
Re: [P1619-2] P1619.2 Recirculation Ballot has now started
> Shai, any chance you can redefine this to be M(i-1) not M1 without
> compromising the security proof???

Very good question; I don't really know the answer.

I remember that there was some reason that made it easier to prove
security when using M1 everywhere. (I think that this is used in
Claim 14 on page 30 of the ePrint version, not 100% sure about it.)

I was never sure about this being really necessary (i.e., I don't know
of any attack that would be possible otherwise), but using M(i-1) would
mean adding a new bunch of special cases to consider in the proof. It
is certainly plausible that one can analyze these new special cases and
verify that none of them cause a problem. It is also plausible that
one of them will turn out to be an attack.

I'm guessing that it would be easier to add a comment saying "yes we
really mean M1", than to change the mode.

-- Shai