summaryrefslogtreecommitdiff
path: root/games
diff options
context:
space:
mode:
authorJeff Burdges <burdges@gnunet.org>2018-04-24 22:23:52 +0200
committerJeff Burdges <burdges@gnunet.org>2018-04-24 22:23:52 +0200
commit745b5a51ce854d7dba1c4a38584761e6160042d0 (patch)
treef535eb9a7e9197169e8921fba2b0641acc6cba5b /games
parent8d861622af8ea10f2a36b30f40a6919357424928 (diff)
downloadpapers-745b5a51ce854d7dba1c4a38584761e6160042d0.tar.gz
papers-745b5a51ce854d7dba1c4a38584761e6160042d0.tar.bz2
papers-745b5a51ce854d7dba1c4a38584761e6160042d0.zip
iFix beginning of income transperence and start doing the end
Diffstat (limited to 'games')
-rw-r--r--games/games.tex54
1 files changed, 35 insertions, 19 deletions
diff --git a/games/games.tex b/games/games.tex
index dfe9527..402f4ad 100644
--- a/games/games.tex
+++ b/games/games.tex
@@ -860,15 +860,20 @@ Then Taler satisfies {weak income transparency}.
\begin{proof}
In our actual refresh operation, our commitment phase sends only the
-hash of the planchets to reduce bandwidth. We could however commit
-to the full planchets without damaging anything else, including
-unforgeability. We may thus transform our our adversary $\cal A$ into
-any adversary for the protocol that commits to full planchets by
-rewinding $\cal A$ to try each $\gamma \in 1,\ldots,\kappa$ during
-each refresh operation to obtain all planchets. We observe a hash
-collision if this fails to provide the correct coins.
-
-We consider the directed tree on coins induced by the refresh protocol.
+hash of the planchets to reduce bandwidth. We therefore first convert
+our adversary $\cal A$ into an adversary for a variant protocol in which
+these commitments contain the full planchets: We rewind $\cal A$ to
+try two distinct $\gamma \in 1,\ldots,\kappa$ during each refresh operation,
+so that we obtain all planchets. We need only try two choices because
+the adversary reveals all but one planchet in each run.
+We now witness a hash collision if transfer secrete the adversary reveals
+does not yield the correct coins.
+
+If Taler satisfies unforgeability then this variant protocol does so too
+because an adversary who reveals full planchets can trivially be replaced
+ by an adversary who do hash commitments.
+
+We next consider the directed forest on coins induced by the refresh protocol.
It follows from unforgeability that any coin must originate from
some user's withdraw in this graph.
Let $X$ denote the coins from $\{C_1,\ldots,C_\ell\}$ that originate
@@ -884,24 +889,35 @@ linking protocol fails to produce $C$ correctly. In this case, either
\begin{enumerate}
\item the planchet must be false outright, meaning either $C$ itself
or the blinding factor does not arise form $t C'$, or else
-\item the exchange would compute the planchet correctly, but not
+\item the exchange would compute the planchet correctly, but not
users employing the linking protocol, meaning
$t C' \neq c' T$ where $T = t G$ is the transfer key.
\end{enumerate}
-We may assume the first case that $\cal A$ provides a false planchet outright
- because we produce a key exchange failure in the second case.
-We may also assume $\cal A$ submits a false planchet for at most one choice of $\gamma$,
-as otherwise the refresh always fails.
+We may assume the first case that $\cal A$ provides a false planchet
+outright because we produce a key exchange failure in the second case.
+We may also assume $\cal A$ submits a false planchet for at most one
+choice of $\gamma$, as otherwise the refresh always fails.
As our $\gamma$ are chosen randomly, any given refresh with one
false planchet has only a $1\over\kappa$ chance of succeeding.
-If such a malicious refresh is detected, the coin is unspendable, and
- contributes to the lost coins $b := w - s$ instead of the winnings $p := L - w'$ aka $|X|$.
-
+If such a malicious refresh is detected, the coin becomes unspendable,
+ and contributes to the lost coins $b := w - s$
+ instead of the winnings $p := L - w'$ aka $|X|$.
We observe $b + p$ gives the value of refreshes attempted with false planchets.
-If we sequentially group runs of the game according to the simulator's random choice of $\gamma$,
-then we conclude that $E({p \over b + p}) = {1\over\kappa}$, as desired.
+
+We shall now prove $E({p \over b + p}) = {1\over\kappa}$ (\dag)
+ by grouping games identical up to an $R_C$
+ according to the simulator's random choice of $\gamma$.
+We obtain a valid game by terminating a game early, so
+ we construct the desire grouping by induction on the length of the game.
+Of course $b = 0$ if no $R_C$ occur.
+We defined $R_C$ to be an anti-chain in the refresh forest, but
+we emphasize that an adversary who wins an $R_C$ need not gamble again,
+while an an adversary who looses an $R_C$ looses $C$.
+It follows that each $R_C$ contributes ${1\over\kappa}$ towards the total expectation.
+{RETHINK WHAT HAPPENS HERE AND ABOVE}
+We conclude that $E({p \over b + p}) = {1\over\kappa}$, as desired.
\end{proof}
%%% $L - w' \over (L - w') + (w - s)$
% $E(b/p) + 1 = E(b/p + p/p) = E((b + p)/p) = \kappa$