gnunet-svn

[GNUnet-SVN] [taler-exchange] 02/06: Approach to the privacy argument


From: gnunet
Subject: [GNUnet-SVN] [taler-exchange] 02/06: Approach to the privacy argument
Date: Mon, 15 May 2017 17:46:56 +0200

This is an automated email from the git hooks/post-receive script.

burdges pushed a commit to branch master
in repository exchange.

commit 0359e829f3bdbc371c7e6a5b20265b79f8afe44b
Author: Jeffrey Burdges <address@hidden>
AuthorDate: Mon May 15 16:28:24 2017 +0200

    Approach to the privacy argument
---
 doc/paper/taler.tex | 68 ++++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 54 insertions(+), 14 deletions(-)

diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex
index 4ef76ca..c2458fb 100644
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex
@@ -1444,27 +1444,67 @@ At a result, there is no way for a user to loose 
control over a coin,
 
 \section{Privacy arguments}
 
-We consider two coins $C_1$ and $C_2$ created by the same withdrawal
-or refresh operation.  We say they are {\em linkable} if
-some probabilistic polynomial time adversary has a non-negligible
-advantage in guessing which two of $\{ C_0, C_1, C_2 \}$ were
-created together, where $C_0$ is an unrelated third coin.
+The {\em linking problem} for blind signature is,
+if given coin creation transcrips and possibly fewer
+coin deposit transcripts for coins from the creation transcripts,
+then produce a corresponding creation and deposit transcript.
 
-% TODO: Compare this definition with some from the literature
+We say a probabilistic polynomial time (PPT) adversary $A$
+{\em links} coins if it has a non-negligable advantage in
+solving the linking problem, when given the private keys
+of the exchange.
 
-.. reference literate about withdrawal ..
+In Taler, there are two forms of coin creation transcrips,
+withdrawal and refresh.
 
-\begin{proposition}
-If two coins created by refresh are linkable, then some 
-probabilistic polynomial time adversary has a non-negligible
-advantage in determining that their seeds ...
-...
-\end{proposition}
+\begin{lemma}
+If there are no refresh operations, any adversary with an
+advantage in linking coins is polynomially equivelent to an
+advantage with the same advantage in recognizing blinding factors.
+\end{lemma}
 
 \begin{proof}
-... random oracle ..
+Let $n$ denote the RSA modulous of the denomination key.
+Also let $d$ and $e$ denote the private and public exponents, respectively.
+In effect, coin withdrawal transcripts consist of numbers
+$b m^d \mod n$ where $m$ is the FDH of the coin's public key
+and $b$ is the blinding factor, while coin deposits transcripts
+consist of only $m^d \mon n$. 
+
+Of course, if the adversary can link coins then they can compute
+the blinding factors as $b m^d / m^d \mod n$.  Conversely, if the
+adversary can recognize blinding factors then they link coins after
+first computing $b_{i,j} = b_i m_i^d / m_j^d \mod n$ for all $i,j$.
 \end{proof}
 
+We now know the following because Taler used SHA512 adopted to be
+ a FDH to breat the blinding factor.
+
+\begin{corollary}
+Assuming no refresh opeeration, 
+any PPT adversary with an advantage for linking Taler coins gives
+rise to an adversary with an advantage for recognizing SHA512 output.
+\end{corollary}
+
+There was an earlier encryption-based version of the Taler protocol
+in which refresh operated consisted of $\kappa$ normal coin withdrawals
+encrypted using the secret $t^{(i)} C$ where $C = c G$ is the coin being
+refreshed and $T^{(i)} = t^{(i)} G$ is the transfer key.
+
+\begin{proposition}
+Assuming the encryption used is ??? secure, and that
+ the independence of $c$, $t$, and the new coins key materials, then
+any PPT adversary with an advantage for linking Taler coins gives
+rise to an adversary with an advantage for recognizing SHA512 output.
+\end{proposition}
+
+We now apply \cite[??]{??} to deduce : 
+
+\begin{theorem}
+In the random oracle model, any PPT adversary with an advantage
+in linking Taler coins has an advantage in breaking elliptic curve
+Diffie-Hellman key exchange on curve25519.
+\end{theorem}
 
 
 \end{document}
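Review bot: the deposit-transcript line in the proof, `+consist of only $m^d \mon n$.`, uses the undefined control sequence `\mon`, which will stop the LaTeX build; it should be `$m^d \mod n$`, matching the withdrawal transcript `$b m^d \mod n$` two lines above. The placeholder `\cite[??]{??}` in front of the theorem and the `??? secure` assumption in the proposition will likewise break the bibliography run or read as unfinished; either fill them in or keep them as `% TODO` comments like the one this hunk deletes. The lemma statement is garbled ("polynomially equivelent to an advantage with the same advantage in recognizing blinding factors") and should state the two-way reduction the proof actually gives: an adversary that links coins yields one that recovers blinding factors with the same advantage, and conversely. Spelling in the added text: transcrips, negligable, equivelent, modulous, opeeration, breat, and "adopted" where "adapted" is meant.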

-- 
To stop receiving notification emails like this one, please contact
address@hidden


