path: root/spec/srv-spec/security-analysis.md
Diffstat (limited to 'spec/srv-spec/security-analysis.md')
-rw-r--r--  spec/srv-spec/security-analysis.md  8
1 files changed, 7 insertions, 1 deletions
diff --git a/spec/srv-spec/security-analysis.md b/spec/srv-spec/security-analysis.md
index 698cac5..658c2f8 100644
--- a/spec/srv-spec/security-analysis.md
+++ b/spec/srv-spec/security-analysis.md
@@ -1,7 +1,9 @@
<a id="srv-spec.txt-5"></a>
+
# Security Analysis
<a id="srv-spec.txt-5.1"></a>
+
## Security of commit-and-reveal and future directions
The security of commit-and-reveal protocols is well understood, and has
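Review bot: the blank line added between each `<a id="srv-spec.txt-5"></a>` / `<a id="srv-spec.txt-5.1"></a>` anchor and the heading that follows is a whitespace-only change that keeps the inline-HTML anchor from running into the heading on renderers that require a blank line before a heading; the same pattern is applied at every section anchor in this patch, so it is consistent. Since the diffstat shows only this one file changed, it is worth checking that the sibling srv-spec files use the same anchor-then-blank-line layout so the rendered spec looks uniform.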
@@ -16,6 +18,7 @@ crypto and more complex protocols so this seems like an acceptable solution
for now.
Here are some examples of possible future directions:
+
- Schemes based on threshold signatures (e.g. see [HOPPER])
- Unicorn scheme by Lenstra et al. [UNICORN]
- Schemes based on Verifiable Delay Functions [VDFS]
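Review bot: the blank line inserted before `- Schemes based on threshold signatures (e.g. see [HOPPER])` is the one change in this hunk with a visible rendering effect, because several Markdown renderers will not start a bullet list directly after the paragraph line `Here are some examples of possible future directions:` without a separating blank line. Only this list appears in the diff; suggest scanning the rest of the file for other lists that follow a paragraph without a blank line so they get the same fix.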
@@ -24,6 +27,7 @@ For more alternative approaches on collaborative random number generation
also see the discussion at [RNGMESSAGING].
<a id="srv-spec.txt-5.2"></a>
+
## Predicting the shared random value during reveal phase
The reveal phase lasts 12 hours, and most authorities will send their
@@ -39,6 +43,7 @@ Any other protocols using the shared random value from this system should
be aware of this property.
<a id="srv-spec.txt-5.3"></a>
+
## Partition attacks
This design is not immune to certain partition attacks. We believe they
@@ -50,6 +55,7 @@ attacks. Nevertheless, this section describes all possible partition attack
and how to detect them.
<a id="srv-spec.txt-5.3.1"></a>
+
### Partition attacks during commit phase
A malicious directory authority could send only its commit to one single
@@ -67,6 +73,7 @@ coming from an authority should NEVER be different between authorities. If
so, this means an attack is ongoing or very bad bug (highly unlikely).
<a id="srv-spec.txt-5.3.2"></a>
+
### Partition attacks during reveal phase
Let's consider Alice, a malicious directory authority. Alice could wait
@@ -95,4 +102,3 @@ will cause quite some noise. Furthermore, the authority needs to send
different votes to different auths which is detectable. Like the commit
phase attack, the detection here is to make sure that the commitment values
in a vote coming from an authority are always the same for each authority.
-
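Review bot: the final hunk only drops a trailing blank line at the end of the file (`@@ -95,4 +102,3 @@`), which is harmless for rendering, but confirm the file still ends with a single newline after the line `in a vote coming from an authority are always the same for each authority.`, since some linters and diff tools flag a missing final newline and that would undo the tidy-up this patch is making.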