diff options
| author | Florian Dold <florian.dold@gmail.com> | 2018-04-23 13:57:04 +0200 |
|---|---|---|
| committer | Florian Dold <florian.dold@gmail.com> | 2018-04-23 13:57:04 +0200 |
| commit | 71b679b1062a122bb5f4e6c80963486a285a87b1 (patch) | |
| tree | 05923907da9453be463ebbaac89b13bc538c76a9 | |
| parent | bdf79592ec0ab6c39d146901b7c21bc57771315b (diff) | |
| download | papers-71b679b1062a122bb5f4e6c80963486a285a87b1.tar.gz papers-71b679b1062a122bb5f4e6c80963486a285a87b1.tar.bz2 papers-71b679b1062a122bb5f4e6c80963486a285a87b1.zip | |
remove 'junk' and properly conclude proof
| -rw-r--r-- | games/games.tex | 48 |
1 files changed, 3 insertions, 45 deletions
diff --git a/games/games.tex b/games/games.tex index fa8b423..a277255 100644 --- a/games/games.tex +++ b/games/games.tex @@ -646,51 +646,6 @@ Let $G \in \mathbb{E}$ be the generator of the Ed25519 curve (with Edwards coord \subsection{Anonymity} - -BEGIN JUNK - -We first describe a simple RSA blindness game for an RSA key pair $(n,e,d)$ and -generators $M(\cdot)$ and $B(\cdot)$ for elements of $\Z/n\Z$ whose -parameters we need not specify: -We take $m_0,m_1$ from $M$ and $b_0,b_1$ from $B$ and give our adversary -$\cal A$ the unordered pairs of withdrawals $\{ m_0^d b_0, m_1^d b_1 \}$ -and deposits $\{ m_0^d, m_1^d \}$. $\cal A$ wins if it can correctly -match the withdrawals and deposits. - -\begin{proposition} -Any probabilistic polynomial-time adversary $\cal A$ with - an advantage in this RSA blindness game for some $M$ and $B$ -yields a probabilistic polynomial-time adversary $\cal A'$ for - distinguishing $B(z)$ from $M(x)/M(y)$. - either $M$ or $B$ from a uniform distribution on $Z/nZ$. -\end{proposition} - -\begin{proof} -$\cal A'$ plays the blinding game with $\cal A$ taking $M$ to be $M_0$ -and $B$ to be $X$. $\cal A$ either guesses correctly or incorrectly. -If $\cal A$ guesses correctly, then $\cal A'$ guesses that yes $X$ is -$B_0$. - -If $X$ is $B_0$ then $\cal A$ guesses correctly with advantage $\epsilon$, meaning - $P[ \textrm{$\cal A$ correct} | X=B_0 ] = 1/2+\epsilon$ -and - $P[ \textrm{$\cal A$ correct} | X=U ] = 1/2$. -We imagine A' is given uniform trials to guess X=F vs X=U, so that - $P[X=F] = 1/2$ too, -and - $P[\textrm{$\cal A$ correct}] = 1/2 + \epsilon/2$. -Now $\cal A'$ has an advantage in guessing if $X$ is $B_0$ or uniform correctly by -Bays rule - $P[ \textrm{$\cal A$ correct} | X=B_0 ] P[X=B_0] = P[ X=B_0 | \textrm{$\cal A$ correct} ] P[A correct]$ -so - $P[ X=F | \textrm{$\cal A$ correct} ] - = 1/2 (1/2+\epsilon) / (1/2 + \epsilon/2) - = (1/2+\epsilon) / (1+\epsilon) - = 1 - 1/2 / (1+\epsilon)$. -\end{proof} - -END JUNK - \begin{theorem} If Taler's refresh is instantiated with a PRF, a key exchange satisfying DDH, and a collision-resistant hash function, @@ -773,6 +728,9 @@ computational Diffie-Hellman assumption. \comment{The DDH game we use here is non-standard (stream of values to decide on instead of one, so maybe we need to use the number of refresh oracle invocations as a factor in front of $\epsilon_{DDH}$?} + This concludes the proof, since we observe in $\mathbb{G}_3$ all blinding factors and coin private keys are independent and uniformly random. + Thus the blinding is information-theoretically secure in $\mathbb{G}_3$. + \end{proof} |