Make it more like a game hop

1 files changed, 9 insertions, 6 deletions

diff --git a/games/games.tex b/games/games.tex
index a48ac01..abea14c 100644
--- a/games/games.tex
+++ b/games/games.tex
@@ -536,6 +536,15 @@ RSA-KTI cannot be hard by \cite[Theorem 12]{RSA-FDH-KTIvCTI}.
 \subsection{Income Transparency}
 
 \begin{proof}[Proof-sketch]
+In our actual refresh operation, our commitment phase sends only the
+hash of the planchets to reduce bandwidth.  We could however commit
+to the full planchets without damaging anything else, including
+unforgeability.  We may transform our our adversary $\cal A$ into
+any adversary for the protocol that commits to full planchets by
+rewinding $\cal A$ to try each $\gamma \in 1,\ldots,\kappa$ during
+each refresh operation to obtain all planchets.  We observe a hash 
+collision if this fails to provide the correct coins. 
+
 We consider the refresh operations in which $\cal A$ in which
 $\cal A$ submits a false planchets for some choice of $\gamma$. 
 In these, we may assume $\cal A$ submits a false planchet for at most
@@ -550,12 +559,6 @@ As our $\gamma$ are chosen randomly, any given refresh with a false
 planchet has a $1-{1\over\kappa}$ chance of contributing to $b$,
 so $E[{b \over f}] = 1-{1\over\kappa}$.  It follows that 
 $P[{b \over \ell-w} \ge (1-{1\over\kappa})] = 1/2 > {1\over\kappa}$.
-
-At this point, we would be done if the refresh commitment contained
-full planchets, but we commit only to the hash of the planchets to
-reduce bandwidth though.  We may discover any hash collision employed
-by $\cal A$ through rewinding though, so any non-negligible advantage
-for $\cal A$ yields a non-negligible advantage for hash collisions.
 \end{proof}
 
 % injectivity of the ECDH operation seems like a red herring???