[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lsd0003] branch master updated (645fdcc -> 97a7e6f)
|
From: |
gnunet |
|
Subject: |
[lsd0003] branch master updated (645fdcc -> 97a7e6f) |
|
Date: |
Wed, 09 Jun 2021 09:09:44 +0200 |
This is an automated email from the git hooks/post-receive script.
elias-summermatter pushed a change to branch master
in repository lsd0003.
from 645fdcc minor points
new dc5c89d Added some stuff
new 97a7e6f Merge branch 'master' of git+ssh://gnunet.org/lsd0003
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
draft-summermatter-set-union.pdf | Bin 0 -> 489183 bytes
draft-summermatter-set-union.txt | 2856 ++++++++++++++++++++
draft-summermatter-set-union.xml | 5 +-
statemaschine/differential_state_machine | 1 +
statemaschine/differential_state_machine.png | Bin 0 -> 105665 bytes
statemaschine/differential_state_machine.svg | 3 +
...l_state_maschine.png => full_state_machine.png} | Bin
...l_state_maschine.svg => full_state_machine.svg} | 0
...l_state_maschine.xml => full_state_machine.xml} | 0
statemaschine/state_machine_full | 1 +
statemaschine/state_machine_full.png | Bin 0 -> 56892 bytes
statemaschine/state_machine_full.svg | 3 +
12 files changed, 2867 insertions(+), 2 deletions(-)
create mode 100644 draft-summermatter-set-union.pdf
create mode 100644 draft-summermatter-set-union.txt
create mode 100644 statemaschine/differential_state_machine
create mode 100644 statemaschine/differential_state_machine.png
create mode 100644 statemaschine/differential_state_machine.svg
rename statemaschine/{full_state_maschine.png => full_state_machine.png} (100%)
rename statemaschine/{full_state_maschine.svg => full_state_machine.svg} (100%)
rename statemaschine/{full_state_maschine.xml => full_state_machine.xml} (100%)
create mode 100644 statemaschine/state_machine_full
create mode 100644 statemaschine/state_machine_full.png
create mode 100644 statemaschine/state_machine_full.svg
diff --git a/draft-summermatter-set-union.pdf b/draft-summermatter-set-union.pdf
new file mode 100644
index 0000000..779b351
Binary files /dev/null and b/draft-summermatter-set-union.pdf differ
diff --git a/draft-summermatter-set-union.txt b/draft-summermatter-set-union.txt
new file mode 100644
index 0000000..eba95b8
--- /dev/null
+++ b/draft-summermatter-set-union.txt
@@ -0,0 +1,2856 @@
+
+
+
+
+Independent Stream E. Summermatter
+Internet-Draft Seccom GmbH
+Intended status: Informational C. Grothoff
+Expires: 16 September 2021 Berner Fachhochschule
+ 15 March 2021
+
+
+ Byzantine Fault Tolerant Set Reconciliation
+ draft-schanzen-gns-01
+
+Abstract
+
+ This document contains a protocol specification for Byzantine fault-
+ tolerant Set Reconciliation.
+
+Status of This Memo
+
+ This Internet-Draft is submitted in full conformance with the
+ provisions of BCP 78 and BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF). Note that other groups may also distribute
+ working documents as Internet-Drafts. The list of current Internet-
+ Drafts is at https://datatracker.ietf.org/drafts/current/.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ This Internet-Draft will expire on 16 September 2021.
+
+Copyright Notice
+
+ Copyright (c) 2021 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents (https://trustee.ietf.org/
+ license-info) in effect on the date of publication of this document.
+ Please review these documents carefully, as they describe your rights
+ and restrictions with respect to this document. Code Components
+ extracted from this document must include Simplified BSD License text
+ as described in Section 4.e of the Trust Legal Provisions and are
+ provided without warranty as described in the Simplified BSD License.
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 1]
+�
+Internet-Draft Set Union March 2021
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 2.1. Bloom Filters . . . . . . . . . . . . . . . . . . . . . . 5
+ 2.2. Counting Bloom Filter . . . . . . . . . . . . . . . . . . 7
+ 3. Invertible Bloom Filter . . . . . . . . . . . . . . . . . . . 8
+ 3.1. Structure . . . . . . . . . . . . . . . . . . . . . . . . 8
+ 3.2. Operations . . . . . . . . . . . . . . . . . . . . . . . 9
+ 3.2.1. Insert Element . . . . . . . . . . . . . . . . . . . 9
+ 3.2.2. Remove Element . . . . . . . . . . . . . . . . . . . 10
+ 3.2.3. Decode IBF . . . . . . . . . . . . . . . . . . . . . 11
+ 3.2.4. Set Difference . . . . . . . . . . . . . . . . . . . 13
+ 3.3. Wire format . . . . . . . . . . . . . . . . . . . . . . . 15
+ 3.3.1. ID Calculation . . . . . . . . . . . . . . . . . . . 15
+ 3.3.2. Mapping Function . . . . . . . . . . . . . . . . . . 16
+ 3.3.3. HASH calculation . . . . . . . . . . . . . . . . . . 17
+ 4. Strata Estimator . . . . . . . . . . . . . . . . . . . . . . 18
+ 4.1. Description . . . . . . . . . . . . . . . . . . . . . . . 18
+ 5. Mode of operation . . . . . . . . . . . . . . . . . . . . . . 18
+ 5.1. Full Synchronisation Mode . . . . . . . . . . . . . . . . 19
+ 5.2. Delta Synchronisation Mode . . . . . . . . . . . . . . . 20
+ 5.3. Combined Mode . . . . . . . . . . . . . . . . . . . . . . 23
+ 6. Messages . . . . . . . . . . . . . . . . . . . . . . . . . . 23
+ 6.1. Operation Request . . . . . . . . . . . . . . . . . . . . 23
+ 6.1.1. Description . . . . . . . . . . . . . . . . . . . . . 24
+ 6.1.2. Structure . . . . . . . . . . . . . . . . . . . . . . 24
+ 6.2. IBF . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
+ 6.2.1. Description . . . . . . . . . . . . . . . . . . . . . 24
+ 6.2.2. Structure . . . . . . . . . . . . . . . . . . . . . . 25
+ 6.3. IBF . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
+ 6.3.1. Description . . . . . . . . . . . . . . . . . . . . . 26
+ 6.4. Elements . . . . . . . . . . . . . . . . . . . . . . . . 26
+ 6.4.1. Description . . . . . . . . . . . . . . . . . . . . . 27
+ 6.4.2. Structure . . . . . . . . . . . . . . . . . . . . . . 27
+ 6.5. Offer . . . . . . . . . . . . . . . . . . . . . . . . . . 28
+ 6.5.1. Description . . . . . . . . . . . . . . . . . . . . . 28
+ 6.5.2. Structure . . . . . . . . . . . . . . . . . . . . . . 28
+ 6.6. Inquiry . . . . . . . . . . . . . . . . . . . . . . . . . 28
+ 6.6.1. Description . . . . . . . . . . . . . . . . . . . . . 28
+ 6.6.2. Structure . . . . . . . . . . . . . . . . . . . . . . 29
+ 6.7. Demand . . . . . . . . . . . . . . . . . . . . . . . . . 29
+ 6.7.1. Description . . . . . . . . . . . . . . . . . . . . . 29
+ 6.7.2. Structure . . . . . . . . . . . . . . . . . . . . . . 29
+ 6.8. Done . . . . . . . . . . . . . . . . . . . . . . . . . . 30
+ 6.8.1. Description . . . . . . . . . . . . . . . . . . . . . 30
+ 6.8.2. Structure . . . . . . . . . . . . . . . . . . . . . . 30
+ 6.9. Full Done . . . . . . . . . . . . . . . . . . . . . . . . 30
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 2]
+�
+Internet-Draft Set Union March 2021
+
+
+ 6.9.1. Description . . . . . . . . . . . . . . . . . . . . . 31
+ 6.9.2. Structure . . . . . . . . . . . . . . . . . . . . . . 31
+ 6.10. Request Full . . . . . . . . . . . . . . . . . . . . . . 31
+ 6.10.1. Description . . . . . . . . . . . . . . . . . . . . 31
+ 6.10.2. Structure . . . . . . . . . . . . . . . . . . . . . 32
+ 6.11. Strata Estimator . . . . . . . . . . . . . . . . . . . . 32
+ 6.11.1. Description . . . . . . . . . . . . . . . . . . . . 32
+ 6.11.2. Structure . . . . . . . . . . . . . . . . . . . . . 32
+ 6.12. Strata Estimator Compressed . . . . . . . . . . . . . . . 33
+ 6.12.1. Description . . . . . . . . . . . . . . . . . . . . 33
+ 6.13. Full Element . . . . . . . . . . . . . . . . . . . . . . 33
+ 6.13.1. Description . . . . . . . . . . . . . . . . . . . . 33
+ 6.13.2. Structure . . . . . . . . . . . . . . . . . . . . . 33
+ 7. Performance Considerations . . . . . . . . . . . . . . . . . 34
+ 7.1. Formulas . . . . . . . . . . . . . . . . . . . . . . . . 34
+ 7.1.1. Operation Mode . . . . . . . . . . . . . . . . . . . 34
+ 7.1.2. Full Synchronisation: Decision witch peer sends
+ elements first . . . . . . . . . . . . . . . . . . . 35
+ 7.1.3. IBF Parameters . . . . . . . . . . . . . . . . . . . 36
+ 8. Security Considerations . . . . . . . . . . . . . . . . . . . 36
+ 8.1. Generic functions . . . . . . . . . . . . . . . . . . . . 37
+ 8.1.1. Duplicated or Missing Message detection . . . . . . . 37
+ 8.1.2. Store Remote Peers Element Number . . . . . . . . . . 38
+ 8.2. States . . . . . . . . . . . . . . . . . . . . . . . . . 38
+ 8.2.1. Expecting IBF . . . . . . . . . . . . . . . . . . . . 38
+ 8.2.2. Full Sending . . . . . . . . . . . . . . . . . . . . 42
+ 8.2.3. Expecting IBF Last . . . . . . . . . . . . . . . . . 43
+ 8.2.4. Active Decoding . . . . . . . . . . . . . . . . . . . 43
+ 8.2.5. Finish Closing . . . . . . . . . . . . . . . . . . . 44
+ 8.2.6. Finished . . . . . . . . . . . . . . . . . . . . . . 44
+ 8.2.7. Expect SE . . . . . . . . . . . . . . . . . . . . . . 44
+ 8.2.8. Full Receiving . . . . . . . . . . . . . . . . . . . 45
+ 8.2.9. Passive Decoding . . . . . . . . . . . . . . . . . . 45
+ 8.2.10. Finish Waiting . . . . . . . . . . . . . . . . . . . 46
+ 9. GANA Considerations . . . . . . . . . . . . . . . . . . . . . 46
+ 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 47
+ 11. Normative References . . . . . . . . . . . . . . . . . . . . 47
+ Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 50
+ A.1. Map Function . . . . . . . . . . . . . . . . . . . . . . 50
+ A.2. ID Calculation Function . . . . . . . . . . . . . . . . . 50
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 50
+
+1. Introduction
+
+ This document describes a Byzantine fault-tolerant set reconciliation
+ protocol used to efficient and securely synchronize two sets of
+ elements between two peers.
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 3]
+�
+Internet-Draft Set Union March 2021
+
+
+ This Byzantine fault-tolerant set reconciliation protocol can be used
+ in a variety of applications. Our primary envisioned application
+ domain is the distribution of revocation messages in the GNU Name
+ System (GNS) [GNUNET]. In GNS, key revocation messages are usually
+ flooded across the peer-to-peer overlay network to all connected
+ peers whenever a key is revoked. However, as peers may be offline or
+ the network might have been partitioned, there is a need to reconcile
+ revocation lists whenever network partitions are healed or peers go
+ online. The GNU Name System uses the protocol described in this
+ specification to efficiently distribute revocation messages whenever
+ network partitions are healed. Another application domain for the
+ protocol described in this specification are Byzantine fault-tolerant
+ bulletin boards, like those required in some secure multiparty
+ computations. A well-known example for secure multiparty
+ computations are various E-voting protocols
+ [CryptographicallySecureVoting] which use a bulletin board to share
+ the votes and intermediate computational results. We note that for
+ such systems, the set reconciliation protocol is merely a component
+ of a multiparty consensus protocol, such as the one described in
+ (FIXME-CITE: DOLD MS Thesis! Which paper is his MS thesis on
+ fdold.eu).
+
+ The protocol described in this report is generic and suitable for a
+ wide range of applicaitons. As a result, the internal structure of
+ the elements in the sets must be defined and verified by the
+ application using the protocol. This document thus does not cover
+ the element structure, except for imposing a limit on the maximum
+ size of an element.
