author Jeff Burdges <burdges@gnunet.org> 2018-09-18 20:10:10 +0200
committer Jeff Burdges <burdges@gnunet.org> 2018-09-18 20:10:10 +0200
commit e325d4bbd80a3f6efb37c2bad2d2d63e08f64f51 (patch)
tree eeb348b60fd3eed697445f2230904c90710a0a6e
parent 2bdeab9f99fd70a18e7581a8f85d371e1529c64c (diff)
Add more TODOs for proofs section
-rw-r--r-- taler-fc19/paper.tex | 22
1 file changed, 13 insertions, 9 deletions
diff --git a/taler-fc19/paper.tex b/taler-fc19/paper.tex
index e98a8ed..89684d6 100644
--- a/taler-fc19/paper.tex
+++ b/taler-fc19/paper.tex
@@ -1078,6 +1078,7 @@ with the generic instantiation.
\begin{theorem}
In the random oracle model, our instantiation satisfies anonymity.
\end{theorem}
+% TODO: PRF suffices
\begin{proof}
We give a proof via a sequence of games $\mathbb{G}_0(b), \mathbb{G}_1(b),
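Review bot: The new `% TODO: PRF suffices` comment sits between `\end{theorem}` and `\begin{proof}`, but the theorem statement on the line above still claims the result "in the random oracle model"; if a PRF really is sufficient, the TODO should also flag that the theorem statement (and the "sequence of games" proof opening that follows) needs to be restated for the PRF-based instantiation, otherwise the note can be resolved in the proof while the stated theorem stays weaker than intended.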
@@ -1159,6 +1160,7 @@ with the generic instantiation.
\V{pkCoin}_\gamma)$ and the execution of the blinding protocol is equivalent
under the randeom oracle to using the non-determinized algorithms
$\algo{KeyGen}_{CSK}$ and $\algo{Blind}_{BS}$.
+ % TODO: PRF suffices
By the blindness of the $\textsc{BlindSign}$ scheme, the adversary is not
able to distinguish blinded values from randomness. Thus, the adversary is
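Review bot: This second `% TODO: PRF suffices` is indented with a leading space while the identical TODO in the first hunk is flush-left; pick one form so a grep for the marker is consistent. Since this spot is being edited anyway, the context line directly above it still reads "under the randeom oracle" ("random"), and the surrounding sentence is the one that actually invokes the random oracle, so this is the place where the PRF replacement has to be argued rather than only noted.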
@@ -1218,15 +1220,15 @@ Our instantiation satisfies {unforgeability}.
\end{theorem}
\begin{proof}
-The adversary must have produced at least one coin that was not blindly signed
-by the exchange. In order to carry out a reduction from this adversary to a
-blind signature forgery, we inject the challenger's public key into one
-randomly chosen denomination. Since we do not have access to the
-corresponding secret key of the challenger, signing operations for this
-denomination are replaced with calls to the challenger's signing oracle in
-\ora{WithdrawPickup} and \ora{RefreshPickup}. For $n$ denominations, an
-adversary against the unforgeability game would produce a blind signature
-forgery with probability $1/n$.
+The adversary must have produced at least one coin that was not blindly
+signed by the exchange. %TODO: Way too fasty here, resurect the chain
+In order to carry out a reduction from this adversary to a blind signature
+forgery, we inject the challenger's public key into one randomly chosen
+denomination. Since we do not have access to the corresponding secret key
+of the challenger, signing operations for this denomination are replaced
+with calls to the challenger's signing oracle in \ora{WithdrawPickup} and
+\ora{RefreshPickup}. For $n$ denominations, an adversary against the
+unforgeability game would produce a blind signature forgery with probability $1/n$.
\end{proof}
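Review bot: The rewrap is not applied uniformly: the last `+` line, "unforgeability game would produce a blind signature forgery with probability $1/n$.", is noticeably longer than the others, and the inline `%TODO: Way too fasty here, resurect the chain` is appended to the end of the sentence line, where it depends on the single space before `%` to keep "exchange." and "In order" from being glued together (a `%` comment swallows the newline). Putting the TODO on its own line, as in the other hunks, avoids that trap and keeps the paragraph intact. On the substance the TODO already admits: the final sentence states the forgery probability as $1/n$ without reference to the adversary's own advantage, so the reduction should say the forger succeeds with probability at least $\epsilon/n$ for an adversary with advantage $\epsilon$, and should say what happens when the forged coin is of a denomination other than the one holding the challenger's key (the reduction aborts, which is where the $1/n$ loss comes from). The TODO text itself has "fasty" and "resurect" ("hasty", "resurrect").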
@@ -1257,6 +1259,8 @@ Our instantiation satisfies {weak income transparency}.
in this graph, where each refresh $R_i \in F$ either results in a coin in
exclusive control of the adversary after step \ref{game:income:spend}, or the
refresh operation does not result in a coin at all.
+ %TODO: The preceeding paragraph is basically nonsense. We need to resurect
+ % correct construction of F from games.tex
During each $R_i \in F$, the adversary must have submitted a blinded coin
and transfer public key for which the linking protocol fails to produce the
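Review bot: The added comment declares the preceding paragraph (the construction of the refresh set $F$) "basically nonsense" but leaves that paragraph in the compiled text, where a reader of the PDF sees it without the caveat; if it is known to be wrong, consider wrapping it in a `comment` environment or a visible `\todo`-style marker until the construction from `games.tex` is carried over, since `games.tex` is only referenced here and not touched by this patch. The two comment lines also use different prefixes (` %TODO:` and ` % correct`), and "preceeding" and "resurect" should read "preceding" and "resurrect".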