible existence of illegitimate galaxies in the Interim Constitution, mostly notating that they are excluded from proceedings.

My only concern @galenwp https://github.com/galenwp was that discussion of this phenomenon is (at the moment) mysteriously absent from any formal documentation. @ohAitch https://github.com/ohAitch If their is no method by which arbitrary difficlty could result in a "coup" so to speak the Tlon corporation would be incentivised to ONLY give galaxies to those with more 'fallible' morals than there own, since usurption would only be possible by expatriation (which is a clever protection preventing the need for usurption, by having a graduated incentive for moral reputation). Again this might all be a bit dramatic, since if the only time resigning is necessary is in sibyl creation, then hardly any power after the fact is really held. (and galaxies would be more akin to a bank than a full government: A government can invalidate a passport with force, while a bank can try to invalidate a currency).

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/urbit/docs/issues/59#issuecomment-229154272, or mute the thread https://github.com/notifications/unsubscribe/ABxXhqzodLybE9VOOjikDqAumc_vlYPWks5qQXQqgaJpZM4I_w-E .

eaterjolly commented 8 years ago

Isn't it the peers in question recieving a message who in turn decide whether or not to accept the certificate of an insurgent galaxy? Unless there is some sort of renewal process be necessary (which I'm sure would be necessary as the P versus NP ratio gradually depreciate over time, both through discovery and through weakening of the underlining formula) in order to maintain "Star Citizen"-ship (great game; great pun, btw xD).

If the longterm authority of the Tlon is based on the inveritable weakness of the crypto, that is a terrible precedent, however I admit that in this case it matters little since it's probably better to recognize and allow a certain degree of weakness, rather than purport a perfect identity theater. Ultimately projects such as bitcoin profit on a degree of secure crypto, where severe re-calculation doesn't make "more" P alternatives more attractive to research. While Tlon would gain legitimacy through the depreciation of NP due to requiring certificate resigning and key updates, a total collapse of the algorithm would make renewals almost pointless and, there-being already severely enough incentive already for bitcoin miners to research proprietary weaknesses in the algo's, Tlon would pressumably have no incentive to weaken the protocol and that their position would be based on disillusionment and pragmatic foresight of an almost Machiavelian nature in this case. Again, I don't claim to be an expert in the matter, so I may be wrong.

This consideration, coming mostly from deduction, I appologize if there was any cynical tone. It would still be very useful to discuss this more in the documentation, as it is very unclear from what's written alone, just how one derives authority in Urbit. While obviously preferrable that it be leaning more economically in exchange, it is very reassuring that fail-safes be discussed incase of an eminent however unreached collapse in the network be reached. That's probably the most dangerous time for people, because things still have value based purely on uncertainty and latency of information however understanding that a galaxy theoretically _can_ be created in extreme circumstances to adopt mis-informed late investors post-collapse can avoid panic and shock-strategy economics.

It seems quite vain that a galaxy owner would refuse to renew a planets key _simply_ because they accept the sibyl of an insurgent galaxy which is known not to be malicious to planets. Obviously (to me atleast) other digital perks can be based around digital property just as coin and vouchers held in ethereum. These coin being validated by contracts owned by stars and galaxies distributed to their respective sibyl-citizens, could create the basis for a real and true government structure in the virtual world, where punishment could be scaled appropriately and the ultimate punishment would be refused renewal.

The only thing missing is a real world supply chain to transport (differing degrees of ephemeral)-capital, namely food preserves, hardware, and livingwares.

eaterjolly commented 8 years ago

(The chief implication being, each star/galaxy would have it's own real world or (arbitrary-work) artistic or (arbitrary-work) endorsement requirments for newly joining sibyls. Mostly the difference would be technically arbitrary, but culturally and ethically significant in non-normative unobvious fashion.)

(Cooperation being non-trivial, each citizen would have to invest confidence in a particular sibyling method of the star to which they belong, engaging in free-trade (of ideas) within the same system with negotiated partial tax on interstellar trade (of ideas) and a negotiated full tax on intergalactic trade (of ideas).)

ohAitch commented 8 years ago

The peers do decide whether to accept the new certificate; and the renewal process is communicating said new certificate to all existing peers. Non-peers are less critical, though in practice at least on the star level all updates are flooded across the network.