+
+ The protocol faces an inherent trade-off between minimizing the
+ number of network round-trips and the number of bytes sent over the
+ network. Thus, for the protocol to choose the right parameters for a
+ given situation, applications using the protocol must provide a
+ parameter that specifies the cost-ratio of round-trips vs. bandwidth
+ usage. Given this trade-off factor, the protocol will then choose
+ parameters that minimize the total execution cost. In particular,
+ there is one major choice to be made, which is between sending the
+ full set of elements, or just sending the elements that differ. In
+ the latter case, our design is basically a concrete implementation of
+ a proposal by Eppstein.[Eppstein]
+
+ We say that our set reconciliation protocol is Byzantine fault-
+ tolerant because it provides cryptographic and probabilistic methods
+ to discover if the other peer is dishonest or misbehaving.
+
+ The objective here is to limit resources wasted on malicious actors.
+ Malicious actors could send malformed messages, including malformed
+ set elements, claim to have much larger numbers of valid set elements
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 4]
+�
+Internet-Draft Set Union March 2021
+
+
+ than the actually hold, or request the retransmission of elements
+ that they have already received in previous interactions. Bounding
+ resources consumed by malicous actors is important to ensure that
+ higher-level protocols can use set reconciliation and still meet
+ their resource targets. This can be particularly critical in multi-
+ round synchronous consensus protocols where peers that cannot answer
+ in a timely fashion would have to be treated as failed or malicious.
+
+ To defend against some of these attacks, applications need to
+ remember the number of elements previously shared with a peer, and
+ offer a means to check that elements are well-formed. Applications
+ may also be able to provide an upper bound on the total number of
+ valid elements that may exist. For example, in E-voting, the number
+ of eligible voters could be used to provide such an upper bound.
+
+ This document defines the normative wire format of resource records,
+ resolution processes, cryptographic routines and security
+ considerations for use by implementors. SETU requires a
+ bidirectional secure communication channel between the two parties.
+ Specification of the communication channel is out of scope of this
+ document.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in[RFC2119].
+
+2. Background
+
+2.1. Bloom Filters
+
+ A Bloom filter (BF) is a space-efficient datastructure to test if am
+ element is part of a set of elements. Elements are identified by an
+ element ID. Since a BF is a probabilistic datastructure, it is
+ possible to have false-positives: when asked if an element is in the
+ set, the answer from a BF is either "no" or "maybe".
+
+ A BF consists of L buckets. Every bucket is a binary value that can
+ be either 0 or 1. All buckets are initialized to 0. A mapping
+ function M is used to map each the ID of each element from the set to
+ a subset of k buckets. M is non-injective and can thus map the same
+ element multiple times to the same bucket. The type of the mapping
+ function can thus be described by the following mathematical
+ notation:
+
+
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 5]
+�
+Internet-Draft Set Union March 2021
+
+
+ ------------------------------------
+ # M: E->B^k
+ ------------------------------------
+ # L = Number of buckets
+ # B = 0,1,2,3,4,...L-1 (the buckets)
+ # k = Number of buckets per element
+ # E = Set of elements
+ ------------------------------------
+ Example: L=256, k=3
+ M('element-data') = {4,6,255}
+
+
+ Figure 1
+
+ A typical mapping function is constructed by hashing the element, for
+ example using the well-known Section 2 of HKDF construction
+ [RFC5869].
+
+ To add an element to the BF, the corresponding buckets under the map
+ M are set to 1. To check if an element may be in the set, one tests
+ if all buckets under the map M are set to 1.
+
+ Further in this document a bitstream outputted by the mapping
+ function is represented by a set of numeric values for example (0101)
+ = (2,4). In the BF the buckets are set to 1 if the corresponding bit
+ in the bitstream is 1. If there is a collision and a bucket is
+ already set to 1, the bucket stays 1.
+
+ In the following example the element M(element) = (1,3) has been
+ added:
+
+ bucket-0 bucket-1 bucket-2 bucket-3
+ +-------------+-------------+-------------+-------------+
+ | 0 | 1 | 0 | 1 |
+ +-------------+-------------+-------------+-------------+
+
+ Figure 2
+
+ Is easy to see that the M(element) = (0,3) could be in the BF bellow
+ and M(element) = (0,2) can't be in the BF bellow:
+
+ bucket-0 bucket-1 bucket-2 bucket-3
+ +-------------+-------------+-------------+-------------+
+ | 1 | 0 | 0 | 1 |
+ +-------------+-------------+-------------+-------------+
+
+ Figure 3
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 6]
+�
+Internet-Draft Set Union March 2021
+
+
+ The parameters L and k depend on the set size and must be chosen
+ carefully to ensure that the BF does not return too many false-
+ positives.
+
+ It is not possible to remove an element from the BF because buckets
+ can only be set to 1 or 0. Hence it is impossible to differentiate
+ between buckets containing one or more elements. To remove elements
+ from the BF a Counting Bloom Filter is required.
+
+2.2. Counting Bloom Filter
+
+ A Counting Bloom Filter (CBF) is an extension of the Bloom Filters.
+ In the CBF, buckets are unsigned numbers instead of binary values.
+ This allows the removal of an elements from the CBF.
+
+ Adding an element to the CBF is similar to the adding operation of
+ the BF. However, instead of setting the bucket on hit to 1 the
+ numeric value stored in the bucket is increased by 1. For example if
+ two colliding elements M(element1) = (1,3) and M(element2) = (0,3)
+ are added to the CBF, bucket 0 and 1 are set to 1 and bucket 3 (the
+ colliding bucket) is set to 2:
+
+ bucket-0 bucket-1 bucket-2 bucket-3
+ +-------------+-------------+-------------+-------------+
+ | 1 | 1 | 0 | 2 |
+ +-------------+-------------+-------------+-------------+
+
+ Figure 4
+
+ The counter stored in the bucket is also called the order of the
+ bucket.
+
+ To remove an element form the CBF the counters of all buckets the
+ element is mapped to are decreased by 1.
+
+ Removing M(element2) = (1,3) from the CBF above:
+
+ bucket-0 bucket-1 bucket-2 bucket-3
+ +-------------+-------------+-------------+-------------+
+ | 1 | 0 | 0 | 1 |
+ +-------------+-------------+-------------+-------------+
+
+ Figure 5
+
+
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 7]
+�
+Internet-Draft Set Union March 2021
+
+
+ In practice, the number of bits available for the counters is usually
+ finite. For example, given a 4-bit counter, a CBF bucket would
+ overflow once 16 elements are mapped to the same bucket. To
+ efficiently handle this case, the maximum value (15 in our example)
+ is considered to represent "infinity". Once the order of a bucket
+ reaches "infinity", it is no longer incremented or decremented.
+
+ The parameters L and k and the number of bits allocated to the
+ counters should depend on the set size. An IBF will degenerate when
+ subjected to insert and remove iterations of different elements, and
+ eventually all buckets will reach "infinity". The speed of the
+ degradation will depend on the choice of L and k in relation to the
+ number of elements stored in the IBF.
+
+3. Invertible Bloom Filter
+
+ An Invertible Bloom Filter (IBF) is a further extension of the
+ Counting Bloom Filter. An IBF extends the Counting Bloom Filter with
+ two more operations: decode and set difference. This two extra
+ operations are useful to efficiently extract small differences
+ between large sets.
+
+3.1. Structure
+
+ An IBF consists of a mapping function M and L buckets that each store
+ a signed counter and an XHASH. An XHASH is the XOR of various hash
+ values. As before, the values used for k, L and the number of bits
+ used for the signed counter and the XHASH depend on the set size and
+ various other trade-offs, including the CPU architecture.
+
+ If the IBF size is to small or the mapping function does not spread
+ out the elements uniformly, the signed counter can overflow or
+ underflow. As with the CBF, the "maximum" value is thus used to
+ represent "infinite". As there is no need to distinguish between
+ overflow and underflow, the most canonical representation of
+ "infinite" would be the minimum value of the counter in the canonical
+ 2-complement interpretation. For example, given a 4-bit counter a
+ value of -8 would be used to represent "infinity".
+
+ bucket-0 bucket-1 bucket-2 bucket-3
+ +-------------+-------------+-------------+-------------+-------
+ count | COUNTER | COUNTER | COUNTER | COUNTER | C...
+ +-------------+-------------+-------------+-------------+------
+ idSum | IDSUM | IDSUM | IDSUM | IDSUM | I...
+ +-------------+-------------+-------------+-------------+------
+ hashSum | HASHSUM | HASHSUM | HASHSUM | HASHSUM | H..
+ +-------------+-------------+-------------+-------------+-------
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 8]
+�
+Internet-Draft Set Union March 2021
+
+
+ Figure 6
+
+3.2. Operations
+
+ When an IBF is created, all counters and IDSUM and HASHSUM values of
+ all buckets are initialized to zero.
+
+3.2.1. Insert Element
+
+ To add an element to a IBF, the element is mapped to a subset of k
+ buckets using the mapping function M as described in the Bloom
+ Filters section introducing BFs. For the buckets selected by the
+ mapping function, the counter is increased by one and the IDSUM field
+ is set to the XOR of the element ID and the previously stored IDSUM.
+ Furthermore, the HASHSUM is set to the XOR of the hash of the element
+ ID and the previously stored HASHSUM.
+
+ In the following example, the insert operation is illustrated using
+ an element with the ID 0x0102 and a hash of 0x4242, and a second
+ element with the ID 0x0304 and a hash of 0x0101.
+
+ Empty IBF:
+
+ bucket-0 bucket-1 bucket-2 bucket-3
+ +-------------+-------------+-------------+-------------+
+ count | 0 | 0 | 0 | 0 |
+ +-------------+-------------+-------------+-------------+
+ idSum | 0x0000 | 0x0000 | 0x0000 | 0x0000 |
+ +-------------+-------------+-------------+-------------+
+ hashSum | 0x0000 | 0x0000 | 0x0000 | 0x0000 |
+ +-------------+-------------+-------------+-------------+
+
+ Figure 7
+
+ Insert first element: [0101] with ID 0x0102 and hash 0x4242:
+
+ bucket-0 bucket-1 bucket-2 bucket-3
+ +-------------+-------------+-------------+-------------+
+ count | 0 | 1 | 0 | 1 |
+ +-------------+-------------+-------------+-------------+
+ idSum | 0x0000 | 0x0102 | 0x0000 | 0x0102 |
+ +-------------+-------------+-------------+-------------+
+ hashSum | 0x0000 | 0x4242 | 0x0000 | 0x4242 |
+ +-------------+-------------+-------------+-------------+
+
+ Figure 8
+
+ Insert second element: [1100] with ID 0x0304 and hash 0101:
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 9]
+�
+Internet-Draft Set Union March 2021
+
+
+ bucket-0 bucket-1 bucket-2 bucket-3
+ +-------------+-------------+-------------+-------------+
+ count | 1 | 2 | 0 | 1 |
+ +-------------+-------------+-------------+-------------+
+ idSum | 0x0304 | 0x0206 | 0x0000 | 0x0102 |
+ +-------------+-------------+-------------+-------------+
+ hashSum | 0x0101 | 0x4343 | 0x0000 | 0x4242 |
+ +-------------+-------------+-------------+-------------+
+
+ Figure 9
+
+3.2.2. Remove Element
+
+ To remove an element from the IBF the element is again mapped to a
+ subset of the buckets using M. Then all the counters of the buckets
+ selected by M are reduced by one, the IDSUM is replaced by the XOR of
+ the old IDSUM and the ID of the element being removed, and the
+ HASHSUM is similarly replaced with the XOR of the old HASHSUM and the
+ hash of the ID.
+
+ In the following example the remove operation for the element [1100]
+ with the hash 0x0101 is demonstrated.
+
+ IBF with encoded elements:
+
+ bucket-0 bucket-1 bucket-2 bucket-3
+ +-------------+-------------+-------------+-------------+
+ count | 1 | 2 | 0 | 1 |
+ +-------------+-------------+-------------+-------------+
+ idSum | 0x0304 | 0x0206 | 0x0000 | 0x0102 |
+ +-------------+-------------+-------------+-------------+
+ hashSum | 0x0101 | 0x4343 | 0x0000 | 0x4242 |
+ +-------------+-------------+-------------+-------------+
+
+ Figure 10
+
+ Remove element [1100] with ID 0x0304 and hash 0x0101 from the IBF:
+
+ bucket-0 bucket-1 bucket-2 bucket-3
+ +-------------+-------------+-------------+-------------+
+ count | 0 | 1 | 0 | 1 |
+ +-------------+-------------+-------------+-------------+
+ idSum | 0x0000 | 0x0102 | 0x0000 | 0x0102 |
+ +-------------+-------------+-------------+-------------+
+ hashSum | 0x0000 | 0x4242 | 0x0000 | 0x4242 |
+ +-------------+-------------+-------------+-------------+
+
+ Figure 11
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 10]
+�
+Internet-Draft Set Union March 2021
+
+
+ Note that it is possible to "remove" elements from an IBF that were
+ never present in the IBF in the first place. A negative counter
+ value is thus indicative of elements that were removed without having
+ been added. Note that an IBF bucket counter of zero no longer
+ warrants that an element mapped to that bucket is not present in the
+ set: a bucket with a counter of zero can be the result of one element
+ being added and a different element (mapped to the same bucket) being
+ removed. To check that an element is not present requires a counter
+ of zero and an IDSUM and HASHSUM of zero --- and some assurance that
+ there was no collision due to the limited number of bits in IDSUM and
+ HASHSUM. Thus, IBFs are not suitable to replace BFs or IBFs.
