On 05/26/2016 03:47 PM, Tim Wilson-Brown - teor wrote:
This is not possible, each authority only produces one consensus per hour. If a majority of authorities sign the same consensus, that consensus will be served by all authorities, and accepted by clients. Otherwise, there is a consensus failure, and no authority serves a consensus for that hour.
Ok - as replied to Tom Ritter previously, this was about the https://lists.torproject.org/pipermail/tor-dev/2014-July/007092.html. I guess it's not so relevant in this context, I'll probably remove this section in the next iteration then.
If you wish to include extra "CoSi" lines in the consensus, they must be deterministically agreed. The process works something like this:
- each authority includes information in its vote,
- each authority deterministically uses the information in the votes to produce a consensus,
- each authority signs the consensus it produced,
- if a majority of authorities signed exactly the same consensus, that consensus is served to clients.
Thank you for the detailed explanation.
As you mention, one way to work around this requirement is for authorities to round-robin as CoSi leader.
A second is for each authority to validate the CoSi signatures provided by each other authority, and only include those signatures validated and voted for by a majority of authorities in the consensus. (CoSi validation is deterministic, even though CoSi signing is not, due to network effects - a CoSi signer may sign one request, but go down before signing them all.)
Just a nitpick here: CoSi signatures by definition *are* probabilistic because each co-signer must generate a new random for each round (as in Schnorr signatures). Having a signer failure also induces different signatures, but they would already be different anyhow.
A third is for CoSi signatures to be appended to the consensus, just like authority signatures are appended. Then authorities, mirrors, and clients only serve consensuses with a majority (5/9) of valid CoSi signatures.
Your third option is exactly what we had in mind; see section 6 about compatibility: "[...] treating the new CoSi-generated collective signature as just an additional signature that gets attached to and distributed with consensus documents". I see now that we may use an incorrect terminology in this context; we should change "included" to "appended" as you suggest.
Thanks,
Nicolas
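
The difference between "included" and "appended" discussed in this message, as an added sketch that is not part of the original e-mail or of any Tor or CoSi code. It assumes a nonce-plus-HMAC stand-in for a randomized Schnorr-style signature, and the authority names, keys and vote lines are constructed.

```python
import hashlib, hmac, os

# Constructed data: nine authority names with stand-in signing keys.
KEYS = {f"auth{i}": os.urandom(32) for i in range(9)}
MAJORITY = len(KEYS) // 2 + 1  # 5 of 9
VOTES = ["r relayA 10.0.0.1", "r relayB 10.0.0.2"]  # constructed vote lines

def build_body(votes):
    # Deterministic step: same votes in, same bytes out, at every authority.
    return "\n".join(sorted(votes)).encode()

def sign(key, body):
    # Stand-in for a randomized signature: a fresh nonce on every call.
    nonce = os.urandom(16)
    return nonce + hmac.new(key, nonce + body, hashlib.sha256).digest()

def verify(key, body, sig):
    # Validation is deterministic even though signing is not.
    expect = hmac.new(key, sig[:16] + body, hashlib.sha256).digest()
    return hmac.compare_digest(sig[16:], expect)

def majority_identical(docs):
    # True when at least MAJORITY authorities hold byte-identical documents.
    digests = [hashlib.sha256(d).digest() for d in docs]
    return max(digests.count(d) for d in digests) >= MAJORITY

def consensus_with_included_sig(votes):
    # Each authority requests a signature on its own and embeds it in the
    # document it then signs. The same key answers every request, yet the
    # fresh nonce makes every embedded line differ.
    key = KEYS["auth0"]
    docs = []
    for _ in KEYS:
        body = build_body(votes)
        docs.append(body + b"\ncosi " + sign(key, body).hex().encode())
    return majority_identical(docs)

def consensus_with_appended_sigs(votes, down=()):
    # Signatures travel beside the body; authorities in `down` never sign.
    bodies = [build_body(votes) for _ in KEYS]
    sigs = {n: sign(k, bodies[0]) for n, k in KEYS.items() if n not in down}
    valid = sum(verify(KEYS[n], bodies[0], s) for n, s in sigs.items())
    return majority_identical(bodies) and valid >= MAJORITY

if __name__ == "__main__":
    print("included:", consensus_with_included_sig(VOTES))
    print("appended:", consensus_with_appended_sigs(VOTES))
    print("appended, 5 down:", consensus_with_appended_sigs(VOTES, down=list(KEYS)[:5]))
```

With the signature inside the signed body, no two authorities produce the same bytes, so the majority check fails; with signatures appended, the body stays identical and the 5/9 threshold is applied to the signatures alone.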