author Jeff Burdges <burdges@gnunet.org> 2018-05-01 10:03:41 +0200
committer Jeff Burdges <burdges@gnunet.org> 2018-05-01 10:03:41 +0200
commit 810948feaf7f900ef3a6d18f3b38eaa9d9a7662a (patch)
tree 606e97100e545c3cfcc6b39084f9c5633bb600c5
parent e0877b1e61e1f9db4d64250e4211c3b145527577 (diff)
Address twists better
-rw-r--r-- games/games.tex 19
1 file changed, 13 insertions, 6 deletions
diff --git a/games/games.tex b/games/games.tex
index 75ece2d..1f0f57f 100644
--- a/games/games.tex
+++ b/games/games.tex
@@ -877,10 +877,7 @@ $(\V{sk}_i,\V{pk}_i) \leftarrow \V{gen}_i$ honestly.
In Taler's refresh, we prove honest key generation of the old coin $C$
by requiring a signature by $C$ on the initial commitment, which
- proves that either Alice or Bob knows $c$ where $C = c G$,
-and hence that $C$ lies on the Ed25519 curve, not its quadratic twist.
-% https://en.wikipedia.org/wiki/EdDSA
-% https://safecurves.cr.yp.to/twist.html
+ proves that either Alice or Bob knows $c$ where $C = c G$.
We emphasize that naively adding another non-signing key to $C$
breaks honest key generation though.
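Review bot: This hunk removes the "and hence that $C$ lies on the Ed25519 curve, not its quadratic twist" clause together with the two commented reference URLs, leaving the signature-based argument for honest key generation with only the knowledge-of-$c$ justification; if the twist reasoning is being relocated rather than dropped, the paragraph that takes it over should also carry the citations in the text rather than only in `%` comments, otherwise the claim that a signature by $C$ rules out twist points is asserted without support here.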
@@ -897,6 +894,15 @@ variant of the refresh during withdrawal, but we feel the user's commitment
to buy from a particular merchant would prove constraining enough to
limit applicability.}
+Also Ed25519 verification must already checks that $C$ lies on the
+Ed25519 curve, not some quadratic twist.
+% https://en.wikipedia.org/wiki/EdDSA
+% https://safecurves.cr.yp.to/twist.html
+If signature verification permitted using points on the twist, like
+key exchanges frequently do, ala X25519, then the exchange might
+compute a point on the twist while the customer would compute
+a point on the original curve.
+
\begin{definition}
A {\em key exchange failure} consists of two honest key pairs
$(\V{sk}_i,V{pk}_i)$ with $i \in \{ \textrm{Alice}, \textrm{Bob} \}$
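Review bot: The first added line is ungrammatical, "Also Ed25519 verification must already checks that" should read "Also, Ed25519 verification must already check that", and "ala X25519" should be "à la X25519". More substantively, the new paragraph states that Ed25519 verification rejects points off the curve but supports this only with commented-out URLs; since the key-exchange-failure argument in the next hunk relies on exactly this property, it should be stated as a requirement on the verifier ("verification must reject encodings that do not decode to a curve point") with a real citation, rather than as something the scheme "must already" do. Unrelated to this change, the context line `$(\V{sk}_i,V{pk}_i)$` is missing the backslash before `V{pk}_i`, which will not compile as intended.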
@@ -908,8 +914,9 @@ there is no probabilistic polynomial time algorithm with non-negligible
advantage for producing a failure.
\end{definition}
-In Taler's refresh, we avoid key exchange failures entirely because
-the Edwards addition law is complete abelian group operation on the curve.
+In Taler's refresh, we avoid key exchange failures entirely because the
+Edwards addition law is complete abelian group operation on the curve,
+and the signature scheme verifies that $C$ lies on the curve.
% https://safecurves.cr.yp.to/refs.html#2007/bernstein-newelliptic
% https://safecurves.cr.yp.to/complete.html
We warn however that Weierstrass curves have incomplete addition formulas
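Review bot: The rewritten sentence still lacks an article, "the Edwards addition law is complete abelian group operation" should read "is a complete abelian group operation". The added clause "and the signature scheme verifies that $C$ lies on the curve" is the right dependency to make explicit, but note that the argument now rests on two separate properties, completeness of the addition law and on-curve verification of $C$, and the sentence would be clearer if it named both as distinct conditions, since the following warning about Weierstrass curves only concerns the first of them.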