diff options
Diffstat (limited to 'games')
-rw-r--r-- | games/games.tex | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/games/games.tex b/games/games.tex index 47af485..2c633f6 100644 --- a/games/games.tex +++ b/games/games.tex @@ -758,10 +758,11 @@ Taler satisfies {Unforgeability}. \begin{proof} We consider a probabilistic polynomially time adversary $\cal A$ with a non-negligible advantage for winning the unforgeability game - $\mathit{Exp}_{\cal A}^{forge}(1^\lambda, \kappa)$. -We describe an RSA Chosen-Target Inversion Problem (RSA-CTI) - \cite[Definition 3]{RSA-FDH-KTIvCTI} % or \cite[DEfinition 6.1]{OneMoreInversion}. -won by $\cal A$. + $\mathit{Exp}_{\cal A}^{forge}(1^\lambda, \kappa)$ against Taler. +% +% We describe an RSA Chosen-Target Inversion Problem (RSA-CTI) +% \cite[Definition 3]{RSA-FDH-KTIvCTI} % or \cite[Definition 6.1]{OneMoreInversion}. +% won by $\cal A$. We let $C_{\ell+1}, \ldots, C_m$ denote all the spent coins arising from the operation of $\cal A$. % Also let $C_{m+1}, ..., C_n$ denote @@ -770,13 +771,17 @@ from the operation of $\cal A$. % Also let $C_{m+1}, ..., C_n$ denote % DISCUSS: We could exploit some of the power of RSA-CTI to dispose % of these planchets. I think this seems unnecessary, but maybe it % might refines our usage of ROM or something. -We know $\cal A$ made at most $m$ withdrawal and refresh oracle -queries to obtain the $l+1$ RSA signatures %, aka inversions, - on the $Y_i := FDA_N(C_i)$ with $0 \le i \le m$. +We know $\cal A$ made at most $l$ withdrawal and refresh oracle +queries to obtain the $l+1$ coins $C_1, \ldots, C_\ell$, so +$\cal A$ made at most $m$ withdrawal and refresh oracle +queries to obtain the $m+1$ RSA signatures %, aka inversions, + on the $Y_i := \testrm{FDH}_N(C_i)$ with $0 \le i \le m$. % It follows that $\cal A$ has produced one-more forgery in the sense - of \cite[Definition 4 \& 5, pp. 369]{Pointcheval_n_Stern}, so -RSA-KTI cannot be hard by \cite[Theorem 12]{RSA-FDH-KTIvCTI}. + of \cite[Definition 11]{RSA-FDH-KTIvCTI} , + also \cite[Definition 4 \& 5, pp. 369]{Pointcheval_n_Stern}, +so RSA-KTI cannot be hard by \cite[Theorem 12]{RSA-FDH-KTIvCTI}, + and our random oracle assumption. % % So $\cal A$ wins this RSA-CTI game with its random sampling to produce % $Y_i$ replaced by our PRF $FDA_N$, which requires nothing since we're |