+
+ Buckets in an IBF with a counter of 1 or -1 are crucial for decoding
+ an IBF, as they might represent only a single element, with the IDSUM
+ being the ID of that element. Following Eppstein (CITE), we will
+ call buckets that only represent a single element pure buckets. Note
+ that due to the possibility of multiple insertion and removal
+ operations affecting the same bucket, not all buckets with a counter
+ of 1 or -1 are actually pure buckets. Sometimes a counter can be 1
+ or -1 because N elements mapped to that bucket were added while N-1
+ or N+1 different elements also mapped to that bucket were removed.
+
+3.2.3. Decode IBF
+
+ Decoding an IBF yields the HASH of an element from the IBF, or
+ failure.
+
+ A decode operation requires a pure bucket, that is a bucket to which
+ M only mapped a single element, to succeed. Thus, if there is no
+ bucket with a counter of 1 or -1, decoding fails. However, as a
+ counter of 1 or -1 is not a guarantee that the bucket is pure, there
+ is also a chance that the decoder returns an IDSUM value that is
+ actually the XOR of several IDSUMs. This is primarily detected by
+ checking that the HASHSUM is the hash of the IDSUM. Only if the
+ HASHSUM also matches, the bucket could be pure. Additionally, one
+ should check that the IDSUM value actually would be mapped by M to
+ the respective bucket. If not, there was a hash collision.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 11]
+�
+Internet-Draft Set Union March 2021
+
+
+ The very rare case that after all these checks a bucket is still
+ falsely identified as pure must be detected (say by determining that
+ extracted element IDs do not match any actual elements), and
+ addressed at a higher level in the protocol. As these failures are
+ probabilistic and depend on element IDs and the IBF construction,
+ they can typically be avoided by retrying with different parameters,
+ such as a different way to assign element IDs to elements, using a
+ larger value for L, or a different mapping function M. A more common
+ scenario (especially if L was too small) is that IBF decoding fails
+ because there is no pure bucket. In this case, the higher-level
+ protocol also should retry using different parameters.
+
+ Suppose the IBF contains a pure bucket. In this case, the IDSUM in
+ the bucket identifies a single element. Furthermore, it is then
+ possible to remove that element from the IBF (by inserting it if the
+ counter was negative, and by removing it if the counter was
+ positive). This is likely to cause other buckets to become pure,
+ allowing further elements to be decoded. Eventually, decoding should
+ succeed with all counters and IDSUM and HASHSUM values reaching zero.
+ However, it is also possible that an IBF only partly decodes and then
+ decoding fails after yielding some elements.
+
+ In the following example the successful decoding of an IBF containing
+ the two elements previously added in our running example.
+
+ IBF with the two encoded elements:
+
+ bucket-0 bucket-1 bucket-2 bucket-3
+ +-------------+-------------+-------------+-------------+
+ count | 1 | 2 | 0 | 1 |
+ +-------------+-------------+-------------+-------------+
+ idSum | 0x0304 | 0x0206 | 0x0000 | 0x0102 |
+ +-------------+-------------+-------------+-------------+
+ hashSum | 0x0101 | 0x4343 | 0x0000 | 0x4242 |
+ +-------------+-------------+-------------+-------------+
+
+ Figure 12
+
+ In the IBF are two pure buckets to decode (bit-1 and bit-4) we choose
+ to start with decoding bucket 1, we decode the element with the hash
+ 1010 and we see that there is a new pure bucket created (bit-2)
+
+
+
+
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 12]
+�
+Internet-Draft Set Union March 2021
+
+
+ bucket-0 bucket-1 bucket-2 bucket-3
+ +-------------+-------------+-------------+-------------+
+ count | 0 | 1 | 0 | 1 |
+ +-------------+-------------+-------------+-------------+
+ idSum | 0x0000 | 0x0102 | 0x0000 | 0x0102 |
+ +-------------+-------------+-------------+-------------+
+ hashSum | 0x0000 | 0x4242 | 0x0000 | 0x4242 |
+ +-------------+-------------+-------------+-------------+
+
+ Figure 13
+
+ In the IBF only pure buckets are left, we choose to continue decoding
+ bucket 2 and decode element with the hash 0x4242. Now the IBF is
+ empty (all buckets have count 0) that means the IBF has successfully
+ decoded.
+
+ bucket-0 bucket-1 bucket-2 bucket-3
+ +-------------+-------------+-------------+-------------+
+ count | 0 | 0 | 0 | 0 |
+ +-------------+-------------+-------------+-------------+
+ idSum | 0x0000 | 0x0000 | 0x0000 | 0x0000 |
+ +-------------+-------------+-------------+-------------+
+ hashSum | 0x0000 | 0x0000 | 0x0000 | 0x0000 |
+ +-------------+-------------+-------------+-------------+
+
+ Figure 14
+
+3.2.4. Set Difference
+
+ Given addition and removal as defined above, it is possible to define
+ an operation on IBFs that computes an IBF representing the set
+ difference. Suppose IBF1 represents set A, and IBF2 represents set
+ B. Then this set difference operation will compute IBF3 which
+ represents the set A - B --- without needing elements from set A or
+ B. To calculate the IBF representing this set difference, both IBFs
+ must have the same length L, the same number of buckets per element k
+ and use the same map M. Given this, one can compute the IBF
+ representing the set difference by taking the XOR of the IDSUM and
+ HASHSUM values of the respective buckets and subtracting the
+ respective counters. Care should be taken to handle overflows and
+ underflows by setting the counter to "infinity" as necessary. The
+ result is a new IBF with the same number of buckets representing the
+ set difference.
+
+
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 13]
+�
+Internet-Draft Set Union March 2021
+
+
+ This new IBF can be decoded as described in section 3.2.3. The new
+ IBF can have two types of pure buckets with counter set to 1 or -1.
+ If the counter is set to 1 the element is missing in the secondary
+ set, and if the counter is set to -1 the element is missing in the
+ primary set.
+
+ To demonstrate the set difference operation we compare IBF-A with
+ IBF-B and generate as described IBF-AB
+
+ IBF-A containing elements with hashes 0x0101 and 0x4242:
+
+ bucket-0 bucket-1 bucket-2 bucket-3
+ +-------------+-------------+-------------+-------------+
+ count | 1 | 2 | 0 | 1 |
+ +-------------+-------------+-------------+-------------+
+ idSum | 0x0304 | 0x0206 | 0x0000 | 0x0102 |
+ +-------------+-------------+-------------+-------------+
+ hashSum | 0x0101 | 0x4343 | 0x0000 | 0x4242 |
+ +-------------+-------------+-------------+-------------+
+
+ Figure 15
+
+ IBF-B containing elements with hashes 0x4242 and 0x5050
+
+ bucket-0 bucket-1 bucket-2 bucket-3
+ +-------------+-------------+-------------+-------------+
+ count | 0 | 1 | 1 | 1 |
+ +-------------+-------------+-------------+-------------+
+ idSum | 0x0000 | 0x0102 | 0x1345 | 0x0102 |
+ +-------------+-------------+-------------+-------------+
+ hashSum | 0x0000 | 0x4242 | 0x5050 | 0x4242 |
+ +-------------+-------------+-------------+-------------+
+
+ Figure 16
+
+ IBF-AB XOR value and subtract count:
+
+ bucket-0 bucket-1 bucket-2 bucket-3
+ +-------------+-------------+-------------+-------------+
+ count | 1 | 1 | -1 | 0 |
+ +-------------+-------------+-------------+-------------+
+ idSum | 0x0304 | 0x0304 | 0x1345 | 0x0000 |
+ +-------------+-------------+-------------+-------------+
+ hashSum | 0x0101 | 0x0101 | 0x5050 | 0x0000 |
+ +-------------+-------------+-------------+-------------+
+
+ Figure 17
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 14]
+�
+Internet-Draft Set Union March 2021
+
+
+ After calculating and decoding the IBF-AB its clear that in IBF-A the
+ element with the hash 0x5050 is missing (-1 in bit-3) while in IBF-B
+ the element with the hash 0101 is missing (1 in bit-1 and bit-2).
+ The element with hash 0x4242 is present in IBF-A and IBF-B and is
+ removed by the set difference operation (bit-4).
+
+3.3. Wire format
+
+ To facilitate a reasonably CPU-efficient implementation, this
+ specification requires the IBF counter to always use 8 bits. Fewer
+ bits would result in a paritcularly inefficient implementation, while
+ more bits are rarely useful as sets with so many elements should
+ likely be represented using a larger number of buckets. This means
+ the counter of this design can reach a minimum of -127 and a maximum
+ of 127 before the counter reaches "infinity" (-128).
+
+ For the "IDSUM", we always use a 64-bit representation. The IDSUM
+ value must have sufficient entropy for the mapping function M to
+ yield reasonably random buckets even for very large values of L.
+ With a 32 bit value the chance that multiple elements may be mapped
+ to the same ID would be quite high, even for moderately large sets.
+ Using more than 64 bits would at best make sense for very large sets,
+ but then it is likely always better to simply afford additional round
+ trips to handle the occasional collision. 64 bits are also a
+ reasonable size for many CPU architectures.
+
+ For the "HASHSUM", we always use a 32-bit representation. Here, it
+ is mostly important to avoid collisions, where different elements are
+ mapped to the same hash. However, we note that by design only a few
+ elements (certainly less than 127) should ever be mapped to the same
+ bucket, so a small number of bits should suffice. Furthermore, our
+ protocol is designed to handle occasional collisions, so while with
+ 32-bits there remains a chance of accidental collisions, at 32 bit
+ the chance is generally believed to be sufficiently small enough for
+ the protocol to handle those cases efficiently for a wide range of
+ use-cases. Smaller hash values would safe bandwidth, but also
+ drastically increase the chance of collisions. 32 bits are also again
+ a reasonable size for many CPU architectures.
+
+3.3.1. ID Calculation
+
+ The ID is generated as 64-bit output from a Section 2 of HKDF
+ construction [RFC5869] with HMAC-SHA512 as XTR and HMAC-SHA256 as PRF
+ and salt is set to the unsigned 64-bit equivalent of 0. The output
+ is then truncated to 64-bit. Its important that the elements can be
+ redistributed over the buckets in case the IBF does not decode,
+ that's why the ID is salted with a random salt given in the SALT
+ field of this message. Salting is done by calculation the a random
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 15]
+�
+Internet-Draft Set Union March 2021
+
+
+ salt modulo 64 (using only the lowest 6-bits of the salt) and do a
+ bitwise right rotation of output of KDF by the 6-bit salts numeric
+ representation.
+
+ Representation in pseudocode:
+
+ # INPUTS:
+ # key: Pre calculated and truncated key from id_calculation function
+ # ibf_salt: Salt of the IBF
+ # OUTPUT:
+ # value: salted key
+ FUNCTION salt_key(key,ibf_salt):
+ s = ibf_salt % 64;
+ k = key
+
+ /* rotate ibf key */
+ k = (k >> s) | (k << (64 - k))
+ return key
+
+
+ # INPUTS:
+ # element: Element to calculated id from.
+ # salt: Salt of the IBF
+ # OUTPUT:
+ # value: the ID of the element
+
+ FUNCTION id_calculation (element,ibf_salt):
+ salt = 0
+ XTR=HMAC-SHA256
+ PRF=HMAC-SHA256
+ key = HKDF(XTR, PRF, salt, element)
+ key = key modulo 2^64 // Truncate
+ return salt_key(key,ibf_salt)
+
+
+
+ Figure 18
+
+3.3.2. Mapping Function
+
+ The mapping function M as described above in the figure Figure 1
+ decides in which buckets the ID and HASH have to be binary XORed to.
