On Fri, Jan 17, 2014 at 10:01:13PM -0600, Nicholas Hopper wrote: > > Yes: Nick (who would probably be the one writing the code anyway) > > generates the shares encrypted to keys generated by the authority > > operators, sends them to the authority operators, and forgets the > > intermediate results. ;-) (Only partially kidding.) > > Ha! Yes, byzantine agreement is much easier with a trusted party. :) > > > Then again, if *that* code is written, then just having each authority > > operator run an instance of that code in the role of Nick, and having > > everyone add their results, works fine if everyone is online. It's also > > easy to check that the protocol succeeeded, by interpolating the > > resulting public keys. An actively malicious adversary during this > > phase would cause the protocol to fail, but I think it would be good to > > know that we have an actively malicious authority. ;-) > > Let's call this the "optimistic approach", and it would certainly be > an option, although one issue is that when it fails we can say that > someone is malicious but not which authority(s). Although one > possibility is to have the ability to fall back to a full > byzantine-tolerant protocol in that event.
Actually, I think the above "optimistic" protocol _would_ let you identify the misbehaving party if each message is signed by its sender. - Ian _______________________________________________ tor-dev mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
