[tor-dev] Proposal 225: Strawman proposal: commit-and-reveal shared rng

Kang td66bshwu at gmail.com
Wed Dec 11 19:06:05 UTC 2013

As it currently is, this suffers from something like the Byzantine
generals problem.
Attacks may be performed based on the fact that participants don't
necessarily transition between states at the same moment.
Error handling must be carefully considered and the SYNC round made
more robust to compensate.

For instance if an adversary is able to convince an honest participant
to restart while the rest of the participants keep going they could
drop the number of honest participants below the secret sharing
threshold and the protocol loses all security benefit.
Additionally, if restarts can be caused after _any_ honest participant
has revealed then that's equally exploitable; an attacker could wait
for the first honest reveals, calculate the result, and then cause an
error that triggers a restart if they didn't like it [provided they're
fast enough].
These are possible because participants aren't psychic so they don't
immediately know if somebody has revealed or reported an error.
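The restart concern raised in the message can be made concrete with a toy commit-and-reveal round. The following is an added example written for this page, not code from the poster, from Proposal 225 or from Tor: it uses SHA-256 hash commitments and combines reveals by XOR (an assumption; the proposal itself uses secret sharing), and it enforces one assumed policy: a restart request is honoured only while no reveal has been seen, so that whoever has observed early reveals cannot re-roll an outcome they dislike.

```python
import hashlib
from enum import Enum


class Phase(Enum):
    COMMIT = "commit"
    REVEAL = "reveal"
    DONE = "done"


def make_commitment(value: bytes) -> bytes:
    # Hash commitment to a 32-byte reveal value (toy construction, not Tor's).
    return hashlib.sha256(b"commit|" + value).digest()


class SharedRandomRound:
    """Toy commit-and-reveal round with an explicit restart policy."""

    def __init__(self):
        self.phase = Phase.COMMIT
        self.commitments = {}   # participant -> commitment
        self.reveals = {}       # participant -> revealed value
        self.restarts = 0

    def receive_commit(self, who: str, commitment: bytes) -> None:
        if self.phase is not Phase.COMMIT:
            raise ValueError("commitment received outside COMMIT phase")
        if who in self.commitments:
            raise ValueError("duplicate commitment from %s" % who)
        self.commitments[who] = commitment

    def start_reveal(self) -> None:
        # All participants move to REVEAL together in this toy; the message's
        # point is that real participants do not transition simultaneously.
        self.phase = Phase.REVEAL

    def receive_reveal(self, who: str, value: bytes) -> None:
        if self.phase is not Phase.REVEAL:
            raise ValueError("reveal received outside REVEAL phase")
        if who not in self.commitments:
            raise ValueError("reveal from %s without a commitment" % who)
        if make_commitment(value) != self.commitments[who]:
            raise ValueError("reveal from %s does not match commitment" % who)
        self.reveals[who] = value

    def request_restart(self) -> bool:
        # Assumed policy: a restart is only honoured before any reveal has
        # been seen. After that, a restart would let an observer discard an
        # outcome they have already computed, which is the bias the
        # message describes.
        if self.phase is Phase.DONE or self.reveals:
            return False
        self.phase = Phase.COMMIT
        self.commitments.clear()
        self.restarts += 1
        return True

    def finish(self) -> bytes:
        # Every committed participant must reveal; a missing reveal aborts
        # the round (no output) rather than producing a value the withholder
        # could have steered.
        if self.phase is not Phase.REVEAL:
            raise ValueError("finish called outside REVEAL phase")
        missing = set(self.commitments) - set(self.reveals)
        if missing:
            raise RuntimeError("missing reveals from %s" % sorted(missing))
        out = bytes(32)
        for who in sorted(self.reveals):
            out = bytes(a ^ b for a, b in zip(out, self.reveals[who]))
        self.phase = Phase.DONE
        return out


def run_round(values: dict) -> bytes:
    """Drive a full honest round over constructed per-participant values."""
    rnd = SharedRandomRound()
    for who, v in values.items():
        rnd.receive_commit(who, make_commitment(v))
    rnd.start_reveal()
    for who, v in values.items():
        rnd.receive_reveal(who, v)
    return rnd.finish()


if __name__ == "__main__":
    # Constructed sample inputs: three 32-byte reveal values.
    sample = {"alice": b"\x01" * 32, "bob": b"\x02" * 32, "carol": b"\x04" * 32}
    print(run_round(sample).hex())
```

Running the module prints the XOR of the three constructed values. The `request_restart` policy is what the message asks for: a restart that arrives after the first honest reveal is refused, and a mismatched or missing reveal aborts the round instead of being silently tolerated.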