Diffstat (limited to 'spec/srv-spec/security-analysis.md')
-rw-r--r-- | spec/srv-spec/security-analysis.md | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/spec/srv-spec/security-analysis.md b/spec/srv-spec/security-analysis.md index 698cac5..658c2f8 100644 --- a/spec/srv-spec/security-analysis.md +++ b/spec/srv-spec/security-analysis.md @@ -1,7 +1,9 @@ <a id="srv-spec.txt-5"></a> + # Security Analysis <a id="srv-spec.txt-5.1"></a> + ## Security of commit-and-reveal and future directions The security of commit-and-reveal protocols is well understood, and has @@ -16,6 +18,7 @@ crypto and more complex protocols so this seems like an acceptable solution for now. Here are some examples of possible future directions: + - Schemes based on threshold signatures (e.g. see [HOPPER]) - Unicorn scheme by Lenstra et al. [UNICORN] - Schemes based on Verifiable Delay Functions [VDFS] @@ -24,6 +27,7 @@ For more alternative approaches on collaborative random number generation also see the discussion at [RNGMESSAGING]. <a id="srv-spec.txt-5.2"></a> + ## Predicting the shared random value during reveal phase The reveal phase lasts 12 hours, and most authorities will send their @@ -39,6 +43,7 @@ Any other protocols using the shared random value from this system should be aware of this property. <a id="srv-spec.txt-5.3"></a> + ## Partition attacks This design is not immune to certain partition attacks. We believe they @@ -50,6 +55,7 @@ attacks. Nevertheless, this section describes all possible partition attack and how to detect them. <a id="srv-spec.txt-5.3.1"></a> + ### Partition attacks during commit phase A malicious directory authority could send only its commit to one single @@ -67,6 +73,7 @@ coming from an authority should NEVER be different between authorities. If so, this means an attack is ongoing or very bad bug (highly unlikely). <a id="srv-spec.txt-5.3.2"></a> + ### Partition attacks during reveal phase Let's consider Alice, a malicious directory authority. Alice could wait 
@@ -95,4 +102,3 @@ will cause quite some noise. Furthermore, the authority needs to send different votes to different auths which is detectable. Like the commit phase attack, the detection here is to make sure that the commitment values in a vote coming from an authority are always the same for each authority. - |
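Review bot: In the `@@ -50,6 +55,7 @@` hunk, the context sentence "this section describes all possible partition attack and how to detect them" has a singular/plural mismatch. Since this patch is already a cleanup pass over the file, change "attack" to "attacks" here or in a follow-up.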
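Review bot: In the `@@ -67,6 +73,7 @@` hunk, "this means an attack is ongoing or very bad bug (highly unlikely)" is missing an article and a verb. This sentence states the detection criterion for the commit-phase partition, so it should read cleanly; suggest "this means an attack is ongoing or there is a very bad bug (highly unlikely)".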
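Review bot: In the `@@ -95,4 +102,3 @@` hunk, "send different votes to different auths" uses an abbreviation while the next sentence in the same hunk says "the same for each authority". For a spec, spell it out as "authorities" so the term is consistent; the removal of the trailing blank line itself looks fine.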