diff options
author | Jeffrey Burdges <burdges@gnunet.org> | 2017-11-19 15:02:20 +0100 |
---|---|---|
committer | Jeffrey Burdges <burdges@gnunet.org> | 2017-11-19 15:02:20 +0100 |
commit | c1e8223228702ea9f0714809c7bafea3d2f4bf41 (patch) | |
tree | b963b436c645c4c045d17a924f9ac6346a74d035 /games/games.tex | |
parent | ac4acbba1e43fd8e56ce32ac54e2b5d27e114b7a (diff) | |
download | papers-c1e8223228702ea9f0714809c7bafea3d2f4bf41.tar.gz papers-c1e8223228702ea9f0714809c7bafea3d2f4bf41.tar.bz2 papers-c1e8223228702ea9f0714809c7bafea3d2f4bf41.zip |
Make it more like a game hop
Diffstat (limited to 'games/games.tex')
-rw-r--r-- | games/games.tex | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/games/games.tex b/games/games.tex index a48ac01..abea14c 100644 --- a/games/games.tex +++ b/games/games.tex @@ -536,6 +536,15 @@ RSA-KTI cannot be hard by \cite[Theorem 12]{RSA-FDH-KTIvCTI}. \subsection{Income Transparency} \begin{proof}[Proof-sketch] +In our actual refresh operation, our commitment phase sends only the +hash of the planchets to reduce bandwidth. We could however commit +to the full planchets without damaging anything else, including +unforgeability. We may transform our our adversary $\cal A$ into +any adversary for the protocol that commits to full planchets by +rewinding $\cal A$ to try each $\gamma \in 1,\ldots,\kappa$ during +each refresh operation to obtain all planchets. We observe a hash +collision if this fails to provide the correct coins. + We consider the refresh operations in which $\cal A$ in which $\cal A$ submits a false planchets for some choice of $\gamma$. In these, we may assume $\cal A$ submits a false planchet for at most @@ -550,12 +559,6 @@ As our $\gamma$ are chosen randomly, any given refresh with a false planchet has a $1-{1\over\kappa}$ chance of contributing to $b$, so $E[{b \over f}] = 1-{1\over\kappa}$. It follows that $P[{b \over \ell-w} \ge (1-{1\over\kappa})] = 1/2 > {1\over\kappa}$. - -At this point, we would be done if the refresh commitment contained -full planchets, but we commit only to the hash of the planchets to -reduce bandwidth though. We may discover any hash collision employed -by $\cal A$ through rewinding though, so any non-negligible advantage -for $\cal A$ yields a non-negligible advantage for hash collisions. \end{proof} % injectivity of the ECDH operation seems like a red herring??? |