aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/paper/rom.bib18
-rw-r--r--doc/paper/taler.tex11
2 files changed, 28 insertions, 1 deletions
diff --git a/doc/paper/rom.bib b/doc/paper/rom.bib
index d85b2e891..cd4105218 100644
--- a/doc/paper/rom.bib
+++ b/doc/paper/rom.bib
@@ -72,3 +72,21 @@
}
+
+
+@Inbook{Abdalla2000,
+ author="Abdalla, Michel and Bellare, Mihir",
+ editor="Okamoto, Tatsuaki",
+ title="Increasing the Lifetime of a Key: A Comparative Analysis of the Security of Re-keying Techniques",
+ bookTitle="Advances in Cryptology --- ASIACRYPT 2000: 6th International Conference on the Theory and Application of Cryptology and Information Security Kyoto, Japan, December 3--7, 2000 Proceedings",
+ year="2000",
+ publisher="Springer Berlin Heidelberg",
+ address="Berlin, Heidelberg",
+ pages="546--559",
+ isbn="978-3-540-44448-0",
+ doi="10.1007/3-540-44448-3_42",
+ doi_url="http://dx.doi.org/10.1007/3-540-44448-3_42",
+ url="https://link.springer.com/chapter/10.1007/3-540-44448-3_42"
+}
+
+
diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex
index 488f01d06..bdc60e15b 100644
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex
@@ -1335,7 +1335,7 @@ exchange can even invent coins whole cloth.
We may now remove the encrpytion by appealing to the random oracle
model~\cite{BR-RandomOracles}.
-\begin{lemma}[\cite{??}]
+\begin{lemma}%[\cite{??}]
Consider a protocol that commits to random data by encrypting it
using a secret derived from a Diffe-Hellman key exchange.
In the random oracle model, we may replace this encryption with
@@ -1345,6 +1345,11 @@ functions to the same secret.
% TODO: Too general probably?
% TODO: IND-CPA again?
+Indeed, we expect doing so to increase practical security as in
+\cite{Abdalla2000}, and adding the random oracle assumption need not
+reduce security if it focuses more attention on the usage of hash
+functions throughout the protocol.
+
\begin{proof}
We work with the usual instantiation of the random oracle model as
returning a random string and placing it into a database for future
@@ -1356,6 +1361,10 @@ that we encrypt in the old encryption based version of Taler.
Now our random oracle scheme with $R$ gives the same result as our
scheme that encrypts random data, so the encryption becomes
superfluous and may be omitted.
+
+We require the security of the original encryption operation reduced
+to the security of the Diffe-Hellman key exchange, which remains a
+requirement of the derived protocol.
\end{proof}
We may now conclude that Taler remains unlinkable even with the refresh protocol.