[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] On the security of a commit-and-reveal solution for #8244

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] On the security of a commit-and-reveal solution for #8244
From: Nicholas Hopper <hopper@xxxxxxxxxx>
Date: Fri, 10 Jan 2014 10:36:01 -0600
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 10 Jan 2014 11:36:16 -0500
In-reply-to: <CA+CHzS_gN+NOkKfK04Evxea8o5+2EWQhBVS=v39fp_51NVqxRw@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <871u28a0s4.fsf@xxxxxxxxxx> <CA+CHzS_gN+NOkKfK04Evxea8o5+2EWQhBVS=v39fp_51NVqxRw@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On Thu, Dec 12, 2013 at 11:11 PM, Nicholas Hopper <hopper@xxxxxxxxxx> wrote:
> Your analysis looks correct to me.  But what's wrong with using
> threshold crypto or secret sharing?  Since you're already assuming
> some sort of bounded delay synchronization, I think we can eliminate
> any advantage in influencing the randomness with one extra round,
> using e.g. threshold Elgamal:
>
> 0. (Periodically, like once per month): authorities derive a shared
> Elgamal key pair (x, X = xB) for the group G.  (with prime order p)
>
> 1. each authority publishes a randomly chosen encrypted group element
> P_i:  (r_iB, r_iX+P_i) along with a proof of knowledge of r_i.  (an
> easy proof to implement)
>
> 2. After COMMIT_TIMEOUT: each authority takes all published
> ciphertexts (with valid proofs), and publishes a list of ciphertexts
> it received.
>
> 3. After AGREE_TIMEOUT: each authority takes all published, valid
> ciphertexts that appear in over half of the previous set of documents,
> and adds them componentwise to get an encryption of the sum of the
> group elements (sB, sX+Q).  Each authority publishes this ciphertext
> plus its decryption share of this ciphertext with a proof of correct
> decryption.  (this is also a pretty straightforward proof to
> implement)
>
> [ here s is the sum of the scalars r_i, Q is the sum of the group elements P_i ]
>
> 4. After REVEAL_TIMEOUT: each authority combines the valid decryption
> shares to get a random group element Q, and publishes a signed
> document containing the decryption shares and Q.

Kang pointed out to me in private email that *this* protocol doesn't
avoid the need for some sort of consensus about what was sent by other
authorities at each time period.  This can be solved but it gets
messy.   I started a separate thread that describes a solution that
doesn't have this issue.

------------------------------------------------------------------------
Nicholas Hopper
Associate Professor, Computer Science & Engineering, University of Minnesota
Visiting Research Director, The Tor Project
------------------------------------------------------------------------
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Prev by Author: Re: [tor-dev] Projects to combat/defeat data correlation
Next by Author: [tor-dev] A threshold signature-based proposal for a shared RNG
Previous by thread: Re: [tor-dev] Proposal 225: Strawman proposal: commit-and-reveal shared rng
Next by thread: [tor-dev] A threshold signature-based proposal for a shared RNG
Index(es):
- Author
- Thread