[tor-dev] Tor with collective signatures

Nicolas Gailly nicolas.gailly at epfl.ch
Thu May 26 15:39:18 UTC 2016

On 05/26/2016 03:47 PM, Tim Wilson-Brown - teor wrote:
> This is not possible, each authority only produces one consensus per hour.
> If a majority of authorities sign the same consensus, that consensus will be served by all authorities, and accepted by clients.
> Otherwise, there is a consensus failure, and no authority serves a consensus for that hour.
Ok - as replied to Tom Ritter previously, this was about the
I guess it's not so relevant in this context, I'll probably remove this
section in the next iteration then.
> If you wish to include extra "CoSi" lines in the consensus, they must be deterministically agreed.
> The process works something like this:
> * each authority includes information in its vote,
> * each authority deterministically uses the information in the votes to produce a consensus,
> * each authority signs the consensus it produced,
> * if a majority of authorities signed exactly the same consensus, that consensus is served to clients.
Thank you for the detailed explanation.
> As you mention, one way to work around this requirement is for authorities to round-robin as CoSi leader.
> A second is for each authority to validate the CoSi signatures provided by each other authority, and only include those signatures validated and voted for by a majority of authorities in the consensus. (CoSi validation is deterministic, even though CoSi signing is not, due to network effects - a CoSi signer may sign one request, but go down before signing them all.)
Just a nitpick here: CoSi signatures by definition *are* probabilistic
because each co-signer must generate a new random  for each round (as
in Schnorr signatures). Having a signer failure also induces different
signatures, but they would already be different anyhow.
> A third is for CoSi signatures to be appended to the consensus, just like authority signatures are appended. Then authorities, mirrors, and clients only serve consensuses with a majority (5/9) of valid CoSi signatures.
Your third option is exactly what we had in mind; see section 6 about
compatibility: "[...] treating the new CoSi-generated collective
signature as just an additional signature that gets attached to and
distributed with consensus documents".
I see now that we may be using incorrect terminology in this context; we
should change "included" to "appended" as you suggest.
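
The two points discussed in this message, as an added example that is not part of the original post or of the CoSi or Tor code: signing the same consensus twice yields different signatures because of the fresh per-round randomness, verification is deterministic, and a consensus is accepted only with 5 of 9 valid appended signatures. Plain single-signer Schnorr over a toy group stands in for the CoSi collective signature; the group parameters and the names `keygen`, `sign`, `verify` and `accept` are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group for illustration only (NOT secure parameters): Z_p^* with the
# Mersenne prime p = 2^127 - 1; exponents are reduced modulo p - 1.
P = 2**127 - 1
N = P - 1
G = 3

def _challenge(R, msg):
    # Schnorr challenge: hash of the commitment and the signed document.
    data = R.to_bytes(16, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)               # (private key, public key)

def sign(x, msg):
    k = secrets.randbelow(N - 1) + 1     # fresh random value every round
    c = _challenge(pow(G, k, P), msg)
    return c, (k + c * x) % N

def verify(X, msg, sig):
    # Deterministic: recompute the commitment as g^s * X^-c and re-hash.
    c, s = sig
    R = pow(G, s, P) * pow(X, (N - c) % N, P) % P
    return _challenge(R, msg) == c

def accept(consensus, appended, pubkeys, threshold=5):
    """Accept a consensus only if enough appended signatures verify.

    appended: list of (signer_index, signature); each signer counts once.
    """
    valid = {i for i, sig in appended
             if i in pubkeys and verify(pubkeys[i], consensus, sig)}
    return len(valid) >= threshold

if __name__ == "__main__":
    keys = [keygen() for _ in range(9)]  # constructed: nine signers
    pubkeys = {i: X for i, (_, X) in enumerate(keys)}
    doc = b"constructed consensus document"
    first, second = sign(keys[0][0], doc), sign(keys[0][0], doc)
    print("same document, different signatures:", first != second)
    print("both verify:", verify(pubkeys[0], doc, first),
          verify(pubkeys[0], doc, second))
    sigs = [(i, sign(keys[i][0], doc)) for i in range(5)]
    print("5/9 accepted:", accept(doc, sigs, pubkeys))
    print("4/9 accepted:", accept(doc, sigs[:4], pubkeys))
```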


