author: Jeffrey Burdges <burdges@gnunet.org> 2017-11-18 02:51:48 +0100
committer: Jeffrey Burdges <burdges@gnunet.org> 2017-11-18 02:51:48 +0100
commit: 3801ccda9af6954fdc075b7a439bc159e0c04e04 (patch)
tree: eba7c32b58d2b8199de6f9d0b2cbb6f684367552 /games
parent: 82a6c2279c5d636893dbcecc2ebb249cc59eac25 (diff)
Fairness proof
Diffstat (limited to 'games')
-rw-r--r-- games/games.tex 37
1 files changed, 32 insertions, 5 deletions
diff --git a/games/games.tex b/games/games.tex
index e705649..2250f3f 100644
--- a/games/games.tex
+++ b/games/games.tex
@@ -435,11 +435,38 @@ could see in a game has the same probability, and he must win with probability $
\subsection{Fairness}
-\paragraph{``Proof sketch''.} We enumerate all things that can lead to a failure in the refresh step.
-\begin{itemize}
- \item double-spending with different contract hash $\Rightarrow$ merchant can forge/modify deposit permission
- \item double-spending with refresh $\Rightarrow$ linking protocol must be broken
-\end{itemize}
+
+\begin{proof}[Proof-sketch]
+We required that any refresh operations were run to conclusion,
+which makes sense with our adversary $\prt{A}$ being a merchant
+unable to control either the customer or exchagne. It follows
+that $\prt{A}$ never called the refresh oracle on $C_n$.
+
+As the refresh $R$ must fail, $\prt{A}$ must have the custoemr
+spend $C_n$, and then either deposit $C_n$, refresh $C_n$, or
+spend $C_n$ with another merchant.
+In any case, $\prt{A}$ must not return the correct receipt to
+the customer, doing so concludes the transaction honestly.
+
+If $\prt{A}$ deposits $C_n$, then the customer would also obtain
+the correct receipt from exchange by doing a refresh, so the
+adversary must distract them with signed message from the exchange
+indicating double spending or previous refresh. In either subcase,
+$\prt{A}$ provides signatures by both $C_n$ and $\V{pkE}$.
+
+If $\prt{A}$ either refreshes or spends $C_n$, then they provide
+a signature by $C_n$ too.
+
+TODO: Anything more about signature reduction?
+\end{proof}
+
+We have stated the game and theorem with $\prt{A}$ controlling only
+the merchant, but even if they control the exchagne as well they
+cannot forge the signature by $C_n$. An exchange can however
+take actions like droping the refresh connection. Attacks like
+these can only be thwarted with the aid of authorities who can
+witness the attack, like our auditor.
+
\subsection{Income Transparency}
To win the game, the adversary must produce enough coins that are not in the wallet of any non-corrupted user, but withdraw little
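Review bot: The added proof sketch stops at "TODO: Anything more about signature reduction?" inside the proof environment, so the step that turns "$\prt{A}$ provides signatures by both $C_n$ and $\V{pkE}$" into a contradiction is missing. The paragraph after \end{proof} already relies on "cannot forge the signature by $C_n$", so that argument belongs in the proof body, naming which signature would have to be forged and which unforgeability assumption the reduction targets; until that is written, keep the TODO in a LaTeX comment rather than in the compiled text. The removed list tied double-spending with refresh to breaking the linking protocol, while the new refresh case only says "they provide a signature by $C_n$ too", so please confirm that case is still covered. Smaller points in the added lines: "exchagne" (twice), "custoemr" and "droping" are misspelled, and "the customer, doing so concludes the transaction honestly" is a comma splice (for example "since doing so ...").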