Hacker News new | ask | show | jobs
by mskd12 2485 days ago
So, in vanilla SSS, committee is fixed and the adversary is allowed to corrupt t-out-of-n nodes over the entire lifetime of the secret.

In CHURP, committees are dynamic---changes at every epoch---and the adversary is allowed to corrupt t nodes in each epoch.
1 comments
jMyles 2485 days ago
Sure, got that.

But doesn't it also mean that, as the committee cycles, the likelihood of compromised nodes eventually being part of the cohort increases?

If you have a minute, maybe evaluate this statement to see if I've got it right: The attack surface presented by CHURP, in contrast to vanilla SSS, is more robust against an attacker who, throughout the lifecycle of the secret, begins with few compromised nodes and increases her circle of influence throughout? It is, at least in some cases, weaker against an established attacker who begins the lifecycle already having compromised several nodes and who can afford to wait until the right combination of nodes is selected for committee participation.

Do I have that right?

Interesting stuff, either way.

Have we ever met? Were you at EthBerlin last week?

link
mskd12 2485 days ago
The adversary in your statement seems like a static one. Given enough nodes in the committee (100's), it should be possible to make sure the case you specify never happens.

And, I'd think fixing the committee is worse, as it presents a static point of attack from adversarial POV. If you want any amount of decentralization, handling churn seems essential.

No, I was thinking about Devcon, but I don't want to travel half way across the world ;)

link
jMyles 2485 days ago
We'd love to meet y'all. Devcon is a truly awesome time, but securing tickets is a non-trivial task.

> And, I'd think fixing the committee is worse, as it presents a static point of attack from adversarial POV. If you want any amount of decentralization, handling churn seems essential.

Interesting; I have often had the opposite sense: that involving a larger cohort of nodes generally increases the risk of collusion.

Of course, the consequences of collusion with Ursula are quite a lot less (she can refuse to revoke, but cannot recover the secret). This comes at a cost of needing to know Bob's public key prior to access being granted. It's really a very different formula.

We have often pondered (sometimes out loud) about adding some variety of Shamir's Character after Ursula hits mainnet.

link