+ In practice there the following algorithm is used:
+
+ The first index is simply the HASH modulo the IBF size. The second
+ index is calculated by creating a new 64-bit value by shifting the
+ 32-bit value left and setting the lower 32-bit to the number of
+ indexes already processed. From the resulting 64-bit value a CRC32
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 16]
+�
+Internet-Draft Set Union March 2021
+
+
+ checksum is created the second index is now the modulo of the CRC32
+ output this is repeated until the predefined amount indexes is
+ generated. In the case a index is hit twice, which would mean this
+ bucket could not get pure again, the second hit is just skipped and
+ the next iteration is used as.
+
+ # INPUTS:
+ # key: Is the ID of the element calculated in the id_calculation function
above.
+ # number_of_buckets_per_element: Pre-defined count of buckets elements are
inserted into
+ # ibf_size: the size of the ibf (count of buckets)
+ # OUTPUT:
+ # dst: Array with bucket IDs to insert ID and HASH
+
+ FUNCTION get_bucket_id (key, number_of_buckets_per_element, ibf_size)
+ bucket = CRC32(key)
+
+ i = 0
+ filled = 0
+ WHILE filled < number_of_buckets_per_element
+
+ element_already_in_bucket = false
+ j = 0
+ WHILE j < filled
+ IF dst[j] == bucket modulo ibf_size THEN
+ element_already_in_bucket = true
+ ENDIF
+ j++
+ ENDWHILE
+
+ IF !element_already_in_bucket THEN
+ dst[filled++] = bucket modulo ibf_size
+ ENDIF
+
+ x = (bucket << 32) | i
+ bucket = CRC32(x)
+
+ i++
+ ENDWHILE
+ return dst
+
+ Figure 19
+
+3.3.3. HASH calculation
+
+ The HASH is calculated by calculating the CRC32 checksum of the
+ 64-bit ID value which returns a 32-bit value.
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 17]
+�
+Internet-Draft Set Union March 2021
+
+
+4. Strata Estimator
+
+4.1. Description
+
+ Strata Estimators help estimate the size of the set difference
+ between two set of elements. This is necessary to efficiently
+ determinate the tuning parameters for an IBF, in particular a good
+ value for L.
+
+ Basically a Strata Estimator (SE) is a series of IBFs (with a rather
+ small value of L) in which increasingly large subsets of the full set
+ of elements are added to each IBF. For the n-th IBF, the function
+ selecting the subset of elements should sample to select
+ (probabilistically) 1/(2^n) of all elements. This can be done by
+ counting the number of trailing bits set to "1" in an element ID, and
+ then inserting the element into the IBF identified by that counter.
+ As a result, all elements will be mapped to one IBF, with the n-th
+ IBF being statistically expected to contain 1/(2^n) elements.
+
+ Given two SEs, the set size difference can be estimated by trying to
+ decode all of the IBFs. Given that L was set to a rather small
+ value, IBFs containing large strata will likely fail to decode. For
+ those IBFs that failed to decode, one simply extrapolates the number
+ of elements by scaling the numbers obtained from the other IBFs that
+ did decode. If none of the IBFs of the SE decoded (which given a
+ reasonable choice of L should be highly unlikely), one can retry
+ using a different mapping function M.
+
+5. Mode of operation
+
+ The set union protocol uses IBFs and SEs as primitives. Depending on
+ the state of the two sets there are different strategies or operation
+ modes how to efficiently determinate missing elements between the two
+ sets.
+
+ The simplest mode is the "full" synchronization mode. The idea is
+ that if the difference between the sets of the two peers exceeds a
+ certain threshold, the overhead to determine which elements are
+ different outweighs the overhead of sending the complete set. In
+ this case, the most efficient method can be to just exchange the full
+ sets.
+
+ Link to statemachine diagram
+ (https://git.gnunet.org/lsd0003.git/plain/statemaschine/
+ full_state_maschine.jpg)
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 18]
+�
+Internet-Draft Set Union March 2021
+
+
+ The second possibility is that the difference of the sets is small
+ compared to the set size. Here, an efficient "delta" synchronization
+ mode is more efficient. Given these two possibilities, the first
+ steps of the protocol are used to determine which mode should be
+ used.
+
+ Thus, the set synchronization protocol always begins with the
+ following operation mode independent steps.
+
+ The initiating peer begins in the *Initiating Connection* state and
+ the receiving peer in the *Expecting Connection* state. The first
+ step for the initiating peer in the protocol is to send an _Operation
+ Request_ to the receiving peer and transition into the *Expect SE*
+ state. After receiving the _Operation Request_ the receiving peer
+ transitions to the *Expecting IBF* state and answers with the _Strata
+ Estimator_ message. When the initiating peer receives the _Strata
+ Estimator_ message, it decides with some heuristics which operation
+ mode is likely more suitable for the estimated set difference and the
+ application-provided latency-bandwidth tradeoff. The detailed
+ tradeoff between the Full Synchronisation Mode and the Delta
+ Synchronisation Mode is explained in the section Combined Mode.
+
+5.1. Full Synchronisation Mode
+
+ When the initiating peer decides to use the full synchronisation mode
+ and the set of the initiating peer is bigger than the set of the
+ receiving peer, the initiating peer sends a _Request Full_ message,
+ and transitions from *Expecting SE* to the *Full Receiving* state.
+ If the set of the initiating peer is smaller, it sends all set
+ elements to the other peer followed by the _Full Done_ message, and
+ transitions into the *Full Sending* state.
+
+ Link to statemachine diagram
+ (https://git.gnunet.org/lsd0003.git/plain/statemaschine/
+ full_state_maschine.jpg)
+
+ *The behavior of the participants the different state is described
+ below:*
+
+ *Expecting IBF:* If a peer in the *Expecting IBF* state receives a
+ _Request Full_ message from the other peer, the peer sends all the
+ elements of its set followed by a _Full Done_ message to the other
+ peer, and transitions to the *Full Sending* state. If the peer
+ receives an _Full Element_ message, it processes the element and
+ transitions to the *Full Receiving* state.
+
+ *Full Sending:* While a peer is in *Full Sending* state the peer
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 19]
+�
+Internet-Draft Set Union March 2021
+
+
+ expects to continuously receive elements from the other peer. As
+ soon as a the _Full Done_ message is received, the peer
+ transitions into the *Finished* state.
+
+ *Full Receiving (In code: Expecting IBF):* While a peer is in the
+ *Full Receiving* state, it expects to continuously receive
+ elements from the other peer. As soon as a the _Full Done_
+ message is received, it sends the remaining elements (those it did
+ not receive) from its set to the other peer, followed by a _Full
+ Done_. After sending the last message, the peer transitions into
+ the *Finished* state.
+
+5.2. Delta Synchronisation Mode
+
+ When the initiating peer in the *Expected SE* state decides to use
+ the delta synchronisation mode, it sends a _IBF_ to the receiving
+ peer and transitions into the *Passive Decoding* state.
+
+ The receiving peer in the *Expecting IBF* state receives the _IBF_
+ message from the initiating peer and transitions into the *Expecting
+ IBF Last* state when there are multiple _IBF_ messages to sent, when
+ there is just a single _IBF_ message the reviving peer transitions
+ directly to the *Active Decoding* state.
+
+ The peer that is in the *Active Decoding*, *Finish Closing* or in the
+ *Expecting IBF Last* state is called the active peer and the peer
+ that is in either the *Passive Decoding* or the *Finish Waiting*
+ state is called the passive peer.
+
+ Link to statemachine diagram
+ (https://git.gnunet.org/lsd0003.git/plain/statemaschine/
+ full_state_maschine.jpg)
+
+ *The behavior of the participants the different states is described
+ below:*
+
+ *Passive Decoding:* In the *Passive Decoding* state the passive peer
+ reacts to requests from the active peer. The action the passive
+ peer executes depends on the message the passive peer receives in
+ the *Passive Decoding* state from the active peer and is described
+ below on a per message basis.
+
+ _Inquiry_ message: The _Inquiry_ message is received if the
+ active peer requests the SHA-512 hash of one or more elements
+ (by sending the 64 bit element ID) that are missing from the
+ active peer's set. In this case the passive peer answers with
+ _Offer_ messages which contain the SHA-512 hash of the
+ requested element. If the passive peer does not have an
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 20]
+�
+Internet-Draft Set Union March 2021
+
+
+ element with a matching element ID, it MUST ignore the inquiry.
+ If multiple elements match the 64 bit element ID, the passive
+ peer MUST send offers for all of the matching elements.
+
+ _Demand_ message: The _Demand_ message is received if the active
+ peer requests a complete element that is missing in the active
+ peers set. If the requested element is valid the passive peer
+ answers with an _Elements_ message which contains the full,
+ application-dependent data of the requested element. If the
+ passive peer receives a demand for a SHA-512 hash for which it
+ has no element, a protocol violation is detected and the
+ protocol MUST be aborted. Implementations MAY strengthen this
+ and forbid demands without previous matching offers.
+
+ _Offer_ message: The _Offer_ message is received if the active
+ peer has decoded an element that is present in the active peers
+ set and may be missing in the set of the passive peer. If the
+ SHA-512 hash of the offer is indeed not a hash of any of the
+ elements from the set of the passive peer, the passive peer
+ MUST answer with a _Demand_ message for that SHA-512 hash and
+ remember that it issued this demand. The send demand need to
+ be added to a list with unsatisfied demands.
+
+ _Elements_ message: When a new element message has been received
+ the peer checks if a corresponding _Demand_ for the element has
+ been sent and the demand is still unsatisfied. If the element
+ has been demanded the peer checks the element for validity,
+ removed it from the list of pending demands and then then saves
+ the element to the the set otherwise the peer rejects the
+ element.
+
+ _IBF_ message: If an _IBF_ message is received, this indicates
+ that decoding of the IBF on the active site has failed and
+ roles should be swapped. The receiving passive peer
+ transitions into the *Expecting IBF Last* state, and waits for
+ more _IBF_ messages or the final _IBF_ message to be received.
+
+ _IBF_ message: If an _IBF_ message is received this indicates
+ that the there is just one IBF slice and a direct state and
+ role transition from *Passive Decoding* to *Active Decoding* is
+ initiated.
+
+ _Done_ message: Receiving the _Done_ message signals the passive
+ peer that all demands of the active peer have been satisfied.
+ Alas, the active peer will continue to process demands from the
+ passive peer. Upon receiving this message, the passive peer
+ transitions into the *Finish Waiting* state.
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 21]
+�
+Internet-Draft Set Union March 2021
+
+
+ *Active Decoding:* In the *Active Decoding* state the active peer
+ decodes the IBFs and evaluates the set difference between the
+ active and passive peer. Whenever an element ID is obtained by
+ decoding the IBF, the active peer sends either an offer or an
+ inquiry to the passive peer, depending on which site the decoded
+ element is missing.
+
+ If the IBF decodes a positive (1) pure bucket, the element is
+ missing on the passive peers site. Thus the active peer sends an
+ _Offer_ to the passive peer. A negative (-1) pure bucket
+ indicates that a element is missing in the active peers set, so
+ the active peer sends a _Inquiry_ to the passive peer.
+
+ In case the IBF does not successfully decode anymore, the active
+ peer sends a new IBF to the passive client and changes into
+ *Passive Decoding* state. This initiates a role swap. To reduce
+ overhead and prevent double transmission of offers and elements
+ the new IBF is created on the new complete set after all demands
+ and inquiries have been satisfied.
+
+ As soon as the active peer successfully finished decoding the IBF,
+ the active peer sends a _Done_ message to the passive peer.
+
+ All other actions taken by the active peer depend on the message
+ the active peer receives from the passive peer. The actions are
+ described below on a per message basis:
+
+ _Offer_ message: The _Offer_ message indicates that the passive
+ peer received a _Inquiry_ message from the active peer. If a
+ Inquiry has been sent and the offered element is missing in the
+ active peers set, the active peer sends a _Demand_ message to
+ the passive peer. The send demand need to be added to a list
+ with unsatisfied demands. In the case the received offer is
+ for an element that is already in the set of the peer the offer
+ is ignored.
+
+ _Demand_ message: The _Demand_ message indicates that the passive
+ peer received a _Offer_ from the active peer. The active peer
+ satisfies the demand of the passive peer by sending _Elements_
+ message if a offer request for the element has been sent. In
+ the case the demanded element does not exist in the set there
+ was probably a bucket decoded that was not really pure so
+ potentially all _Offer_ and _Demand_ messages sent after are
+ invalid in this case a role change active -> passive with a new
+ IBF is easiest. If a demand for the same element is received
+ multiple times the demands should be discarded.
+
+ _Elements_ message: A element that is received is marked in the
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 22]
+�
+Internet-Draft Set Union March 2021
+
+
+ list of demanded elements as satisfied, validated and saved and
+ not further action is taken. Elements that are not demanded or
+ already known are discarded.
