Read Access and Confidentiality

Before we go into further details, we introduce some compact terminology around the data we want to keep confidential (NamespaceIds, SubspaceIds, and Paths), starting by giving such triplets a name:

Let p1 and p2 be PrivateInterests.

We say p1 is more specific than p2 if

• p1.namespace_id == p2.namespace_id, and
• p2.subspace_id == any or p1.subspace_id == p2.subspace_id, and
• p1.path is an extension of p2.subspace_id.

We say that p1 is strictly more specific than p2 if p1 is more specific than p2 and they are not equal.

We say that p1 is less specific than p2 if p2 is more specific than p1.

We say that p1 and p2 are comparable if p1 is more specific than p2or p2 is more specific than p1.

We say that p1 includes an Entry e if

• p1.namespace_id == e.namespace_id, and
• p1.subspace_id == any or p1.subspace_id == e.subspace_id, and
• p1.path is a prefix of e.path.

We say that p1 and p2 are disjoint there can be no Entry which is included in both p1 and p2.

We say that p1 and p2 are awkward if they are neither comparable nor disjoint. This is the case if and only if one of them has subspace_id any and a path p, and the other has a non-any subspace_id and a path which is a strict prefix of p.

We say that p1 includes an Area a if

• p1.subspace_id == any or p1.subspace_id == a.subspace_id, and
• p1.path is a prefix of a.path.

If p1 has a subspace_id that is not any, then we call the PrivateInterest that is equal to p1 except its subspace_id is any the relaxation of p1.

Peers want to find the non-empty intersections of their AreasOfInterest. We reduce this to first finding their non-disjoint PrivateInterests, and assume that TimeRanges and AreaOfInterest limitsCombining confidential PrivateInterest information with limits and TimeRanges in the clear might allow malicious peers to track correlations. We choose to err on the side of caution here. will be taken into consideration in a separate, later stage. The challenge then becomes to find overlapping PrivateInterests by comparing only small numbers of salted hashes. We assume there is a secure hash function h that maps pairs of salts (bytestrings) and PrivateInterests to bytestrings of some fixed width.

Explaining in advance how this solution came about is a bit difficult. So we are simply going to define it, and then argue that it is correct, without any real explanation. If that leaves you unhappy, you can at least take comfort in the fact that you did not have to come up with the solution yourself.For reasons that will become apparent later (spoiler: awkward PrivateInterests deserve their name), the peers exchange pairs of a salted hash and a boolean each, according to the following rules:

• For each PrivateInterest p with a subspace_id of any,
  • the initiator transmits the pair (h(ini_salt, p), true), and
  • the responderHere and below, responder and initiator send the same pairs, except they salt differently. transmits the pair (h(res_salt, p), true).
• For each PrivateInterest p with a subspace_id that is not any, let p_relaxed denote the relaxation of p. Then each peer transmits two pairs:
  • the initiator transmits the pair (h(ini_salt, p), true) and the pair (h(ini_salt, p_relaxed), false), and
  • the responder transmits the pair (h(res_salt, p), true) and the pair (h(res_salt, p_relaxed), false).
• Peers that wish to hide how many of their PrivateInterests have a subspace_id of any can further send a pair of a random hash and the boolean false for each of their PrivateInterests with a subspace_id of any.

The boolean, in other words, is true if the hash corresponds to a PrivateInterest that the sending peer is actually interested in, and false if the hash corresponds merely to a relaxation that must be sent for technical reasons.

Each peer locally computes some further pairs of salted hashes and booleans: the computations follow the same rules as for sending, except that

• the initiator now salts with res_salt and the responder now salts with ini_salt, and
• whenever a peer computes the pair for a PrivateInterest, it also computes the pairs for the PrivateInterests obtained by replacing the path of the original PrivateInterest with any of its prefixes (for example, if I am interested in Path blogrecipies in some namespace and subspace, then I also compute the hashes for blog and the empty Path for the same namespace and subspace).

Whenever a peer receives a hash-boolean pair, it compares it against its locally computed pairs. If it locally computed a pair with the same hash, and at least one of the two pairs has a boolean value of true, then the peer knows that there is an overlap between its own PrivateInterest that resulted in the matching pair and some PrivateInterest of the other peer. For each of its PrivateInterests that did not give rise to any matching pair, the peer knows it to be disjoint from all PrivateInterests of the other peer.

