authorJeffrey Burdges <burdges@gnunet.org>2017-11-22 17:00:40 +0100
committerJeffrey Burdges <burdges@gnunet.org>2017-11-22 17:00:40 +0100
commit7c27de2ef1979a4f955d53bf4dd3c683590367fa (patch)
tree5286aee4cc5e94baf240ae6a338b783b85833d39 /games/games.tex
parentb43712ffae063a93b37efb9a42c62cbf70cc63da (diff)
Revert "Experement with _X notation for oracles"
This reverts commit b43712ffae063a93b37efb9a42c62cbf70cc63da.
Diffstat (limited to 'games/games.tex')
-rw-r--r--games/games.tex71
1 files changed, 31 insertions, 40 deletions
diff --git a/games/games.tex b/games/games.tex
index bc39709..3628a44 100644
--- a/games/games.tex
+++ b/games/games.tex
@@ -95,41 +95,34 @@ We define the following oracles:
\begin{itemize}
\item $\ora{AddClient}()$:
Creates a new client, sets $countWithdraw$ for the client to $0$, sets $wallet[pkClient] := \{\}$.
- Returns the reserve public key of the client.
+ Returns the public key of the client.
- \item $\ora{Withdraw}_X(pkClient)$ for $X \in \{\mathrm{W},\mathrm{E}\}$:
- Do a withdraw from the perspective of either the wallet ($\mathrm{W}$)
- or the exchange ($\mathrm{E}$), meaning the adversary controls the user's
- wallet and the simulator controls the exchange, or via versa respectively.
+ \item $\ora{WithdrawAsUser}(pkClient)$: Do a withdraw from the perspective of a user. The adversary
+ controls the user, the simulator the exchange.
- \item $\ora{Refresh}_X(pkClient)$ for $X \in \{\mathrm{W},\mathrm{E}\}$:
- Do a withdraw from the perspective of either the wallet ($\mathrm{W}$)
- or the exchange ($\mathrm{E}$), meaning the adversary controls the user's
- wallet and the simulator controls the exchange, or via versa respectively.
+ \item $\ora{WithdrawAsExchange}(pkClient)$: Do a withdraw from the perspective of a exchange. The adversary
+ controls the exchange, the user is simulated.
+
+ \item $\ora{RefreshAsUser}$ Do a withdraw from the perspective of a user, i.e. the adversary sends messages that the user would send.
+
+ The adversary obtains the protocol transcript from the \algo{Refresh} protocol.
+
+ \item $\ora{RefreshAsExchange}$ Do a withdraw from the perspective of the exchange, i.e. the adversary sends messages that the exchange would send.
+
+ The adversary obtains the protocol transcript from the \algo{Refresh} protocol.
\item $\ora{Spend}(contractHash, pkSpender, pkCoin, pkReceiver)$
Make a customer sign a deposit permission. Returns the deposit permission on success, or $\bot$ if the $skSpender$ does not have enough coins.
\item $\ora{Share}(pkSender, pkReceiver)$:
+
Shares one random, previously unshared coin in the wallet of $pkSender$ with $pkReceiver$.
- \comment{Is random sufficent here?}
\item $\ora{CorruptClient}(pkClient)$:
- Used by the adversary to corrupt a client. Marks the client as
- corrupted and gives the adversary the client's private key, wallet
- signed contract hashes, and protocol transcripts.
-\end{itemize}
-
-As usual, the adversary obtains the protocol transcript from the parties it controls.
-\comment{What does the wallet refresh oracle do with a non-corrupt user?}
-
-For $X \in \{\mathrm{W},\mathrm{E}\}$,
-we let $\oraSet{X}$ denote access to the oracles
-\ora{AddClient}, \ora{Withdraw}_X, \ora{Refresh}_X,
-\ora{Spend}, \ora{Share}, and \ora{CorruptClient}.
-
-
+ Used by the adversary to corrupt a client. Marks the client as corrupted and gives the adversary the
+ client's private key, wallet and signed contract hashes.
+\end{itemize}
\begin{mdframed}
The difference between algorithms and interactive protocols
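Review bot: The new \ora{RefreshAsUser} and \ora{RefreshAsExchange} items both read "Do a withdraw", which looks copied from the Withdraw items, and they drop the `(pkClient)` argument and the colon that the neighbouring items carry. I would write `\item $\ora{RefreshAsUser}(pkClient)$: Do a refresh from the perspective of a user, \dots` with the matching line for the exchange, and fix "a exchange" to "an exchange" in the \ora{WithdrawAsExchange} item. Separately, only the two Refresh items now state that the adversary obtains the protocol transcript: the Withdraw items say nothing about it, and \ora{CorruptClient} no longer lists transcripts. The adversary's view is therefore specified unevenly across oracles, and since the games below are defined over that view, one sentence after the list stating the transcript rule for every oracle would close the gap.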
@@ -160,6 +153,8 @@ since it does not give the adversary any additional power.
\subsection{Anonymity}
Anonymity game with adversary $\cal A$.
+Let \oraSet{Anon} stand for access to the oracles \ora{AddClient}, \ora{WithdrawAsExchange}, \ora{Spend},
+\ora{RefreshAsExchange}, \ora{Share}, \ora{CorruptClient}
\bigskip
\noindent $\mathit{Exp}_{\cal A}^{anon}(1^\lambda, \kappa)$:
@@ -170,7 +165,7 @@ Anonymity game with adversary $\cal A$.
Our adversary controls the exchange and a merchant.
\comment{Note that this only means that $\cal A$ has the exchange secret key, it
does not automatically receive transcripts and it does not have access to any exchange data structures \textit{unless} indicated by the oracles}
- \item $(\V{pkU}_0, \V{pkU}_1, \V{contract}_0, \V{contract}_1) \leftarrow {\cal A}^{\oraSet{W}}()$ \\
+ \item $(\V{pkU}_0, \V{pkU}_1, \V{contract}_0, \V{contract}_1) \leftarrow {\cal A}^{\oraSet{Anon}}()$ \\
Our adversary creates two users and two contract,
along with some coins open which it calls oracles freely.
\item Return 0 either if $\V{pkU}_1$ or $\V{pkU}_2$ are not distinct
@@ -193,14 +188,14 @@ Anonymity game with adversary $\cal A$.
\item $\algo{Deposit}(\prt{E}(\V{skE}, \V{pkE}), {\cal A}(dp_1))$, \\
$\algo{Deposit}(\prt{E}(\V{skE}, \V{pkE}), {\cal A}(dp_2))$ \\
Deposit these two coins with the adversary controlled merchant.
- \item $b' \leftarrow {\cal A}^{\oraSet{W}}()$
+ \item $b' \leftarrow {\cal A}^{\oraSet{Anon}}()$
\comment{Ask adversary to find out mapping between users and contracts as determined by $b$}
\item Let $\cal U \supseteq \{ \V{pkU}_1, \V{pkU}_2 \}$ consist
of the users who know, or could learn through linking, either
$\V{skC}_0$ or $\V{skC}_1$, aka these coin's {\em ownership set}.
Return 0 if $\cal U$ contains either any user corrupted by $\cal A$
or any user who ran the linking protocol.
- \comment{TODO: Add linking protocol to \oraSet{W}, but simplify this text if the linking protocol can be restricted to corrupted users}
+ \comment{TODO: Add linking protocol to \oraSet{Anon}, but simplify this text if the linking protocol can be restricted to corrupted users}
\item if $b = b'$ return 1, otherwise return 0
\end{enumerate}
@@ -215,7 +210,7 @@ We prove the stronger anonymity game that replaces lines 2,3, and 5
with these two lines.
\begin{enumerate}
\setlength\itemsep{0em}
- \item[2] $(P_0, P_1, \V{contract}_0, \V{contract}_1) \leftarrow {\cal A}^{\oraSet{W}}()$ \\
+ \item[2] $(P_0, P_1, \V{contract}_0, \V{contract}_1) \leftarrow {\cal A}^{\oraSet{Anon}}()$ \\
Our adversary invokes oracles to create users, as well as
create and manipulate their coins.
It singles out two coin creating invokations, either withdrawals
@@ -269,10 +264,8 @@ allowing them to talk to themselves does not make sense.
\subsection{Fairness}
Intuition: Adversary wins if a non-corrupted user can't obtain a proof-of-spending or unlinkable change.
-Let \oraSet{Fair} stand for access to the oracles ..
-% \ora{AddClient}, \ora{Withdraw}_{\mathrm{W}}, \ora{Spend},
-% \ora{Refresh}_{\mathrm{W}}, \ora{Share}, \ora{CorruptClient}
-
+Let \oraSet{Fair} stand for access to the oracles \ora{AddClient}, \ora{WithdrawAsExchange}, \ora{Spend},
+\ora{RefreshAsExchange}, \ora{Share}, \ora{CorruptClient}
\bigskip
\noindent $\mathit{Exp}_{\cal A}^{fair}(1^\lambda, \kappa)$:
@@ -296,9 +289,8 @@ Let \oraSet{Fair} stand for access to the oracles ..
\subsection{Unforgability} % Exculpability?
-% Let \oraSet{Forge} stand for access to the oracles
-% \ora{AddClient}, \ora{Withdraw}_{\mathrm{W}}, \ora{Spend},
-% \ora{Refresh}_{\mathrm{W}}, \ora{Share}, \ora{CorruptClient} ???
+Let \oraSet{Forge} stand for access to the oracles \ora{AddClient}, \ora{WithdrawAsExchange}, \ora{Spend},
+\ora{RefreshAsExchange}, \ora{Share}, \ora{CorruptClient} ???
\bigskip
\noindent $\mathit{Exp}_{\cal A}^{forge}(1^\lambda, \kappa)$:
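Review bot: \oraSet{Forge} is defined here with \ora{WithdrawAsExchange} and \ora{RefreshAsExchange}, yet the game in the next hunk has the challenger run EKeygen and hand the adversary only `pkExchange`, so the exchange appears to be the simulated party. By the oracle definitions earlier in the file that would call for the user-side oracles, `\ora{WithdrawAsUser}` and `\ora{RefreshAsUser}`; as written the adversary is asked to play an exchange whose secret key it does not hold, and the win condition's "at most $\ell$ withdrawals" has nothing of the adversary's to count. The same list is pasted into \oraSet{Income} in the following section, where the intuition line suggests the exchange is likewise honest, so the same question applies there; \oraSet{Fair} may be correct, but its game body lies outside the hunk. Also, the trailing `???` used to sit inside a `%` comment and is now body text that will be typeset; wrap it as `\comment{???}` or resolve it.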
@@ -306,7 +298,7 @@ Let \oraSet{Fair} stand for access to the oracles ..
\begin{enumerate}
\setlength\itemsep{0em}
\item $(skE, pkE) \leftarrow \mathrm{EKeygen}()$
- \item $(C_0, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{W?}}(pkExchange)$
+ \item $(C_0, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{Forge}}(pkExchange)$
\item Our adversary wins if they made at most $\ell$ withdrawals
but $C_0, \dots, C_\ell$ are all distinct valid unspent coins.
\end{enumerate}
@@ -316,9 +308,8 @@ Let \oraSet{Fair} stand for access to the oracles ..
\subsection{Income Transparency}
Intuition: Adversary wins if money is in exclusive control of corrupted players but the exchange has no record of withdrawal or spending for it.
-% Let \oraSet{Income} stand for access to the oracles
-% \ora{AddClient}, \ora{Withdraw}_{\mathrm{W}}, \ora{Spend},
-% \ora{Refresh}_{\mathrm{W}}, \ora{Share}, \ora{CorruptClient}
+Let \oraSet{Income} stand for access to the oracles \ora{AddClient}, \ora{WithdrawAsExchange}, \ora{Spend},
+\ora{RefreshAsExchange}, \ora{Share}, \ora{CorruptClient}
\bigskip
\noindent $\mathit{Exp}_{\cal A}^{income}(1^\lambda, \kappa)$:
@@ -326,7 +317,7 @@ Intuition: Adversary wins if money is in exclusive control of corrupted players
\begin{enumerate}
\setlength\itemsep{0em}
\item $(skE, pkE) \leftarrow \mathrm{EKeygen}()$
- \item $(C_1, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{W?}}(pkExchange)$
+ \item $(C_1, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{Income}}(pkExchange)$
\item Augment the wallets of all non-corrupted users with their
transitive closure using the \algo{Link} protocol.
Mark all coins in wallets of non-corrupted users as spent.