-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Tony,
The following article talks about using secret sharing and threshold signatures to make quorom decisions in a distributed system: L. Zhou and Z.J. Haas, Securing ad hoc networks. IEEE Network 13(6):24?30, November 1999. http://people.ece.cornell.edu/haas/Publications/NM-zhou-haas-1999-11+12.pdf Cheers, Michael On 19/07/13 04:57, Tony Arcieri wrote: > Has there been any work with combining Shamir-style secret sharing > with consensus protocols like Paxos and Raft (or leader election > protocols like Omega Meets Paxos)? > > The idea would be to have a network of n peers, who share a secret > where t=2 shares are required to reassemble the original secret. > This secret is used to sign new values when a group consensus is > reached via a Paxos-like protocol. > > In this scheme, a "proposer" would give its secret share, along > with a proposed new value, to "acceptor" nodes, who can reassemble > the entire secret. If they accept the new value, they can sign it > with the secret, then immediately erase it. If we use a > deterministic signature algorithm like Ed25519, every acceptor > taking part in the consensus protocol can produce the same signed > version of the proposed new value. They can then continue with the > consensus protocol's accept phase. The result will be a quorum on a > signed value (or a consensus failure if quorum can't be reached, of > course) > > Let's assume a malicious entity gains control of one and only one > of the nodes. They are now able to propose new values, so they can > manipulate the peer network by proposing malicious values which > will get accepted by the rest of the group. > > However, they do not *immediately* learn the private key. They > would only learn the private key if any other node were to propose > a value which contained their secret share. > > -- alternatively -- > > Secret sharing could be combined with a leader election protocol. > In this scheme, the leader and only the leader would learn the > shared secret. All proposed values would have to be approved and > signed by the leader. > > I'm not sure I like this as much though. The leader is a single > point of failure, and an attacker could maliciously force a leader > election through e.g. DoS, having compromised only one other host > directly. > > -- Tony Arcieri > > > _______________________________________________ cryptography > mailing list cryptography@randombit.net > http://lists.randombit.net/mailman/listinfo/cryptography > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJR6RG2AAoJEBEET9GfxSfMOBkH/ii34FKcPrXnOp7nJJlgROlZ MbCv/lf2dzevVgWwCpCnm1bAPkRxl/pDuvTFS+BcvaBnNcDIiuEF7HiT92MQrUAH XPBxnJwuwQa/TFCSXlfu3uX99XZMWiUBKVZKjJAksBKeeCneGlkmQQRvwFwASSBG a8NREeca97041xAXxQfZ9KOwidWz5GfDlY81BZEZGw44ld9DxQaiJDCujOhc2ul5 RvRGQ7oJUMyNnQNM/7uAxt5fkSiBtPpOH+CKH0wMRHjPemmHIT8+E8914pkeXYN4 7KqWYSV1Xpv50HEOTqenHapGD7kb87D6zzdpqdW7OSndCG1ENu5NkqdxV5B5iEA= =DlFK -----END PGP SIGNATURE----- _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography