[tor-dev] A threshold signature-based proposal for a shared RNG

Nicholas Hopper hopper at cs.umn.edu
Tue Jan 21 22:21:55 UTC 2014

On Mon, Jan 20, 2014 at 7:32 AM, Ian Goldberg <iang at cs.uwaterloo.ca> wrote:
>> > Then again, if *that* code is written, then just having each authority
>> > operator run an instance of that code in the role of Nick, and having
>> > everyone add their results, works fine if everyone is online.  It's also
>> > easy to check that the protocol succeeded, by interpolating the
>> > resulting public keys.  An actively malicious adversary during this
>> > phase would cause the protocol to fail, but I think it would be good to
>> > know that we have an actively malicious authority.  ;-)
>> Let's call this the "optimistic approach", and it would certainly be
>> an option, although one issue is that when it fails we can say that
>> someone is malicious but not which authority(s).  Although one
>> possibility is to have the ability to fall back to a full
>> byzantine-tolerant protocol in that event.
> Actually, I think the above "optimistic" protocol _would_ let you
> identify the misbehaving party if each message is signed by its sender.

This runs into problems when parties claim *not* to have received
messages from others.  (e.g. imagine that floor(n/2) authorities are
corrupted and claim that an uncorrupted party did not send them any

Nicholas Hopper
Associate Professor, Computer Science & Engineering, University of Minnesota
Visiting Research Director, The Tor Project
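
Added example, not part of the original message or of any Tor code: a sketch of the "optimistic approach" discussed above, in which every authority deals shares, everyone adds what they received, and success is checked by interpolating the resulting public keys. It assumes Shamir sharing over a constructed toy group; the parameters `P`, `Q`, `G` and all function names are hypothetical.

```python
import secrets

# Toy Schnorr group (constructed, far too small for real use): P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

def deal(n, t):
    """One dealer: random degree-(t-1) polynomial f, share for party i is f(i) mod Q."""
    coeffs = [secrets.randbelow(Q) for _ in range(t)]
    return [sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)]

def combine(dealings):
    """Each party adds the shares it received from every dealer."""
    return [sum(col) % Q for col in zip(*dealings)]

def lagrange(xs, j, x):
    """Lagrange coefficient for node xs[j], evaluated at x, mod Q."""
    num = den = 1
    for m, xm in enumerate(xs):
        if m != j:
            num = num * (x - xm) % Q
            den = den * (xs[j] - xm) % Q
    return num * pow(den, -1, Q) % Q

def check_public_keys(pubkeys, t):
    """Interpolate in the exponent from the first t public keys and confirm
    that every other party's public key lies on the same polynomial."""
    xs = list(range(1, t + 1))
    for i in range(t + 1, len(pubkeys) + 1):
        predicted = 1
        for j in range(t):
            predicted = predicted * pow(pubkeys[j], lagrange(xs, j, i), P) % P
        if predicted != pubkeys[i - 1]:
            return False
    return True

def run(n=5, t=3, cheat=False):
    dealings = [deal(n, t) for _ in range(n)]
    if cheat:  # dealer 2 hands party 4 a share that is off its polynomial
        dealings[1][3] = (dealings[1][3] + 1) % Q
    pubkeys = [pow(G, s, P) for s in combine(dealings)]
    return check_public_keys(pubkeys, t)

if __name__ == "__main__":
    print("honest run passes:", run())
    print("run with one bad share passes:", run(cheat=True))
```

The check returns only pass or fail over the combined public keys; it carries no information about which dealer produced the inconsistent share.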