+
+ _Done_ message: Receiving the message _Done_ indicates that all
+ demands of the passive peer have been satisfied. The active
+ peer then changes into the state *Finish Closing* state. If
+ the IBF is not finished decoding and the _Done_ is received the
+ other peer is not in compliance with the protocol and the set
+ reconciliation MUST be aborted.
+
+ *Expecing IBF Last* In the *Expecing IBF Last* state the active peer
+ continuously receives _IBF_ messages from the passive peer. When
+ the last _IBF_ message is received the active peer changes into
+ *Active Decoding* state.
+
+ *Finish Closing* / *Finish Waiting* In this states the peers are
+ waiting for all demands to be satisfied and for the
+ synchronisation to be completed. When all demands are satisfied
+ the peer changes into state *Finished*.
+
+5.3. Combined Mode
+
+ In the combined mode the Full Synchronisation Mode and the Delta
+ Synchronisation Mode are combined to minimize resource consumption.
+
+ The Delta Synchronisation Mode is only efficient on small set
+ differences or if the byte-size of the elements is large. Is the set
+ difference is estimated to be large the Full Synchronisation Mode is
+ more efficient. The exact heuristics and parameters on which the
+ protocol decides which mode should be used are described in the
+ Performance Considerations section of this document.
+
+ There are two main cases when a Full Synchronisation Mode is always
+ used. The first case is when one of the peers announces having an
+ empty set. This is announced by setting the SETSIZE field in the
+ _Strata Estimator_ to 0. The second case is if the application
+ requested full synchronization explicitly. This is useful for
+ testing and should not be used in production.
+
+6. Messages
+
+6.1. Operation Request
+
+
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 23]
+�
+Internet-Draft Set Union March 2021
+
+
+6.1.1. Description
+
+ This message is the first message of the protocol and it is sent to
+ signal to the receiving peer that the initiating peer wants to
+ initialize a new connection.
+
+ This message is sent in the transition between the *Initiating
+ Connection* state and the *Expect SE* state.
+
+ If a peer receives this message and is willing to run the protocol,
+ it answers by sending back a _Strata Estimator_ message. Otherwise
+ it simply closes the connection.
+
+6.1.2. Structure
+
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | MSG SIZE | MSG TYPE | ELEMENT COUNT |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | APX
+ +-----+-----+-----+-----+-----+-----+-----+-----+
/
+ / /
+ / /
+
+ Figure 20
+
+ where:
+
+ MSG SIZE is 16-bit unsigned integer in network byte order witch
+ describes the message size in bytes and the header is included.
+
+ MSG TYPE the type of SETU_P2P_OPERATION_REQUEST as registered in
+ GANA Considerations, in network byte order.
+
+ ELEMENT COUNT is the number of the elements the requesting party has
+ in its set, as a 32-bit unsigned integer in network byte order.
+
+ APX is a SHA-512 hash that identifies the application.
+
+6.2. IBF
+
+6.2.1. Description
+
+ The IBF message contains a slice of the IBF.
+
+ The _IBF_ message is sent at the start of the protocol from the
+ initiating peer in the transaction between *Expect SE* -> *Expecting
+ IBF Last* or when the IBF does not decode and there is a role change
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 24]
+�
+Internet-Draft Set Union March 2021
+
+
+ in the transition between *Active Decoding* -> *Expecting IBF Last*.
+ This message is only sent if there are more than one IBF slice to
+ sent, in the case there is just one slice the IBF message is sent.
+
+6.2.2. Structure
+
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | MSG SIZE | MSG TYPE |ORDER| PAD |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | OFFSET | SALT |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | IBF-SLICE
+ + /
+ / /
+ / /
+
+ Figure 21
+
+ where:
+
+ MSG SIZE is 16-bit unsigned integer in network byte order witch
+ describes the message size in bytes and the header is included.
+
+ MSG TYPE the type of SETU_P2P_REQUEST_IBF as registered in GANA
+ Considerations in network byte order.
+
+ ORDER is a 8-bit unsigned integer which signals the order of the
+ IBF. The order of the IBF is defined as the logarithm of the
+ number of buckets of the IBF.
+
+ PAD is 24-bit always set to zero
+
+ OFFSET is a 32-bit unsigned integer which signals the offset to the
+ following ibf slices in the original.
+
+ SALT is a 32-bit unsigned integer that contains the salt which was
+ used to create the IBF.
+
+ IBF-SLICE are variable count of slices in an array. A single slice
+ contains out multiple 64-bit IDSUMS, 32-bit HASHSUMS and 8-bit
+ COUNTERS. In the network order the array of IDSUMS is first,
+ followed by an array of HASHSUMS and ended with an array of
+ COUNTERS. Length of the array is defined by MIN( 2^ORDER -
+ OFFSET, MAX_BUCKETS_PER_MESSAGE). MAX_BUCKETS_PER_MESSAGE is
+ defined as 32768 divided by the BUCKET_SIZE which is 13-byte
+ (104-bit).
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 25]
+�
+Internet-Draft Set Union March 2021
+
+
+ To get the IDSUM field, all IDs who hit a bucket are added up with
+ a binary XOR operation. See ID Calculation for details about ID
+ generation.
+
+ The calculation of the HASHSUM field is done accordingly to the
+ calculation of the IDSUM field: all HASHes are added up with a
+ binary XOR operation. The HASH value is calculated as described
+ in detail in section HASH calculation.
+
+ The algorithm to find the correct bucket in which the ID and the
+ HASH have to be added is described in detail in section Mapping
+ Function.
+
+ IBF-SLICE
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | IDSUMS |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | IDSUMS |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | HASHSUMS | HASHSUMS |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | COUNTERS | COUNTERS |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ / /
+ / /
+
+ Figure 22
+
+6.3. IBF
+
+6.3.1. Description
+
+ This message indicates to the remote peer that all slices of the
+ bloom filter have been sent. The binary structure is exactly the
+ same as the Structure of the message IBF with a different "MSG TYPE"
+ which is defined in GANA Considerations "SETU_P2P_IBF_LAST".
+
+ Receiving this message initiates the state transmissions *Expecting
+ IBF Last* -> *Active Decoding*, *Expecting IBF* -> *Active Decoding*
+ and *Passive Decoding* -> *Active Decoding*. This message can
+ initiate a peer the roll change from *Active Decoding* to *Passive
+ Decoding*.
+
+6.4. Elements
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 26]
+�
+Internet-Draft Set Union March 2021
+
+
+6.4.1. Description
+
+ The Element message contains an element that is synchronized in the
+ Delta Synchronisation Mode and transmits a full element between the
+ peers.
+
+ This message is sent in the state *Active Decoding* and *Passive
+ Decoding* as answer to a _Demand_ message from the remote peer. The
+ Element message can also be received in the *Finish Closing* or
+ *Finish Waiting* state after receiving a _Done_ message from the
+ remote peer, in this case the client changes to the *Finished* state
+ as soon as all demands for elements have been satisfied.
+
+ This message is exclusively sent in the Delta Synchronisation Mode.
+
+6.4.2. Structure
+
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | MSG SIZE | MSG TYPE | E TYPE | PADDING |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | E SIZE | AE TYPE | DATA
+ +-----+-----+-----+-----+ /
+ / /
+ / /
+
+ Figure 23
+
+ where:
+
+ MSG SIZE is 16-bit unsigned integer in network byte order witch
+ describes the message size in bytes and the header is included.
+
+ MSG TYPE the type of SETU_P2P_ELEMENTS as registered in GANA
+ Considerations in network byte order.
+
+ E TYPE element type is a 16-bit unsigned integer witch defines the
+ element type for the application.
+
+ PADDING is 16-bit always set to zero
+
+ E SIZE element size is 16-bit unsigned integer that signals the size
+ of the elements data part.
+
+ AE TYPE application specific element type is a 16-bit unsigned
+ integer that is needed to identify the type of element that is in
+ the data field
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 27]
+�
+Internet-Draft Set Union March 2021
+
+
+ DATA is a field with variable length that contains the data of the
+ element.
+
+6.5. Offer
+
+6.5.1. Description
+
+ The offer message is an answer to an _Inquiry_ message and transmits
+ the full hash of an element that has been requested by the other
+ peer. This full hash enables the other peer to check if the element
+ is really missing in its set and eventually sends a _Demand_ message
+ for that a element.
+
+ The offer is sent and received only in the *Active Decoding* and in
+ the *Passive Decoding* state.
+
+ This message is exclusively sent in the Delta Synchronisation Mode.
+
+6.5.2. Structure
+
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | MSG SIZE | MSG TYPE | HASH
+ +-----+-----+-----+-----+
+ / /
+ / /
+
+ Figure 24
+
+ where:
+
+ MSG SIZE is 16-bit unsigned integer in network byte order witch
+ describes the message size in bytes and the header is included.
+
+ MSG TYPE the type of SETU_P2P_OFFER as registered in GANA
+ Considerations in network byte order.
+
+ HASH is a SHA 512-bit hash of the element that is requested with a
+ inquiry message.
+
+6.6. Inquiry
+
+6.6.1. Description
+
+ The Inquiry message is exclusively sent by the active peer in *Active
+ Decoding* state to request the full hash of an element that is
+ missing in the active peers set. This is normally answered by the
+ passive peer with _Offer_ message.
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 28]
+�
+Internet-Draft Set Union March 2021
+
+
+ This message is exclusively sent in the Delta Synchronisation Mode.
+
+ NOTE: HERE IS AN IMPLEMENTATION BUG UNNECESSARY 32-BIT PADDING!
+
+6.6.2. Structure
+
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | MSG SIZE | MSG TYPE | SALT |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | IBF KEY |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+
+ Figure 25
+
+ where:
+
+ MSG SIZE is 16-bit unsigned integer in network byte order witch
+ describes the message size in bytes and the header is included.
+
+ MSG TYPE the type of SETU_P2P_INQUIRY as registered in GANA
+ Considerations in network byte order.
+
+ IBF KEY is a 64-bit unsigned integer that contains the key for which
+ the inquiry is sent.
+
+6.7. Demand
+
+6.7.1. Description
+
+ The demand message is sent in the *Active Decoding* and in the
+ *Passive Decoding* state. It is a answer to a received _Offer_
+ message and is sent if the element described in the _Offer_ message
+ is missing in the peers set. In the normal workflow the answer to
+ the demand message is an _Elements_ message.
+
+ This message is exclusively sent in the Delta Synchronisation Mode.
+
+6.7.2. Structure
+
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | MSG SIZE | MSG TYPE | HASH
+ +-----+-----+-----+-----+
+ / /
+ / /
+
+ Figure 26
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 29]
+�
+Internet-Draft Set Union March 2021
+
+
+ where:
+
+ MSG SIZE is 16-bit unsigned integer in network byte order witch
+ describes the message size in bytes and the header is included.
+
+ MSG TYPE the type of SETU_P2P_DEMAND as registered in GANA
+ Considerations in network byte order.
+
+ HASH is a 512-bit Hash of the element that is demanded.
+
+6.8. Done
+
+6.8.1. Description
+
+ The done message is sent when all _Demand_ messages have been
+ successfully satisfied and the set is complete synchronized. A final
+ checksum (XOR SHA-512 hash) over all elements of the set is added to
+ the message to allow the other peer to make sure that the sets are
+ equal.
+
+ This message is exclusively sent in the Delta Synchronisation Mode.
+
+6.8.2. Structure
+
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | MSG SIZE | MSG TYPE | HASH
+ +-----+-----+-----+-----+
+ / /
+ / /
+
+ Figure 27
+
+ where:
+
+ MSG SIZE is 16-bit unsigned integer in network byte order witch
+ describes the message size in bytes and the header is included.
+
+ MSG TYPE the type of SETU_P2P_DONE as registered in GANA
+ Considerations in network byte order.
+
+ HASH is a 512-bit hash of the set to allow a final equality check.
+
+6.9. Full Done
+
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 30]
+�
+Internet-Draft Set Union March 2021
+
+
+6.9.1. Description
+
+ The full done message is sent in the Full Synchronisation Mode to
+ signal that all remaining elements of the set have been sent. The
+ message is received and sent in in the *Full Sending* and in the
+ *Full Receiving* state. When the full done message is received in
+ *Full Sending* state the peer changes directly into *Finished* state.
+ In *Full Receiving* state receiving a full done message initiates the
+ sending of the remaining elements that are missing in the set of the
+ other peer.
+
+6.9.2. Structure
+
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | MSG SIZE | MSG TYPE | HASH
+ +-----+-----+-----+-----+
+ / /
+ / /
+
+ Figure 28
+
+ where:
+
+ MSG SIZE is 16-bit unsigned integer in network byte order witch
+ describes the message size in bytes and the header is included.
+
+ MSG TYPE the type of SETU_P2P_FULL_DONE as registered in GANA
+ Considerations in network byte order.
