From c56507447c8a550d4fedc926e8504f172a9f92a4 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Mon, 26 Sep 2016 17:24:55 +0100 Subject: [PATCH] Clarify a note about SU-CMA security for signatures. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index a3963916..2b1e9f41 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -1298,10 +1298,10 @@ pair without access to the signing key. In fact the instantiation of $\JoinSplitSig$ uses a scheme designed for security under adaptive attack even when multiple signatures are signed under the same key. - \item SU-CMA security requires it to be infeasible for the adversary to - forge a distinct signature on a previously seen message. That is, - \joinSplitSignatures are intended to be nonmalleable in the sense of - \cite{BIP-62}. + \item SU-CMA security requires it to be infeasible for the adversary, not + knowing the private key, to forge a distinct signature on a previously + seen message. That is, \joinSplitSignatures are intended to be + nonmalleable in the sense of \cite{BIP-62}. \end{pnotes} @@ -3558,6 +3558,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in \item Update the section on encoding of \transparent addresses. (The precise prefixes are not decided yet.) \item Clarify why $\Blake{\ell}$ is different from truncated $\Blake{512}$. + \item Clarify a note about SU-CMA security for signatures. \item Add a paragraph about key length in \crossref{inbandrationale}. \item Add acknowledgements for John Tromp, Paige Peterson, Maureen Walsh, Jay Graber, and Jack Gavigan.
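Review bot: In the first hunk (protocol.tex around line 1298), the added qualifier "not knowing the private key" uses a different term from the unchanged context line just above it, which says "without access to the signing key". Both items in this pnotes list describe the same adversary, so I would use "signing key" in the SU-CMA item as well, e.g. "for the adversary, not knowing the signing key, to forge a distinct signature", so a reader does not wonder whether two different keys are meant.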
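Review bot: In the second hunk (change history around line 3558), the new entry "Clarify a note about SU-CMA security for signatures." does not say where the note lives, while the following entry points at its section with \crossref{inbandrationale}. Consider adding a \crossref to the section that contains the \JoinSplitSig notes so the history entry can be followed back to the text it changed.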