Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: f56529b4b2
Branches Tags
tor
/
doc
/
spec
/
proposals
/
165-simple-robust-voting.txt

165-simple-robust-voting.txt 5.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133 
  1. Filename: 165-simple-robust-voting.txt
    2. 

  2. Title: Easy migration for voting authority sets
    3. 

  3. Author: Nick Mathewson
    4. 

  4. Created: 2009-05-28
    5. 

  5. Status: Open
    6. 

  6. 

  7. Overview:
    8. 

  8. 

  9.   This proposal describes any easy-to-implement, easy-to-verify way to
    10. 

  10.   change the set of authorities without creating a "flag day" situation.
    11. 

  11. 

  12. Motivation:
    13. 

  13. 

  14.   From proposal 134 ("More robust consensus voting with diverse
    15. 

  15.   authority sets") by Peter Palfrader:
    16. 

  16. 

  17.       Right now there are about five authoritative directory servers
    18. 

  18.       in the Tor network, tho this number is expected to rise to about
    19. 

  19.       15 eventually.
    20. 

  20. 

  21.       Adding a new authority requires synchronized action from all
    22. 

  22.       operators of directory authorities so that at any time during the
    23. 

  23.       update at least half of all authorities are running and agree on
    24. 

  24.       who is an authority.  The latter requirement is there so that the
    25. 

  25.       authorities can arrive at a common consensus: Each authority
    26. 

  26.       builds the consensus based on the votes from all authorities it
    27. 

  27.       recognizes, and so a different set of recognized authorities will
    28. 

  28.       lead to a different consensus document.
    29. 

  29. 

  30.   In response to this problem, proposal 134 suggested that every
    31. 

  31.   candidate authority list in its vote whom it believes to be an
    32. 

  32.   authority.  These A-says-B-is-an-authority relationships form a
    33. 

  33.   directed graph.  Each authority then iteratively finds the largest
    34. 

  34.   clique in the graph and remove it, until they find one containing
    35. 

  35.   them.  They vote with this clique.
    36. 

  36. 

  37.   Proposal 134 had some problems:
    38. 

  38. 

  39.     - It had a security problem in that M hostile authorities in a
    40. 

  40.       clique could effectively kick out M-1 honest authorities.  This
    41. 

  41.       could enable a minority of the original authorities to take over.
    42. 

  42. 

  43.     - It was too complex in its implications to analyze well: it took us
    44. 

  44.       over a year to realize that it was insecure.
    45. 

  45. 

  46.     - It tried to solve a bigger problem: general fragmentation of
    47. 

  47.       authority trust.  Really, all we wanted to have was the ability to
    48. 

  48.       add and remove authorities without forcing a flag day.
    49. 

  49. 

  50. Proposed protocol design:
    51. 

  51. 

  52.    A "Voting Set" is a set of authorities.  Each authority has a list of
    53. 

  53.    the voting sets it considers acceptable.  These sets are chosen
    54. 

  54.    manually by the authority operators. They must always contain the
    55. 

  55.    authority itself.  Each authority lists all of these voting sets in
    56. 

  56.    its votes.
    57. 

  57. 

  58.    Authorities exchange votes with every other authority in any of their
    59. 

  59.    voting sets.
    60. 

  60. 

  61.    When it is time to calculate a consensus, an authority votes with
    62. 

  62.    whichever voting set it lists that is listed by the most members of
    63. 

  63.    that set.  In other words, given two sets S1 and S2 that an authority
    64. 

  64.    lists, that authority will prefer to vote with S1 over S2 whenever
    65. 

  65.    the number of other authorities in S1 that themselves list S1 is
    66. 

  66.    higher than the number of other authorities in S2 that themselves
    67. 

  67.    list S2.
    68. 

  68. 

  69.    For example, suppose authority A recognizes two sets, "A B C D" and
    70. 

  70.    "A E F G H".  Suppose that the first set is recognized by all of A,
    71. 

  71.    B, C, and D, whereas the second set is recognized only by A, E, and
    72. 

  72.    F.  Because the first set is recognize by more of the authorities in
    73. 

  73.    it than the other one, A will vote with the first set.
    74. 

  74. 

  75.    Ties are broken in favor of some arbitrary function of the identity
    76. 

  76.    keys of the authorities in the set.
    77. 

  77. 

  78. How to migrate authority sets:
    79. 

  79. 

  80.    In steady state, each authority operator should list only the current
    81. 

  81.    actual voting set as accepted.
    82. 

  82. 

  83.    When we want to add an authority, each authority operator configures
    84. 

  84.    his or her server to list two voting sets: one containing all the old
    85. 

  85.    authorities, and one containing the old authorities and the new
    86. 

  86.    authority too.  Once all authorities are listing the new set of
    87. 

  87.    authorities, they will start voting with that set because of its
    88. 

  88.    size.
    89. 

  89. 

  90.    What if one or two authority operators are slow to list the new set?
    91. 

  91.    Then the other operators can stop listing the old set once there are
    92. 

  92.    enough authorities listing the new set to make its voting successful.
    93. 

  93.    (Note that these authorities not listing the new set will still have
    94. 

  94.    their votes counted, since they themselves will be members of the new
    95. 

  95.    set.  They will only fail to sign the consensus generated by the
    96. 

  96.    other authorities who are using the new set.)
    97. 

  97. 

  98.    When we want to remove an authority, the operators list two voting
    99. 

  99.    sets: one containing all the authorities, and one omitting the
    100. 

  100.    authority we want to remove.  Once enough authorities list the new
    101. 

  101.    set as acceptable, we start having authority operators stop listing
    102. 

  102.    the old set.  Once there are more listing the new set than the old
    103. 

  103.    set, the new set will win.
    104. 

  104. 

  105. Data format changes:
    106. 

  106. 

  107.    Add a new 'voting-set' line to the vote document format.  Allow it to
    108. 

  108.    occur any number of times.  Its format is:
    109. 

  109. 

  110.       voting-set SP 'fingerprint' SP 'fingerprint' ... NL
    111. 

  111. 

  112.    where each fingerprint is the hex fingerprint of an identity key of
    113. 

  113.    an authority.  Sort fingerprints in ascending order.
    114. 

  114. 

  115.    When the consensus method is at least 'X' (decide this when we
    116. 

  116.    implement the proposal), add this line to the consensus format as
    117. 

  117.    well, before the first dir-source line.  [This information is not
    118. 

  118.    redundant with the dir-source sections in the consensus: If an
    119. 

  119.    authority is recognized but didn't vote, that authority will appear in
    120. 

  120.    the voting-set line but not in the dir-source sections.]
    121. 

  121. 

  122.    We don't need to list other information about authorities in our
    123. 

  123.    vote.
    124. 

  124. 

  125. Migration issues:
    126. 

  126. 

  127.    We should keep track somewhere of which Tor client versions
    128. 

  128.    recognized which authorities.
    129. 

  129. 

  130. Acknowledgments:
    131. 

  131. 

  132.    The design came out of an IRC conversation with Peter Palfrader.  He
    133. 

  133.    had the basic idea first.
    134.