Formal Treatment

This section is currently a start to a formal treatment of the snackabra design - this is early. The reality of the ~3 year development period has been to begin with a simple implementation using readily available building blocks, then iterating with input from internal discussions combined with progressively deeper research into academic work. We expect this to continue for some time, and we continue to appreciate any and all inputs, critiques, and pointers to relevant work.

Within the scope of tentative steps, we begin not with the core room (group) chat service, but with the storage service. This is for two reasons: firstly we have more confidence that any issues that arise with chat messaging can be addressed, given the large amount of work done in this space, whereas for the storage service, it feels like we are breaking some new ground, which is always worrisome. Probably for that reason, the storage design has attracted more initial interest and questions, which is the second reason to prioritize it.

Photos and Files (Blobs)

For a new group chat service to be a credible alternative to the myriad existing alternatives, it needs these basic features: text chat (either one-to-one or group) and photo sharing (again, either one-to-one or group). Seen from a more abstract view, a minimal messaging fabric needs to be able to exchange simple (text) messages, as well as arbitrary blobs of data. We picked photos first for reasons explained elsewhere.

For the purposes of this section, we will refer to any blob of data as \(\mathcal{M}\). [1] Small messages (next section) are referred to as \(\mathcal{m}\). [2] Consider Alice wants to send \(\mathcal{M}\) to Bob:

1. Alice creates a partial hash \(\mathfrak{H}_1(\mathcal{M})\). \(\mathfrak{H}_1\) and \(\mathfrak{H}_2\) are decompositions \(\mathfrak{H}(\mathcal{M}) = \mathfrak{H}_1(\mathcal{M}) | \mathfrak{H}_2(\mathcal{M})\). Alice sends this to the storage server, which returns a nonce \(\mathcal{iv}\) and salt \(\mathcal{s}\).

2. The server mantains a mapping \(\mathcal{T}'(h)\longmapsto\langle\mathcal{iv},\mathcal{s}\rangle\) which relates half of the hash of the full plaintext to enryption parameters; if the values existed already, they are returned, otherwise, they are created on the fly (and saved and returned). [3] This is the point where deduplication occurs: any attempts to upload an identical message will always result in the same encryption parameters.

3. Alice next generates an encryption key \(\mathcal{k}=\mathcal{K}(\mathfrak{H}_2(\mathcal{M}), \mathcal{s})\) from the second half of the hash of the plaintext message (and salted), then generates the cryptotext of the message \(\mathcal{C}=\mathscr{E}(\mathcal{k},\mathcal{iv}|\mathcal{M})\), and then constructs a new hash of the encrypted message \(\mathcal{c}=\mathcal{H}(\mathcal{C})\). Alice sends the full encrypted message \(\mathcal{C}\) to the server.

4. The storage server maintains a second mapping \(\mathcal{T}''(c)\longmapsto\langle\mathcal{v},\mathcal{C}\rangle\), which simply relates a hash of the encrypted contents to the contents, as well as a random verification identifier \(\mathcal{v}\), which is returned only if the server receives the full encrypted message.

5. At this point Alice has collected the full “manifest”: \(\langle\mathcal{H}(\mathcal{C}),\mathcal{k},\mathcal{iv},\mathcal{s},\mathcal{v}\rangle\), which can be sent to Bob.

When Bob wants to fetch the object, Bob sends \(\langle\mathcal{H}(\mathcal{C}),\mathcal{v}\rangle\) to the storage server which first confirms correct \(\mathcal{T}''(c)\longmapsto\langle\mathcal{v}\rangle\) and then returns \(\mathcal{C}\). Bob then has \(\mathcal{M}\) from \(\mathcal{D}(\mathcal{C},\mathcal{k},\mathcal{iv},\mathcal{s})\).

