-rw-r--r-- taler-fc19/paper.tex | 48
1 files changed, 27 insertions, 21 deletions
diff --git a/taler-fc19/paper.tex b/taler-fc19/paper.tex
index 947f3e1..ba4cd28 100644
--- a/taler-fc19/paper.tex
+++ b/taler-fc19/paper.tex
@@ -818,7 +818,16 @@ We require the following security properties to hold for $\textsc{CoinSignKx}$:
\end{itemize}
Let $\textsc{Sign} = (\algo{KeyGen}_{S}, \algo{Sign}_{S}, \algo{Verify}_{S})$ be a signature
+<<<<<<< HEAD
+scheme that satisfies SUF-CMA.
+
+Let $(\algo{Setup}_C, H_{pk})$ be a computationally binding commitment
+scheme, where $\algo{Setup}$ generates the public commitment key $pk$
+and $H_{pk} : \{0,1\}^* \rightarrow \{0,1\}^\lambda$ deterministically
+commits to a bit-string.
+=======
scheme that satisfies selective unforgeability under chosen message attacks (SUF-CMA).
+>>>>>>> 534bdbc8e54e678e799cdfb96cfb534fe52f8998
Let $\V{PRF}$ be a pseudo-random function family and $H : \{0,1\}^* \rightarrow \{0,1\}^\lambda$
a collision-resistant hash function.
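Review bot: Unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>>`) are committed into paper.tex here and will stop the document from compiling; resolve the conflict before merging. When resolving, keep the expanded acronym on first use from the lower side ("selective unforgeability under chosen message attacks (SUF-CMA)") together with the new commitment-scheme paragraph from HEAD. In that paragraph the tuple is written $(\algo{Setup}_C, H_{pk})$ but the following clause refers to plain $\algo{Setup}$; use $\algo{Setup}_C$ throughout. Since both $H_{pk}$ and the collision-resistant $H$ are now defined side by side, one sentence stating which of the two the refresh commitments are built from would help the reader.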
@@ -828,8 +837,15 @@ Using these primitives, we now instantiate the syntax of our income-transparent
\begin{itemize}
\item $\algo{ExchangeKeygen}(1^{\lambda}, 1^{\kappa}, \mathfrak{D})$:
+<<<<<<< HEAD
+ Generate the exchange's signing key pair
+ $\V{skESign} \leftarrow \algo{KeyGen}_{S}(1^\lambda)$ and
+ public commitment key $\V{CK} \leftarrow \algo{Setup}_C(1^\lambda)$.
+
+=======
Generate the exchange's signing key pair $\V{skESign} \leftarrow \algo{KeyGen}_{S}(1^\lambda)$.
+>>>>>>> 534bdbc8e54e678e799cdfb96cfb534fe52f8998
For each element in the sequence $\mathfrak{D} = d_1,\dots,d_n$, generate
denomination key pair $(\V{skD}_i, \V{pkD}_i) \leftarrow \algo{KeyGen}_{BS}(1^\lambda)$.
\item $\algo{CustomerKeygen}(1^\lambda,1^\kappa)$:
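Review bot: This hunk also carries unresolved conflict markers and must be resolved before merging. On the HEAD side the commitment key is called $\V{CK}$, while the definition introduced earlier in this diff calls it $pk$ (as in $H_{pk}$); pick one name and use it in both places. The blank line after the $\V{CK}$ sentence also starts a new paragraph inside the \item, which looks unintended.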
@@ -1213,21 +1229,6 @@ Our instantiation satisfies {weak income transparency}.
\end{theorem}
\begin{proof}
-%In our refresh operation, the commitment phase sends only the hash
-%of blinded coins and transfer public keys to reduce bandwidth.
-%We therefore first convert our adversary into an adversary for a
-%variant protocol in which these commitments contain the full values:
-%We rewind the adversary to try two distinct $\gamma \in 1,\dots,\kappa$
-%during each refresh operation, so that we obtain all values.
-%We need only try two choices because the adversary reveals all but
-%one planchet in each run. We now witness a hash collision if the
-%transfer secret the adversary reveals does not yield the correct coins.
-%
-%If Taler satisfies unforgeability then this variant protocol does so too,
-%because an adversary against the protocol with commitment to full planchets
-%can trivially be replaced by an adversary against the protocol with hash
-%commitments.
-
We consider the directed forest on coins induced by the refresh protocol.
It follows from unforgeability that any coin must originate from some
customer's withdraw in this graph.
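Review bot: The deleted comment was the only place explaining why sending only hashes of blinded coins and transfer public keys (the bandwidth optimisation) is sufficient, via the rewinding argument. If the computationally binding commitment $(\algo{Setup}_C, H_{pk})$ introduced earlier in this diff now carries that justification instead, the proof should say so at the point where it relies on the commitments, so that the optimisation does not silently lose its argument.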
@@ -1255,12 +1256,17 @@ Our instantiation satisfies {weak income transparency}.
\end{enumerate}
We show these to be exhaustive by assuming their converses all hold:
- As the commitment is signed by $\V{skCoin}_0$, our our honest key generation assumption
- of $\textsc{CoinSignKx}$ applies to the coin public key.
- We assumed the $\gamma$-th transfer public key matches the commitment
- too, so our key exchange completeness assumption of $\textsc{CoinSignKx}$
- yields $\algo{Kex}_{CSK}(t,C') = \algo{Kex}_{CSK}(c',T)$ where $T = \algo{KeyGenPub}_{CSK}(t)$ is the transfer key, so the customer
- obtains the correct transfer secret.
+ As the commitment is signed by $\V{skCoin}_0$, our honest key generation
+ assumption of $\textsc{CoinSignKx}$ applies to the coin public key.
+ Any commitments that match were computed honestly, thanks to our
+ commitment scheme $(\algo{Setup}_C, H_{pk})$ being computationally
+ binding.
+ We assumed the $\gamma$-th transfer public key is honest, so
+ our key exchange completeness assumption of $\textsc{CoinSignKx}$
+ yields $\algo{Kex}_{CSK}(t,C') = \algo{Kex}_{CSK}(c',T)$ where
+ $T = \algo{KeyGenPub}_{CSK}(t)$ is the transfer key.
+ It follows our customer obtains the correct transfer secret and
+ derives the correct coins.
We assumed the refresh concluded and all submissions besides the
$\gamma$-th were honest, so the exchange correctly reveals the signed
blinded coin. We assumed the $\gamma$-th blinded coin is correct too,
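Review bot: "Any commitments that match were computed honestly" overstates what computational binding provides: binding only guarantees that a matching commitment cannot be opened to a value other than the one originally committed, i.e. the revealed planchet or transfer key equals the committed one; whether that value is honest is what the following sentence separately assumes. Suggest "Any commitment that matches was opened to the value originally committed, thanks to our commitment scheme ... being computationally binding." Also "It follows our customer obtains" reads better as "It follows that our customer obtains". The removal of the duplicated "our our" is good.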