+
+ HASH is a 512-bit hash of the set to allow a final equality check.
+
+6.10. Request Full
+
+6.10.1. Description
+
+ The request full message is sent by the initiating peer in *Expect
+ SE* state to the receiving peer if the operation mode "Full
+ Synchronisation Mode" is determined as the better Mode of operation
+ and the set size of the initiating peer is smaller than the set size
+ of the receiving peer. The initiating peer changes after sending the
+ request full message into *Full Receiving* state.
+
+ The receiving peer receives the Request Full message in the
+ *Expecting IBF*, afterwards the receiving peer starts sending its
+ complete set in Full Element messages to the initiating peer.
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 31]
+�
+Internet-Draft Set Union March 2021
+
+
+6.10.2. Structure
+
+ 0 8 16 24 32
+ +-----+-----+-----+-----+
+ | MSG SIZE | MSG TYPE |
+ +-----+-----+-----+-----+
+
+ Figure 29
+
+ where:
+
+ MSG SIZE is 16-bit unsigned integer in network byte order witch
+ describes the message size in bytes and the header is included.
+
+ MSG TYPE the type of SETU_P2P_REQUEST_FULL as registered in GANA
+ Considerations in network byte order.
+
+6.11. Strata Estimator
+
+6.11.1. Description
+
+ The strata estimator is sent by the receiving peer at the start of
+ the protocol right after the Operation Request message has been
+ received.
+
+ The strata estimator is used to estimate the difference between the
+ two sets as described in section 4.
+
+ When the initiating peer receives the strata estimator the peer
+ decides which Mode of operation to use for the synchronization.
+ Depending on the size of the set difference and the Mode of operation
+ the initiating peer changes into *Full Sending*, *Full Receiving* or
+ *Passive Decoding* state.
+
+6.11.2. Structure
+
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | MSG SIZE | MSG TYPE | SETSIZE
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ SETSIZE | SE-SLICES
+ +-----+-----+-----+-----+
+ / /
+ / /
+
+ Figure 30
+
+ where:
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 32]
+�
+Internet-Draft Set Union March 2021
+
+
+ MSG SIZE is 16-bit unsigned integer in network byte order witch
+ describes the message size in bytes and the header is included.
+
+ MSG TYPE the type of SETU_P2P_SE as registered in GANA
+ Considerations in network byte order.
+
+ SETSIZE is a 64-bit unsigned integer that is defined by the size of
+ the set the SE is
+
+ SE-SLICES is variable in size and contains the same structure as the
+ IBF-SLICES field in the IBF message.
+
+6.12. Strata Estimator Compressed
+
+6.12.1. Description
+
+ The Strata estimator can be compressed with gzip to improve
+ performance. For details see section Performance Considerations.
+
+ Since the content of the message is the same as the uncompressed
+ Strata Estimator, the details aren't repeated here for details see
+ section 6.11.
+
+6.13. Full Element
+
+6.13.1. Description
+
+ The full element message is the equivalent of the Elements message in
+ the Full Synchronisation Mode. It contains a complete element that
+ is missing in the set of the peer that receives this message.
+
+ The full element message is exclusively sent in the transitions
+ *Expecting IBF* -> *Full Receiving* and *Full Receiving* ->
+ *Finished*. The message is only received in the *Full Sending* and
+ *Full Receiving* state.
+
+ After the last full element messages has been sent the Full Done
+ message is sent to conclude the full synchronisation of the element
+ sending peer.
+
+6.13.2. Structure
+
+
+
+
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 33]
+�
+Internet-Draft Set Union March 2021
+
+
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | MSG SIZE | MSG TYPE | E TYPE | PADDING |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | SIZE | AE TYPE | DATA
+ +-----+-----+-----+-----+
+ / /
+ / /
+
+ Figure 31
+
+ where:
+
+ MSG SIZE is 16-bit unsigned integer in network byte order witch
+ describes the message size in bytes and the header is included.
+
+ MSG TYPE the type of SETU_P2P_REQUEST_FULL_ELEMENT as registered in
+ GANA Considerations in network byte order.
+
+ E TYPE element type is a 16-bit unsigned integer witch defines the
+ element type for the application.
+
+ PADDING is 16-bit always set to zero
+
+ E SIZE element size is 16-bit unsigned integer that signals the size
+ of the elements data part.
+
+ AE TYPE application specific element type is a 16-bit unsigned
+ integer that is needed to identify the type of element that is in
+ the data field
+
+ DATA is a field with variable length that contains the data of the
+ element.
+
+7. Performance Considerations
+
+7.1. Formulas
+
+7.1.1. Operation Mode
+
+ The decision which mode of operations is used is described by the
+ following code:
+
+
+
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 34]
+�
+Internet-Draft Set Union March 2021
+
+
+ The function takes as input the initial the local setsize, the remote
+ setsize, the by the strata estimator calculated difference, a static
+ boolean that enforces full synchronisation mode of operation and the
+ bandwith/roundtrips tradeoff. As output the function returns "FULL"
+ if the full synchronisation mode should be used and "DIFFERENTIAL" if
+ the differential mode should be used.
+
+ # INPUTS:
+ # initial_local_setsize: The initial local setsize
+ # remote_setsize: The remote setsize
+ # set_diff: the set difference calculated by the strata estimator
+ # force_full: boolean to enforce FULL
+ # ba_rtt_tradeoff: the tradeoff between round trips and bandwidth defined
by the use case
+ # OUTPUTS:
+ # returns: the decision (FULL or DIFFERENTIAL)
+
+ FUNCTION decide_operation_mode(initial_local_setsize, remote_setsize,
set_diff, force_full, ba_rtt_tradeoff)
+ IF set_diff > 200
+ set_diff = set_diff * 3 / 2
+ ENDIF
+ IF force_full || ( set_diff > initial_local_setsize / 4 ) ||
remote_setsize = 0
+ return "FULL"
+ ENDIF
+ return "DIFFERENTIAL"
+
+
+ Figure 32
+
+7.1.2. Full Synchronisation: Decision witch peer sends elements first
+
+ The following function determinate which peer starts sending its full
+ set in full synchronisation mode of operation.
+
+ The function takes as input the initial local setsize (set size of
+ the first iteration) and the remote setsize and returns as output the
+ decision "REMOTE" or "LOCAL" to determinate if the remote or the
+ local peer starts sending the full set.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 35]
+�
+Internet-Draft Set Union March 2021
+
+
+ # INPUTS:
+ # initial_local_setsize: The initial local setsize
+ # remote_setsize: The remote setsize
+ # OUTPUTS:
+ # returns: the decision (LOCAL or REMOTE)
+
+ FUNCTION decide_full_sending(initial_local_size, remote_setsize)
+ IF ( initial_local_size <= remote_setsize ) || ( remote_setsize = 0 )
+ return LOCAL
+ ELIF
+ return REMOTE
+
+
+ Figure 33
+
+7.1.3. IBF Parameters
+
+ The following function calculate the required parameter to create an
+ optimal sized IBF. These parameter are the number of buckets and the
+ number of buckets a single element is mapped to.
+
+ The function takes as input the setsize and returns a array with two
+ numbers the total number of buckets and the number of buckets a
+ single element is mapped to.
+
+ FUNCTION (setsize):
+ number_of_bucket_per_element = 4
+ total_number_of_buckets = setsize
+ return [ total_number_of_buckets, number_of_bucket_per_element ]
+
+
+ Figure 34
+
+8. Security Considerations
+
+ The security considerations in this document focus mainly on the
+ security goal of availability, the primary goal of the protocol is
+ prevent an attacker from wasting cpu and network resources of the
+ attacked peer.
+
+ To prevent denial of service attacks its vital to check that peers
+ can only reconcile a set once in a pre defined time span. This is a
+ predefined values and need to be adapted on per use basis. To
+ enhance reliability and to allow failures in the protocol its
+ possible to introduce a threshold for max failed reconciliation ties.
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 36]
+�
+Internet-Draft Set Union March 2021
+
+
+ The formal format of all messages needs to be properly validated,
+ this is important to prevent many attacks on the code. The
+ application data should be validated by the application using the
+ protocol not by the implementation of the protocol. In case the
+ format validation fails the set operation MUST be terminated.
+
+ To prevent an attacker from sending a peer into a endless loop
+ between active and passive decoding a limitation for active/passive
+ roll switches in required. This can be implemented by a simple
+ counter which terminates the operation after a predefined count of
+ switches. The count of switches needs to be defined as such that its
+ very undroppable that more switches are required an the malicious
+ intend of the other peer can be assumed.
+
+ Its important to close and purge connections after a given timeout to
+ prevent draining attacks.
+
+8.1. Generic functions
+
+ Some functions are used in most of the messages described in the
+ State section.
+
+8.1.1. Duplicated or Missing Message detection
+
+ Most of the messages received need to be checked that they are not
+ received multiple times this is solved with a global store (message)
+ and the following code
+
+ # Initially creates message store
+ FUNCTION createStore()
+ store = {}
+ return store
+
+ # Returns adds a message to the store
+ FUNCTION addMessageToStore(store, message)
+ key = hash(sha512, message)
+ IF store.get(key) != NULL
+ return FALSE
+ store.set(key) = 1
+ return TRUE
+
+ # Returns the count of message received
+ FUNCTION getNumberOfMessage(store)
+ return store.size()
+
+ Figure 35
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 37]
+�
+Internet-Draft Set Union March 2021
+
+
+8.1.2. Store Remote Peers Element Number
+
+ To prevent an other peer from requesting the same set multiple times
+ its important to memorize the number of elements a peer had in
+ previous reconciliation sessions.
+
+ FUNCTION number_elements_last_sync(client_id)
+ IF number_store.get(clientID)
+ return number_store.get(client_id)
+ ENDIF
+ return 0
+
+ FUNCTION saveNumberOfElementsLastSync(client_id, remote_setsize)
+ number_store.update(clientID, remote_setsize)
+
+ Figure 36
+
+8.2. States
+
+ In this section the security considerations for each valid message in
+ all states is described, if any other message is received the peer
+ MUST terminate the operation.
+
+8.2.1. Expecting IBF
+
+ Security considerations for received messages:
+
+ Request Full It needs to be checked that the full synchronisation is
+ plausible according to the formula deciding which operation mode
+ is applicable this is achieved by calculating the upper and lower
+ boundaries of the number of elements in the other peers set. The
+ lower boundary of number of elements can be easily memorized as
+ result from the last synchronisation and the upper boundary can be
+ estimated with prior knowledge of the maximal plausible increase
+ of element since the last reconciliation and the maximal plausible
+ number of elements.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 38]
+�
+Internet-Draft Set Union March 2021
+
+
+ # INPUTS:
+ # client_id: The initial local setsize
+ # remote_setsize: The remote setsize
+ # local_setsize: The local setsize
+ # initial_local_size: The initial local setsize
+ # set_diff: the set difference calculated by the strata estimator
+ # OUTPUTS:
+ # returns: the decision
+
+ FUNCTION validate_messages_request_full(client_id, remote_setsize,
local_setsize, initial_local_size, set_diff)
+
+ last_setsize = getNumberOfElementsLastSync(clientId)
+ IF remote_setsize > last_setsize
+ return FALSE
+ ENDIF
+
+ # Update number of elements in store
+ saveNumberOfElementsLastSync(client_id, remote_setsize)
+
+ # Check for max plausible set size as defined on use case basis (can
be infinite)
+ plausible_setsize = getMaxPlausibleSetSize()
+ IF remote_setsize > plausible_setsize
+ return FALSE
+ ENDIF
+
+ # Check for correct operation mode operation_mode function is
described in performance section
+ IF decide_operation_mode(initial_local_size, remote_setsize,
set_diff) != "FULL"
+ return FALSE
+ ENDIF
+
+ # Check that the other peer is honest and we should send our set
+ IF decide_full_sending(local_size, initial_remote_setsize ) !=
"LOCAL"
+ return FALSE
+ ENDIF
+
+ return TRUE
+
+ Figure 37
+
+ IBF Its important do define a threshold to limit the maximal number
+ of IBFs that are expected from the other peer. This maximal
+ plausible size can be calculated with the known inputs: number of
+ elements in my set and the pre defined applications upper limit as
+ described in the performance section. That the other peer chooses
+ the correct mode of operation MUST be checked as described in the
+ section above.
