| field | value | date |
|---|---|---|
| author | Jeffrey Burdges <burdges@gnunet.org> | 2017-11-22 16:59:58 +0100 |
| committer | Jeffrey Burdges <burdges@gnunet.org> | 2017-11-22 16:59:58 +0100 |
| commit | b43712ffae063a93b37efb9a42c62cbf70cc63da (patch) | |
| tree | 712371c22a4e229cc15aca3a2d52d70e86936a56 /games/games.tex | |
| parent | 9429d7b4761cb7a079b80877d8f94006fc65070a (diff) | |
| download | papers-b43712ffae063a93b37efb9a42c62cbf70cc63da.tar.gz papers-b43712ffae063a93b37efb9a42c62cbf70cc63da.tar.bz2 papers-b43712ffae063a93b37efb9a42c62cbf70cc63da.zip | |
Experiment with _X notation for oracles
Diffstat (limited to 'games/games.tex')
-rw-r--r-- | games/games.tex | 71 |
1 files changed, 40 insertions, 31 deletions
diff --git a/games/games.tex b/games/games.tex index 3628a44..bc39709 100644 --- a/games/games.tex +++ b/games/games.tex 
@@ -95,35 +95,42 @@ We define the following oracles: \begin{itemize} \item $\ora{AddClient}()$: Creates a new client, sets $countWithdraw$ for the client to $0$, sets $wallet[pkClient] := \{\}$. - Returns the public key of the client. + Returns the reserve public key of the client. - \item $\ora{WithdrawAsUser}(pkClient)$: Do a withdraw from the perspective of a user. The adversary - controls the user, the simulator the exchange. + \item $\ora{Withdraw}_X(pkClient)$ for $X \in \{\mathrm{W},\mathrm{E}\}$: + Do a withdraw from the perspective of either the wallet ($\mathrm{W}$) + or the exchange ($\mathrm{E}$), meaning the adversary controls the user's + wallet and the simulator controls the exchange, or via versa respectively. - \item $\ora{WithdrawAsExchange}(pkClient)$: Do a withdraw from the perspective of a exchange. The adversary - controls the exchange, the user is simulated. - - \item $\ora{RefreshAsUser}$ Do a withdraw from the perspective of a user, i.e. the adversary sends messages that the user would send. - - The adversary obtains the protocol transcript from the \algo{Refresh} protocol. - - \item $\ora{RefreshAsExchange}$ Do a withdraw from the perspective of the exchange, i.e. the adversary sends messages that the exchange would send. - - The adversary obtains the protocol transcript from the \algo{Refresh} protocol. + \item $\ora{Refresh}_X(pkClient)$ for $X \in \{\mathrm{W},\mathrm{E}\}$: + Do a withdraw from the perspective of either the wallet ($\mathrm{W}$) + or the exchange ($\mathrm{E}$), meaning the adversary controls the user's + wallet and the simulator controls the exchange, or via versa respectively. \item $\ora{Spend}(contractHash, pkSpender, pkCoin, pkReceiver)$ Make a customer sign a deposit permission. Returns the deposit permission on success, or $\bot$ if the $skSpender$ does not have enough coins. \item $\ora{Share}(pkSender, pkReceiver)$: - Shares one random, previously unshared coin in the wallet of $pkSender$ with $pkReceiver$. 
+ \comment{Is random sufficent here?} \item $\ora{CorruptClient}(pkClient)$: - - Used by the adversary to corrupt a client. Marks the client as corrupted and gives the adversary the - client's private key, wallet and signed contract hashes. + Used by the adversary to corrupt a client. Marks the client as + corrupted and gives the adversary the client's private key, wallet + signed contract hashes, and protocol transcripts. \end{itemize} +As usual, the adversary obtains the protocol transcript from the parties it controls. +\comment{What does the wallet refresh oracle do with a non-corrupt user?} + +For $X \in \{\mathrm{W},\mathrm{E}\}$, +we let $\oraSet{X}$ denote access to the oracles +\ora{AddClient}, \ora{Withdraw}_X, \ora{Refresh}_X, +\ora{Spend}, \ora{Share}, and \ora{CorruptClient}. + + + + \begin{mdframed} The difference between algorithms and interactive protocols is that the ``pure'' algorithms only deal with data, while the interactive protocols @@ -153,8 +160,6 @@ since it does not give the adversary any additional power. \subsection{Anonymity} Anonymity game with adversary $\cal A$. -Let \oraSet{Anon} stand for access to the oracles \ora{AddClient}, \ora{WithdrawAsExchange}, \ora{Spend}, -\ora{RefreshAsExchange}, \ora{Share}, \ora{CorruptClient} \bigskip \noindent $\mathit{Exp}_{\cal A}^{anon}(1^\lambda, \kappa)$: 
@@ -165,7 +170,7 @@ Let \oraSet{Anon} stand for access to the oracles \ora{AddClient}, \ora{Withdraw Our adversary controls the exchange and a merchant. \comment{Note that this only means that $\cal A$ has the exchange secret key, it does not automatically receive transcripts and it does not have access to any exchange data structures \textit{unless} indicated by the oracles} - \item $(\V{pkU}_0, \V{pkU}_1, \V{contract}_0, \V{contract}_1) \leftarrow {\cal A}^{\oraSet{Anon}}()$ \\ + \item $(\V{pkU}_0, \V{pkU}_1, \V{contract}_0, \V{contract}_1) \leftarrow {\cal A}^{\oraSet{W}}()$ \\ Our adversary creates two users and two contract, along with some coins open which it calls oracles freely. \item Return 0 either if $\V{pkU}_1$ or $\V{pkU}_2$ are not distinct @@ -188,14 +193,14 @@ Let \oraSet{Anon} stand for access to the oracles \ora{AddClient}, \ora{Withdraw \item $\algo{Deposit}(\prt{E}(\V{skE}, \V{pkE}), {\cal A}(dp_1))$, \\ $\algo{Deposit}(\prt{E}(\V{skE}, \V{pkE}), {\cal A}(dp_2))$ \\ Deposit these two coins with the adversary controlled merchant. - \item $b' \leftarrow {\cal A}^{\oraSet{Anon}}()$ + \item $b' \leftarrow {\cal A}^{\oraSet{W}}()$ \comment{Ask adversary to find out mapping between users and contracts as determined by $b$} \item Let $\cal U \supseteq \{ \V{pkU}_1, \V{pkU}_2 \}$ consist of the users who know, or could learn through linking, either $\V{skC}_0$ or $\V{skC}_1$, aka these coin's {\em ownership set}. Return 0 if $\cal U$ contains either any user corrupted by $\cal A$ or any user who ran the linking protocol. - \comment{TODO: Add linking protocol to \oraSet{Anon}, but simplify this text if the linking protocol can be restricted to corrupted users} + \comment{TODO: Add linking protocol to \oraSet{W}, but simplify this text if the linking protocol can be restricted to corrupted users} \item if $b = b'$ return 1, otherwise return 0 \end{enumerate} 
@@ -210,7 +215,7 @@ We prove the stronger anonymity game that replaces lines 2,3, and 5 with these two lines. \begin{enumerate} \setlength\itemsep{0em} - \item[2] $(P_0, P_1, \V{contract}_0, \V{contract}_1) \leftarrow {\cal A}^{\oraSet{Anon}}()$ \\ + \item[2] $(P_0, P_1, \V{contract}_0, \V{contract}_1) \leftarrow {\cal A}^{\oraSet{W}}()$ \\ Our adversary invokes oracles to create users, as well as create and manipulate their coins. It singles out two coin creating invokations, either withdrawals @@ -264,8 +269,10 @@ allowing them to talk to themselves does not make sense. \subsection{Fairness} Intuition: Adversary wins if a non-corrupted user can't obtain a proof-of-spending or unlinkable change. -Let \oraSet{Fair} stand for access to the oracles \ora{AddClient}, \ora{WithdrawAsExchange}, \ora{Spend}, -\ora{RefreshAsExchange}, \ora{Share}, \ora{CorruptClient} +Let \oraSet{Fair} stand for access to the oracles .. +% \ora{AddClient}, \ora{Withdraw}_{\mathrm{W}}, \ora{Spend}, +% \ora{Refresh}_{\mathrm{W}}, \ora{Share}, \ora{CorruptClient} + \bigskip \noindent $\mathit{Exp}_{\cal A}^{fair}(1^\lambda, \kappa)$: @@ -289,8 +296,9 @@ Let \oraSet{Fair} stand for access to the oracles \ora{AddClient}, \ora{Withdraw \subsection{Unforgability} % Exculpability? -Let \oraSet{Forge} stand for access to the oracles \ora{AddClient}, \ora{WithdrawAsExchange}, \ora{Spend}, -\ora{RefreshAsExchange}, \ora{Share}, \ora{CorruptClient} ??? +% Let \oraSet{Forge} stand for access to the oracles +% \ora{AddClient}, \ora{Withdraw}_{\mathrm{W}}, \ora{Spend}, +% \ora{Refresh}_{\mathrm{W}}, \ora{Share}, \ora{CorruptClient} ??? \bigskip \noindent $\mathit{Exp}_{\cal A}^{forge}(1^\lambda, \kappa)$: 
@@ -298,7 +306,7 @@ Let \oraSet{Forge} stand for access to the oracles \ora{AddClient}, \ora{Withdra \begin{enumerate} \setlength\itemsep{0em} \item $(skE, pkE) \leftarrow \mathrm{EKeygen}()$ - \item $(C_0, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{Forge}}(pkExchange)$ + \item $(C_0, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{W?}}(pkExchange)$ \item Our adversary wins if they made at most $\ell$ withdrawals but $C_0, \dots, C_\ell$ are all distinct valid unspent coins. \end{enumerate} @@ -308,8 +316,9 @@ Let \oraSet{Forge} stand for access to the oracles \ora{AddClient}, \ora{Withdra \subsection{Income Transparency} Intuition: Adversary wins if money is in exclusive control of corrupted players but the exchange has no record of withdrawal or spending for it. -Let \oraSet{Income} stand for access to the oracles \ora{AddClient}, \ora{WithdrawAsExchange}, \ora{Spend}, -\ora{RefreshAsExchange}, \ora{Share}, \ora{CorruptClient} +% Let \oraSet{Income} stand for access to the oracles +% \ora{AddClient}, \ora{Withdraw}_{\mathrm{W}}, \ora{Spend}, +% \ora{Refresh}_{\mathrm{W}}, \ora{Share}, \ora{CorruptClient} \bigskip \noindent $\mathit{Exp}_{\cal A}^{income}(1^\lambda, \kappa)$: @@ -317,7 +326,7 @@ Let \oraSet{Income} stand for access to the oracles \ora{AddClient}, \ora{Withdr \begin{enumerate} \setlength\itemsep{0em} \item $(skE, pkE) \leftarrow \mathrm{EKeygen}()$ - \item $(C_1, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{Income}}(pkExchange)$ + \item $(C_1, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{W?}}(pkExchange)$ \item Augment the wallets of all non-corrupted users with their transitive closure using the \algo{Link} protocol. Mark all coins in wallets of non-corrupted users as spent. |
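Review bot: In the first hunk (@@ -95,35 +95,42 @@) the new `\ora{Refresh}_X` item is a copy of the `\ora{Withdraw}_X` item and still reads "Do a withdraw"; it should say "Do a refresh", and since the removed text explicitly gave the adversary the `\algo{Refresh}` transcript, the new blanket sentence "As usual, the adversary obtains the protocol transcript from the parties it controls" should be checked against that. In the new `\oraSet{X}` paragraph the subscripts in `\ora{Withdraw}_X, \ora{Refresh}_X,` are outside math mode, which LaTeX rejects with "Missing $ inserted" unless `\ora` leaves math mode open; write them as `$\ora{Withdraw}_X$, $\ora{Refresh}_X$` the way the `\item` lines do. The `\ora{Share}` item has lost its only descriptive sentence ("Shares one random, previously unshared coin in the wallet of $pkSender$ with $pkReceiver$.") and now consists solely of `\comment{Is random sufficent here?}`, so the oracle is undefined in the compiled text; keep the sentence and attach the comment to it. Spelling and punctuation in the added lines: "via versa" should be "vice versa" (twice), "sufficent" should be "sufficient", and "private key, wallet signed contract hashes" needs a comma after "wallet".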
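Review bot: In the second hunk (@@ -153,8 +160,6 @@) dropping the `\oraSet{Anon}` definition is fine, but the set that replaces it elsewhere, `\oraSet{W}`, does not match what was removed: the old set gave the adversary `\ora{WithdrawAsExchange}` and `\ora{RefreshAsExchange}` (the adversary controls the exchange, which the game's own line "Our adversary controls the exchange and a merchant" confirms), whereas the new definition in the first hunk says X = W means the adversary controls the user's wallet and the simulator the exchange. Either the anonymity game should use `\oraSet{E}`, or the W/E mapping in the `\ora{Withdraw}_X` definition is inverted; the commented-out lists in the later Fairness and Unforgability hunks map `WithdrawAsExchange` to `\ora{Withdraw}_{\mathrm{W}}`, which suggests the definition is the side that is wrong. Pick one reading and apply it consistently.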
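Review bot: In the hunk at @@ -165,7 +170,7 @@ the `{\cal A}^{\oraSet{W}}()` substitution inherits the W-versus-E question raised above; given the surrounding text says the adversary controls the exchange, `\oraSet{E}` is what the new definition actually denotes for this game. While editing this line, the context beneath it has "two users and two contract" (should be "contracts") and "coins open which it calls oracles freely" reads as garbled, and the next item returns 0 "if $\V{pkU}_1$ or $\V{pkU}_2$ are not distinct" although the item above binds $\V{pkU}_0, \V{pkU}_1$.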
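Review bot: In the hunk at @@ -188,14 +193,14 @@ the updated TODO says to add the linking protocol to `\oraSet{W}`, but `\oraSet{X}` is now defined generically for $X \in \{\mathrm{W},\mathrm{E}\}$, so a Link oracle belongs in that generic definition (with its own $_X$ subscript if the adversary's role matters), not in one instantiation. The `b' \leftarrow {\cal A}^{\oraSet{W}}()` line must use the same subscript as the earlier `{\cal A}` call in this game. In the unchanged context, the ownership set is written as `\cal U \supseteq \{ \V{pkU}_1, \V{pkU}_2 \}` while the game created $\V{pkU}_0, \V{pkU}_1$ and the coins are $\V{skC}_0, \V{skC}_1$; the indices should be aligned.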
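Review bot: In the hunk at @@ -210,7 +215,7 @@ this item replaces line 2 of the main anonymity game, so its oracle set must stay identical to the one used there; if the main game is switched to `\oraSet{E}`, this `{\cal A}^{\oraSet{W}}()` has to follow. The context line has "invokations", which should be "invocations".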
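Review bot: In the Fairness hunk (@@ -264,8 +269,10 @@) the new line "Let \oraSet{Fair} stand for access to the oracles .." is typeset as-is, leaving a dangling sentence ending in two dots, and because the actual list is commented out `\oraSet{Fair}` is never defined for the reader even though the experiment below it presumably still refers to it. Either delete the sentence and write the fairness game in terms of the generic `\oraSet{W}`/`\oraSet{E}` as was done for anonymity, or keep a complete definition. The commented-out list maps the old `\ora{WithdrawAsExchange}` to `\ora{Withdraw}_{\mathrm{W}}`, which under the new definition is the wallet side; the intuition line ("a non-corrupted user can't obtain a proof-of-spending or unlinkable change") describes an adversarial exchange, i.e. `\oraSet{E}` under the new definition.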
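Review bot: In the Unforgability hunk (@@ -289,8 +296,9 @@) commenting out the whole `\oraSet{Forge}` definition leaves the section with no stated oracle set while the experiment in the next hunk uses the placeholder `\oraSet{W?}`; resolve the "???" before merging instead of carrying both a commented-out list and a placeholder. The heading itself still reads "Unforgability"; the usual spelling is "Unforgeability".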
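Review bot: In the hunk at @@ -298,7 +306,7 @@ `\oraSet{W?}` is a placeholder that will be typeset literally as "W?" inside the experiment. Under the new definition (X = W: the adversary controls the wallet, the simulator the exchange) W is the right choice here, since the adversary wins by producing $\ell + 1$ distinct valid unspent coins after at most $\ell$ withdrawals from an honestly simulated exchange; use `\oraSet{W}` and drop the question mark. The argument `pkExchange` is also inconsistent with `pkE` bound on the line above it.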
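Review bot: In the Income Transparency hunk (@@ -308,8 +316,9 @@) the `\oraSet{Income}` definition is commented out rather than replaced, so this experiment too has no defined oracle set. The intuition line (money under exclusive control of corrupted players while the exchange holds no record of it) describes an honest exchange facing corrupted wallets, i.e. `\oraSet{W}` under the new definition, so the commented list can simply be deleted and the generic set used.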
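Review bot: In the last hunk (@@ -317,7 +326,7 @@) `\oraSet{W?}` is the same placeholder as in the unforgeability experiment and needs the same fix (`\oraSet{W}`, and `pkE` rather than `pkExchange` to match line 1). The coins are indexed $C_1, \dots, C_\ell$ here but $C_0, \dots, C_\ell$ in the unforgeability game; worth aligning the two, or stating why they differ.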