
[GNUnet-SVN] [taler-exchange] 03/06: Some classical random oracle reference


From: gnunet
Subject: [GNUnet-SVN] [taler-exchange] 03/06: Some classical random oracle reference
Date: Mon, 15 May 2017 17:46:57 +0200

This is an automated email from the git hooks/post-receive script.

burdges pushed a commit to branch master
in repository exchange.

commit 2036c42a779177a7c0225b6ecacb9363614c4d3e
Author: Jeffrey Burdges <address@hidden>
AuthorDate: Mon May 15 16:28:55 2017 +0200

    Some classical random oracle reference
---
 doc/paper/ro.bib | 74 ++++++++++++++++++++++++++++++++++++++++++++++
 doc/paper/trash  | 90 --------------------------------------------------------
 2 files changed, 74 insertions(+), 90 deletions(-)

diff --git a/doc/paper/ro.bib b/doc/paper/ro.bib
new file mode 100644
index 0000000..d85b2e8
--- /dev/null
+++ b/doc/paper/ro.bib
@@ -0,0 +1,74 @@
+
+
+
+
address@hidden,
+  dblp = {DBLP:conf/ccs/BellareR93},
+  author    = {Mihir Bellare and
+               Phillip Rogaway},
+  title     = {Random Oracles are Practical: {A} Paradigm for Designing 
Efficient
+               Protocols},
+  booktitle = {{CCS} '93, Proceedings of the 1st {ACM} Conference on Computer 
and
+               Communications Security, Fairfax, Virginia, USA, November 3-5, 
1993.},
+  pages     = {62--73},
+  year      = {1993},
+  crossref  = {DBLP:conf/ccs/1993},
+  url       = {http://doi.acm.org/10.1145/168588.168596},
+  doi       = {10.1145/168588.168596},
+  timestamp = {Fri, 23 Dec 2011 14:54:25 +0100},
+  biburl    = {http://dblp.uni-trier.de/rec/bib/conf/ccs/BellareR93},
+  bibsource = {dblp computer science bibliography, http://dblp.org}
+}
+
address@hidden:conf/ccs/1993,
+  editor    = {Dorothy E. Denning and
+               Raymond Pyle and
+               Ravi Ganesan and
+               Ravi S. Sandhu and
+               Victoria Ashby},
+  title     = {{CCS} '93, Proceedings of the 1st {ACM} Conference on Computer 
and
+               Communications Security, Fairfax, Virginia, USA, November 3-5, 
1993},
+  publisher = {{ACM}},
+  year      = {1993},
+  url       = {http://dl.acm.org/citation.cfm?id=168588},
+  isbn      = {0-89791-629-8},
+  timestamp = {Fri, 09 Dec 2011 14:34:06 +0100},
+  biburl    = {http://dblp.uni-trier.de/rec/bib/conf/ccs/1993},
+  bibsource = {dblp computer science bibliography, http://dblp.org}
+}
+
+
+
+
address@hidden,
+  dblp = {DBLP:conf/crypto/ImpagliazzoR88},
+  author    = {Russell Impagliazzo and
+               Steven Rudich},
+  title     = {Limits on the Provable Consequences of One-way Permutations},
+  booktitle = {Advances in Cryptology - {CRYPTO} '88, 8th Annual International 
Cryptology
+               Conference, Santa Barbara, California, USA, August 21-25, 1988, 
Proceedings},
+  pages     = {8--26},
+  year      = {1988},
+  crossref  = {DBLP:conf/crypto/1988},
+  url       = {http://dx.doi.org/10.1007/0-387-34799-2_2},
+  doi       = {10.1007/0-387-34799-2_2},
+  timestamp = {Fri, 18 Sep 2009 08:51:10 +0200},
+  biburl    = {http://dblp.uni-trier.de/rec/bib/conf/crypto/ImpagliazzoR88},
+  bibsource = {dblp computer science bibliography, http://dblp.org}
+}
+
address@hidden:conf/crypto/1988,
+  editor    = {Shafi Goldwasser},
+  title     = {Advances in Cryptology - {CRYPTO} '88, 8th Annual International 
Cryptology
+               Conference, Santa Barbara, California, USA, August 21-25, 1988, 
Proceedings},
+  series    = {Lecture Notes in Computer Science},
+  volume    = {403},
+  publisher = {Springer},
+  year      = {1990},
+  isbn      = {3-540-97196-3},
+  timestamp = {Thu, 07 Feb 2002 09:41:39 +0100},
+  biburl    = {http://dblp.uni-trier.de/rec/bib/conf/crypto/1988},
+  bibsource = {dblp computer science bibliography, http://dblp.org}
+}
+
+
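Review bot: the entry keys in this hunk are masked as `address@hidden` by the list software, so the mail only shows that two entries are cross-referenced proceedings keyed `DBLP:conf/ccs/1993` and `DBLP:conf/crypto/1988` and that the paper entries carry a custom `dblp = {...}` field recording the DBLP key; please confirm in the repository that the paper entries' keys match what the paper actually cites (the scratch file removed in this same commit used `\cite{Rudich88}`), otherwise the new .bib contributes nothing to the bibliography. The crossref ordering is correct: BibTeX requires a cross-referenced proceedings entry to appear after every entry that references it, and each one here directly follows its referencing entry. Minor style points: the four empty lines at the top of the file can go; the `title`/`booktitle` values appear folded across lines here (`Efficient`, `and`, `1993.},` without a `+` prefix), which looks like mail wrapping rather than file content, and BibTeX tolerates newlines inside braces either way; the Bellare-Rogaway `booktitle` ends in `1993.` while the proceedings entry it cross-references ends in `1993`, so one of the two should be made consistent.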
diff --git a/doc/paper/trash b/doc/paper/trash
deleted file mode 100644
index ced8683..0000000
--- a/doc/paper/trash
+++ /dev/null
@@ -1,90 +0,0 @@
-
-
-
-\begin{proposition}
-If there are no refresh operations, then any adversary who links
-coins can recognize blinding factors.
-\end{proposition}
-
-\begin{proof}
-In effect, coin withdrawal transcripts consist of numbers $b m^d \mod n$
-
-The blinding factor is created with a full domain hash 
-\end{proof}
-
-
-We say a blind signature 
-linkable if some probabilistic polynomial 
-time (PPT) adversary has a non-negligible advantage indentifying
-the 
-
-
-, given some withdrawal and refresh
-transcripts
-
- 
-
-
-
-We say a coin $C_0$ is {\em linkable} to the withdrawal or refresh
-operation in which it was created if some probabilistic polynomial 
-time (PPT) adversary has a non-negligible advantage in guessing
-which of $\{ C_0, C_1 \}$ were created in that operation,
- where $C_1$ is an unrelated third coin.
-
-% TODO: Compare this definition with some from the literature
-% TODO: Should this definition be broadened?
-
-.. reference literate about withdrawal ..
-
-\begin{proposition}
-In the random oracle model, 
-if a coin created by refresh is linkable to the refresh operation
-that created it, then some PPT adversary has a non-negligible
-advantage in determining the shared secret of an eliptic curve 
-Diffie-Hellman key exchange on curve25519.
-\end{proposition}
-
-% Intuitively this follows from \cite{Rudich88}[Theorem 4.1], but
-% we provide slightly more formality.
-
-\begin{proof}
-Assume a PPT adversary $A$ has a non-negligible advantage in solving
-the linking problem.
-
-We have two curve points $C = c G$ and $T = t G$ for which
-we wish to compute the shared secret $c t G$.
-
-We make $C$ into a coin by singing it with a denomination key
-invented for this purpose.  We let $T^{(1)}$ denote $T$ and
-invent $\kappa-1$ linking keys $T^{(2)},\ldots,T^{(\kappa)}$.
-
-We shall extract the shared secret by constructing an algorithm
-that runs the refresh protocol and then runs $A$ using the natural
-simulation of a random oracle, namely answering new queries with
-random bits, yet recording the answers in a database so as to
-provide idendical answers to identical queries.
-
-We may take $\gamma=1$ by restarting the exchange with a clean
-database.  As a result, the exchange never checks the commitment
-covering $T^{(1)}$, but this alone does not suffice to discount
-the any information contained in the commitment.  
-
-Instead, we observe that our commitments consist of random oracle
-queries distinct from anything else in the protocol, so they contain
-no information of use to $A$, and can safely be omitted.
-
-We do not know $c t G$ so our simulation cannot run the KDF to
-derive the new coin that $A$ can link.  
-
-
-... random oracle ..
-\end{proof}
-
-In principle, one might worry if coins created in the same withdrawal
-or refresh opeartion might be linkable to one another without being
-linkable to the operation, but addressing this concern would take us
-somewhat far afield and require similar methods.
-
-
-
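Review bot: deleting `doc/paper/trash` removes the only copy in this commit of the linkability definition (a coin $C_0$ is linkable to the withdrawal or refresh operation that created it if a PPT adversary has non-negligible advantage telling $\{ C_0, C_1 \}$ apart for an unrelated $C_1$) and of the proposition reducing refresh linkability to ECDH on curve25519 in the random oracle model, along with two open `% TODO` comments and the `\cite{Rudich88}` pointer that the new `ro.bib` is apparently meant to serve. If that material has already been folded into the paper source, the commit message should say so; if not, keep the scratch text (for instance as a commented block in the paper, or as a file with a `.tex` extension and a descriptive name under `doc/paper`) so the reduction argument and the unfinished proof steps (`... random oracle ..`, the missing KDF step for $c t G$) are not lost.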