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 39]
+�
+Internet-Draft Set Union March 2021
+
+
+ FUNCTION validate_messages_ibf(remote_setsize, local_setsize,
initial_local_size, set_diff, ibf_msg)
+ IF is_undefined(number_buckets_left)
+ number_buckets_left = get_bucket_number(remote_setsize,
local_setsize, initial_local_size, set_diff, ibf_msg)
+ ENDIF
+ number_buckets_left --
+ IF number_buckets_left < 0
+ return FALSE
+ return TRUE
+
+
+ # Security check executed when first ibf message is received
+ FUNCTION get_bucket_number(remote_setsize, local_setsize,
initial_local_size, set_diff, ibf_msg)
+
+ # Check for max plausible set size as defined on use case basis (can
be infinite)
+ max_plausible_setsize = getMaxPlausibleSetSize()
+ IF remote_setsize > max_plausible_setsize
+ return 0
+ ENDIF
+
+ # Check for correct operation mode operation_mode function is
described in performance section
+ IF decide_operation_mode(initial_local_size, remote_setsize,
set_diff) != "DIFFERENTIAL"
+ return 0
+ ENDIF
+
+ ibf_params = calculate_optimal_IBF_params(local_setsize)
+ total_number_of_buckets = ibf_params[0]
+ number_of_bucket_per_element = ibf_params[0]
+ IF ( 2^(ibf.order) != total_number_of_buckets ) ||
+ (ibf.number_of_bucket_per_element !=
number_of_bucket_per_element)
+ return 0
+
+ return total_number_of_buckets
+
+ Figure 38
+
+ Full Element If a full element is received the set of the other peer
+ is smaller than the set of the peer in the *Expecting IBF* state
+ and the set difference is smaller than threshold for full
+ synchronisation as described in the performance section. This can
+ be verified by calculating the plausible upper and lower
+ boundaries of the number of elements in the other peers set as
+ described in the first section.
+
+
+
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 40]
+�
+Internet-Draft Set Union March 2021
+
+
+ FUNCTION validate_messages_full_element(client_id, remote_setsize,
local_setsize, initial_local_size, set_diff, message)
+
+ # On first run create store and make initial checks
+ IF is_undefined(store)
+ full_element_msg_store = createStore()
+ IF ! validate_messages_full_element_init(client_id,
remote_setsize, local_setsize, initial_local_size, set_diff)
+ return FALSE
+ ENDIF
+
+ # Prevent duplication of received message
+ IF ! addMessageToStore(full_element_msg_store, message)
+ return FALSE
+ ENDIF
+
+ # Prevent to receive more elements than the remote peer has
+ number_received_messages = getNumberOfMessage(full_element_msg_store)
+ IF ( number_received_messages > remote_setsize )
+ return FALSE
+
+ return TRUE
+
+
+ # INPUTS:
+ # client_id: The initial local setsize
+ # remote_setsize: The remote setsize
+ # local_setsize: The local setsize
+ # initial_local_size: The initial local setsize
+ # set_diff: the set difference calculated by the strata estimator
+ # OUTPUTS:
+ # returns: the decision
+
+ FUNCTION validate_messages_full_element_init(client_id, remote_setsize,
local_setsize, initial_local_size, set_diff)
+
+ last_setsize = getNumberOfElementsLastSync(clientId)
+ IF remote_setsize < last_setsize
+ return FALSE
+ ENDIF
+
+ # Update number of elements in store
+ saveNumberOfElementsLastSync(client_id, remote_setsize)
+
+ # Check for max plausible set size as defined on use case basis (can
be infinite)
+ plausible_setsize = getMaxPlausibleSetSize()
+ IF remote_setsize > plausible_setsize
+ return FALSE
+ ENDIF
+
+ # Check for correct operation mode operation_mode function is
described in performance section
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 41]
+�
+Internet-Draft Set Union March 2021
+
+
+ IF decide_operation_mode(initial_local_size, remote_setsize,
set_diff) != "FULL"
+ return FALSE
+ ENDIF
+
+ # Check that the other peer is honest and he should send us his set
+ IF decide_full_sending(local_size, initial_remote_setsize ) !=
"REMOTE"
+ return FALSE
+ ENDIF
+
+ return TRUE
+
+
+ Figure 39
+
+8.2.2. Full Sending
+
+ Security considerations for received messages:
+
+ Full Element When receiving full elements there needs to be checked
+ that every element is a valid element, no element is resized more
+ than once and not more or less elements are received as the other
+ peer has committed to in the beginning of the operation. Detail
+ pseudocode implementation can be found in Expecting IBF
+
+ Full Done When receiving the full done message its important to
+ check that not less elements are received as the other peer has
+ committed to send. The 512-bit hash of the complete reconciled
+ set contained in the full done message is required to ensures that
+ both sets are truly identical. If the sets differ a
+ resynchronisation is required. The count of possible
+ resynchronisation MUST be limited to prevent resource exhaustion
+ attacks.
+
+ FUNCTION validate_messages_full_done(full_done_message,
full_element_msg_store, remote_setsize, local_set)
+
+ # Check that correct number of elements has been received
+ number_received_messages = getNumberOfMessage(full_element_msg_store)
+ IF ( number_received_messages != remote_setsize )
+ return FALSE
+ IF local_set.getFullHash() != full_done_message.fullSetHash
+ return FALSE
+ return TRUE
+
+
+ Figure 40
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 42]
+�
+Internet-Draft Set Union March 2021
+
+
+8.2.3. Expecting IBF Last
+
+ Security considerations for received messages:
+
+ IBF When receiving multiple IBFs its important to check that the
+ other peer can only send as many IBFs as expected. The number of
+ expected IBFs can be calculated with the knowledge of the set
+ difference as described in the performance section.
+
+ Use pseudocode of the function "validate_messages_ibf" as
+ described in Expecting IBF section.
+
+8.2.4. Active Decoding
+
+ In the Active Decoding state its important to prevent an attacker
+ from generating and passing unlimited amount of IBF that do not
+ decode or even worse generate an IBF that is constructed to sends the
+ peers in an endless loop. To prevent an endless loop in decoding a
+ loop detection should be implemented the simplest solution would be
+ to prevent decoding of more than a given amount of elements, a more
+ robust solution is to implement a algorithm that detects a loop by
+ analyzing past partially decoded IBFs to detect cycles. This can be
+ archived by saving the hash of all prior partly decoded IBFs hashes
+ in a hashmap and check for every inserted hash if it is already in
+ the hashmap.
+
+ If the IBF decodes more or less elements than are plausible the
+ operation MUST be terminated. The upper and lower threshold for the
+ decoded elements can be calculated with the peers set size and the
+ other peer committed set sizes from the *Expecting IBF* State.
+
+ Security considerations for received messages:
+
+ Offer If an offer for an element that never has been requested by an
+ inquiry or if an offer is received twice the operation MUST be
+ terminated. This requirement can be fulfilled by saving lists
+ that keeps track of the state of all send inquiries and offers.
+ When answering offers these lists MUST be checked.
+
+ (Artwork only available as : No external link available, see
+ draft-schanzen-gns-01.html for artwork.)
+
+ Figure 41
+
+ Elements If an element that never has been requested by a demand or
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 43]
+�
+Internet-Draft Set Union March 2021
+
+
+ is received double the operation MUST be terminated. This
+ requirement can be fulfilled by a simple table that keeps track of
+ the state of all send demands. If an invalid element is received
+ the operation has failed and the MUST be terminated.
+
+ Demand For every received demand a offer has to be send in advance.
+ If an demand for an element is received that never has been
+ offered or the offer already has been answered with a demand the
+ operation MUST be terminated. Its required to implement a list
+ which keeps track of the state of all send offers and received
+ demands.
+
+ Done The done message is only received if the IBF has been finished
+ decoding and all offers have been sent. If the done message is
+ received before the decoding of the IBF is finished or all open
+ offers and demands have been answered the operation MUST be
+ terminated. The 512-bit hash of the complete reconciled set
+ contained in the done message is required to ensures that both
+ sets are truly identical. If the sets differ a resynchronisation
+ is required. The count of possible resynchronisation MUST be
+ limited to prevent resource exhaustion attacks.
+
+8.2.5. Finish Closing
+
+ In case not all sent demands or inquiries have ben answered in time a
+ pre defined timeout the operation has failed and MUST be terminated.
+
+ Security considerations for received messages:
+
+ Elements Checked as described in section Active Decoding.
+
+8.2.6. Finished
+
+ In this state the connection is terminated, so no security
+ considerations are needed.
+
+8.2.7. Expect SE
+
+ Security considerations for received messages:
+
+ Strata Estimator In case the Strata Estimator does not decode the
+
+
+
+
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 44]
+�
+Internet-Draft Set Union March 2021
+
+
+ operation MUST be terminated to prevent to get to a unresolvable
+ state. The set difference calculated from the strata estimator
+ needs to be plausible, to ensure this multiple factors need to be
+ considered: The absolute plausible maximum of elements in a set
+ which has to be predefined according to the use case and the
+ maximal plausible element increase since the last successful set
+ reconciliation which should be either predefined or can be
+ calculated with the gaussian distribution function over all passed
+ set reconciliations.
+
+ In case of compressed strata estimators the decompression
+ algorithm has to be protected against decompression memory
+ corruption (memory overflow).
+
+8.2.8. Full Receiving
+
+ Security considerations for received messages:
+
+ Full Element The peer in *Full Receiving* state needs to check that
+ exactly the number of elements is received from the remote peer as
+ he initially committed too. If the remote peer transmits less or
+ more elements the operation MUST be terminated.
+
+ Full Done When the full done message is received from the remote
+ peer all elements that the remote peer has committed to needs to
+ be received otherwise the operation MUST be terminated. After
+ receiving the full done message no future elements should be
+ accepted. The 512-bit hash of the complete reconciled set
+ contained in the full done message is required to ensures that
+ both sets are truly identical. If the sets differ a
+ resynchronisation is required. The count of possible
+ resynchronisation MUST be limited to prevent resource exhaustion
+ attacks.
+
+8.2.9. Passive Decoding
+
+ Security considerations for received messages:
+
+ IBF In case an IBF message is received by the peer a active/passive
+ role switch is initiated by the active decoding remote peer. In
+ this instance the peer should wait for all open offers and demands
+ to be fulfilled to prevent retransmission before switching into
+ active decoding operation mode. A switch into active decoding
+ mode should only be permitted for a predefined number of times as
+ described in the top section of the security section.
+
+ Inquiry A check needs to be in place that prevents receiving a
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 45]
+�
+Internet-Draft Set Union March 2021
+
+
+ inquiry for an element multiple times or more inquiries than are
+ plausible. The amount of inquiries that is plausible can be
+ estimated by considering known values as the remote set size, the
+ local set size, the predefined absolute maximum of elements in the
+ set which is defined by real world limitations. To implement this
+ restrictions a list with all received inquiries should be stored
+ and new inquiries should be checked against.
+
+ Demand Same action as described for demand message in section Active
+ Decoding.
+
+ Offer Same action as described for offer message in section Active
+ Decoding.
+
+ Done Same action as described for done message in section Active
+ Decoding.
+
+ Elements Same action as described for element message in section
+ Active Decoding.
+
+8.2.10. Finish Waiting
+
+ In case not all sent demands or inquiries have ben answered in time
+ the operation has failed and MUST be terminated.
+
+ Security considerations for received messages:
+
+ Elements Checked as described in section Active Decoding.
+
+9. GANA Considerations
+
+ GANA is requested to amend the "GNUnet Message Type" registry as
+ follows:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 46]
+�
+Internet-Draft Set Union March 2021
+
+
+ Type | Name | References | Description
+
--------+----------------------------+------------+--------------------------
+ 559 | SETU_P2P_REQUEST_FULL | [This.I-D] | Request the full set of
the other peer
+ 560 | SETU_P2P_DEMAND | [This.I-D] | Demand the whole
element from the other peer, given only the hash code.
+ 561 | SETU_P2P_INQUIRY | [This.I-D] | Tell the other peer to
send us a list of hashes that match an IBF key.
+ 562 | SETU_P2P_OFFER | [This.I-D] | Tell the other peer
which hashes match a given IBF key.
+ 563 | SETU_P2P_OPERATION_REQUEST | [This.I-D] | Request a set union
operation from a remote peer.
+ 564 | SETU_P2P_SE | [This.I-D] | Strata Estimator
uncompressed
+ 565 | SETU_P2P_IBF | [This.I-D] | Invertible Bloom Filter
Slice.
+ 566 | SETU_P2P_ELEMENTS | [This.I-D] | Actual set elements.
+ 567 | SETU_P2P_IBF_LAST | [This.I-D] | Invertible Bloom Filter
Last Slice.
+ 568 | SETU_P2P_DONE | [This.I-D] | Set operation is done.
+ 569 | SETU_P2P_SEC | [This.I-D] | Strata Estimator
compressed
+ 570 | SETU_P2P_FULL_DONE | [This.I-D] | All elements in full
synchronization mode have been send is done.
+ 571 | SETU_P2P_FULL_ELEMENT | [This.I-D] | Send an actual element
in full synchronization mode.
