-
sarang
Hello all
-
sarang
Reviewing some code and a paper from Aram (cryptographer with Zcoin) relating to Lelantus and Triptych today
-
sarang
When suraeNoether arrives, hopefully we can discuss the key image oracle for CLSAG linkable anonymity and its relationship to the OMDDH problem
-
sarang
(looks like OMCDH doesn't apply)
-
suraeNoether
Technically there are three flavors of one-more DDH, sometimes named OMDDH, DTOMDDH, and DDHP1, respectively.
-
suraeNoether
These are ascending in terms of strength of an attacker.
-
sarang
Yeah, relating to when the group elements are supplied to the player IIRC
-
sarang
?
-
suraeNoether
However, the games listed above all are static or one-sided (despite the names) in the sense that players are asked to decide on DH pairs where one of the keys is fixed from the very beginning. I.e. a challenge point X is fixed and the player gets a bunch of other challenges Y and has to decide if some Z is a random point or xY for one of the Ys
-
suraeNoether
Not just when but how many and order matters
-
suraeNoether
I want to modify the definition so a different X, namely X = Hp(Y), is used for each
-
suraeNoether
I'm pondering the impact of the definition of security
-
sarang
What's the downside to sticking with plain old DDH, but including some notion of a key image oracle?
-
sarang
Then use random self-reducibility like the original proof does
-
sarang
The oracle returns the (possible) DDH point from the tuple, and ensures that simulated signatures are consistent with them
-
sarang
and then work this into a Backes-style LA definition where the corruption oracle is removed and replaced with this key image oracle
-
sarang
^ suraeNoether
-
suraeNoether
The key image oracle is just a ddh oracle with specialized behavior given certain inputs... so I'm not sure I understand your question
-
suraeNoether
If you are going to use ddh oracle access, you can't play the usual ddh game
-
suraeNoether
Have to move up to 1mddh
-
sarang
I'm wondering about what happens if you define a key image oracle that the LA player has access to, that operates such that the DDH player simply returns the R_{i,3} point in its tuple to the LA player
-
sarang
(the DDH player never passes those key image queries along in its own DDH game)
-
sarang
So the LA player has access to purported key images that can be made consistent with Sign oracle queries simulated by the DDH player
-
sarang
With this method, I don't see why you'd need a DDH oracle... it's purely being simulated by the DDH player for the LA player
-
suraeNoether
Brief clsag update, sarang is right about the DDH oracle, although I needed a walkthrough. The result is linkable anonymity once again reduces to vanilla DDH thanks to random self reducibility
-
sarang
:)