Add support for getting recommended block_len/strong_len based on filesize.

[dbaarda]

The current default block length and strongsum lengths are not ideal for best performance. The rsync binary includes a recommended block size of sqrt(file size), and a strong_sum length based on the block size and file size to give a compact signature without risking blocksum collisions. This makes it significantly faster for large files.

We should include these optimized defaults, baring in mind librsync doesn't have a whole-file checksum yet (rsync does) to avoid corruption from blocksum collisions, or a way to recover even if it did (rsync retries the transfer using different checksum seeds 3x before falling back to just copying the whole file). This means our strongsum length needs to be more conservative than rsync, particularly for protection against crafted attacks.

This requires extending the API to support providing the basis file size as a hint when generating the signature.

Note a signature filesize hint would also be nice for pre-allocating the signature blocksum data (the code currently doesn't expose a public API for this, but does have support under the hood).

[dbaarda]

More thoughts on strongsum length and crafted attacks.

Pretty much by definition, crafted attacks are always going to require the longest strongsum lengths. This means the strongsum length required if you are going to protect against crafted attacks is independent of the file length or block size, and determined exclusively by the current limits of attackers to generate blocksum collisions.

So what are the current limits for blocksum collision? In #5 therealmik showed that 8byte hashes are trivial to find collisions for, and even in non-hostile environments librsync has a good chance of hitting them when calculating deltas for files larger than 64GB using a 256byte blocksize. Organizations like Google have demonstrated brute-force collision attacks against 16byte hashes, but they were not easy.

Another way to think of the attack size is in terms of the amount of data required. A 12byte AKA 96bit hash requires around 2^48 hashes to find a collision using a brute-force birthday attack. This would require rolling through 256TB of random data, and need 3PB to store all the hashes (though you don't need to store them all to find collisions). This is probably beyond feasible in a reasonable amount of time for a single computer, but a dedicated individual could easily buy the cloud resources needed. So I would say the current state is;

hash size: minimum attacker size
8bytes: single computer
12bytes: single cloud customer
16bytes: large institution/state

The other question is what kind of attacks are relevant for librsync? The following article is a little dated, but talks about the difference between a collision attack (finding 2 blocks with the same hash) and a pre-image attack (finding a block that matches a given hash), with even md4 still considered safe against a pre-image attack;

https://electriccoin.co/blog/lessons-from-the-history-of-attacks-on-secure-hash-functions/

I'm not sure we can make assumptions about what attacks are relevant, because that depends on the application. The users of librsync are probably in the best position to decide what attacks are relevant and what level of security they need. We should probably default to a reasonable compromise between security and signature size, and users can override the default if they want more/less protection.

This suggests to me that a reasonable default strongsum size is 12bytes. People genuinely concerned about state/institution attacks can use --sum-size=20 or higher if they want. We should allow people to say --sum-size=0 to indicate they don't care about crafted attacks and just want the minimum size necessary to be safe for the given file size.

This issue also touches on #9. Without a whole-file hash we have the unfortunate problem of hash collisions silently causing corruption, so you won't even notice it has happened. I feel that we probably shouldn't add this feature until we have whole-file hashes in place.

[dbaarda]

More thoughts;

Currently '0' means 'max strength' of 32bytes for blake2, or 16bytes for md4. Perhaps we should not change that.

People can always set -S1 to mean "as small as possible for the filesize", or -S 12 for "resistant to most minor attacks', or -S 16 for "resistant to most major attacks". We could also say people need to use -S 32 if they want "as strong as possible", but sizes >16 require blake2 so it's kinda nice to have -S 0 mean "as strong as possible for the given hash type".

So if we do that, the only big question left is; what should the default be? Should we default to -S 1 so signatures are as small as possible and people must explicitly set something else if they want security? Or should we default to -S 0 for max security and require people to set it lower if they prefer small signatures? Or do we compromise between the extremes with medium security -S 12?

I'm thinking most people will be saying the default should be max security.

[dbaarda]

Another problem; filesize=0 is currently used for "unknown" when determining the recommended blocklen and stronglen. This typically means the input is a stream of unknown size. In that case we want to use a reasonable compromise blocklen (currently 2KB) and a conservative stronglen to avoid corruption. Ignoring attacks, a stronglen of 12B should be safe for files up to 16TB with a 256B blocklen, or ~45TB for the default 2KB blocklen.

So if the input for stronglen=8 AKA "at least 8 bytes", and filesize=0 AKA "unknown", should we return stronglen=12? How do we say "I don't care about the filesize, I just want to use stronglen=8"?

Perhaps we should use filesize=-1 to indicate "unknown", and filesize=0 can then mean "use exactly this stronglen". Or should we treat filesize=0 to mean "filesize of zero" and use filesize=-2 for "use my figures exactly?

Part of the problem here is in the pull request rs_sig_args() is used both to recommend default args, and to check them, being used under the hood inside rs_signature_init() to adjust and check it's initialization arguments. However, rs_sig_begin(), which uses rs_signature_init(), is not documented as adjusting the arguments except that stronglen=0 means "full strength". Even if we do make these functions smarter and capable of adjusting the arguments, they both don't take the filesize as an argument, so we cannot give them a valid filesize to base those adjustments on.

Perhaps a fix is to split rs_sig_args() into separate "recommender" and "checker" functions, and keep rs_signature_init() and rs_sig_begin() dumb, requiring explicit use of rs_sig_args() for the smart recommendations.

[dbaarda]

FTR, in an email conversation with @therealmik he said the following;

"I agree full strength should be the default, although I think the less conservative recommendation should be 20 bytes (even Sergey can't request that much quota) - I don't feel like 16 bytes is really enough these days."

[dbaarda]

This was fixed in #109 which was just merged.