[Cryptography] asymmetric attacks on crypto-protocols - the rough consensus attack

ianG iang at iang.org
Sun Aug 2 17:17:54 EDT 2015


So, just to forestall any thoughts in a particular direction.

1.  It is fruitless to name a person who might be a shill.  The reason 
is quite logical - the attacker is better at this game than you are, and 
will use your attempt to name a shill as a way to create discord, and 
will (eg) also use the same noise to name YOU as a shill.  Or worse.  In 
case you're wondering, this is known art, I'm not just talking out my 
posterior.

tl;dr don't name a shill, you'll lose.  Attacker is better at it.

2.  Naming a WG is also amusing but distracting.  This is the security 
area.  The attacker exists.  He spends millions of dollars on this, he 
has been caught with his finger in the cookie jar before (nod to Watson 
on these points), and he's said in revealed docs he's going to do it. 
We all know that.

So, it's a systemic problem.  It might be happening today in a group, 
but actually it's more likely a honed process across 10 or more groups. 
What's the systemic response?

3.  This only applies to security when there is a known attacker who's 
decided to stop this particular protocol from interfering with his 
actions.  That's a fairly narrow slice of WGs.  Probably less than 10 
(speculation).

I.e., I'm not arguing to dispose of the entirety of the IETF.  Not today 
at least :)


On 2/08/2015 20:09 pm, Stephen Farrell wrote:
> And before one argues to discard a significant part of such a process,
> especially on the basis of an invisible hand on the scales, I do think
> one has a duty to at least accurately describe what one is arguing to
> discard. And you have not done that.



So, assumptions:

1.  The attacker exists.
2.  The attacker has approximately infinite resources and is prepared to 
spend them.
3.  The attacker can call on a large network of people, including ones 
who might not agree with the call, and ones who don't spot the motives.
4.  The attacker cares not to be spotted, but not that much.  You're not 
going to sue him.
5.  The attacker has decided that deployment of protocol X on 
widespread basis is to be stopped.  (Somehow.)

Then the attack.

As described, attacker eases the WG into rough anti-consensus, a balance 
between two opposing forces by
   (i) proposing an alternate protocol, and
   (ii) stacking the group so there is roughly enough opposition.

The defence *I proposed* was to drop rough consensus.  I stopped there.

Stephen pointed out that any replacement of rough consensus with a 
directional method ("one czar" or AD or ...) would then shift the burden 
of the attack to another place.  I.e., could very well just work in the 
attacker's favour.  A very good point.

Jerry described the coin toss.  This "addresses" Stephen's dual-attack 
at some level.  What it does is actually give a 50% chance of the good 
protocol, and a 50% chance of the challenger.  So now we can refine our 
attack by saying, the challenger should be also a non-optimal protocol. 
We've now got a 50% chance of killing it by putting in a non-working 
protocol, a familiar scenario to everyone who's been engaged in these 
efforts, sadly.

Now I'll propose another way, just thought of it:

Split the protocols.  Group A proceeds, so does group B.  Then both are 
standardised.  Now, the market works both over.  There is now a Betamax 
story to get through as the market gets to have a second call on the 
rough consensus.

If you believe in rough consensus that much, let the market vote ;-)

Engineers of course will be horrified.  "We can do better!"  But 
actually, maybe we can't.  Betamax resolved more quickly in the 
marketplace than many standards groups took to come to rough consensus 
and produce their standards.

Maybe the question here is, where is the pain?  And perhaps a bit of 
user pain is the price we pay?

(None of these points are entirely new!)



> That is another part of why I think your argument here is ill-informed.


This is all by way of a thought experiment.  I set some parameters. 
Everyone's free to knock it down, and/or change the parameters to be 
more interesting (someone has already proposed an entirely new set of 
parameters in private email).

Where it gets "interesting" is when we inform a particular situation in 
reality.  That's of course a crapshoot.

But we don't know how close the thought experiment gets to reality 
unless we try.



> (Separately, I never said economic "progress" - I said interests which
> is just not the same:-)


(Right.  In this case, I reckon the interests are directly opposed. 
Attacker's mission is pretty clear.)



iang