diff --git a/doc/paper/rom.bib b/doc/paper/rom.bib index d85b2e891..cd4105218 100644 --- a/doc/paper/rom.bib +++ b/doc/paper/rom.bib @@ -72,3 +72,21 @@ } + + +@Inbook{Abdalla2000, + author="Abdalla, Michel and Bellare, Mihir", + editor="Okamoto, Tatsuaki", + title="Increasing the Lifetime of a Key: A Comparative Analysis of the Security of Re-keying Techniques", + bookTitle="Advances in Cryptology --- ASIACRYPT 2000: 6th International Conference on the Theory and Application of Cryptology and Information Security Kyoto, Japan, December 3--7, 2000 Proceedings", + year="2000", + publisher="Springer Berlin Heidelberg", + address="Berlin, Heidelberg", + pages="546--559", + isbn="978-3-540-44448-0", + doi="10.1007/3-540-44448-3_42", + doi_url="http://dx.doi.org/10.1007/3-540-44448-3_42", + url="https://link.springer.com/chapter/10.1007/3-540-44448-3_42" +} + + diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex index 488f01d06..bdc60e15b 100644 --- a/doc/paper/taler.tex +++ b/doc/paper/taler.tex @@ -1335,7 +1335,7 @@ exchange can even invent coins whole cloth. We may now remove the encrpytion by appealing to the random oracle model~\cite{BR-RandomOracles}. -\begin{lemma}[\cite{??}] +\begin{lemma}%[\cite{??}] Consider a protocol that commits to random data by encrypting it using a secret derived from a Diffe-Hellman key exchange. In the random oracle model, we may replace this encryption with @@ -1345,6 +1345,11 @@ functions to the same secret. % TODO: Too general probably? % TODO: IND-CPA again? +Indeed, we expect doing so to increase practical security as in +\cite{Abdalla2000}, and adding the random oracle assumption need not +reduce security if it focuses more attention on the usage of hash +functions throughout the protocol. + \begin{proof} We work with the usual instantiation of the random oracle model as returning a random string and placing it into a database for future 
@@ -1356,6 +1361,10 @@ that we encrypt in the old encryption based version of Taler. Now our random oracle scheme with $R$ gives the same result as our scheme that encrypts random data, so the encryption becomes superfluous and may be omitted. + +We require the security of the original encryption operation reduced +to the security of the Diffe-Hellman key exchange, which remains a +requirement of the derived protocol. \end{proof} We may now conclude that Taler remains unlinkable even with the refresh protocol.
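Review bot: in the rom.bib hunk the new Abdalla2000 entry packs venue, city, dates and "Proceedings" into one bookTitle string and is typed @Inbook with a nonstandard doi_url field; suggest @InProceedings with booktitle="Advances in Cryptology -- ASIACRYPT 2000" plus series/volume fields for the LNCS volume, and drop doi_url since the doi field already carries the same identifier (BibTeX styles ignore unknown fields, but it duplicates url). The hunk also appends three blank lines at the end of the file; trim to one.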
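Review bot: commenting out `[\cite{??}]` on the `\begin{lemma}` line silences the undefined-citation warning but leaves the lemma unattributed while the `??` placeholder stays in the source to be re-enabled by accident; either resolve the reference now (the sentence immediately above credits the random oracle model to `\cite{BR-RandomOracles}`, so that may be the intended attribution if the statement comes from there) or delete the bracket entirely.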
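Review bot: the paragraph added after the `% TODO: IND-CPA again?` line makes two claims that need tightening. "as in \cite{Abdalla2000}" cites a paper on re-keying (deriving fresh keys from a master key to extend its lifetime), whereas the lemma is about replacing encryption under a Diffie-Hellman-derived secret with hashing of that secret; state which property is being borrowed (deriving per-use key material through a hash or PRF bounds what is exposed under any one key) rather than implying that paper analyses this substitution. "adding the random oracle assumption need not reduce security" is a heuristic, not a result: the random oracle model is a stronger idealisation than the IND-CPA assumption it replaces, so phrase this as an argument about the concrete instantiation (hash usage becomes explicit and auditable across the protocol) rather than as a security claim. The paragraph also sits between the lemma's trailing TODO comments and `\begin{proof}`, where a reader expects the proof to begin; consider a `\begin{remark}` or moving it after the proof.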
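Review bot: the sentence added before `\end{proof}` is ungrammatical ("We require the security ... reduced to") and misspells the assumption as "Diffe-Hellman" (the same misspelling appears in the unchanged lemma statement, "Diffe-Hellman key exchange"); suggest "This requires that the security of the original encryption reduce to the hardness of the Diffie-Hellman problem, which remains an assumption of the derived protocol." More substantively, this is a hypothesis of the lemma, not a proof step, so it belongs in the lemma statement, and it should name which Diffie-Hellman assumption is meant: with the key obtained by hashing the shared secret in the random oracle model, the usual target is computational (CDH) rather than decisional (DDH), and the proof should say which one the reduction needs.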