author: Florian Dold <florian.dold@gmail.com> 2018-04-22 00:29:07 +0200
committer: Florian Dold <florian.dold@gmail.com> 2018-04-22 00:29:07 +0200
commit 082c1769d604edc5af8a82ff663a28e45fb6a598 (patch)
tree 42ccaeaa1000dd58c847ace1391ac6dd7d3a808c /games
parent 7a0422b23be731132ac9245a566c0a09ef075c42 (diff)
fairness proof with explicit challenge
Diffstat (limited to 'games')
-rw-r--r--  games/games.tex  20
1 files changed, 15 insertions, 5 deletions
diff --git a/games/games.tex b/games/games.tex
index 3df3a95..00401f2 100644
--- a/games/games.tex
+++ b/games/games.tex
@@ -733,14 +733,24 @@ Let $G \in \mathbb{E}$ be the generator of the Ed25519 curve (with Edwards coord
\subsection{Fairness}
\begin{theorem}
-Assuming unforgeability of signatures (EUF-CMA), Taler
-satisfies {Fairness}.
+Assuming unforgeability of signatures (EUF-CMA) and an adversary that makes at most $q$ queries
+to \ora{Withdraw} or \ora{Refresh}, Taler satisfies Fairness.
\end{theorem}
\begin{proof}
-We replace coin public keys with signing public keys from the EUF-CMA
-challenger, unless the coins are withdrawn by corrupted users.
-Signature operations with these public keys are replaced with calls to the signing \ora{Sign} oracle of the EUF-CMA challenger.
+
+% FIXME: argue that reduction is tight when you have malleability
+
+We construct an adversary against EUF-CMA from an adversary $\mathcal{A}$
+against Fairness.
+
+Our goal is to embed the EUF-CMA challenge into one of the coins obtained via
+\ora{Withdraw} or \ora{Refresh} from uncorrupted users. We adjust \ora{Withdraw} and \ora{Refresh}
+so that the challenge is used as public key for the coin with probability
+$1/q$, but only if the user is uncorrupted and until the challenge has been embedded once.
+
+The oracles \ora{Spend} and \ora{Refresh} are adjusted so that the signing oracle \ora{Sign} of the EUF-CMA challenger
+is used for the coin with the embedded challenge.
If the adversary wins in step 6.1, there must be a valid deposit permission over a contract not signed by the user,
and thus not send to \ora{Sign}. If the adversary wins in step 6.2, there must be a refresh request not signed
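Review bot: the embedding rule introduced in this hunk ("the challenge is used as public key for the coin with probability $1/q$ ... until the challenge has been embedded once") does not give the uniform $1/q$ guess the reduction needs. Deciding independently at each of the at most $q$ queries means the $i$-th uncorrupted coin receives the challenge with probability $(1-1/q)^{i-1}/q$, and with probability $(1-1/q)^q$ (about $1/e$ for large $q$) the challenge is never embedded at all, so the reduction's success probability is not $\mathrm{Adv}^{\text{Fairness}}/q$. The standard fix is to choose an index $i \in \{1,\dots,q\}$ uniformly at the start and embed the challenge in the $i$-th coin obtained via \ora{Withdraw} or \ora{Refresh} by an uncorrupted user; the coin on which the adversary wins is then the challenge coin with probability exactly $1/q$. Since the theorem statement now introduces $q$, it should also state the loss, i.e. that the constructed EUF-CMA adversary has advantage at least $\mathrm{Adv}^{\text{Fairness}}(\mathcal{A})/q$. Two smaller points: the proof only checks that the user is uncorrupted at the time of the query, but says nothing about the adversary corrupting that user afterwards, when the reduction cannot hand over a secret key it does not hold; state that the reduction aborts in that case (or that such a coin cannot yield a win in steps 6.1 or 6.2), because the bound depends on it. And the "% FIXME: argue that reduction is tight when you have malleability" comment ships inside the proof body; it should be resolved or moved to a TODO outside the theorem before this lands.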