14:33:53 <sarang> Hello all
14:34:17 <sarang> Reviewing some code and a paper from Aram (cryptographer with Zcoin) relating to Lelantus and Triptych today
14:35:05 <sarang> When suraeNoether arrives, hopefully we can discuss the key image oracle for CLSAG linkable anonymity and its relationship to the OMDDH problem
14:35:13 <sarang> (looks like OMCDH doesn't apply)
14:40:30 <suraeNoether> Technically there are three flavors of one-more DDH, sometimes named OMDDH, DTOMDDH, and DDHP1, respectively.
14:40:39 <suraeNoether> These are ascending in terms of strength of an attacker.
14:41:06 <sarang> Yeah, relating to when the group elements are supplied to the player IIRC
14:41:21 <sarang> ?
14:41:23 <suraeNoether> However, the games listed above all are static or one-sided (despite the names) in the sense that players are asked to decide on DH pairs where one of the keys is fixed from the very beginning. I.e. a challenge point X is fixed and the player gets a bunch of other challenges Y and has to decide if some Z is a random point or xY for one of the Ys
14:41:40 <suraeNoether> Not just when but how many and order matters
14:42:43 <suraeNoether> I want to modify the definition so a different X, namely X = Hp(Y), is used for each
14:43:03 <suraeNoether> I'm pondering the impact of the definition of security
14:50:30 <sarang> What's the downside to sticking with plain old DDH, but including some notion of a key image oracle?
14:50:43 <sarang> Then use random self-reducibility like the original proof does
14:51:21 <sarang> The oracle returns the (possible) DDH point from the tuple, and ensures that simulated signatures are consistent with them
14:52:46 <sarang> and then work this into a Backes-style LA definition where the corruption oracle is removed and replaced with this key image oracle
15:06:23 <sarang> ^ suraeNoether
15:29:15 <suraeNoether> The key image oracle is just a ddh oracle with specialized behavior given certain inputs... so I'm not sure I understand your question
15:29:33 <suraeNoether> If you are going to use ddh oracle access, you can't play the usual ddh game
15:29:39 <suraeNoether> Have to move up to 1mddh
15:33:50 <sarang> I'm wondering about what happens if you define a key image oracle that the LA player has access to, that operates such that the DDH player simply returns the R_{i,3} point in its tuple to the LA player
15:34:10 <sarang> (the DDH player never passes those key image queries along in its own DDH game)
15:34:33 <sarang> So the LA player has access to purported key images that can be made consistent with Sign oracle queries simulated by the DDH player
15:35:39 <sarang> With this method, I don't see why you'd need a DDH oracle... it's purely being simulated by the DDH player for the LA player
21:43:46 <suraeNoether> Brief clsag update, sarang is right about the DDH oracle, although I needed a walkthrough. The result is linkable anonymity once again reduces to vanilla DDH thanks to random self reducibility
22:26:59 <sarang> :)