Hello,

Besides having each authority call in for their vote about the random string, how about including a string in the consensus that is not under the control of any authority?
For example, a hash from the Bitcoin blockchain (it's popular and I had no other source in mind). The authorities get together at some point, let's say 10 minutes before each full hour. They all take the hash from hh:45:00 or the closest to that result, where the newest wins (hh:46:00 wins over hh:44:00). Clients and hidden services use both the hash and the random string.

If for whatever reason an authority picks a different hash than the others, there is no error. Like with all(?) other votes the majority wins, so the majority would need to be buggy or compromised in order to vote for the 'desired' hash. The Bitcoin blockchain is observable, and so it is known where the hash in the consensus comes from. Anyone could see which hash is included, look it up in the blockchain, and see if it matches the criteria that were specified for selecting the hash.

I'm unsure if that solves the case where a single authority can influence the result to a desired outcome. I think a non-voting authority will have an influence on the random string, but to what degree could it benefit a malicious authority not to vote? Authorities that drop out of the consensus seem to happen every now and then.

I'm not sure how much time an authority has to calculate the outcome it desires. It can know the hash 5 minutes before it gets picked, wait for all the other authorities to vote for their part on the random string, and then compute what it has to vote for to get a string that has the desired properties, and vote.

If the time for an authority to game this is too high, how about voting for the random string as soon as possible; then, after all authorities voted in time, those that didn't are ignored, and the next (upcoming) hash of the Bitcoin blockchain is included, unless there is none within a given timeframe (as one cannot guarantee that there will be a new block while voting), in which case the latest available hash will be used.
So instead of picking the hash first and then voting, doing it the other way around. I'm not sure if that's too complex, although to me it sounds easy. I mean, I could think of it, so it shouldn't give anyone with a cryptographic background a headache to think this one through.

I've read the thesis and tried to understand the text parts. Having a temporary secret so that each authority doesn't know what any other authority voted for until the time for voting is up sounds very safe to me.

Regards,
Sebastian G.
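
The selection rule, majority vote and public audit described in the message above, as an added example that is not part of the original post and not Tor code. The authority names, the five-authority count, the strict-majority threshold and the `hash-*` strings are constructed assumptions; no real block hashes are used.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

def select_block(blocks, hour_start):
    """Pick the block closest to hh:45:00; on a tie the newer block wins."""
    target = hour_start + timedelta(minutes=45)
    # Sort key: smallest distance to the target first, then latest timestamp.
    return min(blocks, key=lambda b: (abs(b[0] - target), -b[0].timestamp()))

def majority_hash(votes, total_authorities):
    """Hash backed by a strict majority of all authorities, else None.
    Non-voting authorities still count in the denominator (assumption)."""
    if not votes:
        return None
    value, count = Counter(votes.values()).most_common(1)[0]
    return value if count > total_authorities // 2 else None

def audit(blocks, hour_start, consensus_hash):
    """Observer check: does the published hash satisfy the selection rule?"""
    return select_block(blocks, hour_start)[1] == consensus_hash

# Constructed sample data: (block timestamp, placeholder hash).
HOUR = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def at(minute):
    return HOUR + timedelta(minutes=minute)

CHAIN = [(at(31), "hash-a"), (at(44), "hash-b"),
         (at(46), "hash-c"), (at(58), "hash-d")]

# auth4 has a stale view of the chain; auth5 does not vote at all.
VIEWS = {"auth1": CHAIN, "auth2": CHAIN, "auth3": CHAIN, "auth4": CHAIN[:2]}
VOTES = {name: select_block(view, HOUR)[1] for name, view in VIEWS.items()}
CONSENSUS = majority_hash(VOTES, total_authorities=5)

if __name__ == "__main__":
    print("votes:", VOTES)
    print("consensus hash:", CONSENSUS)
    print("audit passes:", audit(CHAIN, HOUR, CONSENSUS))
```

A dissenting or missing vote does not cause an error; it only matters once no single hash has a majority, in which case `majority_hash` returns `None`.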