Examples and proof sketches

The following examples show which data the peers compute and exchange in various situations. We assume the NamespaceId to always be equal for both peers (all involved hashes will trivially be distinct for PrivateInterests of distinct namespace_ids) and omit them.

If you replace the concrete examples with the equivalence classes that they represent, you obtain a proof sketch for the correctness of this approach.The examples cover the nine different (up to symmetry) combinations of how subspace_ids and paths can related to each other (equal, non-equal, or any for subspace_ids, prefix, extension, or unrelated for paths). Note that in all examples, both peers also locally compute hashes for PrivateInterests with the empty Path. For brevity we do not depict those, since in these examples they never match any transmitted hashes.

---

---

---

---

---

---

---

---

---

---

---

The previous scheme ensures that whenever two PrivateInterests submitted by different peers are not disjoint, one peer becomes aware of that fact. The next step is to let the peers exchange their corresponding read capabilities. This requires some care, however, since no information must be leaked if the other peer merely knew or guessed a PrivateInterest but does not have a read capability that certifies that the peer may learn information about corresponding Areas.

An example: Muriarty submits a PrivateInterest with path a, and Alfie detects an overlap with his PrivateInterest of path a (and the same namespace_ids and subspace_id). But Muriarty does not actually have a read capability for and Area with the path a. If Alfie simply transmitted his read capability first, then Muriarty would learn that b is a meaningful Path suffix in an Area in which he should not be able to learn anything.

In general, whenever there is an overlap in the two peer’s PrivateInterests, one of three situations occurs:

1. One of the PrivateInterests is strictly more specific than the other. The peer who has the more specific PrivateInterest is the one to detect the overlap. This peer sends an overlap announcement message to the other peer to announce the overlap, the other peer then sends its read capabilities which certify read access to Areas included in the less specific PrivateInterest.
   • There is one exception to this case: when the two PrivateInterests have equal namespace_ids and paths but one has a subspace_id of any whereas the other has a concrete subspace_id, then both peers will detect the overlap. In this special case, the peer with the subspace_id of any should not announce an overlap, and the peer with the concrete subspace_id simply sends its read capability immediately.
2. Both PrivateInterests are equal. Both peers are able to detect this — the matching hashes correspond to a PrivateInterest with a path in which they are themselves directly interested in. Both peers can and should immediately send their read capabilities.
3. The two PrivateInterests are awkward. We discuss this case later and ignore it for now.

Upon receiving an overlap announcement, a peer sends its read capabilities whose granted areas are included in the PrivateInterests in question. Upon receiving such a read capability, a peer answers with its own intersecting read capabilities (if it hadn’t sent them for other reasons already).

The scheme of replying with sensitive information to overlap announcements is obviously broken if peers can simply claim an overlap for arbitrary hashes. But we can prevent this by mandating that every overlap announcement contains an announcement authentication in the form of the hash of the corresponding PrivateInterest salted with the announcer’s salt. So when the initiator announces an overlap, that overlap announcement must contain the hash salted with ini_salt, and overlap announcements by the responder must contain the hash salted with res_salt. These salted hashes can only be produced by somebody who actually knows the PrivateInterest in question.

Naively transmitting read capabilities would allow an active eavesdropper to learn the information in the capabilities. Hence, the transmission of the capabilities must omit all sensitive information. This is possible because the two peers a have a shared context — the less specific of the non-disjoint PrivateInterests — whose information can be omitted from the capability encoding. We provide a suitable encoding44Our encoding also includes the well-known receiver in the shared context, in the form of a PersonalPrivateInterest. This is simply an optimisation to shave off a few more bytes, not a critical security feature. Things work out quite nicely here: omitting the shared information not only secures confidentiality, but also means transmitting fewer bytes. for Meadowcap capabilities, users of different capability systems need to define their own encodings.

Note that peers need to store a potentially unbounded number of hash-boolean pairs that they receive, but they do not have an unbounded amount of memory. In Confidential Sync, we employ LCMUX and the notion of resource handles to deal with this problem. When resource limits are communicated and enforced, how should peers select which PrivateInterests they submit?

