[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Sharing Circuits Between Onion Servers and Clients

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Sharing Circuits Between Onion Servers and Clients
From: stifle_savage042--- via tor-dev <tor-dev@xxxxxxxxxxxxxxxxxxxx>
Date: Sat, 26 Oct 2024 19:20:18 +0000
Arc-authentication-results: i=1; mail.protonmail.ch
Arc-message-signature: i=1; a=rsa-sha256; d=simplelogin.co; s=arc-20230626; t=1729970426; c=relaxed/simple; bh=oNwbfWQg4//Ji9iXpyRoE3rwK8leftkBOXxiBnIezWU=; h=Date:Subject:In-Reply-To:From:To:Cc:References; b=hj6J+cPIfy7W++pHi/hTNw08nlgFXN4oeBLGlfFZIY4z4RHGTC0TwNlrM03QYtKZvAHFQxybXJYoxVUXf3iTvT96AOTubdgBdEY1jInG0Al7ffdTQu9cgL/YyliYwOAkwhWSnZRx/dfqi+fQ7/MAmwgKLCPAj2qGacfQyQyPyuxgxIjDjh9jSQ890g7f9pgYzSgz0UHXk5YeVuww87RmsQCtXH4X/RKGoDw4zm0fadVNbndYBHbRvZhS5lqCx/dxlIrrdHXxhSIaeJ/BwO9udMpLHE1r9lmO4HqU3FOtoONyRafdOEXIBcykct+GwUJpF7jn+kWlFUZlaLG+7huWwg==
Arc-seal: i=1; a=rsa-sha256; d=simplelogin.co; s=arc-20230626; t=1729970426; cv=none; b=YBQApAeoDxz7kQYEhwPMfneE9pkeTzW/C+D6o9N4a73SGUxlsYhbP79eLLYHBUInWNn0t41uW0WVOouMolxrCdawPjbaQpYjFBoIC5KTlo+TfrYZLzEhvYXRwL/auJ+QiKpfUtUyZ44cJ5ArFVmqvJM27/NDUzjCLh3yuO7XnIp0X7vgNjhGu3pf58F/aj+slPamOltlrg+mYncLk4FQddPjQ1eBRagLT+aro+vrynSSMQuNV2OmF8o/2MjQZ8fG0EidvuaFImtPBhlKhRqESrBjwaYjBkhZPoXMyx8Wt+yq4p9R6wh9l8M8NsxaXwZcmVBEK9tN/seaPghOoAIHQQ==
Cc: stifle_savage042@xxxxxxxxxxxxx
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 29 Oct 2024 04:05:27 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=lists.torproject.org; s=2022-eugeni; t=1730189062; bh=npg3OHVhWYvSN5AT7ZB1ypXf4u41rdwln7+uwir4NhQ=; h=Date:In-Reply-To:To:References:Subject:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=0JG5GZ3skR069P4NR8j7RVoKOFvjtdsAbh+rWhT6CoxinJ1TqR+HyWS7LsA2zRosE 2BQ7ieFXGLb0ukxzQEyfpEUel0OBoDI73Ka8NZIEqN7sJTIFOra4q98rRh2+CAv4WX ZhDby7xHFua1RkzMocFoMbbo11u5G9pZr9BwWftdIONeG06+tnLyJe1HQyKOkvNQXj mkpqxW63wGfLEr1+Rs7tuxwRVh1ce+f7FoUbU2FuM+4KYfaq/TC4UDISFIFGN6jZSU 5m+XJETDBOcHfYIA65+i99xV1lV1Y1aYATk++58Z5oubezcQdmazQXgpNeU81zcb22 dYSut/zX5tPmg==
In-reply-to: <CACsn0ckYiRxRQCqT03PkVEVmi++8zXtMJ+_HNK03wYUBprZFgw@mail.gmail.com>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <172956531737.7.7576968361250790649.470267841@silomails.com> <CACsn0c=QDvaHLtH0KjML-5R6YmAwuZjGRwJvn6574qsMWNpBGQ@mail.gmail.com> <172963893641.7.4903826455430924680.471252000@silomails.com> <CACsn0ckYiRxRQCqT03PkVEVmi++8zXtMJ+_HNK03wYUBprZFgw@mail.gmail.com>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On Tuesday, October 22nd, 2024 at 11:24 PM UTC, Watson Ladd wrote:

