path: root/doc/serverless.mdwn

idea, unfinished and unreviewed

Storage:

* Input password and name from user. The name is a combination of their
  own name and a more obscure name (such as the name of their high-school
  sweetheart).
* Generate N by argon2(name), tuned to take 10 minutes.
* Generate list I by sha256 of N+1,2,3.. , hashes truncated to 10 bytes.
* Generate P, a byte chosen at random.
* Generate K by argon2(password+name, salt=P), tuned to take 0.195 (50/256)
  minutes.
* Generate padding to obscure the length of the data. For example,
  pad all keys to be as long as a rsa4096 gpg secret key as exported by
  paperkey (2724 bytes), to prevent targeting types of keys by size.
* AES encrypt (length + checksum + data + padding) with K as the key,
  generating D.
* Split D into 70 byte chunks, call this list C.
* Generate 36 item list T of 80 byte values
  (size of bitcoin's `OP_RETURN`), by concating I[x] with D[x].
* Generate 36 bitcoin transactions storing list T in `OP_RETURN`
* Store the transactions in bitcoin blockchain.

Retrieval:

* Input password and name from user.
* Generate N by argon2(name) (takes 10 minutes)
* Generate list I by sha256 of N+1,2,3.. , hashes truncated to 10 bytes.
* Begin retrieving transactions from bitcoin blockchain, looking for ones
  with `OP_RETURN` starting with values from I. Extract the 70 byte
  chunks from the `OP_RETURN`, generating ordered list C.
* At the same time, generate K by argon2(password+name, salt=p), guessing
  values for P until the right one is found (takes 25 minutes on average)
* Once K and C are available, decrypt (concat C) with K and verify
  checksum.

Password guessing:

Password guessing cost is unchanged from original keysafe. Eg, 25 CPU-years
for a super-weak 19 entropy password.

Before password guessing can begin, the keysafe transactions for a key
need to be found in the blockchain.

The attacker can assume that transactions from around the same time are
grouped together. But, the attacker needs to order the transactions
correctly to recover D. If they get the order wrong, their password
cracking will never succeed. With 36 transactions, and 36 factorial possible
combinations, guessing the right order is infeasible. So, grouping
transactions does not benefit an attacker. The attacker needs to guess the
name and generate I to find the right ordering.

Each guess of a name takes 10 minutes CPU work. This is the same attack
cost as guessing names to download shares from keysafe servers, and a
name that attackers are unlikely to guess prevents this attack, and so
prevents password cracking from starting.

(keysafe servers also impose a proof of work when lots of requests for
shares are being made, which adds to the cost. That PoW is capped at 8
minutes per request. This new design doesn't have that so is somewhat weaker.
To get equal strength as original keysafe, could increase the
work needed to guess a name to 18 minutes?)

Storage servers:

A storage server can be sent the bitcoin transactions, 
and broadcast them to the bitcoin network. This way keysafe does not
need to run a full bitcoin node. It may be possible to use eg, electrum
servers as keysafe storage servers.

Keysafe would need to verify that the transactions reached the
network (by querying retrieval servers).

Retrieval servers:

Retrieval could download the entire bitcoin blockchain and scan it, but
that would be gigabytes of download and take probably days. So instead,
there can be retrieval servers, which the user connects to via tor and
requests keysafe transactions tagged with I.

Retrieval servers learn which transactions contain keys with still active
users who have needed to restore their key. These might be more interesting
transations to try to guess the passwords of. For example, if people are
using keysafe to safely transit borders with their gpg keys, a government
might focus on transactions retrieved soon after a person of interest
crossed a border.

Retrieval servers could provide innaccurate or slow results, or too many
transactions, to try to prevent key restore. But keysafe can know about a
lot of retrieval servers, and query several at once. Get a list of
transaction ids from each, and then go through all the lists in parallel
and request transactions from each server until it has retrieved enough.

Storage cost:

Current cost per bitcoin transaction is $1, so storing a key in keysafe
would cost $36.

Of course, keysafe could also use a blockchain other than bitcoin, eg
lightcoin or dodgecoin have much smaller transaction fees. Using those
would allow storing the whole gpg public+private key, not only the paperkey
minimised private key.

The risk is that all copies of a less widely used blockchain could be lost,
preventing restore of a gpg key. Litecoin is probably big enough and
dodgecoin amusing enough to avoid such a fate for long enough for keysafe
backups to be useful.

Name collisions:

If an attacker can guess the name that a user used with keysafe, and their
password, then as well as decrypting their gpg key, they can add new
transactions using the same name and encrypred with the same password.
Keysafe won't be able to tell which to use, and so the user might restore
a gpg key controlled by the attacker.

Keysafe could prevent this by preferring earlier bitcoin transactions to
later ones.

On the other hand, a user might reuse a name and password when storing an
updated/new gpg key. Then they might expect keysafe to restore the newest
version of the key they stored. 

Keysafe might want to try to retrieve old transactions when storing a key,
to detect if the user is doing that. It could tell the user they need to
pick a different name if it finds any transactions using the name they
chose. This would also guard against several of users picking the same name,
which could otherwise make keysafe restore need to download a lot of
transactions.