The longterm authority of Tlon is intended to disappear, or rather be complemented by similar levels of authority from other galaxy-holders. "Pre-mined" namespace sales are intended purely for the bootstrapping phase, with later revenue coming from support and hosting, with a healthy amount of competition.

Galaxy and star owners have no control over the renewal of planet keys. They could perhaps refuse to route packets to it, but this only affects new peers, and can be circumvented(though the feature is not yet implemented) by migrating to a different star.

On Tuesday, 28 June 2016, eaterjolly <notifications@github.com javascript:_e(%7B%7D,'cvml','notifications@github.com');> wrote:

Isn't it the peers in question recieving a message who in turn decide whether or not to accept the certificate of an insurgent galaxy? Unless there is some sort of renewal process be necessary (which I'm sure would be necessary as the P versus NP ratio gradually depreciate over time, both through discovery and through weakening of the underlining formula) in order to maintain "Star Citizen"-ship (great game; great pun, btw xD).

If the longterm authority of the Tlon is based on the inveritable weakness of the crypto, that is a terrible precedent, however I admit that in this case it matters little since it's probably better to recognize and allow a certain degree of weakness, rather than purport a perfect identity theater. Ultimately projects such as bitcoin profit on a degree of secure crypto, where severe re-calculation doesn't make "more" P alternatives more attractive to research. While Tlon would gain legitimacy through the depreciation of NP due to requiring certificate resigning and key updates, a total collapse of the algorithm would make renewals almost pointless and, there-being already severely enough incentive already for bitcoin miners to research proprietary weaknesses in the algo's, Tlon would pressumably have no incentive to weaken the protocol and that their position would be based on disillusionment and pragmatic foresight of an almost Machiavelian nature in this case. Again, I don't claim to be an expert in the matter, so I may be wrong.

This consideration, coming mostly from deduction, I appologize if there was any cynical tone. It would still be very useful to discuss this more in the documentation, as it is very unclear from what's written alone, just how one derives authority in Urbit. While obviously preferrable that it be leaning more economically in exchange, it is very reassuring that fail-safes be discussed incase of an eminent however unreached collapse in the network be reached. That's probably the most dangerous time for people, because things still have value based purely on uncertainty and latency of information however understanding that a galaxy theoretically can be created in extreme circumstances to adopt mis-informed late investors post-collapse can avoid panic and shock-strategy economics.

It seems quite vain that a galaxy owner would refuse to renew a planets key simply because they accept the sibyl of an insurgent galaxy which is known not to be malicious to planets. Obviously (to me atleast) other digital perks can be based around digital property just as coin and vouchers held in ethereum. These coin being validated by contracts owned by stars and galaxies distributed to their respective sibyl-citizens, could create the basis for a real and true government structure in the virtual world, where punishment could be scaled appropriately and the ultimate punishment would be refused renewal.

The only thing missing is a real world supply chain to transport (differing degrees of ephemeral)-capital, namely food preserves, hardware, and livingwares.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/urbit/docs/issues/59#issuecomment-229218762, or mute the thread https://github.com/notifications/unsubscribe/ABxXhiVjPMng9zT7fD7-Fw8EqiT8TNy7ks5qQbRIgaJpZM4I_w-E .

eaterjolly commented 8 years ago

Yes, perhaps I referred directly to Tlon too liberally here. There is a lot of question of governence when it comes to Urbit, but not a lot of information on what 'powers' exist with regards to the address space or what stake planets have which provide a medium for force to be used. As the saying goes government is just "a community of people with the monopoly on the legitimate use of force".

I forgot the part where planets are also considered "sovereign". Is this a block that could happen on a large scale isolating someone or does it just affect network information such as a full list of peer names/passes that could be more-or-less attained from peers as well? Theoretically if Urbit was a person's default access to the internet, then how could they contact a new star if their current malicious one controlled the routing of the messages?

Also, I pressume a key-pinning race is a race to maintain legitimacy by convincing peers to endorse a key update, after an old key has been compromised? (regardless of if planet or above.)