path: root/doc/paper/taler.tex
diff options
authorJeffrey Burdges <>2017-06-02 15:55:49 +0200
committerJeffrey Burdges <>2017-06-02 15:55:49 +0200
commit9f7e3bb2bd494860c31aa534942de85636cb91a8 (patch)
tree7daf93f69cfbe14cd77aa82ebad72ea6c3a649cb /doc/paper/taler.tex
parentb21705882156f73c6623f76b719fcaadc3d26555 (diff)
More on RSA-KTI
Diffstat (limited to 'doc/paper/taler.tex')
1 files changed, 10 insertions, 2 deletions
diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex
index 96db7c6d..bfe8987b 100644
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex
@@ -509,7 +509,7 @@ financial reserve. In addition, Taler includes an \emph{auditor} who
assures customers and merchants that the exchange operates correctly.
-\subsection{Security considerations}
+\subsection{Security considerations}\label{subsec:security_rough}
As a payment system, Taler naturally needs to make sure that coins are
@@ -559,7 +559,7 @@ limiting the exchange's financial liability.
On the cryptographic side, a Taler exchange demands that coins use a
full domain hash (FDH) to make so-called ``one-more forgery'' attacks
provably hard, assuming the RSA known-target inversion problem is
-hard~\cite[Theorem 12]{RSA-HDF-KTIvCTI}. For a withdrawn coin,
+hard~\cite[Theorem 12]{RSA-FDH-KTIvCTI}. For a withdrawn coin,
violating the customers anonymity cryptographically requires recognizing
a random blinding factor from a random element of the group of
integers modulo the denomination key's RSA modulus, which appears
@@ -1466,6 +1466,14 @@ protocol is never used.
\subsection{Exculpability arguments}
+In \S\ref{subsec:security_rough},
+we quoted \cite[Theorem 12]{RSA-FDH-KTIvCTI} that RSA-FDH blind
+signatures are secure against ``one-more forgery'' attacks, assuming
+ the RSA known-target inversion problem is hard.
+We note as well that ``one-more forgery'' attacks cover both the
+refresh operation as well as the withdrawal operarion
+ \cite[Definition 12]{RSA-FDH-KTIvCTI,OneMoreInversion}.
The exchange can detect, prevent, and prove double-spending.