The storage server (obviously) never sees \(\mathcal{M}\). Furthermore, it doesn’t track an explicit relationship between \(\mathcal{M}\) and \(\mathcal{C}\) in any manner. [4]

Now, consider another user, Charles, who independently uploads the same object to share with some other party. The above process will play out the same, and the resulting \(\langle\mathcal{H}(\mathcal{C}),\mathcal{k},\mathcal{iv},\mathcal{s},\mathcal{v}\rangle\) will end up being identical. Thus, re-uploading or sharing (copying and distributing the manifest) results in the exact same data.

An outside adversary cannot determine what objects have been shared: all they can do is go through the above process and abort at some point, but won’t learn anything: they won’t receive the full manifest until all steps are completed, and at no point will the server act differently than if it had never seen the object.

The manifest is portable outside the system: it doesn’t matter if the manifest was shared within a chat room (see next section), or in some other manner (SMS, emailed, copied to file across flash USB, etc). Regardless of how Bob receives the manifest, Bob can ask for \(\mathcal{C}\) and can perform \(\mathcal{D}(\mathcal{C},\mathcal{k},\mathcal{iv},\mathcal{s})\).

Deduplication will occur at step “1” and “3”: when the server receives \(\mathcal{C}\) it calculates \(\mathcal{c}=\mathcal{H}(\mathcal{C})\), and if it has already seen it, it returns the stored value \(\mathcal{T}''(c)\longmapsto\langle\mathcal{v},\mathcal{C}\rangle\), otherwise it generates a new \(\mathcal{v}\) (and stores and returns it). Regardless, it goes through the motions of “storing” \(\mathcal{C}\), which will in effect be a no-op if it had already stored it.

The final result is a \(\mathcal{T}''(c)\longmapsto\langle\mathcal{v},\mathcal{C}\rangle\) storage system, that will only respond if you already have \(\mathcal{v}\), which you can only have if you either went through the above steps yourself, or somebody else did and gave you the results. And of course the resulting \(\mathcal{C}\) is of no use to you without \(\langle\mathcal{k},\mathcal{iv},\mathcal{s}\rangle\).

Future Design Directions

The above design is the current one. The next generation will be a slight tweak: you can access either with the ID plus the verification, or a hash of both. It’s up to the shard server to decide on policy.

Ledger

For a conversational (and more complete) exposition of how the Ledger currently works, see Storage Ledger Server. Note also that this (slightly more) formal presentation presuposes the next-generation usage of OPRF() functions (see this discussion). The Ledger complements the flow of uploading and sharing files and documents (blobs), thus make sure to have read those sections first.

A global ledger \(\mathfrak{D_1}\mathcal{(a)}\mapsto\mathcal{b}\) maintains account balance \(\mathcal{b}\) for every account \(\mathcal{a}\). Balance is a positive integer that defaults to zero (ergo all possible accounts ‘exist’), corresponding to bytes of storage. Account is either a Room Name, or one of two reserved account names that correspond to two special accounts: \(\mathcal{B_g}\) is the global budget for the service, and \(\mathcal{B_s}\) is the total spent so far.

Every Room maintains a budget \(\mathcal{B_r}\) that was assigned to it at creation by taking an initial budget from \(\mathcal{B_g}\) and adding it to both \(\mathcal{B_s}\) and \(\mathcal{B_r}\). [7]

When a client uploads an item \(\mathcal{M}\), it first needs to calculate what \(\mathcal{|C|}\) will become. [8] It first requests from the room to spend \(\mathcal{s = |C|}\) bytes out of the Room balance \(\mathcal{B_r}\).

If approved, the Room \(\mathcal{r}\) requests an identifier \(\mathcal{t}\) (elsewhere called <TID>) from the Ledger. [9] This is a random token generated by the Ledger which maintains \(\mathfrak{D_2}\mathcal{h(t)}\mapsto\langle\mathcal{s, u}\rangle\) where \(\mathcal{h()}\) is a hash function, \(\mathcal{s}\) is the size and \(\mathcal{u}\) is a boolean indicating if this has been ‘spent’ or not. Essentially, we are generating a local cryptocurrency token of sorts, that can be traded for an upload of \(\mathcal{s}\) bytes.

