Proposal: Parallel Uploading with Parallel Hashing

[shizhMSFT]

Introduction

In the era of AI, registries are no longer limited to storing images and related artifacts. They are increasingly being used to store AI models as artifacts as well. For example, Ollama (registry.ollama.ai, although not OCI-compliant) and Docker (docker.io a.k.a. Docker Hub) both distribute AI models through their respective registries.

Note

By running oras manifest fetch docker.io/ai/phi4:latest --pretty, we can obtain a manifest of the Microsoft Phi-4 14B AI model distributed by Docker Hub.

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.docker.ai.model.config.v0.1+json",
    "size": 371,
    "digest": "sha256:7f4e11b43206e29e2dad7a47ac3c17a2a22c5576c5d9e1a2c0da13bd0fcfb8f4"
  },
  "layers": [
    {
      "mediaType": "application/vnd.docker.ai.gguf.v3",
      "size": 9053114560,
      "digest": "sha256:4c20db82e7abcbd7e07b6f8a393fe82ced1b4c6e15dd87ed1122872331854c1c"
    },
    {
      "mediaType": "application/vnd.docker.ai.license",
      "size": 1105,
      "digest": "sha256:c49419617a6070bcb197cfe272f7007fdec3e790dbb529cb995473bd69c0bd51"
    }
  ]
}

As you can observe, the layer 0 is a GGUF format AI model of size 8.4 GiB.

Since the AI models are typically large, it is time consuming and even unstable (due to networking) to be uploaded to the registry. In fact, not just AI models, all large artifacts like VM images have this challenging issue.

To address this issue, the community has explored several approaches. In issue #546, @rchincha proposed support for out-of-order chunked uploading. However, this method may be ineffective because the registry server still needs to read the chunks sequentially to compute the digest, due to the sequential hashing nature of algorithms like SHA-256. Later, in issue #573, @syed introduced the concept of the chunk-index. This approach allows clients to upload chunks in parallel as individual blobs and then commit a chunk index that can be referenced in the manifest. While this method offers clear advantages in terms of upload flexibility and parallelism, it also introduces trade-offs. Specifically, it shifts the responsibility of reassembling the data to the client and increases the burden on the server's garbage collection system due to the additional blob management overhead.

In this proposal, I introduce an alternative approach for the community to evaluate by presenting the ParallelHash function.

Issue Analysis

As @syed noted in issue #573, supporting out-of-order chunked uploads is not a significant challenge, since most registry operators use object storage as their backend. These storage systems typically support large file uploads and allow blocks or parts to be uploaded in parallel.

Tip

Here are some cloud providers which support such large file uploads feature:

• Block blobs in Azure Storage
• Multipart upload in Amazon S3
• XML API multipart uploads in GCP
• Multipart upload in Alibaba Cloud

The fundamental challenge lies in the limitations of current cryptographic hash algorithms. As @sudo-bmitch pointed out in issue #573, there is a need for a hashing algorithm that supports concurrency. Such an algorithm should be capable of processing chunks out of order and computing the final digest without requiring all data to be received sequentially or waiting for the last chunk. @sudo-bmitch also suggested that BLAKE3 could be a potential candidate for this purpose.

Proposal

The proposal is to introduce a new hash algorithm ParallelHash for hashing out-of-order chunks in parallel.

The ParalellHash function is a SHA-3 Derived Function specified by NIST SP 800-185 based on cSHAKE, which is a customizable variant of the SHAKE functions defined in FIPS 202. It takes block size, data in blocks, output length, and an optional customization string as input to compute the hash digests. Meanwhile, ParallelHash supports two security strengths: ParallelHash128 for 128-bit security, and ParallelHash256 for 256-bit security.

Taking ParallelHash256 as example, Here's its algorithm. Given

• X: data to be hashed
• B: block size in bytes such that $0 \lt B \lt 2^{2040}$
• L: requested hash digest in bits
• S: optional customization string

To compute ParallelHash256(X, B, L, S),

1. Break the data X into n blocks such that $X = X_1 \Vert X_2 \Vert \cdots \Vert X_n$.
2. For each block $X_i$, compute its SHAKE256 hash $Z_i = SHAKE256(X_i, 512)$. The length of $Z_i$ is 512 bits (i.e. 64 bytes).
3. Construct $Z = \mathbf{leftEncode}(B) \Vert Z_1 \Vert Z_2 \Vert \cdots \Vert Z_n \Vert \mathbf{rightEncode}(n) \Vert \mathbf{rightEncode}(L)$.
4. Return $\mathbf{cSHAKE}(Z, L, \textbf{"ParallelHash"}, S)$ as the final hash.

Note

I have implemented ParallelHash in Go with code and documentation (see also multi-threading hash example) available using the SHAKE and cSHAKE functions from the golang built-in crypto/sha3 package.

Since ParallelHash takes B (block size) and L (hash output length), considering the blob deduplication feature of registries, it is better that B and L are fixed.

• For B, we can choose 4 MB, 256 MB or other values (we can decide later).
• For L, we can choose 256 for ParallelHash128 and 512 for ParallelHash256.

It is worth noting that each data block has a standard SHAKE hash instead of some internal states. Therefore, the following large blob upload scenario is made possible.

