The requirements for the ERIS are:

• Availability of content: Content can be replicated and cached.
• Authenticity: Authenticity of content can be verified.
• Plausible deniability for peers: Peers that transport, store and cache data blocks can do this without being able to read the content.
• URN reference: Content can be reference with a single URN.
• Simplicity: The encoding should be as simple as possible in order to allow correct implementation on various platforms and in various languages.

A concept is tolerated inside the microkernel only if moving it outside the kernel, i.e. permitting competing implementations, would prevent the implementation of the system’s required functionality.

— Jochen Liedtke, On μ-Kernel Construction [liedtke1995micro]

ERIS describes how arbitrary content (sequence of bytes) can be encoded into a set of uniformly sized blocks and an identifier with which the content can be decoded from the set of blocks.

ERIS does not prescribe how the blocks should be stored or transported over network. The only requirement is that a block can be referenced and accessed (if available) by the hash value of the contents of the block. In section Storage and Transport we show how existing technology (including IPFS) can be used to store and transport blocks.

There is also no support for grouping content or mutating content. In section Namespaces we describe how such functionality can be implemented on top of ERIS.

The lack of certain functionalities is intentional. ERIS is an attempt to find a minimal common basis on which higher functionality can be built. Lacking functionality in ERIS is an acknowledgment that there are many ways of implementing such functionality at a different layer that may be optimized for certain use-cases. In section Applications we illustrate how such functionality may be implemented using ERIS.

ERIS uses two keys to encrypt content:

read key

The key used to encrypt the content. The read key is BLAKE2b(content). If a convergence secret is given the read key is BLAKE2b(content, key=covergence-secret) (using keyed hashing).

verification key

Derived from the read key using the subkey id 1 and personalization context set to the UTF-8 encoding of the string "eris.key".

The encoding process takes the content (as sequence of bytes), the read key and the verification key and returns a root reference (32 bytes) and a level count (positive integer with maximum value 12) which denotes the height of the Merkle tree.

The encoding process is:

1. Content is first padded (see Cryptographic Primitives) to a multiple of 4kB.
2. Content is then encoded with the symmetric key cypher using the read key and nonce set to 0. If content is larger than 256 GB use nonce 0 for first 256 GB and increment nonce for successive chunks of 256 GB.
3. Encrypted content is split into blocks of size 4kB. The blocks holding encrypted content are called data blocks.
4. Store data blocks in content-addressable storage and get data block references.
5. Combine the data block references in a Merkle tree and return the reference to the root node (root reference) and the height of the Merkle tree (level).

The construction of the Merkle tree is described in the following section.

To read and/or verify content following information is required:

• The root reference (as returned by the encode process)
• The level of the Merkle tree (as returned by the encode process)
• The read or verify key

All this information can be packed in an URN, allowing ERIS encoded content to be referenced with a single identifier. We call such an identifier a capability as it gives holder capability to read or verify the content.

The root reference, level and key are encoded (with some additional information) to a binary capability as follows:

The capability URN is:

urn:eris:X

Where X is the Base32 encoding of the binary capability encoding.

For example the read capability for the string “Hail ERIS!” is:

urn:erisx:AAAAABM5XFVEHHR45X3YKU4ARK6MBHOZ4W22OTG5ME4NGO32H5P4SP3MCL3TK373WD53WSE6BOJACMNLBMKKFDKI25TAPP3SRY54QZ5WDX6Q

Note that we are currently using urn:erisx instead of urn:eris to denote experimental nature of the encoding. Once encoding is stabilized we will use urn:eris.

Given a read capability the content can be decoded by following child references of the nodes in the Merkle tree starting at the root.

Note that the level (encoded in capability) is essential for decoding the content as the nonce for decrypting nodes is computed from the level and count of node in level.

Integrity of content can be checked while decoding by re-computing the hash value of block and comparing them to the references.

The verification capability allows everything the read capability allows except decrypting of the data blocks and thus reading of the content.

In particular a list of data blocks (and Merkle tree nodes) can be enumerated. This allows peers holding the verification capability to cache the content without being able to read it (plausible deniability for caching peers).

The integrity of all blocks required to decrypt the content can be verified with the verification capability.

640K ought to be enough for anybody.

— Misattributed to Bill Gates

The size of content that ERIS is able to encode is limited by the maximum depth of the Merkle tree.

The maximum depth of the Merkle tree is 13 levels (including data block level). This is because for every internal node maps to a unique nonce of 12 bytes (see Nonce from position).

The maximum size of content that ERIS can encode is thus \(128^{13} \cdot 4 \mathrm{kB}\), more than \(10^{20} \mathrm{GB}\).

