Re: [Trans] Design of gossip

Linus Nordberg <> Mon, 29 September 2014 13:36 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4E7FE1A1A6E for <>; Mon, 29 Sep 2014 06:36:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.829
X-Spam-Level: *
X-Spam-Status: No, score=1.829 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_NEUTRAL=0.779] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rvBKARvpSe3j for <>; Mon, 29 Sep 2014 06:36:51 -0700 (PDT)
Received: from ( [IPv6:2001:6b0:8:2::202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CCA131A1AFF for <>; Mon, 29 Sep 2014 06:36:45 -0700 (PDT)
Received: from ( [IPv6:2001:948:4:6::32]) by (8.14.4/8.14.4/Debian-4) with ESMTP id s8TDagku011374 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 29 Sep 2014 15:36:42 +0200
Received: from ( []) by (8.14.7/8.14.7) with ESMTP id s8TDaccc029272 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 29 Sep 2014 13:36:41 GMT
VBR-Info:; mc=all;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=default; t=1411997802; bh=J/RzBjCfaGloUjbW6wyUTRovV5KGgUB3G+3fjnOG+jU=; h=From:To:Cc:Subject:References:Date:In-Reply-To; b=BK3VwL3YUK2SS1K/sEMwMRJPlpUW7kkdURDS4wj5OLwh4ocRG9HPZDwCUZ4CcHWPo joCUeK+B8KfE3hbRmMO7+m5PZpMCXgQGjG8ZjW1vYfuWoxpUAzwtLkEyx7RnXUUHZj cczKCuOIYp36SAV7fbpJ/mXeBHuTaXiaAjFJR2MQ=
X-Footer: bm9yZHUubmV0
Received: from ([]) (authenticated user by (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)); Mon, 29 Sep 2014 15:36:40 +0200
From: Linus Nordberg <>
To: Watson Ladd <>
Organization: NORDUnet A/S
References: <>
Date: Mon, 29 Sep 2014 15:37:44 +0200
In-Reply-To: <> (Watson Ladd's message of "Sat, 27 Sep 2014 10:42:30 -0700")
Message-ID: <>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Scanned-By: CanIt (www . roaringpenguin . com)
X-Scanned-By: MIMEDefang 2.74 on
X-p0f-Info: os=unknown unknown, link=Ethernet or modem
X-CanIt-Geo: ip=; country=SE; latitude=62.0000; longitude=15.0000;,15.0000&z=6
X-CanItPRO-Stream: outbound-nordu-net:outbound (inherits from outbound-nordu-net:default, nordu-net:default, base:default)
X-Canit-Stats-ID: 0aMV1AGxI - debe60d5e118 - 20140929
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Cc: "" <>
Subject: Re: [Trans] Design of gossip
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 29 Sep 2014 13:36:53 -0000

Watson Ladd <> wrote
Sat, 27 Sep 2014 10:42:30 -0700:

| The first choice is what to gossip: tree heads and proofs or certs.

What's the reason for including proofs in the gossiping? Is it an
optimisation of network resources? My initial thought has been that
gossiping about anything that's not signed by logs opens up for attacks
against log reputation.

| Both have privacy implications: while certs more directly reveal which
| sites are visited, it's possible that tree heads will be unique per
| cert due to the impact of adding to a tree one cert at a time, so each
| precert will end up showing a different head. This is a tricky issue.

I think that this would have to be handled by stipulating that logs
cannot issue "crazy numbers" of STH's. Numbers get crazy and dangerous
when they come near some number related to the number of unique requests
for STH's. Unique per client, that is. (Imagine a log producing a new
tree head for each STH request and "watermarking" clients by recording
which unique STH was delivered to them, so that when someone come asking
for an inclusion proof for that STH, the log could link a site to a

If there's going to be any point in this maximum number of STH's issued
per something, it has to be auditable. In the CT case, I can think of
STH's per time unit and STH's per logged certificate.

A new log parameter _minimum_ merge delay could be defined for the per
time solution. The time would have to be chosen based on expected number
of STH requests per time unit.

For the "per new entry" idea, we would also have to add a new maximum
new entries per time unit. Not sure that this is such a great thing for
CT. Might be useful for other types of logs.

| The second choice is what gossip produces. In particular do we push
| consistency proofs towards clients, or pull the heads towards
| monitors? Either approach can work, but the first approach could save
| bandwidth: a consistent head does not need to be reported. The first
| also enables remembering what has been recorded. The second approach
| is simpler for gossipers.

I think consistent heads need to be reported too since that's the only
way to learn about you being the only one seeing a particular, from your
point of view well behaving, log.

I'm reading "consistent head" to mean an STH that checks out correctly
against an older trusted STH and a consistency proof from that point.

| The third choice is how to gossip. Probably the best approach is some
| sort of peer-to-peer network, with the possibility of using other
| servers if the P2P approach doesn't work. However, gossip needs to be
| censorship resistant, which can be a bit tricky. We also want gossip
| to deal with a small fraction of malicious nodes, which means some
| approaches are tricky: in particular nodes can't stop if some nodes
| say "we've heard it before".
| We also need to make sure we don't lose submitted heads, even as old
| heads grow in number. Using consistency proofs to reduce the number of
| heads helps with this problem.
| DHTs may be a workable approach, but I don't know of Byzantine proof
| ones. Flood-fill on random graphs scales if you make it publish only,
| but dealing with old data gets tricky: we want new nodes to learn it,
| without having to send it unnecessarily. Showing the result of an
| audit and backfilling can work, but we need to think about the details
| and try some experiments.

This is a pretty large subject. My initial thoughts are that i) boy are
there ways we could mess this up and ii) we don't want clients to have
to try to talk to other clients directly. Taken together that leads me
to a somewhat defensive model where clients use an already established,
untrusted, peer as a vehicle for conveying their gossip messages. That
doesn't mean one couldn't build a useful protocol on top of that though.