[tor-dev] Proposal: Tor with collective signatures

Nicolas Gailly nicolas.gailly at epfl.ch
Tue May 3 13:19:30 UTC 2016

A quick response:

>>>> it also decreases the incentive to launch such an attack because the
>>>> threshold of witnesses that are required to sign the document for the
>>>> signature to be accepted can be locally set on each client.
>>> This does, however, give a pretty straightforward fingerprinting attack.
>> I'm afraid I don't see what you mean here. Are you talking about the
>> "locally set" threshold of witnesses that must have participated in the
>> CoSi signature in order to be considered valid?
>>  -> Yes: If an attacker has successfully fingerprinted a Tor client by
>> knowing its "threshold", that means the attacker already has corrupted
>> the *majority of the D.A.s* (because the consensus document still needs
>> to be signed as usual by a majority of D.A.s), AND at least *threshold*
>> witnesses.
>>  -> No: Could you elaborate then, please? :)
> Yes. Hardly an easy attack, but if Alice has set her threshold to N+20
> signers from the normal N, I can feed a client consensus documents
> with N+19 and N+20 witnesses and if the first doesn't stick and the
> second does - I've a good idea it's Alice (or someone else who has set
> their threshold to N+20).
My 2 cents about that ;)

1 - I think a fingerprinting attack over a range of ~100 discrete values
(there would be around ~100 witnesses) will be very inaccurate regarding
the size of the Tor user base.
2 - If an attacker already has the possibility of doing this, that means
he already controls a majority of the D.A.s plus some CoSi witnesses.
    -> The attacker can only do this attack for as many witnesses as it
controls. If Alice has set her threshold to 80, the attacker must
control at least 80 witnesses (which is already a very, very bad
situation!). The default threshold should be high (> 80, > 90) to
drastically increase the cost of such an attack.
    -> I'm also thinking there could be much more damaging attacks
that the attacker can do in a situation like this (consensus containing
a majority of its relays etc).

> Teor's comments about Fallback Dirs are better than ones I could write. =)
Thanks a *lot* (both of you) for your comments, they've been very
fruitful! I'm already working on the next version in the few free time I

More feedback always welcome ;)

> -tom