Re: [Taler] post-quantum blinding in the refresh protocol

[Christian Grothoff]

Well, overall we never said that we considered quantum computer-based
attacks.  We might make it more explicit that we need ECC DLOG and
factoring to be hard.  The fact that blinding survives quantum computing
doesn't help much for the overall security.

But yes, you're right that the post-quantum security of RSA blinding is
voided by the refresh protocol.

Regardless, I do not think it makes sense for Taler to worry about
post-quantum at all at this stage, and even in the research paper this
becomes a bit obscure. Maybe Florian can mention it in his thesis ;-).

On 02/25/2016 04:26 AM, Jeff Burdges wrote:
> 
> I've found a hiccup in blinding of the refresh protocol :
> 
> At least in the paper, the transfer public key T_p is submitted to
> the exchange/mint before the cut n' choose.  A quantum computer could
> break either T_p or C_p to identify the coin's unblinded key, and
> save it to later link transactions.
> 
> We could just mark it as a weakness in the paper and suggest that
> anyone so concerned about quantum attacks modify their wallet as
> follows:
> 
> Add an option for post-quantum transactions to the wallet.  In
> post-quantum transactions, wallets may only use coins fresh from the
> reserve, and try harder to minimize change.  Any coins tainted by a
> post-quantum transactions are never refreshed, instead they're either
> abandoned or donated to a random charity.
> 
> In addition, the exchange/mint should be configured to allow change
> that is small relative to the total value to be deposited to an
> anonymous reserve, possibly paying the maximal tax rate.
> 
> Best, Jeff
>

0xE29FC3CC.asc
Description: application/pgp-keys

signature.asc
Description: OpenPGP digital signature