The Room never shares \(\mathcal{t}\) with the Client, instead it returns \(\mathcal{T=}\mathfrak{E}\mathcal{(}\langle\mathcal{h(t), R(t), R(h(t)}\mathcal{)}\rangle\) where \(\mathfrak{E}\mathcal{()}\) is encrypted into a magical token \(\mathcal{T}\) such that only the Storage server can untangle it. \(\mathcal{R()}\) is encryption using the LEDGER_KEY for future garbage collection.

The Client can now do the actual upload of \(\mathcal{v|C}\), sending along with it \(\mathcal{T}\).

Rooms, Chats, Groups

For a conversational exposition of how Rooms work, see the Technical Overview.

To be written, we’re saving the formal treatment for this for last, since it’s quite conventional.

---

Footnotes

[1]

In this section we will largely follow the nomenclature in Message-Locked Encryption and Secure Deduplication; Mihir Bellare, Sriram Keelveedhi, Thomas Ristenpart; Full version, original version in Eurocrypt 2013.

[2]

You can think about it as follows: think of a generic message as being \(\mathfrak{m}\) with size \(\vert\mathfrak{m}\vert\). We wish to distinguish between “small” and “large” \(\mathfrak{m}\). That’s an engineering and cost analysis question. Given a boundary \(\mathfrak{S}\), then messages where \(\vert\mathfrak{m}\vert < \mathfrak{S}\) are treated as \(\mathcal{m}\) otherwise \(\mathcal{M}\). The smaller objects \(\mathcal{m}\) are replicated wherever they are used, and the larger \(\mathcal{M}\) are essentially converted into a reference and embedded inside a new \(\mathcal{m}\). That conversion includes handling deduplication.

[3]

There is a race condition if multiple parties are trying to create a new entry in this mapping at the same time. To address this, the underlying primitive should be a compare-and-exchange-style operation, where a new nonce and salt are always generated, and are then atomically compared with existing storage, which should default to zero if not allocated: ergo, if there’s a zero (unallocated), write the new values, otherwise, return the old ones. This would also reduce timing differences, since the overhead of generating enryption parameters is always carried, but optionally discarded.

[4]

Note that this is slightly different from the current implementation, and is a (believed) improvement: current code (soon to be updated) creates a concatenation of partial hash of the plaintext with partial hash of the encrypted. The problem this creates is that an adversary that is able to gain full access to the storage server at some point in time could look for the existence of matches to known plaintext messages by simply inspecting the first half. In this revised design, a storage server has the option of clearing the mapping of \(\mathcal{T}'(h)\longmapsto\langle\mathcal{iv},\mathcal{s}\rangle\) at any time: sharing manifests and retrieving encrypted messages would be unaffected, to the detriment of reduced effectiveness of deduplication. This allows for a form of forward privacy (on the aggregate): for example, a storage server configured to reset this mapping every week could only leverage deduplication within each distinct weekly period, but conversely an adversary that could completely compromise the system would only be able to determine if a given plaintext message was uploaded and shared by anybody in the past week.

[5]

The final xor operation with \(\mathfrak{H}(\mathcal{M})\) exists to protect for the case where the \(\mathcal{OPRF_1}\) server has been compromised.

[6]

A concern is that OPRF is not yet an accepted IETF standard. Latest draft is here https://www.ietf.org/id/draft-irtf-cfrg-voprf-09.html and current (Draft 9) reference implementations are here https://github.com/cfrg/draft-irtf-cfrg-voprf. So far in snackabra design, we have avoided using any functions that triggers the necessity of including libraries or even major sections of code. The advantages of improving the blob storage system with OPRF might outweigh those concerns, but we have not made a final decision.

[7]

The Room balance is actually simply a local cached value that matches whatever the balance is for the room according to the Ledger server. The Room ‘copy’ of the balance serves as a synchronization primitive, allowing the Ledger server to not have to worry about that - the Ledger server can fullfil account balance changes in any order. Similarly, this naturally protects against various abuse and DDOS scenarios.

[8]

Because of the very specific padding requirements, this is predictable.

[9]

Note that <TID> and verification are different.