[tor-talk] Regarding #8244; Including a string not under authority control?

Nick Mathewson nickm at alum.mit.edu
Mon Nov 25 18:10:44 UTC 2013

On Mon, Nov 25, 2013 at 11:53 AM, Nick Mathewson <nickm at alum.mit.edu> wrote:
> On Fri, Oct 11, 2013 at 9:44 AM, Sebastian G. <bastik.tor>
> <bastik.tor at googlemail.com> wrote:
>> Hello,
>> beside having each authority call in for their vote about the random
>> string, how about including a string in the consensus not under control
>> by any authority?
>> For example a hash from the bitcoin blockchain (its popular and I had no
>> other source in mind). The authorities get together at some point, lets
>> say 10 minutes before each full hour. They all take the hash from
>> hh:45:00 or the closest to that result, where the newest wins. (hh:46:00
>> wins over hh:44:00)
>> Clients and hidden-services use both the hash and the random string.
>> If for whatever reason an authority picks a different hash than the
>> others there is no error. Like with all(?) other votes the majority
>> wins, so the majority would need to be buggy or compromised in order to
>> vote for the 'desired' hash.
>> The bitcoin blockchain is observable and so it is known where the hash
>> in the consensus comes from. Anyone could see which hash is included
>> look it up in the blockchain and see if it matches the criteria that
>> were specified for selecting the hash.
> That's a pretty clever idea!

Oh, and to clarify: I rather like this approach. It's just that the
only way I know to do good security analysis is start with the
assumption that the idea must be broken somehow, and try to figure out
how what the attack is.

The fact that bitcoin blocks contain many transactions help us out
here, but makes the analysis less trivial than I'd thought before I
started re-reading the protocol.  Also, duh, it's not about getting
the last transaction -- it's about being the miner who happens to
generate the block.

So unless I'm missing my guess, the cost of setting N bits of the hash
with probability P here is equal to the cost of generating a target
bitcoin block with probability P, times 2^N ?


More information about the tor-talk mailing list