Just some trash

1 files changed, 90 insertions, 0 deletions

diff --git a/doc/paper/trash b/doc/paper/trash
new file mode 100644
index 000000000..ced86833a
--- /dev/null
+++ b/doc/paper/trash
@@ -0,0 +1,90 @@
+
+
+
+\begin{proposition}
+If there are no refresh operations, then any adversary who links
+coins can recognize blinding factors.
+\end{proposition}
+
+\begin{proof}
+In effect, coin withdrawal transcripts consist of numbers $b m^d \mod n$
+
+The blinding factor is created with a full domain hash 
+\end{proof}
+
+
+We say a blind signature 
+linkable if some probabilistic polynomial 
+time (PPT) adversary has a non-negligible advantage indentifying
+the 
+
+
+, given some withdrawal and refresh
+transcripts
+
+ 
+
+
+
+We say a coin $C_0$ is {\em linkable} to the withdrawal or refresh
+operation in which it was created if some probabilistic polynomial 
+time (PPT) adversary has a non-negligible advantage in guessing
+which of $\{ C_0, C_1 \}$ were created in that operation,
+ where $C_1$ is an unrelated third coin.
+
+% TODO: Compare this definition with some from the literature
+% TODO: Should this definition be broadened?
+
+.. reference literate about withdrawal ..
+
+\begin{proposition}
+In the random oracle model, 
+if a coin created by refresh is linkable to the refresh operation
+that created it, then some PPT adversary has a non-negligible
+advantage in determining the shared secret of an eliptic curve 
+Diffie-Hellman key exchange on curve25519.
+\end{proposition}
+
+% Intuitively this follows from \cite{Rudich88}[Theorem 4.1], but
+% we provide slightly more formality.
+
+\begin{proof}
+Assume a PPT adversary $A$ has a non-negligible advantage in solving
+the linking problem.
+
+We have two curve points $C = c G$ and $T = t G$ for which
+we wish to compute the shared secret $c t G$.
+
+We make $C$ into a coin by singing it with a denomination key
+invented for this purpose.  We let $T^{(1)}$ denote $T$ and
+invent $\kappa-1$ linking keys $T^{(2)},\ldots,T^{(\kappa)}$.
+
+We shall extract the shared secret by constructing an algorithm
+that runs the refresh protocol and then runs $A$ using the natural
+simulation of a random oracle, namely answering new queries with
+random bits, yet recording the answers in a database so as to
+provide idendical answers to identical queries.
+
+We may take $\gamma=1$ by restarting the exchange with a clean
+database.  As a result, the exchange never checks the commitment
+covering $T^{(1)}$, but this alone does not suffice to discount
+the any information contained in the commitment.  
+
+Instead, we observe that our commitments consist of random oracle
+queries distinct from anything else in the protocol, so they contain
+no information of use to $A$, and can safely be omitted.
+
+We do not know $c t G$ so our simulation cannot run the KDF to
+derive the new coin that $A$ can link.  
+
+
+... random oracle ..
+\end{proof}
+
+In principle, one might worry if coins created in the same withdrawal
+or refresh opeartion might be linkable to one another without being
+linkable to the operation, but addressing this concern would take us
+somewhat far afield and require similar methods.
+
+
+