author Jeff Burdges <burdges@gnunet.org> 2018-09-25 02:47:00 -0400
committer Jeff Burdges <burdges@gnunet.org> 2018-09-25 02:47:00 -0400
commit 55f661c0a3b9e1936858761b26376f2036eb10ef
tree d8651bf7bc90aaba9df17cd04bbad5b97cc1cabb /taler-fc19/paper.tex
parent 0e2bc31185e1402fa34ad9ffa25ea2143919fa1a
Uncomment initial part of Income Transparency proof
Diffstat (limited to 'taler-fc19/paper.tex')
-rw-r--r-- taler-fc19/paper.tex 28
1 files changed, 14 insertions, 14 deletions
diff --git a/taler-fc19/paper.tex b/taler-fc19/paper.tex
index 2b6fa63..baecc52 100644
--- a/taler-fc19/paper.tex
+++ b/taler-fc19/paper.tex
@@ -1244,20 +1244,20 @@ Our instantiation satisfies {weak income transparency}.
\end{theorem}
\begin{proof}
-%In our refresh operation, the commitment phase sends only the hash of blinded
-%coins and transfer public keys to reduce bandwidth. We therefore first
-%convert our adversary $\mathcal{A}$ into an adversary for a variant protocol
-%in which these commitments contain the full values: We rewind $\mathcal{A}$
-%to try two distinct $\gamma \in 1,\dots,\kappa$ during each refresh
-%operation, so that we obtain all values. We need only try two choices
-%because the adversary reveals all but one planchet in each run. We now
-%witness a hash collision if the transfer secret the adversary reveals does not
-%yield the correct coins.
-%
-%If Taler satisfies unforgeability then this variant protocol does so too,
-%because an adversary against the protocol with commitment to full planchets
-%can trivially be replaced by an adversary against the protocol with hash
-%commitments.
+In our refresh operation, the commitment phase sends only the hash of blinded
+coins and transfer public keys to reduce bandwidth. We therefore first
+convert our adversary $\mathcal{A}$ into an adversary for a variant protocol
+in which these commitments contain the full values: We rewind $\mathcal{A}$
+to try two distinct $\gamma \in 1,\dots,\kappa$ during each refresh
+operation, so that we obtain all values. We need only try two choices
+because the adversary reveals all but one planchet in each run. We now
+witness a hash collision if the transfer secret the adversary reveals does not
+yield the correct coins.
+
+If Taler satisfies unforgeability then this variant protocol does so too,
+because an adversary against the protocol with commitment to full planchets
+can trivially be replaced by an adversary against the protocol with hash
+commitments.
We consider the directed forest on coins induced by the refresh protocol.
It follows from unforgeability that any coin must originate from some
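Review bot: The range of the cut-and-choose index in the fifth added line, `$\gamma \in 1,\dots,\kappa$`, is written without set braces, so it typesets as membership in the number 1 followed by a list; use `$\gamma \in \{1,\dots,\kappa\}$`. In the same paragraph, "We now witness a hash collision" is the step that carries the reduction, yet the text does not say which property of the commitment hash is assumed; stating that the hash is collision resistant (and that the rewinding argument reduces to it) would make the dependency explicit. Finally, the last added line `commitments.` is followed directly by the unchanged line "We consider the directed forest on coins", so LaTeX will merge the two into one paragraph now that the preceding text is no longer commented out; add a blank line after `commitments.` if the forest argument is meant to start a new paragraph.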