+
+
+ Figure 42
+
+10. Contributors
+
+ The original GNUnet implementation of the Byzantine Fault Tolerant
+ Set Reconciliation protocol has mainly been written by Florian Dold
+ and Christian Grothoff.
+
+11. Normative References
+
+ [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
+ Key Derivation Function (HKDF)", RFC 5869,
+ DOI 10.17487/RFC5869, May 2010,
+ <https://www.rfc-editor.org/info/rfc5869>.
+
+ [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
+ <https://www.rfc-editor.org/info/rfc1034>.
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
+ November 1987, <https://www.rfc-editor.org/info/rfc1035>.
+
+ [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
+ specifying the location of services (DNS SRV)", RFC 2782,
+ DOI 10.17487/RFC2782, February 2000,
+ <https://www.rfc-editor.org/info/rfc2782>.
+
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 47]
+�
+Internet-Draft Set Union March 2021
+
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <https://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
+ 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
+ 2003, <https://www.rfc-editor.org/info/rfc3629>.
+
+ [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES)
+ Counter Mode With IPsec Encapsulating Security Payload
+ (ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004,
+ <https://www.rfc-editor.org/info/rfc3686>.
+
+ [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
+ Advanced Encryption Standard (AES) Cipher Algorithm in the
+ SNMP User-based Security Model", RFC 3826,
+ DOI 10.17487/RFC3826, June 2004,
+ <https://www.rfc-editor.org/info/rfc3826>.
+
+ [RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912,
+ DOI 10.17487/RFC3912, September 2004,
+ <https://www.rfc-editor.org/info/rfc3912>.
+
+ [RFC5890] Klensin, J., "Internationalized Domain Names for
+ Applications (IDNA): Definitions and Document Framework",
+ RFC 5890, DOI 10.17487/RFC5890, August 2010,
+ <https://www.rfc-editor.org/info/rfc5890>.
+
+ [RFC5891] Klensin, J., "Internationalized Domain Names in
+ Applications (IDNA): Protocol", RFC 5891,
+ DOI 10.17487/RFC5891, August 2010,
+ <https://www.rfc-editor.org/info/rfc5891>.
+
+ [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
+ Operational Practices, Version 2", RFC 6781,
+ DOI 10.17487/RFC6781, December 2012,
+ <https://www.rfc-editor.org/info/rfc6781>.
+
+ [RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA
+ Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,
+ April 2013, <https://www.rfc-editor.org/info/rfc6895>.
+
+ [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature
+ Algorithm (DSA) and Elliptic Curve Digital Signature
+ Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August
+ 2013, <https://www.rfc-editor.org/info/rfc6979>.
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 48]
+�
+Internet-Draft Set Union March 2021
+
+
+ [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
+ for Security", RFC 7748, DOI 10.17487/RFC7748, January
+ 2016, <https://www.rfc-editor.org/info/rfc7748>.
+
+ [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
+ Signature Algorithm (EdDSA)", RFC 8032,
+ DOI 10.17487/RFC8032, January 2017,
+ <https://www.rfc-editor.org/info/rfc8032>.
+
+ [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
+ Writing an IANA Considerations Section in RFCs", BCP 26,
+ RFC 8126, DOI 10.17487/RFC8126, June 2017,
+ <https://www.rfc-editor.org/info/rfc8126>.
+
+ [GANA] GNUnet e.V., "GNUnet Assigned Numbers Authority (GANA)",
+ April 2020, <https://gana.gnunet.org/>.
+
+ [CryptographicallySecureVoting]
+ Dold, F., "Cryptographically Secure, DistributedElectronic
+ Voting",
+ <https://git.gnunet.org/bibliography.git/plain/docs/
+ ba_dold_voting_24aug2014.pdf>.
+
+ [GNUNET] Wachs, M., Schanzenbach, M., and C. Grothoff, "A
+ Censorship-Resistant, Privacy-Enhancing andFully
+ Decentralized Name System",
+ <https://git.gnunet.org/bibliography.git/plain/docs/
+ gns2014wachs.pdf>.
+
+ [Eppstein] Eppstein, D., Goodrich, M., Uyeda, F., and G. Varghese,
+ "What's the Difference? Efficient Set Reconciliation
+ without Prior Context",
+ <https://doi.org/10.1145/2018436.2018462>.
+
+ [GNS] Wachs, M., Schanzenbach, M., and C. Grothoff, "A
+ Censorship-Resistant, Privacy-Enhancing and Fully
+ Decentralized Name System", 2014,
+ <https://doi.org/10.1007/978-3-319-12280-9_9>.
+
+ [R5N] Evans, N. S. and C. Grothoff, "R5N: Randomized recursive
+ routing for restricted-route networks", 2011,
+ <https://doi.org/10.1109/ICNSS.2011.6060022>.
+
+ [Argon2] Biryukov, A., Dinu, D., Khovratovich, D., and S.
+ Josefsson, "The memory-hard Argon2 password hash and
+ proof-of-work function", March 2020,
+ <https://datatracker.ietf.org/doc/draft-irtf-cfrg-
+ argon2/>.
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 49]
+�
+Internet-Draft Set Union March 2021
+
+
+ [MODES] Dworkin, M., "Recommendation for Block Cipher Modes of
+ Operation: Methods and Techniques", December 2001,
+ <https://doi.org/10.6028/NIST.SP.800-38A>.
+
+ [ed25519] Bernstein, D., Duif, N., Lange, T., Schwabe, P., and B.
+ Yang, "High-Speed High-Security Signatures", 2011,
+ <http://link.springer.com/
+ chapter/10.1007/978-3-642-23951-9_9>.
+
+Appendix A. Test Vectors
+
+A.1. Map Function
+
+ INPUTS:
+
+ key: 0xFFFFFFFFFFFFFFFF (64-bit) number_of_buckets_per_element: 3
+ ibf_size: 300
+
+ OUTPUT:
+
+ ["222","32","10"]
+
+A.2. ID Calculation Function
+
+ INPUTS:
+
+ element: 0xadadadadadadadad ibf_salt 0x3F (6-bit)
+
+ OUTPUT:
+
+ 0xFFFFFFFFFFFFFFFF
+
+Authors' Addresses
+
+ Elias Summermatter
+ Seccom GmbH
+ Brunnmattstrasse 44
+ CH-3007 Bern
+ Switzerland
+
+ Email: elias.summermatter@seccom.ch
+
+
+
+
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 50]
+�
+Internet-Draft Set Union March 2021
+
+
+ Christian Grothoff
+ Berner Fachhochschule
+ Hoeheweg 80
+ CH-2501 Biel/Bienne
+ Switzerland
+
+ Email: grothoff@gnunet.org
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Summermatter & Grothoff Expires 16 September 2021 [Page 51]
diff --git a/draft-summermatter-set-union.xml b/draft-summermatter-set-union.xml
index 8ed3591..d286e32 100644
--- a/draft-summermatter-set-union.xml
+++ b/draft-summermatter-set-union.xml
@@ -1243,8 +1243,9 @@ FUNCTION get_bucket_id (key,
number_of_buckets_per_element, ibf_size)
<t>
are variable numbers of slices in an array. A
single slice contains multiple 64-bit IDSUMS,
32-bit HASHSUMS and 1-64bit COUNTERS of
variable size. In the network order the array of IDSUMS is first, followed
- by an array of HASHSUMS and ended with an
array of COUNTERS. Length of the array is defined
- by MIN( SIZE - OFFSET,
MAX_BUCKETS_PER_MESSAGE). MAX_BUCKETS_PER_MESSAGE is defined as
+ by an array of HASHSUMS and ended with an
array of COUNTERS (details are described in section
+ <xref
target="performance_counter_variable_size" format="default"/>). Length of the
array is
+ defined by MIN( SIZE - OFFSET,
MAX_BUCKETS_PER_MESSAGE). MAX_BUCKETS_PER_MESSAGE is defined as
32768 divided by the BUCKET_SIZE which is
13-byte (104-bit).
</t>
diff --git a/statemaschine/differential_state_machine
b/statemaschine/differential_state_machine
new file mode 100644
index 0000000..9b4e16d
--- /dev/null
+++ b/statemaschine/differential_state_machine
@@ -0,0 +1 @@
+<mxfile host="app.diagrams.net" modified="2021-06-09T07:04:52.109Z" agent="5.0
(X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77
Safari/537.36" etag="EjBRg3J6DuL3UCMJqSll" version="14.7.6"
type="device"><diagram id="C5RBs43oDa-KdzZeNtuy"
name="Page-1">7V1bk6O4Ff41rtqkyhRCSILHvs3sJJ1ktno3s/vIGNomsY0H07f59SsuAkvINuCDW06mX9rIILB0zqfv3MQE36xeP6bBZvGPJIyWE8cOXyf4duI4jk0d/i9veStbEMKobJmncVi1NQ0P8feoarSr1qc4jLbSiVmSLLN4IzfOkvU6mmVSW5CmyYt82mOylO+6CeZRq+FhFizbrV/iMFt
[...]
\ No newline at end of file
diff --git a/statemaschine/differential_state_machine.png
b/statemaschine/differential_state_machine.png
new file mode 100644
index 0000000..29f5ee3
Binary files /dev/null and b/statemaschine/differential_state_machine.png differ
diff --git a/statemaschine/differential_state_machine.svg
b/statemaschine/differential_state_machine.svg
new file mode 100644
index 0000000..284ca1d
--- /dev/null
+++ b/statemaschine/differential_state_machine.svg
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd";>
+<svg xmlns="http://www.w3.org/2000/svg";
xmlns:xlink="http://www.w3.org/1999/xlink"; version="1.1" width="974px"
height="781px" viewBox="-0.5 -0.5 974 781" content="<mxfile
host="app.diagrams.net" modified="2021-06-09T07:05:12.668Z"
agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/91.0.4472.77 Safari/537.36" etag="z64y_82akE6YHg7AOlcM"
version="14.7.6" type="device"><diagram
id="C5RBs43oDa [...]
\ No newline at end of file
diff --git a/statemaschine/full_state_maschine.png
b/statemaschine/full_state_machine.png
similarity index 100%
rename from statemaschine/full_state_maschine.png
rename to statemaschine/full_state_machine.png
diff --git a/statemaschine/full_state_maschine.svg
b/statemaschine/full_state_machine.svg
similarity index 100%
rename from statemaschine/full_state_maschine.svg
rename to statemaschine/full_state_machine.svg
diff --git a/statemaschine/full_state_maschine.xml
b/statemaschine/full_state_machine.xml
similarity index 100%
rename from statemaschine/full_state_maschine.xml
rename to statemaschine/full_state_machine.xml
diff --git a/statemaschine/state_machine_full b/statemaschine/state_machine_full
new file mode 100644
index 0000000..dd6b21a
--- /dev/null
+++ b/statemaschine/state_machine_full
@@ -0,0 +1 @@
+<mxfile host="app.diagrams.net" modified="2021-06-09T06:52:44.377Z" agent="5.0
(X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77
Safari/537.36" etag="pelenmTsAhDcsqPl0I7k" version="14.7.6"
type="device"><diagram id="C5RBs43oDa-KdzZeNtuy"
name="Page-1">5Vtdc6M2FP01nml3Jow+kIDHfDjbbbftdtM27SMxis0WIy/gJM6vrwAJI4RdAjhLpvuy6CKu4d6jo3MlZYYv10/vE3+z+pkHLJohEDzN8NUMIQQoEv/lll1pgZB6pWWZhIG07Q034TOTRiCt2zBgqdYx4zzKwo1uXPA4ZotMs/lJwh/1bvc80n914y+ZYbhZ+JFpvQ2DbCWtlNj7Gz+
[...]
\ No newline at end of file
diff --git a/statemaschine/state_machine_full.png
b/statemaschine/state_machine_full.png
new file mode 100644
index 0000000..395a21c
Binary files /dev/null and b/statemaschine/state_machine_full.png differ
diff --git a/statemaschine/state_machine_full.svg
b/statemaschine/state_machine_full.svg
new file mode 100644
index 0000000..f3d4b43
--- /dev/null
+++ b/statemaschine/state_machine_full.svg
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd";>
+<svg xmlns="http://www.w3.org/2000/svg";
xmlns:xlink="http://www.w3.org/1999/xlink"; version="1.1" width="752px"
height="531px" viewBox="-0.5 -0.5 752 531" content="<mxfile
host="app.diagrams.net" modified="2021-06-09T06:55:05.725Z"
agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/91.0.4472.77 Safari/537.36" etag="Ho4LXeUk9jqtwfKfm4ic"
version="14.7.6" type="device"><diagram
id="C5RBs43oDa [...]
\ No newline at end of file
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.
- [lsd0003] branch master updated (645fdcc -> 97a7e6f),
gnunet <=