[Cryptography] Auditable logs?

Zooko Wilcox-OHearn zooko at leastauthority.com
Tue Oct 28 00:33:27 EDT 2014

We have a fairly thorough design for extending the vocabulary of the
Tahoe-LAFS storage system for this. The added vocabulary item would be
an "add-only set", a set of items that I can authorize you to add
things into without authorizing you to remove or overwrite any of the

This would be straightforward if we would just rely on some third
party to run a server which will accept new ciphertexts from you but
will refuse to delete or overwrite any of your old ciphertexts. Then
the set would have the "add-only" property with respect to you, but
not with respect to that server! The server would have the power to
roll back to earlier versions of the set.

We weren't satisfied with this, because all of the current vocabulary
items in Tahoe-LAFS are enforced by end-to-end cryptography *without*
relying on any single server to enforce the properties and without
being vulnerable to any single server being able to violate the

(Those vocabulary items are: immutable things vs. mutable things,
files vs. directories, and read-only access vs. read-write access.)

So, we went pretty far in defining a data-structure/crypto-structure
that minimized the power of servers. The resulting design is still
vulnerable to rollback attack by a collusion of *all* of the servers,
but if the reader connects to at least one server who is not in the
collusion, then the add-only property holds.

Here's the resulting design:


If you want even more detail, but more telegraphic in style, read the
rest of the comments after comment 13, and follow the link in comment
16 back to a mailing list post.
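Added example (not Zooko's code and not the Tahoe-LAFS design he links to): a toy replicated "add-only set" in Python that illustrates the threat model stated above. Servers accept only authenticated adds and expose no delete or overwrite operation, so the only way a server can "lose" an item is to misbehave, which the example simulates as an explicit rollback. The reader takes the union of what every reachable server reports, so a colluding subset cannot hide an item that any honest server still holds; only a collusion of all reachable servers can. The add capability is modelled as an HMAC key shared between writer and servers purely to stay in the standard library; in a real design the servers would hold a public verification key and the writer the private signing key. All names and values are constructed for this illustration.

```python
import hashlib
import hmac
from typing import Iterable, Set, Tuple

# Constructed illustration of the "add-only set" principle: the add-only
# property holds for a reader that reaches at least one honest server.


class AddOnlyServer:
    """One storage server holding an add-only set of opaque items.

    The server verifies that each add carries a valid tag under the set's
    verify key. There is deliberately no delete or overwrite method; a
    server that drops items is misbehaving, simulated by rollback_to().
    """

    def __init__(self, name: str, verify_key: bytes) -> None:
        self.name = name
        self._verify_key = verify_key  # stand-in for a public verification key
        self._items: Set[bytes] = set()

    def add(self, item: bytes, tag: bytes) -> bool:
        # Accept an item only if the tag proves the writer held the add capability.
        expected = hmac.new(self._verify_key, item, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self._items.add(item)
        return True

    def list_items(self) -> Set[bytes]:
        return set(self._items)

    def rollback_to(self, snapshot: Set[bytes]) -> None:
        # Malicious or faulty behaviour: revert to an older state of the set.
        self._items = set(snapshot)


class Writer:
    """Holder of the add capability for the set."""

    def __init__(self, add_cap: bytes) -> None:
        self._add_cap = add_cap  # stand-in for a private signing key

    def add_to(self, servers: Iterable[AddOnlyServer], item: bytes) -> int:
        tag = hmac.new(self._add_cap, item, hashlib.sha256).digest()
        return sum(1 for s in servers if s.add(item, tag))


def read_set(servers: Iterable[AddOnlyServer]) -> Set[bytes]:
    """Reader view: the union of what every reachable server reports.

    A colluding subset of servers can each withhold items, but an item
    retained by any honest server the reader reaches stays in the view.
    """
    view: Set[bytes] = set()
    for s in servers:
        view |= s.list_items()
    return view


def demo() -> Tuple[Set[bytes], Set[bytes]]:
    """Two of three servers roll back; return (view with an honest server,
    view if the reader only reaches the colluding servers)."""
    add_cap = b"constructed-add-capability"
    servers = [AddOnlyServer(f"server-{i}", add_cap) for i in range(3)]
    writer = Writer(add_cap)

    writer.add_to(servers, b"entry-1")
    old_state = servers[0].list_items()
    writer.add_to(servers, b"entry-2")

    # Servers 0 and 1 collude and revert to the state before entry-2.
    servers[0].rollback_to(old_state)
    servers[1].rollback_to(old_state)

    with_honest = read_set(servers)          # server-2 still holds entry-2
    only_colluders = read_set(servers[:2])   # rollback succeeds here
    return with_honest, only_colluders


if __name__ == "__main__":
    honest, colluded = demo()
    print("reader reaching an honest server sees:", sorted(honest))
    print("reader reaching only colluders sees:  ", sorted(colluded))
```

The second return value of `demo()` is the caveat in the post: when every server the reader can reach is in the collusion, nothing in the data structure itself reveals the rollback, which is why the design's guarantee is conditioned on reaching at least one honest server.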
