authorFlorian Dold <florian.dold@gmail.com>2018-09-25 10:44:20 +0200
committerFlorian Dold <florian.dold@gmail.com>2018-09-25 10:44:26 +0200
commit66a4b71a420562d43d49b4dcfa503d36bb49b77d (patch)
tree4af283774f76b00dfb6bac91775d9cca760f1887 /taler-fc19/paper.tex
parentd6c16a25a7c03cb243a8c1504309fa89d751454e (diff)
public commitment key
Diffstat (limited to 'taler-fc19/paper.tex')
-rw-r--r--taler-fc19/paper.tex16
1 files changed, 8 insertions, 8 deletions
diff --git a/taler-fc19/paper.tex b/taler-fc19/paper.tex
index 2241039..8363133 100644
--- a/taler-fc19/paper.tex
+++ b/taler-fc19/paper.tex
@@ -827,9 +827,9 @@ We require the following security properties to hold for $\textsc{CoinSignKx}$:
Let $\textsc{Sign} = (\algo{KeyGen}_{S}, \algo{Sign}_{S}, \algo{Verify}_{S})$ be a signature
scheme that satisfies selective unforgeability under chosen message attacks (SUF-CMA).
-Let $(\algo{Setup}, H_{pk})$ be a computationally hiding and binding
+Let $(\algo{Setup}, H_{pck})$ be a computationally hiding and binding
commitment scheme, where $\algo{Setup}$ generates the public commitment key
-$pk$ and $H_{pk} : \{0,1\}^* \rightarrow \{0,1\}^\lambda$ deterministically commits to a
+$pk$ and $H_{pck} : \{0,1\}^* \rightarrow \{0,1\}^\lambda$ deterministically commits to a
bit-string.
Let $\V{PRF}$ be a pseudo-random function family.
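Review bot: The rename is incomplete on the added line `$pk$ and $H_{pck} : \{0,1\}^* \rightarrow \{0,1\}^\lambda$ ...`, which still introduces the public commitment key as `pk` while the function is now indexed by `pck`; it should start `$\V{pck}$ and $H_{\V{pck}} : ...`. The same leftover sits in the hunk at -926, where the unchanged line `h_{\overline{m}} &:= H_{pk}(\overline{m}_1, \dots, \overline{m}_\kappa)` keeps the old subscript between two renamed lines. In a protocol that also has signing and denomination public keys, a stray `pk` can plausibly be read as one of those rather than the commitment key, so the three hash definitions should visibly share one key. Writing the subscript as `\V{pck}`, as the ExchangeKeygen hunk does for the key itself, would also stop it being typeset as a product of three variables. Separately, the context line expands SUF-CMA as "selective unforgeability"; the abbreviation normally denotes strong unforgeability, so that wording is worth checking.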
@@ -840,7 +840,7 @@ Using these primitives, we now instantiate the syntax:
\item $\algo{ExchangeKeygen}(1^{\lambda}, 1^{\kappa}, \mathfrak{D})$:
Generate the exchange's signing key pair $\V{skESign} \leftarrow \algo{KeyGen}_{S}(1^\lambda)$ and public
- commitment key $\V{CK} \leftarrow \algo{Setup}(1^\lambda)$.
+ commitment key $\V{pck} \leftarrow \algo{Setup}(1^\lambda)$.
For each element in the sequence $\mathfrak{D} = d_1,\dots,d_n$, generate
denomination key pair $(\V{skD}_i, \V{pkD}_i) \leftarrow \algo{KeyGen}_{BS}(1^\lambda)$.
@@ -926,9 +926,9 @@ Using these primitives, we now instantiate the syntax:
Now, the customer's wallet sends the commitment $\pi_1 = (\V{pkCoin}_0, \V{pkD}_u, h_C)$ together with signature $\V{sig}_1
\leftarrow \algo{Sign}_{CSK}(\V{skCoin}_0, \pi_1)$ to the exchange, where
\begin{align*}
- h_T &:= H_{pk}(T_1, \dots, T_\kappa)\\
+ h_T &:= H_{pck}(T_1, \dots, T_\kappa)\\
h_{\overline{m}} &:= H_{pk}(\overline{m}_1, \dots, \overline{m}_\kappa)\\
- h_C &:= H_{pk}(h_T \Vert h_{\overline{m}})
+ h_C &:= H_{pck}(h_T \Vert h_{\overline{m}})
\end{align*}
The exchange checks the signature $\V{sig}_1$, and aborts if invalid. Otherwise,
@@ -961,7 +961,7 @@ Using these primitives, we now instantiate the syntax:
x_i' &\leftarrow \algo{Kx}(t_i, \V{pkCoin}_0)\\
(\V{skCoin}_i', \V{pkCoin}_i') &\leftarrow
\algo{KeyGen}^*_{CSK}(x_i', 1^\lambda) \\
- h_T' &:= H_{pk}(T'_1, \dots, T_{\gamma-1}, T_\gamma, T_{\gamma+1}', \dots, T_\kappa')
+ h_T' &:= H_{pck}(T'_1, \dots, T_{\gamma-1}, T_\gamma, T_{\gamma+1}', \dots, T_\kappa')
\end{align*}
and simulates the blinding protocol with recorded transcripts (without signing each message,
as indicated by the dot ($\cdot$) instead of a signing secret key), obtaining
@@ -971,8 +971,8 @@ Using these primitives, we now instantiate the syntax:
\end{align*}
and finally
\begin{align*}
- h_{\overline{m}}' &:= H_{pk}(\overline{m}_1', \dots, \overline{m}_\gamma, \dots, \overline{m}_\kappa')\\
- h_C &:= H_{pk}(h_T' \Vert h_{\overline{m}}').
+ h_{\overline{m}}' &:= H_{pck}(\overline{m}_1', \dots, \overline{m}_\gamma, \dots, \overline{m}_\kappa')\\
+ h_C &:= H_{pck}(h_T' \Vert h_{\overline{m}}').
\end{align*}
For each $i \ne \gamma$, the exchange computes