Home Explore Help
Sign In
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 66039d9843
Branches Tags
tor-parallel...
/
doc
/
spec
/
proposals
/
134-robust-voting.txt

134-robust-voting.txt 4.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123 
  1. Filename: 134-robust-voting.txt
    2. 

  2. Title: More robust consensus voting with diverse authority sets
    3. 

  3. Author: Peter Palfrader
    4. 

  4. Created: 2008-04-01
    5. 

  5. Status: Rejected
    6. 

  6. 

  7. History:
    8. 

  8.   2009 May 27: Added note on rejecting this proposal -- Nick
    9. 

  9. 

  10. Overview:
    11. 

  11. 

  12.   A means to arrive at a valid directory consensus even when voters
    13. 

  13.   disagree on who is an authority.
    14. 

  14. 

  15. 

  16. Motivation:
    17. 

  17. 

  18.   Right now there are about five authoritative directory servers in the
    19. 

  19.   Tor network, tho this number is expected to rise to about 15 eventually.
    20. 

  20. 

  21.   Adding a new authority requires synchronized action from all operators of
    22. 

  22.   directory authorities so that at any time during the update at least half of
    23. 

  23.   all authorities are running and agree on who is an authority.  The latter
    24. 

  24.   requirement is there so that the authorities can arrive at a common
    25. 

  25.   consensus:  Each authority builds the consensus based on the votes from
    26. 

  26.   all authorities it recognizes, and so a different set of recognized
    27. 

  27.   authorities will lead to a different consensus document.
    28. 

  28. 

  29. 

  30. Objective:
    31. 

  31. 

  32.   The modified voting procedure outlined in this proposal obsoletes the
    33. 

  33.   requirement for most authorities to exactly agree on the list of
    34. 

  34.   authorities.
    35. 

  35. 

  36. 

  37. Proposal:
    38. 

  38. 

  39.   The vote document each authority generates contains a list of 
    40. 

  40.   authorities recognized by the generating authority.  This will be 
    41. 

  41.   a list of authority identity fingerprints.
    42. 

  42. 

  43.   Authorities will accept votes from and serve/mirror votes also for
    44. 

  44.   authorities they do not recognize.  (Votes contain the signing,
    45. 

  45.   authority key, and the certificate linking them so they can be 
    46. 

  46.   verified even without knowing the authority beforehand.)
    47. 

  47. 

  48.   Before building the consensus we will check which votes to use for
    49. 

  49.   building:
    50. 

  50. 

  51.    1) We build a directed graph of which authority/vote recognizes
    52. 

  52.       whom.
    53. 

  53.    2) (Parts of the graph that aren't reachable, directly or
    54. 

  54.       indirectly, from any authorities we recognize can be discarded
    55. 

  55.       immediately.)
    56. 

  56.    3) We find the largest fully connected subgraph.
    57. 

  57.       (Should there be more than one subgraph of the same size there
    58. 

  58.       needs to be some arbitrary ordering so we always pick the same.
    59. 

  59.       E.g. pick the one who has the smaller (XOR of all votes' digests)
    60. 

  60.       or something.)
    61. 

  61.    4) If we are part of that subgraph, great.  This is the list of 
    62. 

  62.       votes we build our consensus with.
    63. 

  63.    5) If we are not part of that subgraph, remove all the nodes that
    64. 

  64.       are part of it and go to 3.
    65. 

  65. 

  66.   Using this procedure authorities that are updated to recognize a
    67. 

  67.   new authority will continue voting with the old group until a
    68. 

  68.   sufficient number has been updated to arrive at a consensus with
    69. 

  69.   the recently added authority.
    70. 

  70. 

  71.   In fact, the old set of authorities will probably be voting among
    72. 

  72.   themselves until all but one has been updated to recognize the
    73. 

  73.   new authority.  Then which set of votes is used for consensus 
    74. 

  74.   building depends on which of the two equally large sets gets 
    75. 

  75.   ordered before the other in step (3) above.
    76. 

  76. 

  77.   It is necessary to continue with the process in (5) even if we
    78. 

  78.   are not in the largest subgraph.  Otherwise one rogue authority
    79. 

  79.   could create a number of extra votes (by new authorities) so that
    80. 

  80.   everybody stops at 5 and no consensus is built, even tho it would
    81. 

  81.   be trusted by all clients.
    82. 

  82. 

  83. 

  84. Anonymity Implications:
    85. 

  85. 

  86.   The author does not believe this proposal to have anonymity
    87. 

  87.   implications.
    88. 

  88. 

  89. 

  90. Possible Attacks/Open Issues/Some thinking required:
    91. 

  91. 

  92.  Q: Can a number (less or exactly half) of the authorities cause an honest
    93. 

  93.     authority to vote for "their" consensus rather than the one that would
    94. 

  94.     result were all authorities taken into account?
    95. 

  95. 

  96. 

  97.  Q: Can a set of votes from external authorities, i.e of whom we trust either
    98. 

  98.     none or at least not all, cause us to change the set of consensus makers we
    99. 

  99.     pick?
    100. 

  100.  A: Yes, if other authorities decide they rather build a consensus with them
    101. 

  101.     then they'll be thrown out in step 3.  But that's ok since those other
    102. 

  102.     authorities will never vote with us anyway.
    103. 

  103.     If we trust none of them then we throw them out even sooner, so no harm done.
    104. 

  104. 

  105.  Q: Can this ever force us to build a consensus with authorities we do not
    106. 

  106.     recognize?
    107. 

  107.  A: No, we can never build a fully connected set with them in step 3.
    108. 

  108. 

  109. ------------------------------
    110. 

  110. 

  111. I'm rejecting this proposal as insecure.
    112. 

  112. 

  113. Suppose that we have a clique of size N, and M hostile members in the
    114. 

  114. clique.  If these hostile members stop declaring trust for up to M-1
    115. 

  115. good members of the clique, the clique with the hostile members will
    116. 

  116. in it will be larger than the one without them.
    117. 

  117. 

  118. The M hostile members will constitute a majority of this new clique
    119. 

  119. when M > (N-(M-1)) / 2, or when M > (N + 1) / 3.  This breaks our
    120. 

  120. requirement that an adversary must compromise a majority of authorities
    121. 

  121. in order to control the consensus.
    122. 

  122. 

  123. -- Nick
    124.