From 810948feaf7f900ef3a6d18f3b38eaa9d9a7662a Mon Sep 17 00:00:00 2001 From: Jeff Burdges Date: Tue, 1 May 2018 10:03:41 +0200 Subject: Address twists better --- games/games.tex | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/games/games.tex b/games/games.tex index 75ece2d..1f0f57f 100644 --- a/games/games.tex +++ b/games/games.tex @@ -877,10 +877,7 @@ $(\V{sk}_i,\V{pk}_i) \leftarrow \V{gen}_i$ honestly. In Taler's refresh, we prove honest key generation of the old coin $C$ by requiring a signature by $C$ on the initial commitment, which - proves that either Alice or Bob knows $c$ where $C = c G$, -and hence that $C$ lies on the Ed25519 curve, not its quadratic twist. -% https://en.wikipedia.org/wiki/EdDSA -% https://safecurves.cr.yp.to/twist.html + proves that either Alice or Bob knows $c$ where $C = c G$. We emphasize that naively adding another non-signing key to $C$ breaks honest key generation though. @@ -897,6 +894,15 @@ variant of the refresh during withdrawal, but we feel the user's commitment to buy from a particular merchant would prove constraining enough to limit applicability.} +Also Ed25519 verification must already checks that $C$ lies on the +Ed25519 curve, not some quadratic twist. +% https://en.wikipedia.org/wiki/EdDSA +% https://safecurves.cr.yp.to/twist.html +If signature verification permitted using points on the twist, like +key exchanges frequently do, ala X25519, then the exchange might +compute a point on the twist while the customer would compute +a point on the original curve. + \begin{definition} A {\em key exchange failure} consists of two honest key pairs $(\V{sk}_i,V{pk}_i)$ with $i \in \{ \textrm{Alice}, \textrm{Bob} \}$ 
@@ -908,8 +914,9 @@ there is no probabilistic polynomial time algorithm with non-negligible advantage for producing a failure. \end{definition} -In Taler's refresh, we avoid key exchange failures entirely because -the Edwards addition law is complete abelian group operation on the curve. +In Taler's refresh, we avoid key exchange failures entirely because the +Edwards addition law is complete abelian group operation on the curve, +and the signature scheme verifies that $C$ lies on the curve. % https://safecurves.cr.yp.to/refs.html#2007/bernstein-newelliptic % https://safecurves.cr.yp.to/complete.html We warn however that Weierstrass curves have incomplete addition formulas -- cgit v1.2.3
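Review bot: in the first hunk (@@ -877), the new paragraph's first sentence has a verb-agreement error, "Also Ed25519 verification must already checks that $C$ lies on the Ed25519 curve"; it should read "must already check". The same sentence would be more precise if it said where that check comes from: Ed25519 verification decodes $C$ from its compressed encoding (recovering the $x$-coordinate from $y$ via a square root), so an encoding that is not a point on the curve is rejected at decoding time rather than by the signature equation itself. Two smaller points: "ala X25519" should be "\`a la X25519" (or "as X25519 does"), and the unchanged context line "$(\V{sk}_i,V{pk}_i)$" is missing the backslash before "V{pk}_i", which will not typeset as intended; worth fixing in a follow-up since it sits right next to the edited text.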
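Review bot: in the second hunk (@@ -908), the rewritten sentence still lacks an article, "the Edwards addition law is complete abelian group operation on the curve"; it should be "is a complete abelian group operation on the curve". Since the reasoning now rests on two separate facts (completeness of the addition law, and the decoding check that keeps $C$ off the twist), consider splitting them so the second clause, "and the signature scheme verifies that $C$ lies on the curve", can point back explicitly to the new paragraph added in the previous hunk rather than reading as an afterthought.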