David R. Conrad writes
Scott Brickner <sjb@austin.ibm.com> writes:
don@cs.byu.edu writes
A random (instead of sequential) allocation _by the keyserver_ (out of unallocated piecemeal segments) would also take some work to implement.
The problem is that it's irrelevant to the problem. Random allocation at the server is equivalent to simply "shuffling" the segments before assignment, which doesn't affect the rate at which the space is searched.
The point is that if J. Random Badguy knows that the key lies in segment 0x1bad and wants to get this segment and send a false NAK for it, he can watch as key segments are doled out (perhaps with clients running on a number of machines) and when 0x1bad gets close, say, when 0x1b0b comes out, he can instruct all his clients to start hammering the server for all they're worth in an attempt to get the key segment assigned to one of his clients.
If the segments are shuffled before they are handed out then this attack becomes impossible, since the attacker has no way of knowing when segment 0x1bad will be handed out.
An excellent point. One I'd missed. I agree that a random shuffle of segments is appropriate.