> On Tue, Oct 22, 2024, 4:15 PM <stifle_savage042@xxxxxxxxxxxxx> wrote:

> On Tuesday, October 22nd, 2024 at 9:04 PM UTC, Watson Ladd wrote:

> > On Tue, Oct 22, 2024 at 3:47 AM stifle_savage042--- via tor-dev

> > tor-dev@xxxxxxxxxxxxxxxxxxxx wrote:

> >

> > > Hi all,

> > >

> > > I want to promote some recent work of mine in the hope that someone here will find it interesting or useful. In my most concise language, it is a "decentralized, asynchronous entropy generator protocol." I've made a somewhat complete demo implementation so far. Here's the repository: https://github.com/devnetsec/rand-num-consensus. The integrity of the entropy can only be compromised if all nodes in the ring are malicious and coinciding. Currently, a Tor client cannot anonymously connect to an onion service by directly contacting the rendezvous point, because that relay could have been chosen maliciously by the onion server. I wager that a scheme like this could enable onion servers and clients to share the same circuit. Both parties would have a guarantee that their relays were chosen randomly.

> > >

> > > The most similar solution I could find to this was in the TorCoin paper, but it appears to require a more complicated zero-knowledge proof. If there is serious interest in this, I'd be willing to write a proposal draft. Besides implementation difficulty, is there any outstanding flaw in this idea?

> >

> > Uh, yes. Depending on how we class implementation difficulty.

> > - A node can go offline before revealing to influence the random

> > choice. This is very hard to deal with in general.

> > - Encryption isn't a commitment, particularly not with AES-GCM

> >

> I don't think my README explanation is quite clear enough. The purpose of encrypting "blocks" is to allow each node to be confident that its peers cannot manipulate the consensus in a way that jeopardizes its randomness (I suppose the consensus can be manipulated, but the result would still be random). It's as if a group of people each secretly write down a number 0 through n on a slip of paper, put those slips in a hat, then publicly sum these numbers once enough people have added their slips, and consider the remainder of that sum, when divided by n, the consensus. Then they can each truthfully testify that the consensus is random, so long as they are confident in the randomness of their own random number. A participant would have to know all the numbers their peers chose to successfully make the consensus equal the malicious target value. If a node is offline during the routine, the client will simply see one less signature on the consensus. I partially agree with your first point though. Currently, a node can stall the consensus by refusing to publish its reveal key.

> AES-GCM is not committing. There are messages that can be decrypted two different ways with different keys.

The commitment isn't the encryption of the random number, it's the signature on that ciphertext.

See message::Block. The AES-GCM nonce makes sure that decryption fails if the incorrect reveal key is used.

That's what I'm guessing you mean by "commitment," can you explain a bit more?

Dylan Downey [devnetsec]

> I apologize for that broken link.

> Dylan Downey [devnetsec]

> > Sincerely,

> > Watson Ladd

> >

> > > Best Regards,

> > >

> > > Dylan Downey [devnetsec]

> > > _______________________________________________

> > > tor-dev mailing list

> > > tor-dev@xxxxxxxxxxxxxxxxxxxx

> > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

> >

> > --

> > Astra mortemque praestare gradatim

Attachment: gpg.key
Description: Binary data

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] Sharing Circuits Between Onion Servers and Clients
  - From: stifle_savage042--- via tor-dev
- Re: [tor-dev] Sharing Circuits Between Onion Servers and Clients
  - From: Watson Ladd
- Re: [tor-dev] Sharing Circuits Between Onion Servers and Clients
  - From: stifle_savage042--- via tor-dev
- Re: [tor-dev] Sharing Circuits Between Onion Servers and Clients
  - From: Watson Ladd

Prev by Author: [tor-dev] Sharing Circuits Between Onion Servers and Clients
Next by Author: Re: [tor-dev] Sharing Circuits Between Onion Servers and Clients
Previous by thread: Re: [tor-dev] Sharing Circuits Between Onion Servers and Clients
Next by thread: [tor-dev] [tor-project] Reminder: mailman 3 upgrade imminent (TPA-RFC-71)
Index(es):
- Author
- Thread