[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [freehaven-dev] Re: request for comments on Mixnet Reputationspaper

On Wed, 13 Dec 2000, David Hopwood wrote:

>    Note that it would not be correct to assume that "To N_j: foo"
>    has appeared on the ledger before, because there are many other
>    possible ciphertexts that can decrypt to (I_{j+1}, bar).

This means life would be much simpler if we had a PKCS which was
ciphertext collision resistant if public keys are allowed to vary, it
seems. Anna Lysyanskaya suggested Cramer-Shoup; we hadn't pursued it
because we thought we could get by with fixed-key ciphertext collision

I don't think we'll put together a proof that CS is ciphertext collisin
resisant in the next few hours (we might come up with a counterexample,
but that's unlikely since we have to respond to this in the paper now. :) 
Even so, this may motivate mentioning it as an open problem in the paper. 

Thanks again,