aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeffrey Burdges <burdges@gnunet.org>2017-05-16 01:02:48 +0200
committerJeffrey Burdges <burdges@gnunet.org>2017-05-16 01:02:48 +0200
commit709e53be6edfc4ad6d9a44a93204e55abd00d712 (patch)
tree531b8319c3dd27e574129d0513b8685692d83011
parent1a2facbd2b7536379277bb746c5853186cc673cb (diff)
Add a suitable argument for KDF under the random oracle model.
-rw-r--r--doc/paper/taler.tex30
1 files changed, 28 insertions, 2 deletions
diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex
index 70378d4f2..71657fc02 100644
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex
@@ -1498,7 +1498,33 @@ any PPT adversary with an advantage for linking Taler coins gives
rise to an adversary with an advantage for recognizing SHA512 output.
\end{proposition}
-We now apply \cite[??]{??} to deduce :
+% TODO: Is independence here too strong?
+
+We may now remove the encrpytion by appealing to the random oracle model
+\cite{BR-RandomOracles}.
+
+\begin{lemma}[\cite[??]{??}]
+Consider a protocol that commits to random data by encrypting it
+using a secret derived from a Diffe-Hellman key exchange.
+In the random oracle model, we may replace this encryption with
+a hash function derives the random data by applying hash functions
+to the same secret.
+\end{lemma}
+
+\begin{proof}
+We work with the usual instantiation of the random oracle model as
+returning a random string and placing it into a database for future
+queries.
+
+We take the random number generator that drives this random oracle
+to be the random number generator used to produce the random data
+that we encrypt in the old encryption based version of Taler.
+Now our random oracle scheme gives the same result as our scheme
+that encrypts random data, so the encryption becomes superfluous
+and may be omitted.
+\end{proof}
+
+We may now conclude that Taler remains unlinkable even with the refresh protocol.
\begin{theorem}
In the random oracle model, any PPT adversary with an advantage
@@ -1512,7 +1538,7 @@ proves that out linking protocol \S\ref{subsec:linking} does not
degrade privacy.
-
+\end{document}