[tor-dev] A threshold signature-based proposal for a shared RNG

Ian Goldberg iang at cs.uwaterloo.ca
Mon Jan 20 13:32:50 UTC 2014


On Fri, Jan 17, 2014 at 10:01:13PM -0600, Nicholas Hopper wrote:
> > Yes: Nick (who would probably be the one writing the code anyway)
> > generates the shares encrypted to keys generated by the authority
> > operators, sends them to the authority operators, and forgets the
> > intermediate results.  ;-)  (Only partially kidding.)
> 
> Ha! Yes, byzantine agreement is much easier with a trusted party. :)
> 
> > Then again, if *that* code is written, then just having each authority
> > operator run an instance of that code in the role of Nick, and having
> > everyone add their results, works fine if everyone is online.  It's also
> > easy to check that the protocol succeeded, by interpolating the
> > resulting public keys.  An actively malicious adversary during this
> > phase would cause the protocol to fail, but I think it would be good to
> > know that we have an actively malicious authority.  ;-)
> 
> Let's call this the "optimistic approach", and it would certainly be
> an option, although one issue is that when it fails we can say that
> someone is malicious but not which authority(s).  Although one
> possibility is to have the ability to fall back to a full
> byzantine-tolerant protocol in that event.

Actually, I think the above "optimistic" protocol _would_ let you
identify the misbehaving party if each message is signed by its sender.

   - Ian
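
The consistency check from the quoted "optimistic approach", as an added example that is not part of the original thread or of Tor's code: every authority deals shares of its own secret, each authority adds up what it receives, and the resulting public key shares are interpolated in the exponent to confirm they lie on one polynomial. The toy group parameters, the function names, and the choice of plain Shamir sharing are assumptions made for illustration.

```python
import secrets

# Toy group, assumed for illustration only: P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def deal(secret, t, n):
    """One authority acting as dealer: Shamir shares {j: f(j)}, threshold t."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {j: sum(c * pow(j, k, Q) for k, c in enumerate(coeffs)) % Q
            for j in range(1, n + 1)}

def combine(dealt):
    """Authority j adds the shares it received from every dealer."""
    return {j: sum(d[j] for d in dealt) % Q for j in dealt[0]}

def pub_shares(shares):
    """Public key share Y_j = G^{s_j} mod P for each authority."""
    return {j: pow(G, s, P) for j, s in shares.items()}

def lagrange(xs, x):
    """Lagrange coefficients mod Q for evaluating at x from the points xs."""
    out = {}
    for i in xs:
        num = den = 1
        for m in xs:
            if m != i:
                num = num * (x - m) % Q
                den = den * (i - m) % Q
        out[i] = num * pow(den, -1, Q) % Q
    return out

def interpolate_pub(pubs, xs, x):
    """Interpolate in the exponent: product of Y_i^{lambda_i(x)} mod P."""
    y = 1
    for i, lam in lagrange(xs, x).items():
        y = y * pow(pubs[i], lam, P) % P
    return y

def check(pubs, t):
    """True iff every public key share lies on one degree t-1 polynomial."""
    base = list(range(1, t + 1))
    return all(interpolate_pub(pubs, base, j) == pubs[j]
               for j in pubs if j > t)
```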

