author | Jeffrey Burdges <burdges@gnunet.org> | 2017-05-16 16:42:11 +0200 |
---|---|---|
committer | Jeffrey Burdges <burdges@gnunet.org> | 2017-05-16 16:42:11 +0200 |
commit | 3efde62c446dfe875aa9eb5ff2153ad2ef6f47b5 (patch) | |
tree | b11a0ce3ccb1bb59a60a23e2e3b6b09543205cb2 /doc/paper/taler.tex | |
parent | 9b1cd4b3fd82ccdf8f6750eecc458c9bf96ec69d (diff) | |
Try to make this justification stronger and more precise
Diffstat (limited to 'doc/paper/taler.tex')
-rw-r--r-- | doc/paper/taler.tex | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex index 488f01d06..bdc60e15b 100644 --- a/doc/paper/taler.tex +++ b/doc/paper/taler.tex @@ -1335,7 +1335,7 @@ exchange can even invent coins whole cloth. We may now remove the encrpytion by appealing to the random oracle model~\cite{BR-RandomOracles}. -\begin{lemma}[\cite{??}] +\begin{lemma}%[\cite{??}] Consider a protocol that commits to random data by encrypting it using a secret derived from a Diffe-Hellman key exchange. In the random oracle model, we may replace this encryption with @@ -1345,6 +1345,11 @@ functions to the same secret. % TODO: Too general probably? % TODO: IND-CPA again? +Indeed, we expect doing so to increase practical security as in +\cite{Abdalla2000}, and adding the random oracle assumption need not +reduce security if it focuses more attention on the usage of hash +functions throughout the protocol. + \begin{proof} We work with the usual instantiation of the random oracle model as returning a random string and placing it into a database for future @@ -1356,6 +1361,10 @@ that we encrypt in the old encryption based version of Taler. Now our random oracle scheme with $R$ gives the same result as our scheme that encrypts random data, so the encryption becomes superfluous and may be omitted. + +We require the security of the original encryption operation reduced +to the security of the Diffe-Hellman key exchange, which remains a +requirement of the derived protocol. \end{proof} We may now conclude that Taler remains unlinkable even with the refresh protocol. |
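Review bot: In the first hunk, `\begin{lemma}%[\cite{??}]` comments out the unresolved citation instead of resolving it, so the lemma no longer shows that its attribution is still missing. Either cite the source the lemma is drawn from or leave an explicit `% TODO` beside it, as the TODO comments after the lemma text do. The unchanged lines around it also carry the typos "encrpytion" and "Diffe-Hellman", which would be worth fixing in the same pass.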
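Review bot: In the second hunk, the added paragraph cites `\cite{Abdalla2000}` for "increase practical security" without saying which result or property of that work is relied on, and its second clause ("need not reduce security if it focuses more attention on the usage of hash functions") is a remark about reviewer attention, not a security argument. Since the commit message aims at a stronger and more precise justification, state the specific claim taken from the citation and present the random-oracle remark as motivation only. The paragraph also follows the two `% TODO` comments without resolving either of them; the IND-CPA question in particular is still open.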
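Review bot: In the third hunk, the sentence added just before `\end{proof}` introduces a requirement after the proof has already concluded that the encryption "may be omitted", so it reads as a hypothesis stated too late; it belongs in the lemma statement or at the start of the proof. The wording "We require the security of the original encryption operation reduced to ..." is hard to parse (suggest "We require that the security of the original encryption operation reduces to ..."), "Diffe-Hellman" should be "Diffie-Hellman", and the sentence does not name which Diffie-Hellman assumption is meant.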