diff options
author | Jeff Burdges <burdges@gnunet.org> | 2018-04-24 22:23:52 +0200 |
---|---|---|
committer | Jeff Burdges <burdges@gnunet.org> | 2018-04-24 22:23:52 +0200 |
commit | 745b5a51ce854d7dba1c4a38584761e6160042d0 (patch) | |
tree | f535eb9a7e9197169e8921fba2b0641acc6cba5b /games | |
parent | 8d861622af8ea10f2a36b30f40a6919357424928 (diff) | |
download | papers-745b5a51ce854d7dba1c4a38584761e6160042d0.tar.gz papers-745b5a51ce854d7dba1c4a38584761e6160042d0.tar.bz2 papers-745b5a51ce854d7dba1c4a38584761e6160042d0.zip |
iFix beginning of income transperence and start doing the end
Diffstat (limited to 'games')
-rw-r--r-- | games/games.tex | 54 |
1 files changed, 35 insertions, 19 deletions
diff --git a/games/games.tex b/games/games.tex index dfe9527..402f4ad 100644 --- a/games/games.tex +++ b/games/games.tex @@ -860,15 +860,20 @@ Then Taler satisfies {weak income transparency}. \begin{proof} In our actual refresh operation, our commitment phase sends only the -hash of the planchets to reduce bandwidth. We could however commit -to the full planchets without damaging anything else, including -unforgeability. We may thus transform our our adversary $\cal A$ into -any adversary for the protocol that commits to full planchets by -rewinding $\cal A$ to try each $\gamma \in 1,\ldots,\kappa$ during -each refresh operation to obtain all planchets. We observe a hash -collision if this fails to provide the correct coins. - -We consider the directed tree on coins induced by the refresh protocol. +hash of the planchets to reduce bandwidth. We therefore first convert +our adversary $\cal A$ into an adversary for a variant protocol in which +these commitments contain the full planchets: We rewind $\cal A$ to +try two distinct $\gamma \in 1,\ldots,\kappa$ during each refresh operation, +so that we obtain all planchets. We need only try two choices because +the adversary reveals all but one planchet in each run. +We now witness a hash collision if transfer secrete the adversary reveals +does not yield the correct coins. + +If Taler satisfies unforgeability then this variant protocol does so too +because an adversary who reveals full planchets can trivially be replaced + by an adversary who do hash commitments. + +We next consider the directed forest on coins induced by the refresh protocol. It follows from unforgeability that any coin must originate from some user's withdraw in this graph. Let $X$ denote the coins from $\{C_1,\ldots,C_\ell\}$ that originate @@ -884,24 +889,35 @@ linking protocol fails to produce $C$ correctly. In this case, either \begin{enumerate} \item the planchet must be false outright, meaning either $C$ itself or the blinding factor does not arise form $t C'$, or else -\item the exchange would compute the planchet correctly, but not +\item the exchange would compute the planchet correctly, but not users employing the linking protocol, meaning $t C' \neq c' T$ where $T = t G$ is the transfer key. \end{enumerate} -We may assume the first case that $\cal A$ provides a false planchet outright - because we produce a key exchange failure in the second case. -We may also assume $\cal A$ submits a false planchet for at most one choice of $\gamma$, -as otherwise the refresh always fails. +We may assume the first case that $\cal A$ provides a false planchet +outright because we produce a key exchange failure in the second case. +We may also assume $\cal A$ submits a false planchet for at most one +choice of $\gamma$, as otherwise the refresh always fails. As our $\gamma$ are chosen randomly, any given refresh with one false planchet has only a $1\over\kappa$ chance of succeeding. -If such a malicious refresh is detected, the coin is unspendable, and - contributes to the lost coins $b := w - s$ instead of the winnings $p := L - w'$ aka $|X|$. - +If such a malicious refresh is detected, the coin becomes unspendable, + and contributes to the lost coins $b := w - s$ + instead of the winnings $p := L - w'$ aka $|X|$. We observe $b + p$ gives the value of refreshes attempted with false planchets. -If we sequentially group runs of the game according to the simulator's random choice of $\gamma$, -then we conclude that $E({p \over b + p}) = {1\over\kappa}$, as desired. + +We shall now prove $E({p \over b + p}) = {1\over\kappa}$ (\dag) + by grouping games identical up to an $R_C$ + according to the simulator's random choice of $\gamma$. +We obtain a valid game by terminating a game early, so + we construct the desire grouping by induction on the length of the game. +Of course $b = 0$ if no $R_C$ occur. +We defined $R_C$ to be an anti-chain in the refresh forest, but +we emphasize that an adversary who wins an $R_C$ need not gamble again, +while an an adversary who looses an $R_C$ looses $C$. +It follows that each $R_C$ contributes ${1\over\kappa}$ towards the total expectation. +{RETHINK WHAT HAPPENS HERE AND ABOVE} +We conclude that $E({p \over b + p}) = {1\over\kappa}$, as desired. \end{proof} %%% $L - w' \over (L - w') + (w - s)$ % $E(b/p) + 1 = E(b/p + p/p) = E((b + p)/p) = \kappa$ |