The block size of 4kB was chosen for following reasons:

• Small content: Content smaller than 4kB still requires at least 4kB of storage as data block is padded to 4kB. A larger block size would make this worse.
• Reasonable overhead when encoding large files: The number of nodes required to combine data blocks into a single root reference is proportional to the number of references a node can hold. As nodes should be indistinguishable from data blocks they need to be the same size. Choosing 4kB (128 32 byte references) results in an overhead of less than 1% of the content size (see Size of Merkle tree).

Using multiple block sizes has also been considered. We believe that the additional complexity (in deterministically choosing the right block size) is not worth the storage efficiency.

Implementations of ERIS are available for following programming languages:

• Guile: The initial implementation
• Javascript

We have also implemented a JavaScript web application to demonstrate ERIS: Encoding for Robust Immutable Storage (ERIS).

ERIS is agnostic of storage and transport layers for blocks and only requires the ability to store uniformly stored blocks and access blocks by their hash code (see Content-addressable storage).

Storage layers can be implemented with:

• An in-memory hash-map.
• A key-value store (the Guile implementation uses LevelDB)
• A relational database
• IPFS

Blocks may be transported over network via:

• HTTP(S): A HTTP endpoint can be used to dereference blocks.
• Sneakernet: Blocks can be stored on a physical medium and transferred.
• Peer-to-Peer networks

ERIS does not encode any metadata about the content. Metadata that references the content can be separately encoded and stored.

The image above can be encoded in ERIS and be referenced with the URN:

urn:erisx:AAAADEQ445USOXW3JWYK255G4CQABSGYHAOQB7WA46APBTRBNWFAXAOPMK6OOYEN73BNFVWR6YNU6YN2SFQPRCUOHXSOPIZKCULJTR5XP5QQ

Which could be referenced from encoding of metadata:

"image": {
    "comment": "A duck.",
    "href": "urn:erisx:AAAADEQ445USOXW3JWYK255G4CQABSGYHAOQB7WA46APBTRBNWFAXAOPMK6OOYEN73BNFVWR6YNU6YN2SFQPRCUOHXSOPIZKCULJTR5XP5QQ",
    "mediaType": "image/png"
}

Somebody might however disagree and think this is more appropriate metadata:

"image": {
    "comment": "A rabbit.",
    "href": "urn:erisx:AAAADEQ445USOXW3JWYK255G4CQABSGYHAOQB7WA46APBTRBNWFAXAOPMK6OOYEN73BNFVWR6YNU6YN2SFQPRCUOHXSOPIZKCULJTR5XP5QQ",
    "mediaType": "image/png"
}

Both are valid descriptions (metadata) of the image. By not supporting metadata in the content such ambiguities can be handled without duplicating the content itself.

The format in which metadata is encoded is also not prescribed. We suggest using an RDF based description that is well adapted for content-addressing (see Content-addressable RDF).

ERIS can be used to ensure integrity of content. To ensure authenticity we propose using a RDF vocabulary for Ed25519 cryptographic keys and signatures: RDF signify.

Namespaces are groupings of content that themselves have an identifier. The members of a namespace may be dynamic. Namespaces are a fundamental building block for organizing content and building applications.

There are many legitimate ways of implementing namespaces. ERIS does not provide a built-in mechanism.

In the following we give an overview of some mechanism and illustrate how ERIS can be used.

We believe that a key value of ERIS is the usability from very different namespace mechanisms. A collection of ERIS encoded content can be served from a HTTP server or be added to a Secure Scuttlebutt feed. By referencing the same content with the same identifier from different systems we can make content interoperable.

It is possible to encode an entire file system in ERIS by first packing the files and directories in an appropriate container and then encoding and storing. This would allow similar functionality to IPFS (which uses UnixFS).

Individual files can be accessed efficiently as ERIS allows random read access to content (see Radon Access).

Possible container formats include tar or SquashFS.

ECRS [Grothoff_2003] is the encoding used in the file-sharing application of GNUNet. ERIS is very much inspired by ECRS.

Similar to ERIS, ECRS splits up content into uniform sized blocks (32kB) and combines them to a single root reference.

Unlike ERIS, ECRS encrypts using the hash code of the block as a key (instead of a signle read key). Building the Merkle tree is simpler than in ERIS as there is no distinction between data blocks and tree nodes. However in addition to the reference to the block the key needs to be stored in a parent node (content-hash key).

The reason for developing ERIS in contrast to just using ECRS is the verification capability. This allows blocks that are required to reassemble some content to be cached by a peer holding the verification capability, without being able to read the content.

ECRS also provides two namespace mechanisms (SBlock and KBlock). Both mechanisms can be implemented with ERIS as well.

Datashards is a secure storage foundation for the web. Work on ERIS was inspired by Datashards. It provides means for immutable as well as mutable storage.

Datashards (immutable) splits encrypted content into uniformly sized blocks (called chunks) and combines them in a hash list. There is no verification capability for immutable storage.

