[cryptography] A secret sharing consensus protocol (or leader election protocol)

Michael Rogers michael at briarproject.org
Fri Jul 19 06:15:18 EDT 2013


Hi Tony,

The following article talks about using secret sharing and threshold
signatures to make quorum decisions in a distributed system:

L. Zhou and Z.J. Haas, Securing ad hoc networks. IEEE Network
13(6):24-30, November 1999.

http://people.ece.cornell.edu/haas/Publications/NM-zhou-haas-1999-11+12.pdf

Cheers,
Michael

On 19/07/13 04:57, Tony Arcieri wrote:
> Has there been any work with combining Shamir-style secret sharing
> with consensus protocols like Paxos and Raft (or leader election
> protocols like Omega Meets Paxos)?
> 
> The idea would be to have a network of n peers, who share a secret
> where t=2 shares are required to reassemble the original secret.
> This secret is used to sign new values when a group consensus is
> reached via a Paxos-like protocol.
> 
> In this scheme, a "proposer" would give its secret share, along
> with a proposed new value, to "acceptor" nodes, who can reassemble
> the entire secret. If they accept the new value, they can sign it
> with the secret, then immediately erase it. If we use a
> deterministic signature algorithm like Ed25519, every acceptor
> taking part in the consensus protocol can produce the same signed
> version of the proposed new value. They can then continue with the
> consensus protocol's accept phase. The result will be a quorum on a
> signed value (or a consensus failure if quorum can't be reached, of
> course)
> 
> Let's assume a malicious entity gains control of one and only one
> of the nodes. They are now able to propose new values, so they can
> manipulate the peer network by proposing malicious values which
> will get accepted by the rest of the group.
> 
> However, they do not *immediately* learn the private key. They
> would only learn the private key if any other node were to propose
> a value which contained their secret share.
> 
> -- alternatively --
> 
> Secret sharing could be combined with a leader election protocol.
> In this scheme, the leader and only the leader would learn the
> shared secret. All proposed values would have to be approved and
> signed by the leader.
> 
> I'm not sure I like this as much though. The leader is a single
> point of failure, and an attacker could maliciously force a leader
> election through e.g. DoS, having compromised only one other host
> directly.
> 
> -- Tony Arcieri

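Added example, not part of the original thread and not code from either poster: a sketch of the t=2 share-and-sign scheme described in the quoted message, showing that every acceptor derives the same signature, that one share alone is consistent with any key, and that a node holding one share recovers the key as soon as it receives a second. The field modulus and function names are assumptions, and HMAC-SHA256 stands in for a deterministic signature such as Ed25519.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19  # prime field modulus (assumed for this sketch)

def split(secret, n, t=2):
    """Shamir split: random degree t-1 polynomial f, f(0) = secret, share i = (i, f(i))."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def sign(secret, value):
    """Deterministic tag over value; HMAC-SHA256 is a stand-in for Ed25519."""
    return hmac.new(secret.to_bytes(32, "big"), value, hashlib.sha256).hexdigest()

def consistent_share(known_share, candidate_secret, x):
    """Share at x on the unique line through (0, candidate_secret) and known_share."""
    xk, yk = known_share
    slope = (yk - candidate_secret) * pow(xk, -1, P) % P
    return (x, (candidate_secret + slope * x) % P)

def demo():
    key = secrets.randbelow(P)
    shares = split(key, n=5)
    proposer, acceptors = shares[0], shares[1:]
    # Each acceptor rebuilds the key from its own share plus the proposer's.
    sigs = {sign(combine([a, proposer]), b"new value") for a in acceptors}
    # One share alone fits any key: a wrong guess also has a matching share.
    guess = (key + 1) % P
    ambiguous = combine([shares[2], consistent_share(shares[2], guess, 1)]) == guess
    # After one proposal from another node, a compromised node holds two shares.
    leaked = combine([shares[2], proposer]) == key
    return len(sigs), ambiguous, leaked

if __name__ == "__main__":
    print(demo())
```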