[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Shared random value calculation edge cases (proposal 250)

To: George Kadianakis <desnacked@xxxxxxxxxx>
Subject: Re: [tor-dev] Shared random value calculation edge cases (proposal 250)
From: s7r <s7r@xxxxxxxxxx>
Date: Thu, 19 Nov 2015 18:46:26 +0200
Cc: tor-dev@xxxxxxxxxxxxxxxxxxxx
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 19 Nov 2015 11:46:45 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sky-ip.org; s=20110108; t=1447951599; bh=RFFUSYQfLQ3WkIW0pplB89YqKJghYf+JabKg3atvNes=; h=Reply-To:Subject:References:To:Cc:From:Date:In-Reply-To; b=fMdHio6pyMUwOJJsrQCTuvN3o6SobKti+RNA2wiUZ2WztvjmEfP7waKp/OoneXGEI LrXtGY27B8DEZeV8J4aWJ1jDB96mLN3tQwmqT8pwFQXcq0ED/vIPQ3X9s3AM+s7YiD KKPwj3bXFNxVJm8hQWCRxUeMH1c4SA8T96G6jQUo=
In-reply-to: <87vb8yozwa.fsf@xxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <87mvuj70rk.fsf@xxxxxxxxxx> <564B668E.7020203@xxxxxxxxxx> <87vb8yozwa.fsf@xxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 11/19/2015 3:57 PM, George Kadianakis wrote:
> s7r <s7r@xxxxxxxxxx> writes:
> 
> I'm not sure exactly what you are suggesting here. That the
> participation flag should not simply be 0 or 1, and that it should
> have more purposes?
> 

Sorry for the confusion. The participation flag should be 0 or 1 yes,
but it should only refer to current consensus SR value. If our
participation flag is 0, we don't vote a SR value for the next
consensus. This doesn't prevent us from participating in the protocol
run related to the SR value for the next day (after 00:00 UTC).

>> One way to do this is: the dirauth which is not participating
>> will take the SR value voted by the majority of the participating
>> dirauths and include that in its consensus and sign. We need at
>> least 3 dirauths agreeing on a SR value in order to accept it.
>> 
>> Is this crazy? It shouldn't open the door new attacks, since
>> this doesn't allow a single actor to game it, only the majority
>> could game it.
>> 
> 
> Yes, that *could* be a way to do it. Have dirauths who don't know
> the current/previous SRV get it from votes.
> 
> I think we all agree that dirauths who don't know the
> current/previous SRV should get it from the previous consensus
> (even though this logic has not been implemented yet). Getting it
> directly from the votes would be a different scheme that maybe we
> should think about.
> 

Yes, agreed.

I have another crazy idea which maybe will help, or if not, hopefully
at least will inspire us with another, better idea. Here goes:

Divide the consensus into 2 sections with separate signatures:

1) main section - general consensus with all the data as we have it today
2) SR section - which will include previous consensus SR value,
current consensus SR value and separate signatures.

In the consensus main section we include in addition:
Each dirauth participation flag (0 or 1) for current SR value and
commits/reveals for the next SR value.

Dirauths who don't know previous SR value / current SR value or if the
consensus at 00:00 UTC was created or not (disaster or not), simply
publish a participation flag 0. They don't vote anything in the SR
section.

In the consensus SR section we include:
- - participating dirauths and their identities (ed25519, RSA)
- - previous consensus SR value, current consensus SR value
- - separate signatures for this section

The number of signatures required for the SR section to be valid will
be the exact number of dirauths that published a participation flag 1,
but not less than 3 signatures will be accepted.

Please don't shoot me if this is terrible - I am only trying hard to
ensure a dirauth cannot break consensus accidentally if it is just out
of sync and misses some information (edge cases) while also using a
logic that won't over complicate stuff.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBCAAGBQJWTfziAAoJEIN/pSyBJlsRd2gH/1TgJawIc1dOEabN2kzfn7Q+
RNQQxawge+XM3vLjf4mkkUp+uvUd98Qe49vmT8gHRyeTO/lfjYrZdbNoCiv3iGSE
y7FJ2Zg0r6tw32ggRm812tyufcYrFwN1eV8OVxvKz0QUiAhchFFwHZCWGsICU63y
NqsWc5mB98Y5ptTnP85Fwdn0rv3nH6lzt95pxjL6/SO0gE4s/QuzeaYAwwxtxkG+
Nx5U5emz8paIsMRa/668LlNG+lwkEuHR3VondZHUTe+OfLc4UqlKNsHNjNEdMoJ6
h4Is4a1mjH/SqSKwTOkrVvtzq5avnP3rgWG3Ukmt/bEdtMQUHZGVKX0SnFqE/ac=
=VgM1
-----END PGP SIGNATURE-----
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] Shared random value calculation edge cases (proposal 250)
  - From: George Kadianakis
- Re: [tor-dev] Shared random value calculation edge cases (proposal 250)
  - From: s7r
- Re: [tor-dev] Shared random value calculation edge cases (proposal 250)
  - From: George Kadianakis

Prev by Author: Re: [tor-dev] OfflineMasterKey / ansible-relayor
Next by Author: Re: [tor-dev] OfflineMasterKey / ansible-relayor
Previous by thread: Re: [tor-dev] Shared random value calculation edge cases (proposal 250)
Next by thread: Re: [tor-dev] Shared random value calculation edge cases (proposal 250)
Index(es):
- Author
- Thread