diff options
| author | Jeffrey Burdges <burdges@gnunet.org> | 2017-11-21 15:27:34 +0100 |
|---|---|---|
| committer | Jeffrey Burdges <burdges@gnunet.org> | 2017-11-21 15:27:34 +0100 |
| commit | 556e8d7d3812afcd3127edc34891c881fdd9cff0 (patch) | |
| tree | b700528eb67a3b2a68a5db97c1f0200c3ae3b4b8 /games/games.tex | |
| parent | de084e79351fe80d96980df2e1fe2dd4d8f59758 (diff) | |
| download | papers-556e8d7d3812afcd3127edc34891c881fdd9cff0.tar.gz papers-556e8d7d3812afcd3127edc34891c881fdd9cff0.tar.bz2 papers-556e8d7d3812afcd3127edc34891c881fdd9cff0.zip | |
Add income theorem statements
Diffstat (limited to 'games/games.tex')
| -rw-r--r-- | games/games.tex | 38 |
1 files changed, 35 insertions, 3 deletions
diff --git a/games/games.tex b/games/games.tex index 265cbf3..8d2255f 100644 --- a/games/games.tex +++ b/games/games.tex @@ -22,8 +22,9 @@ \title{Taler Security Proofs} \date{\today} -\newtheorem{lemma}{Lemma} -\newtheorem{theorem}{Theorem} +\newtheorem{lemma}{Lemma}[section] +\newtheorem{theorem}[lemma]{Theorem} +\newtheorem{corollary}[lemma]{Corollary} \theoremstyle{definition} \newtheorem{definition}{Definition}[section] @@ -523,6 +524,8 @@ the aid of authorities who can witness the attack, like our auditor. \subsection{Unforgeability} % Exculpability? +TODO: Copy in definitions + \begin{theorem} In the random oracle model, if the RSA known-target inversion problem (RSA-KTI) is hard, then @@ -567,7 +570,29 @@ RSA-KTI cannot be hard by \cite[Theorem 12]{RSA-FDH-KTIvCTI}. \subsection{Income Transparency} -\begin{proof}[Proof-sketch] +\begin{definition} +A {\em key exchange failure} consists of two key pairs + $A = a G$ and $B = b G$ such that $b A \neq a B$. +\comment{Find this in literature? Is it related to contributory behavior?} +\end{definition} + +\begin{theorem} +Assume Taler is polynomially-secure against +\begin{enumerate} +\item one-more forgery attacks, +\item collisions in the hash function the refresh protocol uses + to commit to planchets, and +\item key exchange failures in the ECDH operation used in the refresh. +\end{enumerate} +Then Taler is polynomially-secure against profitable attacks on +income transperency in the sense that +any probabilistic polynomially time adversary $\cal A$ has at best +$1\over\kappa \epsilon(k)$ odds of winning the income transparency +game where $\epsilon(k)$ is $k$ is a security parameter distinct +from $\kappa$. +\end{theorem} + +\begin{proof} In our actual refresh operation, our commitment phase sends only the hash of the planchets to reduce bandwidth. We could however commit to the full planchets without damaging anything else, including @@ -614,6 +639,13 @@ It follows that $P[{b \over w'} \ge (1-{1\over\kappa})] = 1/2 > {1\over\kappa}$. \end{proof} +\begin{corollary} +In the random oracle model, +if the RSA known-target inversion problem (RSA-KTI) is hard, then +Taler is polynomially-secure against profitable attacks on + income transperency. +\end{corollary} + We observe that $t C' = c' T$ provides a delicate requirement for implementations: An exchange might do the scalar multiplication by the basepoint $T = t G$ differently than the abritrary scalar |