š
Original date posted:2016-05-24
š Original message:On Wed, 18 May 2016 10:00:44 +0200
Jonas Schnelli via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org>
wrote:
> Hi Lee
>
> Thank you very much for the valuable input.
> I'm still processing your feedback....
[...]
> > Why have a fixed MAC length? I think the MAC length should be
> > inferred from the cipher + authentication mode. And the Poly1305
> > tag is 16 bytes.
> >
> > *Unauthenticated Buffering*
> > Implementations are unlikely to (i.e. should not) process the
> > payload until authentication succeeds. Since the length field is 4
> > bytes, this means an implementation may have to buffer up to 4 GiB
> > of data _per connection_ before it can authenticate the length
> > field. If the outter length field were reduced to 2 or 3 bytes, the
> > unauthenticated buffering requirements drop to 64 KiB and 16 MiB
> > respectively. Inner messages already have their own length, so they
> > can span multiple encrypted blocks without other changes. This will
> > increase the bandwidth requirements when the size of a single
> > message exceeds 64 KiB or 16 MiB, since it will require multiple
> > authentication tags for that message. I think an additional 16
> > bytes per 16 MiB seems like a good tradeoff.
> >
>
> Good point.
> I have mentioned this now in the BIP but I think the BIP should allow
> message > 16 MiB.
> I leave the max. message length up to the implementation while keeping
> the 4 byte length on the protocol level.
I expect the implementation defined max size to work (SSH 2.0 does this
after all), but I want to make sure my suggestion is understood
completely.
There is a length field for the encrypted data, and length field(s)
inside of the encrypted data to indicate the length of the plaintext
Bitcoin messages. I am suggesting that the outter (encrypted) length
field be reduced, which will _not limit_ the length of Bitcoin
messages. For example, if a 1 GiB Bitcoin message needed to be sent
and the encrypted length field was 3 bytes - the sender is forced to
send a minimum of 64 MACs for this message. The tradeoff is allowing
the receiver to detect malformed data sooner and have a lower max
buffering window **against** slightly higher bandwidth and CPU
requirements due to the additional headers+MACs (the CPU requirements
should primarily be in "finalizing each Poly1305").
An alternative way to think about the suggestion is tunnelling Bitcoin
messages over TLS or SSH. TLS 1.2 has a 2-byte length field and SSH 2.0
a 4-byte length field, but neither prevents larger Bitcoin messages from
being tunnelled; the lengths are independent.
[...]
>
> </jonas>
>
Lee
Lee Clagett [ARCHIVE] /
npub1z2ā¦g5e2u
2023-06-07 17:50:52
in reply to nevent1qā¦pq0c
Author Public Key
npub1z24hg2p3n4uca0h5ct2yq2c66hcfaxx3n8xd86hcrs3tqrgywk2s8g5e2uSeen on
wss://relay.nostr.bandPublished at
2023-06-07 17:50:52Event JSON
{
"id": "f0dc8e7a2ba0c8a0c1ebe5288413d3d78c0358656be0108a573d5d112b3d569c",
"pubkey": "12ab7428319d798ebef4c2d4402b1ad5f09e98d199ccd3eaf81c22b00d047595",
"created_at": 1686160252,
"kind": 1,
"tags": [
[
"e",
"b7b4eb8e71de20724dc74af92bee6341a6515c95d0632469b54bc01b5c66f360",
"",
"root"
],
[
"e",
"5a25bc6b2427f3c1d4b843f0a806aa62786af3255f696870dd4d48f1aeb80981",
"",
"reply"
],
[
"p",
"9a463e0fab8963b013698c15a0f2449d19c97f3b88458e5874095b5006df9a0c"
]
],
"content": "š
Original date posted:2016-05-24\nš Original message:On Wed, 18 May 2016 10:00:44 +0200\nJonas Schnelli via bitcoin-dev \u003cbitcoin-dev at lists.linuxfoundation.org\u003e\nwrote:\n\n\u003e Hi Lee\n\u003e \n\u003e Thank you very much for the valuable input.\n\u003e I'm still processing your feedback....\n\n[...]\n\n\u003e \u003e Why have a fixed MAC length? I think the MAC length should be\n\u003e \u003e inferred from the cipher + authentication mode. And the Poly1305\n\u003e \u003e tag is 16 bytes.\n\u003e \u003e \n\u003e \u003e *Unauthenticated Buffering*\n\u003e \u003e Implementations are unlikely to (i.e. should not) process the\n\u003e \u003e payload until authentication succeeds. Since the length field is 4\n\u003e \u003e bytes, this means an implementation may have to buffer up to 4 GiB\n\u003e \u003e of data _per connection_ before it can authenticate the length\n\u003e \u003e field. If the outter length field were reduced to 2 or 3 bytes, the\n\u003e \u003e unauthenticated buffering requirements drop to 64 KiB and 16 MiB\n\u003e \u003e respectively. Inner messages already have their own length, so they\n\u003e \u003e can span multiple encrypted blocks without other changes. This will\n\u003e \u003e increase the bandwidth requirements when the size of a single\n\u003e \u003e message exceeds 64 KiB or 16 MiB, since it will require multiple\n\u003e \u003e authentication tags for that message. I think an additional 16\n\u003e \u003e bytes per 16 MiB seems like a good tradeoff.\n\u003e \u003e \n\u003e \n\u003e Good point.\n\u003e I have mentioned this now in the BIP but I think the BIP should allow\n\u003e message \u003e 16 MiB.\n\u003e I leave the max. message length up to the implementation while keeping\n\u003e the 4 byte length on the protocol level.\n\nI expect the implementation defined max size to work (SSH 2.0 does this\nafter all), but I want to make sure my suggestion is understood\ncompletely.\n\nThere is a length field for the encrypted data, and length field(s)\ninside of the encrypted data to indicate the length of the plaintext\nBitcoin messages. I am suggesting that the outter (encrypted) length\nfield be reduced, which will _not limit_ the length of Bitcoin\nmessages. For example, if a 1 GiB Bitcoin message needed to be sent\nand the encrypted length field was 3 bytes - the sender is forced to\nsend a minimum of 64 MACs for this message. The tradeoff is allowing\nthe receiver to detect malformed data sooner and have a lower max\nbuffering window **against** slightly higher bandwidth and CPU\nrequirements due to the additional headers+MACs (the CPU requirements\nshould primarily be in \"finalizing each Poly1305\").\n\nAn alternative way to think about the suggestion is tunnelling Bitcoin\nmessages over TLS or SSH. TLS 1.2 has a 2-byte length field and SSH 2.0\na 4-byte length field, but neither prevents larger Bitcoin messages from\nbeing tunnelled; the lengths are independent.\n\n[...]\n\n\u003e \n\u003e \u003c/jonas\u003e\n\u003e \n\nLee",
"sig": "f64f8938d16500d99f93b74f79d07f17e272bc5320b0d8f55030b20fa6791d739842b2db1a697aa6afd29618bbe8b28014f705c928d35dadc5b73a8fb6c6ca53"
}