Imagine two peers, with the exact same 400 PrivateInterests, but they can each submit only 20 into the private overlap detection process due to resource limits. If they each selected 20 of their interests at random, they would likely part ways thinking they don't share any common interests. If they both sorted their PrivateInterests (say, lexicographically according to some agreed-upon encoding) and transmitted the first 20 ones, then observers might be able to reconstruct some information about their interests.

As a solution, both peers should send the PrivateInterests whose hashes, salted with ini_salt, are their numerically least hashes. This way, the sorting order is an independent, random permutation in each session, yet peers with large overlaps in their PrivateInterests are likely to detect that overlap.

The exchange of read capabilities that we have described so far works for pairs of PrivateInterests where one is more specific than the other. This is not the case for awkward pairs, however. The peer who detects the overlap cannot send its own read capability for the same reason as in all other cases: the Path is an extension of the Path that the other peer knows about, so it must not be transmitted blindly. But the other peer cannot send its read capability either, because it contains a SubspaceId that must not be disclosed blindly.

To resolve this standoff, we allow the peer who detected the overlap to prove that it is allowed to learn about arbitrary SubspaceIds that are in use in some namespace, without leaking any specific Paths. To this end, we introduce a separate kind of capability: the enumeration capability.

An enumeration capability is an unforgeable token with two types of semantics:

• each enumeration capability must have a single receiver (a public key of some signature scheme),
• it must have a single granted namespace (a NamespaceId).

Whenever some entity is granted a read capability, it should also55This is not necessary if the read capability is of a form that makes it impossible to be part of an awkward pair. be granted an enumeration capability with the same receiver. When, during sync, a peer detects an awkward pair, it attaches to its overlap announcement its enumeration capability for the namespace in question, using an encoding that omits all sensitive information66We provide a Meadowcap-like capability type at the end of this document, and a suitable, confidentiality-preserving encoding here. (i.e., typically, the NamespaceId of the granted namespace). The other peer replies to the overlap announcement only if the receiver matches the ini_pk or the res_pk (depending on role) and the granted namespace matches the namespace_id of the PrivateInterest.

Since the announcer does not know the subspace_id of the other peer’s PrivateInterest in this case, the announcer cannot provide the correctly salted hash of the other’s PrivateInterest as a announcement authentication. For awkward pairs, the announcement authentication is thus the salted hash over the PrivateInterest that was submitted by the other peer, except its subspace_id is replaced with any.

We consider two primary scenarios:

• Alfie and Muriarty sync, and Muriarty tries to glean as much information from/about Alfie as possible.
• Alfie and Betty sync without knowing any long-term secrets of each other, and Epson attacks the session and tries to glean as much information from/about Alfie and Betty.

Note that Epson can simulate a Muriarty, or they could even be the same person. Epson is only interesting for cases where Alfie syncs with somebody who has more knowledge than Epson, so we do not consider the cases where Muriarty and Epson collaborate.

If Alfie and Betty know longterm public keys, they can exclude an active attacker during the handshake. If only one of them knows a longterm secret of the other, Epson is less powerful than in the setting where neither knows a longterm secret of the other; hence we only analyze the prior scenario.

We now list the information we wish to keep confidential. We group it in four levels, based on which kind of peer or attacker is allowed to glean which information.

We consider fingerprinting, tracking, and deanonymisation based on information from L3 to be out of scope of this document.

We now describe which kind of information can be learned by which kind of attacker. A rough summary:

• With a valid read capability, you can access all corresponding information (L0 and below). This is a feature.
• If you know or guess a PrivateInterest without holding a corresponding read capability, you can access information at L1 and below.
• An active eavesdropper can access everything at L2 without holding a corresponding read capability.

Consequently, NamespaceIds, SubspaceIds, and Paths that cannot be guessed are never leaked by using Confidential Sync. Conversely, attackers can confirm their guesses about PrivateInterests to some degree. Hence, it is important to keep NamespaceIds, SubspaceIds, and Paths unguessable by introducing sufficient entropy.

Syncing with Muriarty

Syncing Attacked By Epson