[tor-talk] Regarding #8244; Including a string not under authority control?

Sebastian G. <bastik.tor> bastik.tor at googlemail.com
Fri Oct 11 13:44:35 UTC 2013


Besides having each authority call in for their vote about the random
string, how about including a string in the consensus not under the
control of any authority?

For example, a hash from the bitcoin blockchain (it's popular and I had no
other source in mind). The authorities get together at some point, let's
say 10 minutes before each full hour. They all take the hash from
hh:45:00 or the closest to that result, where the newest wins. (hh:46:00
wins over hh:44:00)

Clients and hidden-services use both the hash and the random string.

If for whatever reason an authority picks a different hash than the
others there is no error. Like with all(?) other votes the majority
wins, so the majority would need to be buggy or compromised in order to
vote for the 'desired' hash.

The bitcoin blockchain is observable and so it is known where the hash
in the consensus comes from. Anyone could see which hash is included,
look it up in the blockchain and see if it matches the criteria that
were specified for selecting the hash.

I'm unsure if that solves the case where a single authority can
influence the result to a desired outcome. I think a non-voting
authority will have an influence on the random string, but to what
degree could it benefit a malicious authority not to vote? Authorities
that drop out of the consensus seem to happen every now and then.

I'm not sure how much time an authority has to calculate the outcome it
desired. It can know the hash 5 minutes before it gets picked, wait for
all the other authorities to vote for their part on the random string
and then compute what it has to vote for to get a string that has the
desired properties and vote.

If the time for an authority to game this is too high, how about voting
for the random string as soon as possible, then after all authorities
voted in time, those that didn't are ignored, the next (upcoming) hash
of the bitcoin blockchain is included, unless there is none within a
given timeframe (as one can not guarantee that there will be a new block
while voting) in which case the latest available hash will be used.

So instead of picking the hash first and then voting, do it the other way around.

I'm not sure if that's too complex, although to me it sounds easy. I
mean I could think of it, so it shouldn't give anyone with a
cryptographic background a headache to think this one through.

I've read the thesis and tried to understand the text parts. Having a
temporary secret so that each authority doesn't know what any other
authority voted for until the time for voting is up sounds very safe to me.

Sebastian G.
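
The selection rule, majority vote and public check described in the message, as an added example that is not part of the original post. The block data, authority names, function names and the strict-majority threshold are constructed assumptions for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

def utc(h, m, s=0):
    return datetime(2013, 10, 11, h, m, s, tzinfo=timezone.utc)

# Constructed sample chain view: (block timestamp, block hash). Not real blocks.
H_1331, H_1344, H_1346 = "31" * 32, "44" * 32, "46" * 32
BLOCKS = [(utc(13, 31, 12), H_1331), (utc(13, 44), H_1344), (utc(13, 46), H_1346)]
TARGET = utc(13, 45)  # hh:45:00 as proposed in the message

def pick_block_hash(blocks, target):
    """Hash of the block closest in time to target; on a tie the newest wins."""
    def rank(block):
        ts, _ = block
        return (abs((ts - target).total_seconds()), -ts.timestamp())
    return min(blocks, key=rank)[1]

def majority_hash(votes):
    """Hash backed by a strict majority of the votes cast, else None (assumed rule)."""
    if not votes:
        return None
    value, count = Counter(votes.values()).most_common(1)[0]
    return value if count > len(votes) / 2 else None

def audit_consensus(consensus_hash, blocks, target):
    """Observer's check: does the published hash match the selection rule?"""
    return consensus_hash == pick_block_hash(blocks, target)

# Hypothetical authorities; auth5 has not yet seen the 13:46 block.
VOTES = {f"auth{i}": pick_block_hash(BLOCKS, TARGET) for i in range(1, 5)}
VOTES["auth5"] = pick_block_hash(BLOCKS[:2], TARGET)

if __name__ == "__main__":
    agreed = majority_hash(VOTES)
    print("consensus hash:", agreed)
    print("matches rule:", audit_consensus(agreed, BLOCKS, TARGET))
```

The lagging authority votes for the hh:44:00 block without causing an error, and any observer with the same chain view can rerun `audit_consensus` against the published value.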
