
Re: [tor-dev] A threshold signature-based proposal for a shared RNG



On Mon, Jan 20, 2014 at 7:32 AM, Ian Goldberg <iang@xxxxxxxxxxxxxxx> wrote:
>> > Then again, if *that* code is written, then just having each authority
>> > operator run an instance of that code in the role of Nick, and having
>> > everyone add their results, works fine if everyone is online.  It's also
>> > easy to check that the protocol succeeded, by interpolating the
>> > resulting public keys.  An actively malicious adversary during this
>> > phase would cause the protocol to fail, but I think it would be good to
>> > know that we have an actively malicious authority.  ;-)
>>
>> Let's call this the "optimistic approach", and it would certainly be
>> an option, although one issue is that when it fails we can say that
>> someone is malicious but not which authority(s).  Although one
>> possibility is to have the ability to fall back to a full
>> byzantine-tolerant protocol in that event.
>
> Actually, I think the above "optimistic" protocol _would_ let you
> identify the misbehaving party if each message is signed by its sender.

This runs into problems when parties claim *not* to have received
messages from others.  (e.g. imagine that floor(n/2) authorities are
corrupted and claim that an uncorrupted party did not send them any
input)


-- 
------------------------------------------------------------------------
Nicholas Hopper
Associate Professor, Computer Science & Engineering, University of Minnesota
Visiting Research Director, The Tor Project
------------------------------------------------------------------------
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
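
The "optimistic approach" discussed in this thread, sketched as an added example (not code from the thread or from Tor): every authority deals shares, each party adds what it receives, and the result is checked by interpolating the public key shares in the exponent. It assumes the dealer role means handing out Shamir shares; the toy group, the function names, and n = 5, t = 3 are constructed for illustration.

```python
import secrets

# Toy Schnorr group (constructed for this example): p = 2q + 1, g has order q.
P, Q, G = 2039, 1019, 4

def deal(n, t):
    """One authority as dealer: random degree-(t-1) polynomial over Z_q,
    evaluated at x = 1..n. Returns {recipient: share}."""
    coeffs = [secrets.randbelow(Q) for _ in range(t)]
    return {x: sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q
            for x in range(1, n + 1)}

def lagrange_at(xs, x):
    """Lagrange coefficients mod q for evaluating at x from the points xs."""
    out = []
    for i in xs:
        num = den = 1
        for j in xs:
            if j != i:
                num = num * (x - j) % Q
                den = den * (i - j) % Q
        out.append(num * pow(den, -1, Q) % Q)
    return out

def combine(dealings, n):
    """Each party adds the shares it received from every dealer."""
    return {x: sum(d[x] for d in dealings) % Q for x in range(1, n + 1)}

def public_shares(shares):
    return {x: pow(G, s, P) for x, s in shares.items()}

def check(pub, t):
    """Interpolate in the exponent from the first t public shares;
    every remaining public share must lie on the same polynomial."""
    xs = sorted(pub)
    base = xs[:t]
    for x in xs[t:]:
        expected = 1
        for i, lam in zip(base, lagrange_at(base, x)):
            expected = expected * pow(pub[i], lam, P) % P
        if expected != pub[x]:
            return False  # someone misbehaved, but the sum hides which dealer
    return True

def run(n=5, t=3, tamper=None):
    """tamper = (dealer index 0..n-1, recipient 1..n) corrupts one share."""
    dealings = [deal(n, t) for _ in range(n)]
    if tamper:
        dealer, victim = tamper
        dealings[dealer][victim] = (dealings[dealer][victim] + 1) % Q
    return check(public_shares(combine(dealings, n)), t)
```

The check returns only pass or fail: one inconsistent share from any dealer makes it fail without naming that dealer.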