
[freehaven-dev] Shepherds and Buddies




Here's what I have in my notes as "fatal flaws" for both the
Shepherd model and the Buddy model:

BUDDY: A bad server with a buddy can cause the buddy to accuse a server
       which has never even seen the share. A bad server can also cause
       the buddy to silently fail and not check on its buddy.

SHEPHERD: A shepherd permanently associates 1 reply block with a share.
          A bad shepherd can falsely accuse any server.


For the shepherd model, we didn't find a way to prevent a bad shepherd
from falsely accusing servers. This was considered a serious problem. On
the other hand, we agreed that if the mixnet is "good enough", then it's
OK to have a static reply block for the shepherd (although not a stellar
idea). We also noted that if the shepherd's computer is ever raided, his
private key will link him to a share. 

For the buddy model, the problem is that there is no one to check on a
possible evil server holding the buddy. So we considered having multiple
independent buddies, each of which checks on the first buddy. 

The idea is that we might be able to use a kind of "buddy voting ritual"
to see if the servnet node holding the share is good or not. The
conjecture is that we will need a majority of nodes to be both

	a) evil
and
	b) collaborating with each other

before the node holding the share can be falsely shown to be "guilty",
OR any other node can be falsely accused of having lost the share. 

I'm working on an example. At this point I am having difficulty 
adequately distinguishing the cases of 
	1) trying to accuse the server holding the share S 
	   of losing the share

and	2) a bad buddy accusing some third party X of having
	"lost" the share S, when in fact X never had it.

It seems to me that if in case 2) the other, not corrupted, buddy
sees the accusation, it can broadcast a counter-accusation saying 
that it is somewhere else and never was at X.

Thanks, 
-David
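
Added example, not part of the original message or of any Free Haven code: a small model of the "buddy voting" conjecture in the message above. It assumes a rule the message does not spell out (a server is found guilty only when a strict majority of all buddies report that it lost the share). The report format and the names `H`, `X`, `build_reports`, `adjudicate` and `min_colluders_to_convict` are hypothetical.

```python
from collections import Counter

HOLDER = "H"  # constructed name: the server that really stores share S

def build_reports(n_buddies, colluders, target):
    """Honest buddies report the truth (HOLDER still has S); colluding
    buddies all file the same false report that `target` lost S."""
    reports = {}
    for i in range(n_buddies):
        if i < colluders:
            reports[f"buddy{i}"] = (target, "lost")
        else:
            reports[f"buddy{i}"] = (HOLDER, "present")
    return reports

def adjudicate(reports):
    """Assumed rule: a server is guilty only if a strict majority of ALL
    buddies name it and say the share is lost. Buddies that place the share
    at a server nobody accused are listed as counter-accusers (case 2)."""
    n = len(reports)
    lost = Counter(srv for srv, status in reports.values() if status == "lost")
    guilty = next((srv for srv, votes in lost.items() if 2 * votes > n), None)
    counter = sorted(b for b, (srv, status) in reports.items()
                     if status == "present" and srv not in lost)
    return {"guilty": guilty, "accused": sorted(lost),
            "counter_accusers": counter}

def min_colluders_to_convict(n_buddies, target):
    """Smallest number of colluding buddies whose false report is upheld."""
    for k in range(n_buddies + 1):
        if adjudicate(build_reports(n_buddies, k, target))["guilty"] == target:
            return k
    return None

if __name__ == "__main__":
    # Case 1 targets the real holder H; case 2 targets a third party X.
    for target in (HOLDER, "X"):
        for n in (1, 3, 5, 7):
            print(target, n, min_colluders_to_convict(n, target))
    print(adjudicate(build_reports(5, 2, "X")))
```

Under this assumed rule both cases need the same colluding majority; what sets case 2 apart is that the honest buddies' reports name a different location, which is the counter-accusation the message describes.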