On Mon, Jan 20, 2014 at 7:32 AM, Ian Goldberg <[email protected]> wrote: >> > Then again, if *that* code is written, then just having each authority >> > operator run an instance of that code in the role of Nick, and having >> > everyone add their results, works fine if everyone is online. It's also >> > easy to check that the protocol succeeeded, by interpolating the >> > resulting public keys. An actively malicious adversary during this >> > phase would cause the protocol to fail, but I think it would be good to >> > know that we have an actively malicious authority. ;-) >> >> Let's call this the "optimistic approach", and it would certainly be >> an option, although one issue is that when it fails we can say that >> someone is malicious but not which authority(s). Although one >> possibility is to have the ability to fall back to a full >> byzantine-tolerant protocol in that event. > > Actually, I think the above "optimistic" protocol _would_ let you > identify the misbehaving party if each message is signed by its sender.
This runs into problems when parties claim *not* to have received messages from others. (e.g. imagine that floor(n/2) authorities are corrupted and claim that an uncorrupted party did not send them any input) -- ------------------------------------------------------------------------ Nicholas Hopper Associate Professor, Computer Science & Engineering, University of Minnesota Visiting Research Director, The Tor Project ------------------------------------------------------------------------ _______________________________________________ tor-dev mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
