[Cryptography] Cryptographically securing a two-phase commit

matbit at airmail.cc matbit at airmail.cc
Fri Jul 31 06:11:28 EDT 2020 

>> On 2020-07-29 14:23, Peter Gutmann wrote:
>> Let's say you have a computationally somewhat expensive operation 
>> that's
>> performed as a two-phase commit (2PC). The details aren't important, 
>> but in
>> crypto terms think of it as receiving a large blob of signed data in 
>> PGP or
>> S/MIME format where you can't tell until you reach the signature at 
>> the end
>> whether it's valid or not. The prepare portion of the 2PC is receiving 
>> and
>> saving the blob, the commit/abort operation is checking the signature 
>> at the
>> end and either discarding it or acting on it.

> Doctor doctor, it hurts when I do that.
> 
> Patient, patient, don't do that.
> 
> Why don't you just store the bundle and do any expensive computation
> when it has all arrived.
> 
> You do a few public key operations to generate a shared secret when the
> pile of stuff begins, as every protocol does, you do symmetric
> decryption as it comes through, as every protocol does, and when you
> have a pile of stuff at the end, check it for validity, as every
> protocol does.
> 
> Well, I guess you have a terribly expensive test for validity, 
> something
> like a blockchain block which is an enormous pile of public key
> operations, and until you have done the last one, you do not know if 
> you
> have a valid block until you have done a huge number of public key
> operations and database lookups, one public key operation and one
> database lookup every thirty two bytes or so.
> 
> OK, the communication starts with the sender ID, you blacklist people
> who send you bad blocks, greylist people who send other people good
> blocks, whitelist people who send you good blocks, and you have a rule
> prohibiting ridiculously big blocks.
implementing kinda reputation system based on "sender id" in a 
distributed peer to peer system (for example a blockchain) is not a 
practical solution, since each node (potentially sender) can be 
connect/disconnect anonymously with no particular identifier(e.g. user 
name, IP, …).

More information about the cryptography mailing list