Objective
A secure Arrow of Time with unpredictable future behaviour to stop attackers or DDoS BotNets from pre-calculating proof-of-work and other gateway protections for P2P/F2F. A distributed solution in so far as there isn't enough free centralised timestamp servers to pick randomly amongst them to foil attackers.
Due Diligence
I was looking for a distributed timestamp server as centralised solutions are often commerical (example) and easily coerced in any case. The only functional distributed one I could find was as an implicit behaviour of the Bitcoin network. Which while worthy, is too heavy for a distributed timestamp service and has different design goals.
So in frustration of absent(?) distributed solutions, it seems time to homebrew...
Homebrew
We want network consensus of a hash value / key pair per time interval that a randomly selected node will sign as a ad-hoc TSA server for that time interval only. The bigger the distributed network, the harder to subvert; assuming 50% subversion required to control the network result.
- Each node generates a random 32 byte network hash candidate as a ECC or RSA public key.
- Each node hashes the candidate through an expensive scrypt() call, using the previous network hash as the salt. A new network starts with a zero bit salt.
- All nodes send each other both their network hash candidate and the (32 byte) scrypt() result.
- Each node sorts all received entries in ascending order of scrypt result and picks the median* entry. Each node then publishes (votes) the hash candidate of that entry to other nodes**.
- Each node collects votes. Multiple votes and votes from IPs that didn't publish a Step 3 result are dropped.
- The most voted hash candidate is run through scrypt() again to check if the hash candidate was honest. If not the next most voted candidate is checked.
- The most voted valid hash candidate is the next network hash value.
- Any node may store or publish each authoritative network hash as they occur to some external directory for non-repudiation if desired. Each peer also supplies authoritative hashes to new nodes on request.
- The node that supplied the successful hash candidate signs any TSA-style requests with the associated ECC or RSA private key during the appropriate network time interval; then discards the private key. (Optionally if a winning node is liable to disappear if it wins, include a Step 3B where each node must send its private key to a few other redundant nodes.)
An attacker attempting to control the next network hash value would need to:
- Have many nodes or the ability to spoof extra IPs for dispatching colluding hash candidates that outcompete other alternate medians.
- Have a beefy supercomputer capable of ~
2^254 * scrypt_cost
processing power to create colluding hash entries within the network time interval. Pretty unlikely.
Question
Is this sane, or have I (re?)invented a square wheel?
* Or nearest neighbour below the median if an even set of values.
** The entries a given node received and thus the median may differ somewhat due to lost packets, dropped nodes, attacker interference and latency or congestion at the edge of network - hence the voting stage.