author Jeffrey Burdges <burdges@gnunet.org> 2017-11-20 19:35:11 +0100
committer Jeffrey Burdges <burdges@gnunet.org> 2017-11-20 19:35:11 +0100
commit 7468749080d0fb768bf68a73e2d803a5d124ac75 (patch)
tree 244c643bc8097f7e80631aff64451b06d83675b5 /games
parent 43177a6d7937fef1a3b825d1cc3d653ded7b2465 (diff)
Anonymity game fixes
Diffstat (limited to 'games')
-rw-r--r-- games/games.tex 41
1 files changed, 36 insertions, 5 deletions
diff --git a/games/games.tex b/games/games.tex
index 8e3ac77..e3b48b4 100644
--- a/games/games.tex
+++ b/games/games.tex
@@ -176,10 +176,13 @@ Let \oraSet{Anon} stand for access to the oracles \ora{AddClient}, \ora{Withdraw
\item $b \randsel{} \{0,1\}$
\comment{Random bit selected by challenger}
\item Select unspent coins $\V{pkC}_0$ and $\V{pkC}_1$ from
- the wallets of $\V{pkU}_0, \V{pkU}_1$, respectively. Return 0
- if either $\V{pkU}_0$ or $\V{pkU}_1$ has no unspent coin.
- \item $\V{dp_1} \leftarrow \algo{Spend}(\V{contract}_b, \V{pkU}_b, \V{pkC}_b, \V{pkM})$, \\
- $\V{dp_2} \leftarrow \algo{Spend}(\V{contract}_{(1-b)}, \V{pkU}_{(1-b)}, \V{pkC}_{(1-b)}, \V{pkM})$ \\
+ the wallets of $\V{pkU}_0, \V{pkU}_1$, respectively.
+ \footnote{Unspent always means that spending and refresh were never
+ attempted with the coin. We say spent but undeposited for coins
+ the user can reclaim with the refresh protocol.}
+ Return 0 if either $\V{pkU}_0$ or $\V{pkU}_1$ has no unspent coin.
+ \item $\V{dp_1} \leftarrow \algo{Spend}(\V{contract}_b, \V{pkU}_0, \V{pkC}_0, \V{pkM})$, \\
+ $\V{dp_2} \leftarrow \algo{Spend}(\V{contract}_{(1-b)}, \V{pkU}_1, \V{pkC}_1, \V{pkM})$ \\
Spend these two coins without revealing the customer's identity to the adversary.
\item $\algo{Deposit}(\prt{E}(\V{skE}, \V{pkE}), \prt{A}(dp_1))$, \\
$\algo{Deposit}(\prt{E}(\V{skE}, \V{pkE}), \prt{A}(dp_2))$ \\
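Review bot: In the two new \algo{Spend} lines the challenge bit $b$ now appears only in the contract subscripts ($\V{contract}_b$ and $\V{contract}_{(1-b)}$), while the users and coins are fixed to indices 0 and 1, but the unchanged sentence that follows still only says the coins are spent "without revealing the customer's identity". A \comment on this item saying that $b$ decides which contract each coin pays for would make clear what the adversary's guess $b'$ is about. Two smaller points in the same hunk: the new footnote defines "spent but undeposited", a term this step never uses, so that half may belong where the refresh protocol is discussed; and the deposit permits are written `\V{dp_1}` in the Spend item but bare `dp_1` in the Deposit item, which should be made consistent.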
@@ -191,10 +194,38 @@ Let \oraSet{Anon} stand for access to the oracles \ora{AddClient}, \ora{Withdraw
$\V{skC}_0$ or $\V{skC}_1$, aka these coin's {\em ownership set}.
Return 0 if $\cal U$ contains either any user corrupted by \prt{A}
or any user who ran the linking protocol.
- \comment{TODO: Add linking protocol to \oraSet{Anon}, but simplify this text if the linking protocol can be restrited to corrupted users}
+ \comment{TODO: Add linking protocol to \oraSet{Anon}, but simplify this text if the linking protocol can be restricted to corrupted users}
\item if $b = b'$ return 1, otherwise return 0
\end{enumerate}
+We have stated this game in terms of the anonymity of users to match
+existing ecash literature, but actually any user based formulation is
+insufficient for any ecash schemes' purposes because one users needs
+unlinkability their . Instead of the two users $\V{pkU}_0$ and $\V{pkU}_1$,
+the adversary $\prt{A}$ must supply a opaque withdrawal event handle.
+
+In our case, planchets work well for this, but they do not exist in all scheme.
+We prove the stronger anonymity game that replaces lines 2,3, and 5
+with these two lines.
+\begin{enumerate}
+ \setlength\itemsep{0em}
+ \item[2] $(P_0, P_1, \V{contract}_0, \V{contract}_1) \leftarrow \prt{A}^{\oraSet{Anon}}()$ \\
+ Our creates invokes oracles to create users and give them coins.
+ It returns two planchets $P_0$ and $P_1$ and two contracts
+ $\V{contract}_0$ and $\V{contract}_1$.
+ Our adversary creates two users and two contract,
+ along with some coins open which it calls oracles freely.
+ \item[3]
+ We demand that valid unspent coins $\V{pkC}_0$ and $\V{pkC}_1$ to
+ have been created from the planchets $P_0$ and $P_1$ respectively.
+ Also let $\V{pkU}_1$ and $\V{pkU}_2$ denote the refistered users
+ who withdrew these respective coins, not necessarily distinct.
+ Return 0 either if any of these do not exist, including
+ if $\V{pkC}_0$ or $\V{pkC}_1$ were spent.
+ % \item[5]
+\end{enumerate}
+
+
\paragraph{Intuition:} Users are anonymous if there is no adversary that can win this game,
since then two users can spend money, but the adversary is not able to say who purchased what.
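Review bot: In the added \item[3] the withdrawing users are named $\V{pkU}_1$ and $\V{pkU}_2$, while the planchets and coins in the same item are indexed 0 and 1 and the Spend step in the previous hunk uses $\V{pkU}_0$ and $\V{pkU}_1$; renaming them to $\V{pkU}_0$ and $\V{pkU}_1$ would keep the stronger game consistent with the steps it leaves untouched. The introduction says the new text replaces "lines 2,3, and 5 with these two lines", but `% \item[5]` is commented out, so the reader cannot tell what becomes of line 5 (the ownership-set check); either supply the replacement or say that line 5 is dropped and why. The hard-coded `\item[2]` and `\item[3]` labels will also drift if the original enumerate is renumbered. Finally, the added prose needs a proofreading pass before merge: the sentence ending "one users needs unlinkability their ." is cut off, and "a opaque", "in all scheme", "Our creates invokes oracles", "two contract" and "refistered" are typos.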