author Jeff Burdges <burdges@gnunet.org> 2018-09-25 02:45:42 -0400
committer Jeff Burdges <burdges@gnunet.org> 2018-09-25 02:45:42 -0400
commit 0e2bc31185e1402fa34ad9ffa25ea2143919fa1a
tree adac6ac2143666a84622c3fb05cfe408ab57e385 /taler-fc19
parent cd699bd9debd026a2425d7d9f9ad242ff0106875
improve income transparency
Diffstat (limited to 'taler-fc19')
-rw-r--r-- taler-fc19/paper.tex 56
1 files changed, 34 insertions, 22 deletions
diff --git a/taler-fc19/paper.tex b/taler-fc19/paper.tex
index 4ca94e0..2b6fa63 100644
--- a/taler-fc19/paper.tex
+++ b/taler-fc19/paper.tex
@@ -1259,31 +1259,43 @@ Our instantiation satisfies {weak income transparency}.
%can trivially be replaced by an adversary against the protocol with hash
%commitments.
- We consider the directed forest on coins induced by the refresh protocol. It
- follows from unforgeability that any coin must originate from some customer's
- withdraw in this graph. Let $F$ be the set of ``final'' refresh operations
- in this graph, where each refresh $R_i \in F$ either results in a coin in
- exclusive control of the adversary after step \ref{game:income:spend}, or the
- refresh operation does not result in a coin at all.
- %TODO: The preceeding paragraph is still basically nonsense.
- % We need to resurect correct construction of F from games.tex
-
- During each $R_i \in F$, the adversary must have submitted a blinded coin
- and transfer public key for which the linking protocol fails to produce the
- resulting coin correctly, otherwise the coin would have been spent in step
- \ref{game:income:spend}. In this case, either
+ We consider the directed forest on coins induced by the refresh protocol.
+ It follows from unforgeability that any coin must originate from some
+ customer's withdraw in this graph.
+ We may assume that all $\V{coin}_1, \dots, \V{coin}_l$ originate from
+ non-corrupted users, for some $l \leq \ell$. % So $\ell \leq w + |X|$.
+
+ For any $i \leq l$, there is a final refresh operation $R_i$ in which
+ a non-corrupted user could obtain the coin $C'$ consumed in the refresh
+ via the linking protocol, but no non-corrupted user could obtain the
+ coin provided by the refresh, as otherwise $\V{coin}_i$ gets marked as
+ spent in step step \ref{game:income:spend}.
+ Set $F := \{ R_i \mid i \leq l \}$. %TODO: Not ellegant, clean up below.
+
+ During each $R_i \in F$, our adversary must have submitted a blinded
+ coin and transfer public key for which the linking protocol fails to
+ produce the resulting coin correctly, otherwise the coin would have
+ been spent in step \ref{game:income:spend}. In this case, we consider
+ several non-exclusive cases
\begin{enumerate}
- \item the execution of the refresh protocol is incomplete
- \item the commitment for the $\gamma$-th blinded coin and transfer public
- key was wrong
- \item a commitment for a blinded coin and transfer public key other than the $\gamma$-th was wrong
- \item the exchange's verification of the commitment passes, but customers
- are unable to re-compute the new coin from the old coin
+ \item the execution of the refresh protocol is incomplete,
+ \item the commitment for the $\gamma$-th blinded coin and transfer
+ public key was wrong,
+ \item a commitment for a blinded coin and transfer public key other
+ than the $\gamma$-th was wrong,
\end{enumerate}
- The last case can be excluded, because it would violate the key exchange
- completeness assumption.
- % TODO: Still wrong because we need to talk about honest key generation somewhere
+ We show these to be exhaustive by assuming their converses all hold:
+ As the commitment is signed, our our honest key generation assumption
+ of $\textsc{CoinSignKx}$ applies to the coin public key.
+ We assumed the $\gamma$-th transfer public key is honest too, so
+ our key exchange completeness assumption of $\textsc{CoinSignKx}$
+ yields $t C' \neq c' T$ where $T = t G$ is the transfer key,
+ so the customer obtains the correct transfer secret.
+ We assumed the refresh concluded and all submissions besides the
+ $\gamma$-th were honest, so the exchange correctly reveals the signed
+ blinded coin. We assumed the $\gamma$-th blinded coin is correct too,
+ so customer now re-compute the new coin correctly, violating $R_i \in F$.
We shall prove
\begin{equation}\label{eq:income-transparency-proof}
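Review bot: In the added exhaustiveness paragraph, the line "yields $t C' \neq c' T$ where $T = t G$ is the transfer key," has the wrong relation: the next line concludes that the customer obtains the correct transfer secret, which only follows if both sides agree, so this should read $t C' = c' T$. In the same paragraph, "assuming their converses all hold" should say "negations", since the argument assumes that none of the three listed cases occurs, and it would help to state that this paragraph replaces the removed fourth item (verification passes but customers cannot re-compute the new coin) by deriving a contradiction with $R_i \in F$. Smaller points: "step step \ref{game:income:spend}" and "our our honest key generation" repeat a word, "so customer now re-compute" should be "so the customer can now re-compute", "several non-exclusive cases" needs a colon before the enumerate and the last \item should end with a period instead of a comma, "ellegant" in the TODO comment is misspelled, and "for some $l \leq \ell$" uses two near-identical symbols, so a visually distinct letter for the number of coins from non-corrupted users would be easier to read.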