From 71b679b1062a122bb5f4e6c80963486a285a87b1 Mon Sep 17 00:00:00 2001
From: Florian Dold <florian.dold@gmail.com>
Date: Mon, 23 Apr 2018 13:57:04 +0200
Subject: remove 'junk' and properly conclude proof

---
 games/games.tex | 48 +++---------------------------------------------
 1 file changed, 3 insertions(+), 45 deletions(-)

diff --git a/games/games.tex b/games/games.tex
index fa8b423..a277255 100644
--- a/games/games.tex
+++ b/games/games.tex
@@ -646,51 +646,6 @@ Let $G \in \mathbb{E}$ be the generator of the Ed25519 curve (with Edwards coord
 
 \subsection{Anonymity}
 
-
-BEGIN JUNK 
-
-We first describe a simple RSA blindness game for an RSA key pair $(n,e,d)$ and
-generators $M(\cdot)$ and $B(\cdot)$ for elements of $\Z/n\Z$ whose
-parameters we need not specify: 
-We take $m_0,m_1$ from $M$ and $b_0,b_1$ from $B$ and give our adversary
-$\cal A$ the unordered pairs of withdrawals $\{ m_0^d b_0, m_1^d b_1 \}$
-and deposits $\{ m_0^d, m_1^d \}$.  $\cal A$ wins if it can correctly
-match the withdrawals and deposits.
-
-\begin{proposition}
-Any probabilistic polynomial-time adversary $\cal A$ with
- an advantage in this RSA blindness game for some $M$ and $B$
-yields a probabilistic polynomial-time adversary $\cal A'$ for
- distinguishing $B(z)$ from $M(x)/M(y)$.
- either $M$ or $B$ from a uniform distribution on $Z/nZ$.
-\end{proposition}
-
-\begin{proof}
-$\cal A'$ plays the blinding game with $\cal A$ taking $M$ to be $M_0$
-and $B$ to be $X$.  $\cal A$ either guesses correctly or incorrectly.
-If $\cal A$ guesses correctly, then $\cal A'$ guesses that yes $X$ is
-$B_0$.
-
-If $X$ is $B_0$ then $\cal A$ guesses correctly with advantage $\epsilon$, meaning
-  $P[ \textrm{$\cal A$ correct} | X=B_0 ] = 1/2+\epsilon$
-and
-  $P[ \textrm{$\cal A$ correct} | X=U ] = 1/2$.
-We imagine A' is given uniform trials to guess X=F vs X=U, so that
-  $P[X=F] = 1/2$ too,
-and 
-  $P[\textrm{$\cal A$ correct}] = 1/2 + \epsilon/2$.
-Now $\cal A'$ has an advantage in guessing if $X$ is $B_0$ or uniform correctly by
-Bays rule
-  $P[ \textrm{$\cal A$ correct} | X=B_0 ] P[X=B_0] = P[ X=B_0 | \textrm{$\cal A$ correct} ] P[A correct]$
-so
-  $P[ X=F | \textrm{$\cal A$ correct} ]
-  = 1/2 (1/2+\epsilon) / (1/2 + \epsilon/2)
-  = (1/2+\epsilon) / (1+\epsilon)
-  = 1 - 1/2 / (1+\epsilon)$.
-\end{proof}
-
-END JUNK 
-
 \begin{theorem}
 If Taler's refresh is instantiated with a PRF, a key exchange satisfying DDH,
   and a collision-resistant hash function,
@@ -773,6 +728,9 @@ computational Diffie-Hellman assumption.
   \comment{The DDH game we use here is non-standard (stream of values to decide on instead of one, so maybe we need to use the number of refresh oracle invocations
   as a factor in front of $\epsilon_{DDH}$?}
 
+  This concludes the proof, since we observe in $\mathbb{G}_3$ all blinding factors and coin private keys are independent and uniformly random.
+  Thus the blinding is information-theoretically secure in $\mathbb{G}_3$.
+
 \end{proof}
 
 
-- 
cgit v1.2.3