Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 2c8b56c029
Branches Tags
tor
/
doc
/
spec
/
proposals
/
165-simple-robust-voting.txt

165-simple-robust-voting.txt 4.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119 
  1. Filename: 165-simple-robust-voting.txt
    2. 

  2. Title: Easy migration for voting authority sets
    3. 

  3. Author: Nick Mathewson
    4. 

  4. Created: 2009-05-28
    5. 

  5. Status: Open
    6. 

  6. 

  7. Overview:
    8. 

  8. 

  9.   This proposal describes any easy-to-implement, easy-to-verify way to
    10. 

  10.   change the set of authorities without creating a "flag day" situation.
    11. 

  11. 

  12. Motivation:
    13. 

  13. 

  14.   From proposal 134 ("More robust consensus voting with diverse
    15. 

  15.   authority sets") by Peter Palfrader:
    16. 

  16. 

  17.       Right now there are about five authoritative directory servers
    18. 

  18.       in the Tor network, tho this number is expected to rise to about
    19. 

  19.       15 eventually.
    20. 

  20. 

  21.       Adding a new authority requires synchronized action from all
    22. 

  22.       operators of directory authorities so that at any time during the
    23. 

  23.       update at least half of all authorities are running and agree on
    24. 

  24.       who is an authority.  The latter requirement is there so that the
    25. 

  25.       authorities can arrive at a common consensus: Each authority
    26. 

  26.       builds the consensus based on the votes from all authorities it
    27. 

  27.       recognizes, and so a different set of recognized authorities will
    28. 

  28.       lead to a different consensus document.
    29. 

  29. 

  30.   In response to this problem, proposal 134 suggested that every
    31. 

  31.   candidate authority list in its vote whom it believes to be an
    32. 

  32.   authority.  These A-says-B-is-an-authority relationships form a
    33. 

  33.   directed graph.  Each authority then iteratively finds the largest
    34. 

  34.   clique in the graph and remove it, until they find one containing
    35. 

  35.   them.  They vote with this clique.
    36. 

  36. 

  37.   Proposal 134 had some problems:
    38. 

  38. 

  39.     - It had a security problem in that M hostile authorities in a
    40. 

  40.       clique could effectively kick out M-1 honest authorities.  This
    41. 

  41.       could enable a minority of the original authorities to take over.
    42. 

  42. 

  43.     - It was too complex in its implications to analyze well: it took us
    44. 

  44.       over a year to realize that it was insecure.
    45. 

  45. 

  46.     - It tried to solve a bigger problem: general fragmentation of
    47. 

  47.       authority trust.  Really, all we wanted to have was the ability to
    48. 

  48.       add and remove authorities without forcing a flag day.
    49. 

  49. 

  50. Proposed protocol design:
    51. 

  51. 

  52.    A "Voting Set" is a set of authorities.  Each authority has a list of
    53. 

  53.    the voting sets it considers acceptable.  These sets must always
    54. 

  54.    contain the authority itself.  Each authority lists all of these
    55. 

  55.    voting sets in its votes.
    56. 

  56. 

  57.    Authorities exchange votes with every other authority in any of their
    58. 

  58.    voting sets.
    59. 

  59. 

  60.    When it comes time to calculate a consensus, an authority votes with
    61. 

  61.    whichever voting set it lists that is listed by the most members of
    62. 

  62.    that set.
    63. 

  63. 

  64.    For example, suppose authority A recognizes two sets, "A B C D" and
    65. 

  65.    "A E F G H".  Suppose that the first set is recognized by all of A,
    66. 

  66.    B, C, and D, whereas the second set is recognized only by A, E, and
    67. 

  67.    F.  Because the first set is recognize by more of the authorities in
    68. 

  68.    it than the other one, A will vote with the first set.
    69. 

  69. 

  70.    Ties are broken in favor of some arbitrary function of the identity
    71. 

  71.    keys of the authorities in the set.
    72. 

  72. 

  73. How to migrate authority sets:
    74. 

  74. 

  75.    In steady state, each authority should list only the current actual
    76. 

  76.    voting set as accepted.
    77. 

  77. 

  78.    When we want to add an authority, we list two voting sets: one
    79. 

  79.    containing all the old authorities, and one containing the old
    80. 

  80.    authorities and the new authority too.  Once all authorities are
    81. 

  81.    listing the new set of authorities, they will start preferring that
    82. 

  82.    set because of its size.
    83. 

  83. 

  84.    When we want to remove an authority, we list two voting sets: one
    85. 

  85.    containing all the authorities, and one omitting the authority we
    86. 

  86.    want to remove.  Once enough authorities list the new set as
    87. 

  87.    acceptable, we start having authorities stop listing the old set.
    88. 

  88.    Once there are more listing the new set than the old set, the new set
    89. 

  89.    will win.
    90. 

  90. 

  91. Data format changes:
    92. 

  92. 

  93.    Add a new 'voting-set' line to the vote document format.  Allow it to
    94. 

  94.    occur any number of times.  Its format is:
    95. 

  95. 

  96.       voting-set SP 'fingerprint' SP 'fingerprint' ... NL
    97. 

  97. 

  98.    where each fingerprint is the hex fingerprint of an identity key of
    99. 

  99.    an authority.  Sort fingerprints in ascending order.
    100. 

  100. 

  101.    When the consensus method is at least 'X' (decide this when we
    102. 

  102.    implement the proposal), add this line to the consensus format as
    103. 

  103.    well, before the first dir-source line.  [This information is not
    104. 

  104.    redundant with the dir-source sections in the consensus: If an
    105. 

  105.    authority is recognized didn't vote, that authority will appear in
    106. 

  106.    the voting-set line but not in the dir-source sections.]
    107. 

  107. 

  108.    We don't need to list other information about authorities in our
    109. 

  109.    vote.
    110. 

  110. 

  111. Migration issues:
    112. 

  112. 

  113.    We should keep track somewhere of which Tor client versions
    114. 

  114.    recognized which authorities.
    115. 

  115. 

  116. Acknowledgments:
    117. 

  117. 

  118.    The design came out of an IRC conversation with Peter Palfrader.  He
    119. 

  119.    had the basic idea first.
    120.