author Jeffrey Burdges <burdges@gnunet.org> 2017-11-22 16:59:58 +0100
committer Jeffrey Burdges <burdges@gnunet.org> 2017-11-22 16:59:58 +0100
commit b43712ffae063a93b37efb9a42c62cbf70cc63da
tree 712371c22a4e229cc15aca3a2d52d70e86936a56 /games/games.tex
parent 9429d7b4761cb7a079b80877d8f94006fc65070a
Experiment with _X notation for oracles
Diffstat (limited to 'games/games.tex')
-rw-r--r-- games/games.tex 71
1 files changed, 40 insertions, 31 deletions
diff --git a/games/games.tex b/games/games.tex
index 3628a44..bc39709 100644
--- a/games/games.tex
+++ b/games/games.tex
@@ -95,35 +95,42 @@ We define the following oracles:
\begin{itemize}
\item $\ora{AddClient}()$:
Creates a new client, sets $countWithdraw$ for the client to $0$, sets $wallet[pkClient] := \{\}$.
- Returns the public key of the client.
+ Returns the reserve public key of the client.
- \item $\ora{WithdrawAsUser}(pkClient)$: Do a withdraw from the perspective of a user. The adversary
- controls the user, the simulator the exchange.
+ \item $\ora{Withdraw}_X(pkClient)$ for $X \in \{\mathrm{W},\mathrm{E}\}$:
+ Do a withdraw from the perspective of either the wallet ($\mathrm{W}$)
+ or the exchange ($\mathrm{E}$), meaning the adversary controls the user's
+ wallet and the simulator controls the exchange, or via versa respectively.
- \item $\ora{WithdrawAsExchange}(pkClient)$: Do a withdraw from the perspective of a exchange. The adversary
- controls the exchange, the user is simulated.
-
- \item $\ora{RefreshAsUser}$ Do a withdraw from the perspective of a user, i.e. the adversary sends messages that the user would send.
-
- The adversary obtains the protocol transcript from the \algo{Refresh} protocol.
-
- \item $\ora{RefreshAsExchange}$ Do a withdraw from the perspective of the exchange, i.e. the adversary sends messages that the exchange would send.
-
- The adversary obtains the protocol transcript from the \algo{Refresh} protocol.
+ \item $\ora{Refresh}_X(pkClient)$ for $X \in \{\mathrm{W},\mathrm{E}\}$:
+ Do a withdraw from the perspective of either the wallet ($\mathrm{W}$)
+ or the exchange ($\mathrm{E}$), meaning the adversary controls the user's
+ wallet and the simulator controls the exchange, or via versa respectively.
\item $\ora{Spend}(contractHash, pkSpender, pkCoin, pkReceiver)$
Make a customer sign a deposit permission. Returns the deposit permission on success, or $\bot$ if the $skSpender$ does not have enough coins.
\item $\ora{Share}(pkSender, pkReceiver)$:
-
Shares one random, previously unshared coin in the wallet of $pkSender$ with $pkReceiver$.
+ \comment{Is random sufficent here?}
\item $\ora{CorruptClient}(pkClient)$:
-
- Used by the adversary to corrupt a client. Marks the client as corrupted and gives the adversary the
- client's private key, wallet and signed contract hashes.
+ Used by the adversary to corrupt a client. Marks the client as
+ corrupted and gives the adversary the client's private key, wallet
+ signed contract hashes, and protocol transcripts.
\end{itemize}
+As usual, the adversary obtains the protocol transcript from the parties it controls.
+\comment{What does the wallet refresh oracle do with a non-corrupt user?}
+
+For $X \in \{\mathrm{W},\mathrm{E}\}$,
+we let $\oraSet{X}$ denote access to the oracles
+\ora{AddClient}, \ora{Withdraw}_X, \ora{Refresh}_X,
+\ora{Spend}, \ora{Share}, and \ora{CorruptClient}.
+
+
+
+
\begin{mdframed}
The difference between algorithms and interactive protocols
is that the ``pure'' algorithms only deal with data, while the interactive protocols
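Review bot: The new \ora{Refresh}_X item repeats the Withdraw description verbatim, so it still reads "Do a withdraw" where it should describe a refresh; the removed RefreshAsUser and RefreshAsExchange items had the same slip, and this rewrite is the place to fix it. In the paragraph added after the list, \ora{Withdraw}_X and \ora{Refresh}_X sit outside math mode, and LaTeX rejects a bare _X subscript in text mode unless a package changes that; wrap them as $\ora{Withdraw}_X$, as the item headings do. Smaller points: "via versa" should be "vice versa" in both items, "wallet signed contract hashes" in the CorruptClient item has lost the comma after "wallet", and the run of blank lines before \begin{mdframed} can go.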
@@ -153,8 +160,6 @@ since it does not give the adversary any additional power.
\subsection{Anonymity}
Anonymity game with adversary $\cal A$.
-Let \oraSet{Anon} stand for access to the oracles \ora{AddClient}, \ora{WithdrawAsExchange}, \ora{Spend},
-\ora{RefreshAsExchange}, \ora{Share}, \ora{CorruptClient}
\bigskip
\noindent $\mathit{Exp}_{\cal A}^{anon}(1^\lambda, \kappa)$:
@@ -165,7 +170,7 @@ Let \oraSet{Anon} stand for access to the oracles \ora{AddClient}, \ora{Withdraw
Our adversary controls the exchange and a merchant.
\comment{Note that this only means that $\cal A$ has the exchange secret key, it
does not automatically receive transcripts and it does not have access to any exchange data structures \textit{unless} indicated by the oracles}
- \item $(\V{pkU}_0, \V{pkU}_1, \V{contract}_0, \V{contract}_1) \leftarrow {\cal A}^{\oraSet{Anon}}()$ \\
+ \item $(\V{pkU}_0, \V{pkU}_1, \V{contract}_0, \V{contract}_1) \leftarrow {\cal A}^{\oraSet{W}}()$ \\
Our adversary creates two users and two contract,
along with some coins open which it calls oracles freely.
\item Return 0 either if $\V{pkU}_1$ or $\V{pkU}_2$ are not distinct
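Review bot: \oraSet{W} on the changed \item looks like the wrong variant for this game. The oracle list defines W as the case where the adversary controls the user's wallet and the simulator controls the exchange, but the context line directly above states "Our adversary controls the exchange and a merchant", and the removed \oraSet{Anon} was built from WithdrawAsExchange and RefreshAsExchange. Under the new definition that corresponds to \oraSet{E}, and the same applies to the later \oraSet{W} substitutions in this game. If W is instead meant to name the simulated party, the definition in the oracle list needs to say so.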
@@ -188,14 +193,14 @@ Let \oraSet{Anon} stand for access to the oracles \ora{AddClient}, \ora{Withdraw
\item $\algo{Deposit}(\prt{E}(\V{skE}, \V{pkE}), {\cal A}(dp_1))$, \\
$\algo{Deposit}(\prt{E}(\V{skE}, \V{pkE}), {\cal A}(dp_2))$ \\
Deposit these two coins with the adversary controlled merchant.
- \item $b' \leftarrow {\cal A}^{\oraSet{Anon}}()$
+ \item $b' \leftarrow {\cal A}^{\oraSet{W}}()$
\comment{Ask adversary to find out mapping between users and contracts as determined by $b$}
\item Let $\cal U \supseteq \{ \V{pkU}_1, \V{pkU}_2 \}$ consist
of the users who know, or could learn through linking, either
$\V{skC}_0$ or $\V{skC}_1$, aka these coin's {\em ownership set}.
Return 0 if $\cal U$ contains either any user corrupted by $\cal A$
or any user who ran the linking protocol.
- \comment{TODO: Add linking protocol to \oraSet{Anon}, but simplify this text if the linking protocol can be restricted to corrupted users}
+ \comment{TODO: Add linking protocol to \oraSet{W}, but simplify this text if the linking protocol can be restricted to corrupted users}
\item if $b = b'$ return 1, otherwise return 0
\end{enumerate}
@@ -210,7 +215,7 @@ We prove the stronger anonymity game that replaces lines 2,3, and 5
with these two lines.
\begin{enumerate}
\setlength\itemsep{0em}
- \item[2] $(P_0, P_1, \V{contract}_0, \V{contract}_1) \leftarrow {\cal A}^{\oraSet{Anon}}()$ \\
+ \item[2] $(P_0, P_1, \V{contract}_0, \V{contract}_1) \leftarrow {\cal A}^{\oraSet{W}}()$ \\
Our adversary invokes oracles to create users, as well as
create and manipulate their coins.
It singles out two coin creating invokations, either withdrawals
@@ -264,8 +269,10 @@ allowing them to talk to themselves does not make sense.
\subsection{Fairness}
Intuition: Adversary wins if a non-corrupted user can't obtain a proof-of-spending or unlinkable change.
-Let \oraSet{Fair} stand for access to the oracles \ora{AddClient}, \ora{WithdrawAsExchange}, \ora{Spend},
-\ora{RefreshAsExchange}, \ora{Share}, \ora{CorruptClient}
+Let \oraSet{Fair} stand for access to the oracles ..
+% \ora{AddClient}, \ora{Withdraw}_{\mathrm{W}}, \ora{Spend},
+% \ora{Refresh}_{\mathrm{W}}, \ora{Share}, \ora{CorruptClient}
+
\bigskip
\noindent $\mathit{Exp}_{\cal A}^{fair}(1^\lambda, \kappa)$:
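Review bot: The replacement line "Let \oraSet{Fair} stand for access to the oracles .." leaves an unfinished sentence in the compiled text, with the actual list hidden behind % comments. Either delete the sentence and refer to the \oraSet{X} defined in the oracle section, or move the open question into a \comment{} as is done elsewhere in the file. The commented-out list also swaps the removed WithdrawAsExchange and RefreshAsExchange for the W variants, which the oracle list defines as the adversary controlling the wallet rather than the exchange, so the intended variant should be settled before this is uncommented.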
@@ -289,8 +296,9 @@ Let \oraSet{Fair} stand for access to the oracles \ora{AddClient}, \ora{Withdraw
\subsection{Unforgability} % Exculpability?
-Let \oraSet{Forge} stand for access to the oracles \ora{AddClient}, \ora{WithdrawAsExchange}, \ora{Spend},
-\ora{RefreshAsExchange}, \ora{Share}, \ora{CorruptClient} ???
+% Let \oraSet{Forge} stand for access to the oracles
+% \ora{AddClient}, \ora{Withdraw}_{\mathrm{W}}, \ora{Spend},
+% \ora{Refresh}_{\mathrm{W}}, \ora{Share}, \ora{CorruptClient} ???
\bigskip
\noindent $\mathit{Exp}_{\cal A}^{forge}(1^\lambda, \kappa)$:
@@ -298,7 +306,7 @@ Let \oraSet{Forge} stand for access to the oracles \ora{AddClient}, \ora{Withdra
\begin{enumerate}
\setlength\itemsep{0em}
\item $(skE, pkE) \leftarrow \mathrm{EKeygen}()$
- \item $(C_0, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{Forge}}(pkExchange)$
+ \item $(C_0, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{W?}}(pkExchange)$
\item Our adversary wins if they made at most $\ell$ withdrawals
but $C_0, \dots, C_\ell$ are all distinct valid unspent coins.
\end{enumerate}
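Review bot: \oraSet{W?} on the changed \item puts the question mark inside the macro argument, so the open question becomes part of the oracle-set name handed to \oraSet. Use \oraSet{W} and carry the doubt in a \comment{}. The visible game supports W: the challenger runs EKeygen and hands the adversary only the public key, so the simulator plays the exchange, which is the W case in the oracle list. The same \item passes pkExchange while the line above binds pkE; one name should be used for both.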
@@ -308,8 +316,9 @@ Let \oraSet{Forge} stand for access to the oracles \ora{AddClient}, \ora{Withdra
\subsection{Income Transparency}
Intuition: Adversary wins if money is in exclusive control of corrupted players but the exchange has no record of withdrawal or spending for it.
-Let \oraSet{Income} stand for access to the oracles \ora{AddClient}, \ora{WithdrawAsExchange}, \ora{Spend},
-\ora{RefreshAsExchange}, \ora{Share}, \ora{CorruptClient}
+% Let \oraSet{Income} stand for access to the oracles
+% \ora{AddClient}, \ora{Withdraw}_{\mathrm{W}}, \ora{Spend},
+% \ora{Refresh}_{\mathrm{W}}, \ora{Share}, \ora{CorruptClient}
\bigskip
\noindent $\mathit{Exp}_{\cal A}^{income}(1^\lambda, \kappa)$:
@@ -317,7 +326,7 @@ Let \oraSet{Income} stand for access to the oracles \ora{AddClient}, \ora{Withdr
\begin{enumerate}
\setlength\itemsep{0em}
\item $(skE, pkE) \leftarrow \mathrm{EKeygen}()$
- \item $(C_1, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{Income}}(pkExchange)$
+ \item $(C_1, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{W?}}(pkExchange)$
\item Augment the wallets of all non-corrupted users with their
transitive closure using the \algo{Link} protocol.
Mark all coins in wallets of non-corrupted users as spent.