Rejecting proposal 134
nickm at torproject.org
Wed May 27 18:34:26 UTC 2009
I'm rejecting proposal 134 after a conversation with Peter. The
max-clique idea is fundamentally flawed from a security POV.
Suppose that we have a clique of size N, and M hostile members in the
clique. If these hostile members stop declaring trust for up to M-1
good members of the clique, the clique with the hostile members will
in it will be larger than the one without them.
The M hostile members will constitute a majority of this new clique
when M > (N-(M-1)) / 2, or when M > (N + 1) / 3. This breaks our
requirement that an adversary must compromise a majority of authorities
in order to control the consensus.
We talked about a simpler approach that I'll try to write up as a
proposal in the next day or two.
More information about the tor-dev