diff options
| author | Jeffrey Burdges <burdges@gnunet.org> | 2017-05-15 16:28:00 +0200 | 
|---|---|---|
| committer | Jeffrey Burdges <burdges@gnunet.org> | 2017-05-15 16:28:00 +0200 | 
| commit | b418b3080e30f48c9ae0723faf32508fca5103d6 (patch) | |
| tree | 64ce54203b9ccd8e353c49c9ce9793acad1a8ed4 /doc/paper/trash | |
| parent | 4c90a797da79376d7b1f5e764908a50386fe5374 (diff) | |
Just some trash
Diffstat (limited to 'doc/paper/trash')
| -rw-r--r-- | doc/paper/trash | 90 | 
1 files changed, 90 insertions, 0 deletions
| diff --git a/doc/paper/trash b/doc/paper/trash new file mode 100644 index 00000000..ced86833 --- /dev/null +++ b/doc/paper/trash @@ -0,0 +1,90 @@ + + + +\begin{proposition} +If there are no refresh operations, then any adversary who links +coins can recognize blinding factors. +\end{proposition} + +\begin{proof} +In effect, coin withdrawal transcripts consist of numbers $b m^d \mod n$ + +The blinding factor is created with a full domain hash  +\end{proof} + + +We say a blind signature  +linkable if some probabilistic polynomial  +time (PPT) adversary has a non-negligible advantage indentifying +the  + + +, given some withdrawal and refresh +transcripts + +  + + + +We say a coin $C_0$ is {\em linkable} to the withdrawal or refresh +operation in which it was created if some probabilistic polynomial  +time (PPT) adversary has a non-negligible advantage in guessing +which of $\{ C_0, C_1 \}$ were created in that operation, + where $C_1$ is an unrelated third coin. + +% TODO: Compare this definition with some from the literature +% TODO: Should this definition be broadened? + +.. reference literate about withdrawal .. + +\begin{proposition} +In the random oracle model,  +if a coin created by refresh is linkable to the refresh operation +that created it, then some PPT adversary has a non-negligible +advantage in determining the shared secret of an eliptic curve  +Diffie-Hellman key exchange on curve25519. +\end{proposition} + +% Intuitively this follows from \cite{Rudich88}[Theorem 4.1], but +% we provide slightly more formality. + +\begin{proof} +Assume a PPT adversary $A$ has a non-negligible advantage in solving +the linking problem. + +We have two curve points $C = c G$ and $T = t G$ for which +we wish to compute the shared secret $c t G$. + +We make $C$ into a coin by singing it with a denomination key +invented for this purpose.  We let $T^{(1)}$ denote $T$ and +invent $\kappa-1$ linking keys $T^{(2)},\ldots,T^{(\kappa)}$. + +We shall extract the shared secret by constructing an algorithm +that runs the refresh protocol and then runs $A$ using the natural +simulation of a random oracle, namely answering new queries with +random bits, yet recording the answers in a database so as to +provide idendical answers to identical queries. + +We may take $\gamma=1$ by restarting the exchange with a clean +database.  As a result, the exchange never checks the commitment +covering $T^{(1)}$, but this alone does not suffice to discount +the any information contained in the commitment.   + +Instead, we observe that our commitments consist of random oracle +queries distinct from anything else in the protocol, so they contain +no information of use to $A$, and can safely be omitted. + +We do not know $c t G$ so our simulation cannot run the KDF to +derive the new coin that $A$ can link.   + + +... random oracle .. +\end{proof} + +In principle, one might worry if coins created in the same withdrawal +or refresh opeartion might be linkable to one another without being +linkable to the operation, but addressing this concern would take us +somewhat far afield and require similar methods. + + + | 
