authorJeff Burdges <burdges@gnunet.org>2018-09-15 15:41:28 +0200
committerJeff Burdges <burdges@gnunet.org>2018-09-15 15:41:28 +0200
commit7ab5f8759ff93e8152b88eda5e14fad7a925c43f (patch)
treec89de12f32703d22a9ada3a35b6061d9a476d67f
parent542881fab046e294b302596eba5e80cf35f1c29b (diff)
Add sigma to blindness property
-rw-r--r--taler-fc19/paper.tex14
1 files changed, 12 insertions, 2 deletions
diff --git a/taler-fc19/paper.tex b/taler-fc19/paper.tex
index fde7bf4..8ea12ed 100644
--- a/taler-fc19/paper.tex
+++ b/taler-fc19/paper.tex
@@ -780,10 +780,20 @@ We require the following two security properties for $\textsc{BlindSign}$:
\begin{itemize}
\item \emph{blindness}: Let $M$ be the set of all possible messages and $\overline{M}$ be the
set of all possible blinded messages. Then the distribution of
- \[ \left\{ (m, \overline{m}) \,\middle| m\, \randsel M, \overline{m} \leftarrow \algo{Blind}_{BS}(\mathcal{S}(\V{sk}), m) \right\} \]
+ \[ \left\{ (m, \simga, \overline{m}, \overline{\simga}) \,\middle|
+ m\, \randsel M,
+ \overline{m} \leftarrow \algo{Blind}_{BS}(\mathcal{S}(\V{sk}), m),
+ \overline{\simga} \leftarrow \algo{Sign}_{BS}(\V{sk}, \overline{m}),
+ \sigma \leftarrow \algo{UnblindSig}_{BS}(r, m, \overline{\sigma})
+ \right\} \]
must be computationally
indistinguishable from
- \[ \left\{ (m, x) \,\middle|\, m \randsel M, x \randsel \overline{M} \right\}. \]
+ \[ \left\{ (m, \simga, x, \simga_x) \,\middle|\,
+ m \randsel M,
+ \sigma \eftarrow \algo{UnblindSig}_{BS}(r, m, \algo{Sign}_{BS}(\V{sk}, \algo{Blind}_{BS}(\mathcal{S}(\V{sk}), m)) )
+ x \randsel \overline{M},
+ \sigma_x \leftarrow \algo{UnblindSig}_{BS}(r, x, \algo{Sign}_{BS}(\V{sk}, \algo{Blind}_{BS}(\mathcal{S}(\V{sk}), x)) )
+ \right\}. \]
\item \emph{unforgeability}: An adversary that requests $k$ signatures with $\algo{Sign}_{BS}$
is unable to produce $k+1$ valid signatures with non-negligible probability.
\end{itemize}
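Review bot: Unless the preamble defines them, `\simga` (in both tuples and on the `\algo{Sign}_{BS}` line of the first set) and `\eftarrow` are misspellings of `\sigma` and `\leftarrow` and will stop the build; the first `\algo{UnblindSig}_{BS}` line of the second set also lacks its trailing comma. The blinding factor `r` passed to `\algo{UnblindSig}_{BS}` is never bound in either set, so the condition should state where it comes from, presumably the randomness used by `\algo{Blind}_{BS}`. The two tuples also do not appear to range over the same space: the first ends in the blinded signature `\overline{\sigma}`, while the second ends in `\sigma_x`, an unblinded signature obtained by blinding `x`, which was itself drawn from `\overline{M}`. If that reading is right, the distributions can be told apart by type alone and the blindness property is vacuous as stated, so the fourth component of the second set probably wants to be a signature on the blinded value, e.g. `\overline{\sigma}_x \leftarrow \algo{Sign}_{BS}(\V{sk}, x)`.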