[GNUnet-SVN] [taler-exchange] 02/02: Merge branch 'master' of ssh://taler.net/exchange

From: gnunet
Subject: [GNUnet-SVN] [taler-exchange] 02/02: Merge branch 'master' of ssh://taler.net/exchange
Date: Tue, 16 May 2017 14:04:15 +0200
This is an automated email from the git hooks/post-receive script.
burdges pushed a commit to branch master
in repository exchange.
commit 88d633526d704c4ab9193cb23e01a41f0225e1ba
Merge: 468a373 7ce6700
Author: Jeffrey Burdges <address@hidden>
AuthorDate: Tue May 16 14:03:41 2017 +0200
Merge branch 'master' of ssh://taler.net/exchange
I need to refine the text for real after this sloppy merge
doc/paper/taler.tex | 164 +++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 124 insertions(+), 40 deletions(-)
diff --cc doc/paper/taler.tex
index 1a695e1,9cff69e..607390e
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex
@@@ -1284,8 -1353,10 +1353,10 @@@ We thank people (anonymized)
%Jacob Appelbaum for productive discussions and support.
\newpage
- \bibliographystyle{alpha}
- \bibliography{taler,rfc,ro}
+ \bibliographystyle{ACM-Reference-Format}
-\bibliography{taler}
++\bibliography{taler,ro} % rfc
+
-\end{document}
++\end{document} %TODO: What?!?
%\vfill
%\begin{center}
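Review bot: the `%TODO: What?!?` left on `++\end{document}` and the `% rfc` dropped from `++\bibliography{taler,ro}` read as unresolved merge-conflict choices rather than intended edits. If any `\cite` keys from the `rfc` bibliography are still used in the paper, BibTeX will emit undefined-citation warnings and render them as `[?]`; either restore `rfc` to the `\bibliography` list or confirm no RFC citations remain, and delete the TODO comment before this lands. Since `\bibliographystyle{ACM-Reference-Format}` replaces the previously used `alpha`, also confirm the ACM `.bst` file is available in the build.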
@@@ -1491,41 -1563,36 +1562,47 @@@ any adversary with an advantage for lin
rise to an adversary with an advantage for recognizing SHA512 output.
\end{corollary}
- There was an earlier encryption-based version of the Taler protocol
- in which refresh operated consisted of $\kappa$ normal coin withdrawals
- encrypted using the secret $t^{(i)} C$ where $C = c G$ is the coin being
- refreshed and $T^{(i)} = t^{(i)} G$ is the transfer key.
+ We will now consider the impact of the refresh operation. For the
+ sake of the argument, we will first consider an earlier
+ encryption-based version of the protocol in which refresh operated
+ consisted of $\kappa$ normal coin withdrawals where the commitment
+ consisted of the blinding factors and private keys of the fresh coins
+ encrypted using the secret $t^{(i)} C_s$ where $C_s = c_s G$ of the
+ dirty coin $C$ being refreshed and $T^{(i)} = t^{(i)} G$ is the
+ transfer key.\footnote{We abandoned that version as it required
+ slightly more storage space and the additional encryption
+ primitive.}
\begin{proposition}
-Assuming the encryption used is ??? secure, and that
- the independence of $c_s$, $t$, and the new coins' key materials, then
-any PPT adversary with an advantage for linking Taler coins gives
-rise to an adversary with an advantage for recognizing SHA512 output.
+Assuming the encryption used is semantically (IND-CPA) secure, and
- that the independence of $c$, $t$, and the new coins key materials,
++that the independence of $c_s$, $t$, and the new coins' key materials,
+then any probabilistic polynomial time (PPT) adversary with an
+advantage for linking Taler coins gives rise to an adversary with
+ an advantage for recognizing SHA512 output.
\end{proposition}
+In fact, the exchange can launch an chosen cphertext attack against
+the customer by providing different ciphertexts. Yet, the resulting
+plaintext is implicitly authenticated becuase after decryption
+the customer unblinds and checks the signature by the denomination
+key.
+
+If this check does not check out, then the wallet must abandon
+this coin and report the exchange's fraudulent activity.
+
% TODO: Is independence here too strong?
- We may now remove the encrpytion by appealing to the random oracle model
- \cite{BR-RandomOracles}.
+ We may now remove the encrpytion by appealing to the random oracle
+ model~\cite{BR-RandomOracles}.
\begin{lemma}[\cite{??}]
Consider a protocol that commits to random data by encrypting it
using a secret derived from a Diffe-Hellman key exchange.
In the random oracle model, we may replace this encryption with
- a hash function derives the random data by applying hash functions
- to the same secret.
+ a hash function which derives the random data by applying hash
+ functions to the same secret.
\end{lemma}
+% TODO: IND-CPA again? Anything else?
\begin{proof}
We work with the usual instantiation of the random oracle model as
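Review bot: `\begin{lemma}[\cite{??}]` commits a placeholder citation key, which will produce an undefined citation (rendered `[?]`) until a real key is supplied; the `% TODO` comments left above and below the proposition should likewise be resolved rather than merged. The proposition's hypothesis is grammatically incomplete as merged ("and that the independence of $c_s$, $t$, and the new coins' key materials, then ..."); it should read "and that $c_s$, $t$, and the new coins' key materials are independent". The added paragraph then concedes that the exchange can mount a chosen-ciphertext attack while the proposition assumes only IND-CPA security; since the argument relies on the denomination-signature check to authenticate the decrypted plaintext, that reliance belongs in the proposition's hypothesis rather than being left as a gap between IND-CPA and the CCA setting. Finally, the added lines carry several typos to fix when the text is refined: "an chosen cphertext attack" -> "a chosen ciphertext attack", "becuase" -> "because", "encrpytion" -> "encryption", "Diffe-Hellman" -> "Diffie-Hellman", and "refresh operated consisted of" -> "refresh consisted of".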