More on RSA-KTI

doc/paper/taler.bib

@@ -368,7 +368,7 @@
 }
 
 
-@inbook{RSA-HDF-KTIvCTI,
+@inbook{RSA-FDH-KTIvCTI,
   author="Bellare, Mihir and Namprempre, Chanathip and Pointcheval, David and Semanko, Michael",
   editor="Syverson, Paul",
   chapter="The Power of RSA Inversion Oracles and the Security of Chaum's RSA-Based Blind Signature Scheme",

doc/paper/taler.tex

@@ -509,7 +509,7 @@ financial reserve.  In addition, Taler includes an \emph{auditor} who
 assures customers and merchants that the exchange operates correctly.
 
 %\vspace{-0.3cm}
-\subsection{Security considerations}
+\subsection{Security considerations}\label{subsec:security_rough}
 %\vspace{-0.3cm}
 
 As a payment system, Taler naturally needs to make sure that coins are
@@ -559,7 +559,7 @@ limiting the exchange's financial liability.
 On the cryptographic side, a Taler exchange demands that coins use a
 full domain hash (FDH) to make so-called ``one-more forgery'' attacks
 provably hard, assuming the RSA known-target inversion problem is
-hard~\cite[Theorem 12]{RSA-HDF-KTIvCTI}.  For a withdrawn coin,
+hard~\cite[Theorem 12]{RSA-FDH-KTIvCTI}.  For a withdrawn coin,
 violating the customers anonymity cryptographically requires recognizing
 a random blinding factor from a random element of the group of
 integers modulo the denomination key's RSA modulus, which appears
@@ -1466,6 +1466,14 @@ protocol is never used.
 
 \subsection{Exculpability arguments}
 
+In \S\ref{subsec:security_rough},
+we quoted \cite[Theorem 12]{RSA-FDH-KTIvCTI} that RSA-FDH blind
+signatures are secure against ``one-more forgery'' attacks, assuming
+ the RSA known-target inversion problem is hard.
+We note as well that ``one-more forgery'' attacks cover both the
+refresh operation as well as the withdrawal operarion
+ \cite[Definition 12]{RSA-FDH-KTIvCTI,OneMoreInversion}.
+
 \begin{lemma}\label{lemma:double-spending}
 The exchange can detect, prevent, and prove double-spending.
 \end{lemma}