From 2c529f2118eda6ccac94ef681aaf42ecf32a7313 Mon Sep 17 00:00:00 2001 From: Pankaj Garg Date: Mon, 26 Nov 2018 19:26:54 -0800 Subject: [PATCH] Ancestor verification for vote signing (#1919) --- rfcs/0009-enclave.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/rfcs/0009-enclave.md b/rfcs/0009-enclave.md index 761c487845..1febe9ea94 100644 --- a/rfcs/0009-enclave.md +++ b/rfcs/0009-enclave.md @@ -31,6 +31,19 @@ Secure Enclaves (such as SGX) provide a layer of memory and computation protecti * The sign request contains the entry ID for the new vote * Enclave verifies that new vote's entry ID is on the correct branch (following the rules #1 and #2 above) +## Ancestor Verification + +This is alternate, albeit, less certain approach to verifying voting branch. +1. The validator maintains an active set of nodes in the network +2. It observes the votes from the active set in the last voting period +3. It stores the ancestor/last_tick at which each node voted +4. It sends new vote request to vote-signing service + * It includes previous votes from nodes in the active set, and their corresponding ancestors +5. The signer checks if the previous votes contains a vote from the validator, and the vote ancestor matches with majority of the nodes + * It signs the new vote if the check is successful + * It asserts (raises an alarm of some sort) if the check is unsuccessful + +The premise is that the validator can be spoofed at most once to vote on incorrect data. If someone hijacks the validator and submits a vote request for bogus data, that vote will not be included in the PoH (as it'll be rejected by the network). The next time the validator sends a request to sign the vote, the signing service will detect that validator's last vote is missing (as part of #5 above). ## Branch determination
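Review bot: Step 5 of the new Ancestor Verification section checks the new vote against the list of previous votes and ancestors that the validator itself supplies in step 4, but the section never says how the signer authenticates that list; unless each included vote carries its signature and the signer verifies it against an active set it learned independently of the request, a hijacked validator controls both the new vote and the evidence used to check it, and the "spoofed at most once" premise in the closing paragraph does not hold. Suggest stating explicitly that included votes are signed, that the signer validates those signatures, and whether "majority of the nodes" means a majority by count or by stake. The section also leaves the first-vote case open: a fresh validator has no previous vote of its own for the signer to find in step 5, so the text should say whether the signer signs, rejects, or uses a bootstrap path in that case. Minor grammar: "This is alternate, albeit, less certain approach to verifying voting branch" reads better as "This is an alternate, albeit less certain, approach to verifying the voting branch", and "the previous votes contains a vote" should be "the previous votes contain a vote".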