From 9f7e3bb2bd494860c31aa534942de85636cb91a8 Mon Sep 17 00:00:00 2001
From: Jeffrey Burdges
Date: Fri, 2 Jun 2017 15:55:49 +0200
Subject: More on RSA-KTI
---
 doc/paper/taler.bib | 2 +-
 doc/paper/taler.tex | 12 ++++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/doc/paper/taler.bib b/doc/paper/taler.bib
index bafce49a9..db9886553 100644
--- a/doc/paper/taler.bib
+++ b/doc/paper/taler.bib
@@ -368,7 +368,7 @@
 }
-@inbook{RSA-HDF-KTIvCTI,
+@inbook{RSA-FDH-KTIvCTI,
 author="Bellare, Mihir and Namprempre, Chanathip and Pointcheval, David and Semanko, Michael",
 editor="Syverson, Paul",
 chapter="The Power of RSA Inversion Oracles and the Security of Chaum's RSA-Based Blind Signature Scheme",
diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex
index 96db7c6d6..bfe8987b0 100644
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex
@@ -509,7 +509,7 @@ financial reserve. In addition, Taler includes an \emph{auditor} who assures customers and merchants that the exchange operates correctly.
 %\vspace{-0.3cm}
-\subsection{Security considerations}
+\subsection{Security considerations}\label{subsec:security_rough}
 %\vspace{-0.3cm}
 As a payment system, Taler naturally needs to make sure that coins are
@@ -559,7 +559,7 @@ limiting the exchange's financial liability. On the cryptographic side, a Taler exchange demands that coins use a full domain hash (FDH) to make so-called ``one-more forgery'' attacks provably hard, assuming the RSA known-target inversion problem is
-hard~\cite[Theorem 12]{RSA-HDF-KTIvCTI}. For a withdrawn coin,
+hard~\cite[Theorem 12]{RSA-FDH-KTIvCTI}. For a withdrawn coin,
 violating the customers anonymity cryptographically requires recognizing a random blinding factor from a random element of the group of integers modulo the denomination key's RSA modulus, which appears
@@ -1466,6 +1466,14 @@ protocol is never used.
 \subsection{Exculpability arguments}
+In \S\ref{subsec:security_rough},
+we quoted \cite[Theorem 12]{RSA-FDH-KTIvCTI} that RSA-FDH blind
+signatures are secure against ``one-more forgery'' attacks, assuming
+ the RSA known-target inversion problem is hard.
+We note as well that ``one-more forgery'' attacks cover both the
+refresh operation as well as the withdrawal operarion
+ \cite[Definition 12]{RSA-FDH-KTIvCTI,OneMoreInversion}.
+
 \begin{lemma}\label{lemma:double-spending}
 The exchange can detect, prevent, and prove double-spending.
 \end{lemma}
--
cgit v1.2.3
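Review bot: The restatement of Theorem 12 in the new paragraph under `\subsection{Exculpability arguments}` names only the RSA known-target inversion assumption; as far as I recall that result is proved in the random oracle model, so the sentence should say so, e.g. `assuming the RSA known-target inversion problem is hard and the FDH is modelled as a random oracle` (please confirm against the cited theorem). The claim that one-more forgery covers refresh as well as withdrawal rests on a bare pointer to a definition; one sentence saying why a refresh counts as an additional signing query would let a reader check it. `\cite[Definition 12]{RSA-FDH-KTIvCTI,OneMoreInversion}` attaches the postnote to a two-key list, so it is unclear which work's Definition 12 is meant, and no `OneMoreInversion` entry is visible in this patch's `taler.bib` hunk. Also `operarion` should be `operation`, and `both the refresh operation as well as` reads better as `both the refresh operation and`.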