[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNUnet-SVN] [taler-exchange] 01/06: Just some trash
From: |
gnunet |
Subject: |
[GNUnet-SVN] [taler-exchange] 01/06: Just some trash |
Date: |
Mon, 15 May 2017 17:46:55 +0200 |
This is an automated email from the git hooks/post-receive script.
burdges pushed a commit to branch master
in repository exchange.
commit b418b3080e30f48c9ae0723faf32508fca5103d6
Author: Jeffrey Burdges <address@hidden>
AuthorDate: Mon May 15 16:28:00 2017 +0200
Just some trash
---
doc/paper/trash | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 90 insertions(+)
diff --git a/doc/paper/trash b/doc/paper/trash
new file mode 100644
index 0000000..ced8683
--- /dev/null
+++ b/doc/paper/trash
@@ -0,0 +1,90 @@
+
+
+
+\begin{proposition}
+If there are no refresh operations, then any adversary who links
+coins can recognize blinding factors.
+\end{proposition}
+
+\begin{proof}
+In effect, coin withdrawal transcripts consist of numbers $b m^d \mod n$
+
+The blinding factor is created with a full domain hash
+\end{proof}
+
+
+We say a blind signature
+linkable if some probabilistic polynomial
+time (PPT) adversary has a non-negligible advantage indentifying
+the
+
+
+, given some withdrawal and refresh
+transcripts
+
+
+
+
+
+We say a coin $C_0$ is {\em linkable} to the withdrawal or refresh
+operation in which it was created if some probabilistic polynomial
+time (PPT) adversary has a non-negligible advantage in guessing
+which of $\{ C_0, C_1 \}$ were created in that operation,
+ where $C_1$ is an unrelated third coin.
+
+% TODO: Compare this definition with some from the literature
+% TODO: Should this definition be broadened?
+
+.. reference literate about withdrawal ..
+
+\begin{proposition}
+In the random oracle model,
+if a coin created by refresh is linkable to the refresh operation
+that created it, then some PPT adversary has a non-negligible
+advantage in determining the shared secret of an eliptic curve
+Diffie-Hellman key exchange on curve25519.
+\end{proposition}
+
+% Intuitively this follows from \cite{Rudich88}[Theorem 4.1], but
+% we provide slightly more formality.
+
+\begin{proof}
+Assume a PPT adversary $A$ has a non-negligible advantage in solving
+the linking problem.
+
+We have two curve points $C = c G$ and $T = t G$ for which
+we wish to compute the shared secret $c t G$.
+
+We make $C$ into a coin by singing it with a denomination key
+invented for this purpose. We let $T^{(1)}$ denote $T$ and
+invent $\kappa-1$ linking keys $T^{(2)},\ldots,T^{(\kappa)}$.
+
+We shall extract the shared secret by constructing an algorithm
+that runs the refresh protocol and then runs $A$ using the natural
+simulation of a random oracle, namely answering new queries with
+random bits, yet recording the answers in a database so as to
+provide idendical answers to identical queries.
+
+We may take $\gamma=1$ by restarting the exchange with a clean
+database. As a result, the exchange never checks the commitment
+covering $T^{(1)}$, but this alone does not suffice to discount
+the any information contained in the commitment.
+
+Instead, we observe that our commitments consist of random oracle
+queries distinct from anything else in the protocol, so they contain
+no information of use to $A$, and can safely be omitted.
+
+We do not know $c t G$ so our simulation cannot run the KDF to
+derive the new coin that $A$ can link.
+
+
+... random oracle ..
+\end{proof}
+
+In principle, one might worry if coins created in the same withdrawal
+or refresh opeartion might be linkable to one another without being
+linkable to the operation, but addressing this concern would take us
+somewhat far afield and require similar methods.
+
+
+
--
To stop receiving notification emails like this one, please contact
address@hidden
- [GNUnet-SVN] [taler-exchange] branch master updated (d307ddb -> 1a2facb), gnunet, 2017/05/15
- [GNUnet-SVN] [taler-exchange] 01/06: Just some trash,
gnunet <=
- [GNUnet-SVN] [taler-exchange] 06/06: Merge branch 'master' of ssh://taler.net/exchange, gnunet, 2017/05/15
- [GNUnet-SVN] [taler-exchange] 04/06: Add note on linking protocol, gnunet, 2017/05/15
- [GNUnet-SVN] [taler-exchange] 05/06: Spelling, gnunet, 2017/05/15
- [GNUnet-SVN] [taler-exchange] 03/06: Some classical random oracle reference, gnunet, 2017/05/15
- [GNUnet-SVN] [taler-exchange] 02/06: Approach to the privacy argument, gnunet, 2017/05/15