1. POST /v2/<name>/blobs/uploads/ to obtain an UUID for blob uploading
2. Break the blob into chunks of block size, and upload the chunks in parallel in an out-of-order fashion: PATCH /v2/<name>/blobs/uploads/<uuid>?digest=<shake_digest>.
   • In the future, the chunk size can be the multiple of the block size, but I need to think about how to transfer multiple digests to a PATCH request or equivalent alternatives.
   • If ?digest=<shake_digest> is not provided, the chunks MUST be uploaded in sequential order and follow today's distribution spec. That is, we have backward compatibility if the registry accepts ParallelHash as digest algorithm but does not support out-of-order chunk uploads.
3. POST /v2/<name>/blobs/uploads/<uuid>?digest=<parallelhash_digest> to finalize the blob upload with a list of SHAKE digests for the uploaded chunks in the request body.
   • If the block size is 4 MiB, a 40 GiB blob will require $10,240 \times 64 = 655,360$ bytes (i.e. 640 KiB) of hash metadata. Even those metadata are base64 encoded, they are still less than 1 MiB.

Additionally, it opens a possibility that clients can upload the blocks as standard blobs to the registry if the registry accepts SHAKE algorithms for digests so that those blocks can be directly referenced by a manifest or a chunked-index blob. Later, the clients can ask the registry to assemble those blocks to a larger blob (see also Put Block From URL (Azure Storage) and UploadPartCopy (Amazon S3)).

[jonjohnsonjr]

Why define a new hash function instead of using BLAKE3?

[xnox]

Why define a new hash function instead of using BLAKE3?

ParallelHash has similar properties as Blake3 and is FIPS approved.

Blake2 was part of the SHA-3 contest and lost. Blake3 is a lot more performant. But it is not possible to use for providing cryptographic security.

Thus one can use Blake3 hash for hash addressed content - and effectively just a steaming CRC. But cryptographic verification would have to use a different hash for signing. Which would increase complexity and reduce some of the performance benefits if the content addressable hash was used for streamable verification and cryptographic protection.

Note that neither Blake3 nor ParallelHash are widely available yet, nor supported in signatures. At some point I was submitting OIDs for Blake but not sure if that propagated everywhere. For example Shake signature support is being added to OpenSSL, but not yet ParallelHash - and some interesting API extensions are needed to support it. FIPS 186-5 does not yet allow ParallelHash in signatures by default. It would be interesting to see if we could get it implemented everywhere.

[jcarter3]

Are we in agreement that this is a problem that needs solved yet? Working with the team at Docker that manages these models, upload performance has never come up, but download performance certainly has. We already have mechanisms to resume uploads on failure, so this already "works". Improving performance is always a nice goal as long as the trade offs are worth it, but I haven't yet seen any data or scenarios around why the current setup is lacking in the real world.

Given that there are already difficulties in getting blake3 fully supported, there should be a decently high bar for showing how much this is needed and what the potential upload gains would even be.

[jonjohnsonjr]

ParallelHash has similar properties as Blake3 and is FIPS approved.

Ah, apologies, I misread this:

The proposal is to introduce a new hash algorithm ParallelHash

As introducing a new hash algorithm.

[xnox]

If we need speed, xxhash is even faster than either Blake3 or ParallelHash.

For signing you would still refer to things by SHA-2 and use regular digital signatures.

If we want to have really good security properties the whole image layer construction could be referenced with tuple hashes, such that layers, their number, and order is encoded by the TupleHash.

But yes, performance bottlenecks and the problem that needs solving here is interesting to know. Because so far hardware accelerated sha256 beats I/O speed, and thus is typically not the performance bottleneck.

[shizhMSFT]

Thank you for reviewing my proposal.

By storing Z during the step 3 of the ParallelHash256(X, B, L, S) computation alongside the blob, we can enhance blob download performance. This approach enables clients to download blob blocks in parallel and out of order, while still allowing for the integrity verification of individual blocks. In this context, Z effectively serves as a chunk-index.

[jcarter3]

Newer client implementations (like containerd) already download large blobs in parallel by using multiple range requests

[rchincha]

@shizhMSFT thx for bringing ParallelHash to our attention.

If you agree that in the general case, pulls are orders more frequent than pushes, then the following pattern (or something like it) should suffice?

https://learn.microsoft.com/en-us/samples/azure-samples/functions-java-push-static-contents-to-cdn/functions-java-push-static-contents-to-cdn/

[shizhMSFT]

If you agree that in the general case, pulls are orders more frequent than pushes, then the following pattern (or something like it) should suffice?

I think using CDNs is orthogonal to above solutions.

[sudo-bmitch]

I have a concern that we are dispersing discussions on this across multiple issues, making it hard to follow and forcing people to repeat concerns in each issue.

Looking specifically at this proposal, I have a few concerns:

1. A hash per patch request implies a verification per patch request. This also requires clients regenerate the hash per chunk before sending the chunk, either storing the chunk in memory or scanning it from the source twice.
2. I don't think it's possible for the registry to respond that it already has content before the body of the patch request is sent, which means any chunk level deduplication would only happen server-side, and that's something servers can do independently of any OCI changes.
3. Forcing the the chunked pushes to happen on block size boundaries forces some additional negotiation between the client and server (or hard coded in the spec). It also excludes client workflows that split a large blob into $n equal size chunks.
4. The final digest for content addressability needs to be a fixed and reasonable length. I'd worry about a DoS attack if digest lengths were arbitrarily long. Is there any client tooling with maximum length limits on the hash in a reference?

Most importantly, I share @jcarter3's concern that we are spending a lot of effort trying to solve a problem without clear evidence it needs to be solved. Yes, it's possible to speed up an upload, but the download is where most of the time in a blob lifecycle is spent, and we already have a solution for that. We're also pushing more overhead onto the registry server, with a spikier CPU utilization, caused by a minority of the clients.

[xnox]

Separately I wonder how Netflix / rsync use https://xxhash.com/ and if that offers better solutions for any upload/download issues. @Cyan4973 do you have any pointers to prior art w.r.t. large and small uploads and downloads? And if that at all could help OCI or not?