91 lines
2.8 KiB
Plaintext
91 lines
2.8 KiB
Plaintext
|
|
|
|
|
|
\begin{proposition}
|
|
If there are no refresh operations, then any adversary who links
|
|
coins can recognize blinding factors.
|
|
\end{proposition}
|
|
|
|
\begin{proof}
|
|
In effect, coin withdrawal transcripts consist of numbers $b m^d \mod n$
|
|
|
|
The blinding factor is created with a full domain hash
|
|
\end{proof}
|
|
|
|
|
|
We say a blind signature
|
|
linkable if some probabilistic polynomial
|
|
time (PPT) adversary has a non-negligible advantage indentifying
|
|
the
|
|
|
|
|
|
, given some withdrawal and refresh
|
|
transcripts
|
|
|
|
|
|
|
|
|
|
|
|
We say a coin $C_0$ is {\em linkable} to the withdrawal or refresh
|
|
operation in which it was created if some probabilistic polynomial
|
|
time (PPT) adversary has a non-negligible advantage in guessing
|
|
which of $\{ C_0, C_1 \}$ were created in that operation,
|
|
where $C_1$ is an unrelated third coin.
|
|
|
|
% TODO: Compare this definition with some from the literature
|
|
% TODO: Should this definition be broadened?
|
|
|
|
.. reference literate about withdrawal ..
|
|
|
|
\begin{proposition}
|
|
In the random oracle model,
|
|
if a coin created by refresh is linkable to the refresh operation
|
|
that created it, then some PPT adversary has a non-negligible
|
|
advantage in determining the shared secret of an eliptic curve
|
|
Diffie-Hellman key exchange on curve25519.
|
|
\end{proposition}
|
|
|
|
% Intuitively this follows from \cite{Rudich88}[Theorem 4.1], but
|
|
% we provide slightly more formality.
|
|
|
|
\begin{proof}
|
|
Assume a PPT adversary $A$ has a non-negligible advantage in solving
|
|
the linking problem.
|
|
|
|
We have two curve points $C = c G$ and $T = t G$ for which
|
|
we wish to compute the shared secret $c t G$.
|
|
|
|
We make $C$ into a coin by singing it with a denomination key
|
|
invented for this purpose. We let $T^{(1)}$ denote $T$ and
|
|
invent $\kappa-1$ linking keys $T^{(2)},\ldots,T^{(\kappa)}$.
|
|
|
|
We shall extract the shared secret by constructing an algorithm
|
|
that runs the refresh protocol and then runs $A$ using the natural
|
|
simulation of a random oracle, namely answering new queries with
|
|
random bits, yet recording the answers in a database so as to
|
|
provide idendical answers to identical queries.
|
|
|
|
We may take $\gamma=1$ by restarting the exchange with a clean
|
|
database. As a result, the exchange never checks the commitment
|
|
covering $T^{(1)}$, but this alone does not suffice to discount
|
|
the any information contained in the commitment.
|
|
|
|
Instead, we observe that our commitments consist of random oracle
|
|
queries distinct from anything else in the protocol, so they contain
|
|
no information of use to $A$, and can safely be omitted.
|
|
|
|
We do not know $c t G$ so our simulation cannot run the KDF to
|
|
derive the new coin that $A$ can link.
|
|
|
|
|
|
... random oracle ..
|
|
\end{proof}
|
|
|
|
In principle, one might worry if coins created in the same withdrawal
|
|
or refresh opeartion might be linkable to one another without being
|
|
linkable to the operation, but addressing this concern would take us
|
|
somewhat far afield and require similar methods.
|
|
|
|
|
|
|