| field | value | date |
|---|---|---|
| author | Jeffrey Burdges <burdges@gnunet.org> | 2017-11-22 17:00:40 +0100 |
| committer | Jeffrey Burdges <burdges@gnunet.org> | 2017-11-22 17:00:40 +0100 |
| commit | 7c27de2ef1979a4f955d53bf4dd3c683590367fa (patch) | |
| tree | 5286aee4cc5e94baf240ae6a338b783b85833d39 /games/games.tex | |
| parent | b43712ffae063a93b37efb9a42c62cbf70cc63da (diff) | |
| download | papers-7c27de2ef1979a4f955d53bf4dd3c683590367fa.tar.gz, papers-7c27de2ef1979a4f955d53bf4dd3c683590367fa.tar.bz2, papers-7c27de2ef1979a4f955d53bf4dd3c683590367fa.zip | |
Revert "Experement with _X notation for oracles"
This reverts commit b43712ffae063a93b37efb9a42c62cbf70cc63da.
Diffstat (limited to 'games/games.tex')
-rw-r--r-- | games/games.tex | 71 |
1 files changed, 31 insertions, 40 deletions
diff --git a/games/games.tex b/games/games.tex index bc39709..3628a44 100644 --- a/games/games.tex +++ b/games/games.tex 
@@ -95,41 +95,34 @@ We define the following oracles: \begin{itemize} \item $\ora{AddClient}()$: Creates a new client, sets $countWithdraw$ for the client to $0$, sets $wallet[pkClient] := \{\}$. - Returns the reserve public key of the client. + Returns the public key of the client. - \item $\ora{Withdraw}_X(pkClient)$ for $X \in \{\mathrm{W},\mathrm{E}\}$: - Do a withdraw from the perspective of either the wallet ($\mathrm{W}$) - or the exchange ($\mathrm{E}$), meaning the adversary controls the user's - wallet and the simulator controls the exchange, or via versa respectively. + \item $\ora{WithdrawAsUser}(pkClient)$: Do a withdraw from the perspective of a user. The adversary + controls the user, the simulator the exchange. - \item $\ora{Refresh}_X(pkClient)$ for $X \in \{\mathrm{W},\mathrm{E}\}$: - Do a withdraw from the perspective of either the wallet ($\mathrm{W}$) - or the exchange ($\mathrm{E}$), meaning the adversary controls the user's - wallet and the simulator controls the exchange, or via versa respectively. + \item $\ora{WithdrawAsExchange}(pkClient)$: Do a withdraw from the perspective of a exchange. The adversary + controls the exchange, the user is simulated. + + \item $\ora{RefreshAsUser}$ Do a withdraw from the perspective of a user, i.e. the adversary sends messages that the user would send. + + The adversary obtains the protocol transcript from the \algo{Refresh} protocol. + + \item $\ora{RefreshAsExchange}$ Do a withdraw from the perspective of the exchange, i.e. the adversary sends messages that the exchange would send. + + The adversary obtains the protocol transcript from the \algo{Refresh} protocol. \item $\ora{Spend}(contractHash, pkSpender, pkCoin, pkReceiver)$ Make a customer sign a deposit permission. Returns the deposit permission on success, or $\bot$ if the $skSpender$ does not have enough coins. \item $\ora{Share}(pkSender, pkReceiver)$: + Shares one random, previously unshared coin in the wallet of $pkSender$ with $pkReceiver$. 
- \comment{Is random sufficent here?} \item $\ora{CorruptClient}(pkClient)$: - Used by the adversary to corrupt a client. Marks the client as - corrupted and gives the adversary the client's private key, wallet - signed contract hashes, and protocol transcripts. -\end{itemize} - -As usual, the adversary obtains the protocol transcript from the parties it controls. -\comment{What does the wallet refresh oracle do with a non-corrupt user?} - -For $X \in \{\mathrm{W},\mathrm{E}\}$, -we let $\oraSet{X}$ denote access to the oracles -\ora{AddClient}, \ora{Withdraw}_X, \ora{Refresh}_X, -\ora{Spend}, \ora{Share}, and \ora{CorruptClient}. - - + Used by the adversary to corrupt a client. Marks the client as corrupted and gives the adversary the + client's private key, wallet and signed contract hashes. +\end{itemize} \begin{mdframed} The difference between algorithms and interactive protocols @@ -160,6 +153,8 @@ since it does not give the adversary any additional power. \subsection{Anonymity} Anonymity game with adversary $\cal A$. +Let \oraSet{Anon} stand for access to the oracles \ora{AddClient}, \ora{WithdrawAsExchange}, \ora{Spend}, +\ora{RefreshAsExchange}, \ora{Share}, \ora{CorruptClient} \bigskip \noindent $\mathit{Exp}_{\cal A}^{anon}(1^\lambda, \kappa)$: @@ -170,7 +165,7 @@ Anonymity game with adversary $\cal A$. Our adversary controls the exchange and a merchant. \comment{Note that this only means that $\cal A$ has the exchange secret key, it does not automatically receive transcripts and it does not have access to any exchange data structures \textit{unless} indicated by the oracles} - \item $(\V{pkU}_0, \V{pkU}_1, \V{contract}_0, \V{contract}_1) \leftarrow {\cal A}^{\oraSet{W}}()$ \\ + \item $(\V{pkU}_0, \V{pkU}_1, \V{contract}_0, \V{contract}_1) \leftarrow {\cal A}^{\oraSet{Anon}}()$ \\ Our adversary creates two users and two contract, along with some coins open which it calls oracles freely. \item Return 0 either if $\V{pkU}_1$ or $\V{pkU}_2$ are not distinct 
@@ -193,14 +188,14 @@ Anonymity game with adversary $\cal A$. \item $\algo{Deposit}(\prt{E}(\V{skE}, \V{pkE}), {\cal A}(dp_1))$, \\ $\algo{Deposit}(\prt{E}(\V{skE}, \V{pkE}), {\cal A}(dp_2))$ \\ Deposit these two coins with the adversary controlled merchant. - \item $b' \leftarrow {\cal A}^{\oraSet{W}}()$ + \item $b' \leftarrow {\cal A}^{\oraSet{Anon}}()$ \comment{Ask adversary to find out mapping between users and contracts as determined by $b$} \item Let $\cal U \supseteq \{ \V{pkU}_1, \V{pkU}_2 \}$ consist of the users who know, or could learn through linking, either $\V{skC}_0$ or $\V{skC}_1$, aka these coin's {\em ownership set}. Return 0 if $\cal U$ contains either any user corrupted by $\cal A$ or any user who ran the linking protocol. - \comment{TODO: Add linking protocol to \oraSet{W}, but simplify this text if the linking protocol can be restricted to corrupted users} + \comment{TODO: Add linking protocol to \oraSet{Anon}, but simplify this text if the linking protocol can be restricted to corrupted users} \item if $b = b'$ return 1, otherwise return 0 \end{enumerate} @@ -215,7 +210,7 @@ We prove the stronger anonymity game that replaces lines 2,3, and 5 with these two lines. \begin{enumerate} \setlength\itemsep{0em} - \item[2] $(P_0, P_1, \V{contract}_0, \V{contract}_1) \leftarrow {\cal A}^{\oraSet{W}}()$ \\ + \item[2] $(P_0, P_1, \V{contract}_0, \V{contract}_1) \leftarrow {\cal A}^{\oraSet{Anon}}()$ \\ Our adversary invokes oracles to create users, as well as create and manipulate their coins. It singles out two coin creating invokations, either withdrawals 
@@ -269,10 +264,8 @@ allowing them to talk to themselves does not make sense. \subsection{Fairness} Intuition: Adversary wins if a non-corrupted user can't obtain a proof-of-spending or unlinkable change. -Let \oraSet{Fair} stand for access to the oracles .. -% \ora{AddClient}, \ora{Withdraw}_{\mathrm{W}}, \ora{Spend}, -% \ora{Refresh}_{\mathrm{W}}, \ora{Share}, \ora{CorruptClient} - +Let \oraSet{Fair} stand for access to the oracles \ora{AddClient}, \ora{WithdrawAsExchange}, \ora{Spend}, +\ora{RefreshAsExchange}, \ora{Share}, \ora{CorruptClient} \bigskip \noindent $\mathit{Exp}_{\cal A}^{fair}(1^\lambda, \kappa)$: @@ -296,9 +289,8 @@ Let \oraSet{Fair} stand for access to the oracles .. \subsection{Unforgability} % Exculpability? -% Let \oraSet{Forge} stand for access to the oracles -% \ora{AddClient}, \ora{Withdraw}_{\mathrm{W}}, \ora{Spend}, -% \ora{Refresh}_{\mathrm{W}}, \ora{Share}, \ora{CorruptClient} ??? +Let \oraSet{Forge} stand for access to the oracles \ora{AddClient}, \ora{WithdrawAsExchange}, \ora{Spend}, +\ora{RefreshAsExchange}, \ora{Share}, \ora{CorruptClient} ??? \bigskip \noindent $\mathit{Exp}_{\cal A}^{forge}(1^\lambda, \kappa)$: @@ -306,7 +298,7 @@ Let \oraSet{Fair} stand for access to the oracles .. \begin{enumerate} \setlength\itemsep{0em} \item $(skE, pkE) \leftarrow \mathrm{EKeygen}()$ - \item $(C_0, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{W?}}(pkExchange)$ + \item $(C_0, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{Forge}}(pkExchange)$ \item Our adversary wins if they made at most $\ell$ withdrawals but $C_0, \dots, C_\ell$ are all distinct valid unspent coins. \end{enumerate} 
@@ -316,9 +308,8 @@ Let \oraSet{Fair} stand for access to the oracles .. \subsection{Income Transparency} Intuition: Adversary wins if money is in exclusive control of corrupted players but the exchange has no record of withdrawal or spending for it. -% Let \oraSet{Income} stand for access to the oracles -% \ora{AddClient}, \ora{Withdraw}_{\mathrm{W}}, \ora{Spend}, -% \ora{Refresh}_{\mathrm{W}}, \ora{Share}, \ora{CorruptClient} +Let \oraSet{Income} stand for access to the oracles \ora{AddClient}, \ora{WithdrawAsExchange}, \ora{Spend}, +\ora{RefreshAsExchange}, \ora{Share}, \ora{CorruptClient} \bigskip \noindent $\mathit{Exp}_{\cal A}^{income}(1^\lambda, \kappa)$: @@ -326,7 +317,7 @@ Intuition: Adversary wins if money is in exclusive control of corrupted players \begin{enumerate} \setlength\itemsep{0em} \item $(skE, pkE) \leftarrow \mathrm{EKeygen}()$ - \item $(C_1, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{W?}}(pkExchange)$ + \item $(C_1, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{Income}}(pkExchange)$ \item Augment the wallets of all non-corrupted users with their transitive closure using the \algo{Link} protocol. Mark all coins in wallets of non-corrupted users as spent. |
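Review bot: In the first hunk (@@ -95,41 +95,34 @@), the restored `\ora{RefreshAsUser}` and `\ora{RefreshAsExchange}` items both say "Do a withdraw" although they describe the \algo{Refresh} protocol, and unlike the other items they carry no `(pkClient)` argument and no colon after the oracle name; suggested: `\item $\ora{RefreshAsUser}(pkClient)$: Do a refresh from the perspective of a user, ...` and likewise for the exchange side, where "a exchange" should also read "an exchange". The revert additionally drops the `\comment{What does the wallet refresh oracle do with a non-corrupt user?}` line, but that question still applies to `\ora{RefreshAsUser}` invoked on a client that has not been corrupted, so it is worth keeping until the oracle text answers it.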
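Review bot: In the hunk at @@ -160,6 +153,8 @@, the added sentence `Let \oraSet{Anon} stand for access to the oracles ...` ends without a period before `\bigskip`, and the same six-oracle list is restated verbatim for \oraSet{Fair}, \oraSet{Forge} and \oraSet{Income} later in this patch; a single `\newcommand` for the shared list, with each game stating only how it differs, would keep the four definitions from drifting apart.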
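Review bot: In the hunk at @@ -170,7 +165,7 @@, the changed line has the adversary return $(\V{pkU}_0, \V{pkU}_1, \V{contract}_0, \V{contract}_1)$, but the unchanged context two lines below returns 0 if $\V{pkU}_1$ or $\V{pkU}_2$ are not distinct, so the check refers to a user that was never returned; the indices should agree (0 and 1 in both places). The context sentence "creates two users and two contract, along with some coins open which it calls oracles freely" also needs "contracts" and a rewording of "open which".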
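Review bot: In the hunk at @@ -193,14 +188,14 @@, the ownership set is written as $\cal U \supseteq \{ \V{pkU}_1, \V{pkU}_2 \}$ while the users chosen earlier in the game are $\V{pkU}_0$ and $\V{pkU}_1$, the same index mismatch as in the previous hunk. The rewritten TODO now says to add the linking protocol to \oraSet{Anon}; since this patch turns \oraSet{Anon} into an explicit list in this subsection, the linking oracle could be added to that list here rather than deferred, which would also let the "any user who ran the linking protocol" clause be expressed through the oracle instead of in prose. "these coin's ownership set" should read "these coins' ownership set".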
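Review bot: In the hunk at @@ -296,9 +289,8 @@, the restored definition of \oraSet{Forge} grants `\ora{WithdrawAsExchange}` and `\ora{RefreshAsExchange}`, i.e. the adversary plays the exchange, but the game below has the adversary make "at most $\ell$ withdrawals" and win by presenting $C_0, \dots, C_\ell$ as $\ell+1$ distinct valid unspent coins, which is the customer's role; the commented-out lines this replaces listed the wallet-side `\ora{Withdraw}_{\mathrm{W}}` and `\ora{Refresh}_{\mathrm{W}}` (the first hunk's removed definition glosses $\mathrm{W}$ as the adversary controlling the user's wallet), so the matching oracles here are `\ora{WithdrawAsUser}` and `\ora{RefreshAsUser}`. The trailing `???` is now in uncommented text and will be typeset; either resolve it or move it into `\comment{}`. The heading "Unforgability" in the context should read "Unforgeability".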
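Review bot: In the hunk at @@ -306,7 +298,7 @@, the changed line passes `pkExchange` to the adversary, but the key pair generated on the unchanged line directly above is bound as `(skE, pkE)`, so `pkExchange` is never defined in this game; use `pkE` (or rename the key pair consistently).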
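Review bot: In the hunk at @@ -316,9 +308,8 @@, \oraSet{Income} is given the exchange-side `\ora{WithdrawAsExchange}` and `\ora{RefreshAsExchange}`, while the intuition stated immediately above is that money ends up in exclusive control of corrupted players without the exchange holding a record of it; that adversary acts as users, not as the exchange, and the commented-out text being replaced listed `\ora{Withdraw}_{\mathrm{W}}` and `\ora{Refresh}_{\mathrm{W}}`, the wallet-side variants, so `\ora{WithdrawAsUser}` and `\ora{RefreshAsUser}` look like the intended oracles.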
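Review bot: In the hunk at @@ -326,7 +317,7 @@, the adversary is invoked as $\mathcal{A}^{\oraSet{Income}}(pkExchange)$, but the preceding context line generates the key pair as `(skE, pkE)`; `pkExchange` is undefined here and should be `pkE`.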