For my application of the history trees (transparency log) there are additional measures that help to ensure a global consistency view eventually. The authority would need to publish the final tally at the end of the vote, which would also contain a tree root. The tree root would be distributed in print and in official announcements, thus any user can check that the tree root shown on the client corresponds to that with the announced tally, and thus the authority would not know who does the check. Thus it would be unreasonably hard for an adversary to deploy a deception attack at such scale.
An additional measure is that the Tor integration with the help of the Arti project is deployed with the client. That ensures that every client makes the requests in the same way. It is surely important not to disclose to the server any local data or make identity-revealing requests within the same session, like giving away the client's local commitment index before the server has shown their current commitment. Using an anonymous channel for ensuring global consistency is for sure not universal, but for some applications it is doable if the problem is approached holistically, particularly in situations where an anonymous channel is already needed within the protocol.
> Witness cosigning is secure even if the way you fetch the proofs is completely attacker-controlled
Opting for this approach makes sense if the protocol doesn't initially require an anonymous communication channel. However, if the protocol already uses it, introducing an additional assumption for trusted witnesses adds complexity.