Mutability is implemented with an append-only log (similar to Hypercore and Scuttlebut).

A key functionality ERIS shares with Datashards is the usability from the web by encoding capabilities as URNs.

Datashards is still in development and in further work we hope to converge ideas and encoding.

Cryptosphere was an experimental research project for securely publishing and distributing content based on Tahoe-LAFS and Freenet (among others).

The key innovation in Cryptosphere is the “repair capability” which allows enumeration of all block required to reassemble content as well as verifying integrity.

To enable the repair capability two (linked) Merkle trees are constructed, one allowing read capability and one allowing repair capability.

The constructions of the tree is slightly more involved than in ERIS.

Other related projects include Tahoe-LAFS and Freenet. We refer the reader to the ECRS paper [Grothoff_2003] which provides an excellent description and comparison.

How big is the Merkle tree in relation to the size of the content to be stored? This relation captures the storage overhead and the computational overhead of the Merkle tree.

The parameters are:

• \(s_h\): size of the hash code
• \(s_b\): block size
• \(s_d\): size of the data to be stored

To simplify the calculations we assume that the block size is always chosen as a multiple of \(s_h\):

\[ s_b = k s_h \]

Nodes in the Merkle tree have size \(s_b\) and can hold at most \(k\) child references. \(k\) is the arity of the Merkle tree (in diagrams we have \(k=2\)).

We also assume that the size of the data to be stored is a multiple of the block size:

\[ s_d = n s_b \]

\(n\) is the number of blocks the data is split into.

For example the data we want to store is split up into 8 blocks (\(n = 8\)) and two child references fit into a block (\(k = 2\)):

We are interested in the number of nodes in the Merkle tree (the yellow boxes) in relation to the number of data blocks (white boxes).

Let us call the number of nodes in the Merkle tree \(m\).

We can start counting the number of nodes in the Merkle tree from the top:

\[ m = 1 + k + k^2 + k^3 ... + \frac{n}{k} \]

At the root level there is one node, at the level below \(k\) and below \(k^2\) - at every level we go down there are \(k\) times more nodes. At the bottom level (level 0) there are \(\frac{n}{k}\) nodes (this is also \(log_k(n) - 1\)).

\(m\) is a geometric serie and can be simplified:

The size of the Merkle tree is linearly proportional to \(n\) with \(\frac{1}{k}\). In big O notation: The size of the Merkle tree is \(O(\frac{n}{k})\).

If we choose a block size that fits exactly 2 child references (\(k=2\)), the Merkle tree will consist of at most half the number of data blocks - the storage overhead is 50%.

Assuming \(s_h = 32 \mathrm{B}\) (\(256 \mathrm{bit}\)) we have following block sizes and storage overheads:

Bibliography

• [Polleres_Kamdar_Fernández_Tudorache_Musen_2020] Polleres, Kamdar, Fernández, Javier David, Tudorache & Musen, A more decentralized vision for Linked Data, Semantic Web, 11(1), 101–113 (2020). link. doi.
• [liedtke1995micro] Liedtke, On micro-kernel construction, ACM SIGOPS Operating Systems Review, 29(5), 237-250 (1995).
• [aumasson2013blake2] Aumasson, Neves, Wilcox-O’Hearn, Zooko & Winnerlein, BLAKE2: simpler, smaller, fast as MD5, 119-135, in in: International Conference on Applied Cryptography and Network Security, edited by (2013)
• [saarinen2015blake2] Saarinen & Aumasson, The BLAKE2 cryptographic hash and message authentication code (MAC), Internet Engineering Task Force, (2015). link.
• [nir2015chacha20] Nir & Langley, ChaCha20 and Poly1305 for IETF Protocols, Internet Engineering Task Force, (2018). link.
• [Zooko2008] Wilcox-O'Hearn, Drew Perttula and Attacks on Convergent Encryption (2008)
• [shapiro2011comprehensive] Shapiro, Pregui\cca, Baquero, & Zawirski, A comprehensive study of convergent and commutative replicated data types, , (2011).
• [alvaro2010dedalus] Alvaro, Marczak, Conway, , Hellerstein, Maier & Sears, Dedalus: Datalog in time and space, 262-281, in in: International Datalog 2.0 Workshop, edited by (2010)
• [karlsson2018vegvisir] Karlsson, Jiang, Wicker, , Adams, Ma, van Renesse, & Weatherspoon, Vegvisir: A partition-tolerant blockchain for the internet-of-things, 1150-1158, in in: 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS), edited by (2018)
• [Grothoff_2003] Grothoff, Grothoff, Horozov, & Lindgren, An encoding for censorship-resistant sharing (2003)

An Encoding for Robust Immutable Storage by openEngiadina is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.