diff options
author | Jeff Burdges <burdges@gnunet.org> | 2018-09-25 02:47:00 -0400 |
---|---|---|
committer | Jeff Burdges <burdges@gnunet.org> | 2018-09-25 02:47:00 -0400 |
commit | 55f661c0a3b9e1936858761b26376f2036eb10ef (patch) | |
tree | d8651bf7bc90aaba9df17cd04bbad5b97cc1cabb /taler-fc19/paper.tex | |
parent | 0e2bc31185e1402fa34ad9ffa25ea2143919fa1a (diff) | |
download | papers-55f661c0a3b9e1936858761b26376f2036eb10ef.tar.gz papers-55f661c0a3b9e1936858761b26376f2036eb10ef.tar.bz2 papers-55f661c0a3b9e1936858761b26376f2036eb10ef.zip |
Uncomment initial part of Income Transparency proof
Diffstat (limited to 'taler-fc19/paper.tex')
-rw-r--r-- | taler-fc19/paper.tex | 28 |
1 files changed, 14 insertions, 14 deletions
diff --git a/taler-fc19/paper.tex b/taler-fc19/paper.tex index 2b6fa63..baecc52 100644 --- a/taler-fc19/paper.tex +++ b/taler-fc19/paper.tex @@ -1244,20 +1244,20 @@ Our instantiation satisfies {weak income transparency}. \end{theorem}
\begin{proof}
-%In our refresh operation, the commitment phase sends only the hash of blinded
-%coins and transfer public keys to reduce bandwidth. We therefore first
-%convert our adversary $\mathcal{A}$ into an adversary for a variant protocol
-%in which these commitments contain the full values: We rewind $\mathcal{A}$
-%to try two distinct $\gamma \in 1,\dots,\kappa$ during each refresh
-%operation, so that we obtain all values. We need only try two choices
-%because the adversary reveals all but one planchet in each run. We now
-%witness a hash collision if the transfer secret the adversary reveals does not
-%yield the correct coins.
-%
-%If Taler satisfies unforgeability then this variant protocol does so too,
-%because an adversary against the protocol with commitment to full planchets
-%can trivially be replaced by an adversary against the protocol with hash
-%commitments.
+In our refresh operation, the commitment phase sends only the hash of blinded
+coins and transfer public keys to reduce bandwidth. We therefore first
+convert our adversary $\mathcal{A}$ into an adversary for a variant protocol
+in which these commitments contain the full values: We rewind $\mathcal{A}$
+to try two distinct $\gamma \in 1,\dots,\kappa$ during each refresh
+operation, so that we obtain all values. We need only try two choices
+because the adversary reveals all but one planchet in each run. We now
+witness a hash collision if the transfer secret the adversary reveals does not
+yield the correct coins.
+
+If Taler satisfies unforgeability then this variant protocol does so too,
+because an adversary against the protocol with commitment to full planchets
+can trivially be replaced by an adversary against the protocol with hash
+commitments.
We consider the directed forest on coins induced by the refresh protocol.
It follows from unforgeability that any coin must originate from some
|