use L^{(i)} to be consistent about cut-and-choose index notation

1 files changed, 13 insertions, 13 deletions

diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex
index 54e4c0e13..0e00cf48b 100644
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex
@@ -801,11 +801,11 @@ In the protocol, $\kappa \ge 2$ is a security parameter for the
 cut-and-choose part of the protocol.  $\kappa = 3$ is actually
 perfectly sufficient in most cases in practice, as the cut-and-choose
 protocol does not need to provide cryptographic security: If the
-maximum applicable tax is less than $\frac{2}{3}$, then detecting
-$\kappa = 3$ ensures that cheating results in a negative return on
-average as $\kappa - 1$ out of $\kappa$ attempts to cheat are
-detected.  This makes the use of cut-and-choose practical and
-efficient in this context.
+maximum applicable tax is less than $\frac{2}{3}$, then $\kappa = 3$
+ensures that cheating results in a negative financial return on
+average as $\kappa - 1$ out of $\kappa$ attempts to hide from taxation
+are detected and penalized by a total loss.  This makes the use of
+cut-and-choose practical and efficient in this context.
 
 % FIXME: I'm explicit about the rounds in postquantum.tex
 
@@ -815,16 +815,16 @@ efficient in this context.
     a transfer private key $t^{(i)}_s$ and computes
     \begin{itemize}
     \item the transfer public key $T^{(i)}_p := t^{(i)}_s G$ and
-    \item the new coin secret seed $L_i := H(c'_s T_p^{(i)})$.
+    \item the new coin secret seed $L^{(i)} := H(c'_s T_p^{(i)})$.
     \end{itemize}
     We have computed $L_i$ as a Diffie-Hellman shared secret between
     the transfer key pair $T^{(i)} := \left(t^{(i)}_s,T^{(i)}_p\right)$
     and old coin key pair $C' := \left(c_s', C_p'\right)$;
-    as a result, $L_i = H(t^{(i)}_s C'_p)$ also holds.
-    Now the customer applies key derivation functions $\KDF_?$ to $L_i$ to generate
+    as a result, $L^{(i)} = H(t^{(i)}_s C'_p)$ also holds.
+    Now the customer applies key derivation functions $\KDF_{\textrm{blinding}}$ and $\KDF_{\textrm{Ed25519}}$ to $L^{(i)}$ to generate
     \begin{itemize}
-      \item a blinding factor $b^{(i)} = \FDH_K(\KDF_{\textrm{blinding}}(L_i))$.
-      \item $c_s^{(i)} = \KDF_{\textrm{Ed25519}}(L_i)$
+      \item a blinding factor $b^{(i)} = \FDH_K(\KDF_{\textrm{blinding}}(L^{(i)}))$.
+      \item $c_s^{(i)} = \KDF_{\textrm{Ed25519}}(L^{(i)})$
     \end{itemize}
     Now the customer can compute her new coin key pair
      $C^{(i)} := \left(c_s^{(i)}, C_p^{(i)}\right)$
@@ -1251,13 +1251,13 @@ data being committed to disk are represented in between $\langle\rangle$.
   \item[$\vec{b}$]{Vector of $b^{(i)}$}
   \item[$B^{(i)}$]{Blinding of $C_p^{(i)}$}
   \item[$\vec{B}$]{Vector of $B^{(i)}$}
-  \item[$L_i$]{Link secret derived from ECDH operation via hashing}
-%  \item[$E_{L_i}()$]{Symmetric encryption using key $L_i$}
+  \item[$L^{(i)}$]{Link secret derived from ECDH operation via hashing}
+%  \item[$E_{L^{(i)}}()$]{Symmetric encryption using key $L^{(i)}$}
 %  \item[$E^{(i)}$]{$i$-th encryption of the private information $(c_s^{(i)}, b_i)$}
 %  \item[$\vec{E}$]{Vector of $E^{(i)}$}
   \item[$\cal{R}$]{Tuple of revealed vectors in cut-and-choose protocol,
     where the vectors exclude the selected index $\gamma$}
-  \item[$\overline{L_i}$]{Link secrets derived by the verifier from DH}
+  \item[$\overline{L^{(i)}}$]{Link secrets derived by the verifier from DH}
   \item[$\overline{B^{(i)}}$]{Blinded values derived by the verifier}
   \item[$\overline{T_p^{(i)}}$]{Public transfer keys derived by the verifier from revealed private keys}
   \item[$\overline{c_s^{(i)}}$]{Private keys obtained from decryption by the verifier}