From 4c302efdf16280b0eb0e12e25fbb1447d9f726cb Mon Sep 17 00:00:00 2001 From: Jeff Burdges Date: Fri, 20 Apr 2018 22:12:10 +0200 Subject: iMinor C comments --- games/games.tex | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) (limited to 'games') diff --git a/games/games.tex b/games/games.tex index 74ce648..7eadd91 100644 --- a/games/games.tex +++ b/games/games.tex 
@@ -94,20 +94,22 @@ Every denomination has an associated financial value; this mapping is not chosen by the adversary but is a system parameter. We mostly ignore the denomination values here, including their impact on both bandwidth and anonymity, in keeping with existing literature. For anonymity, we believe this -amounts to assuming that all users have siimilar financial behavior. +amounts to assuming that all users have similar financial behavior. We note logarithmic bandwidth demands denominations distributed by at least powers of a fixed constant, like two. We do not include fees taken by the exchange in our model. Reserves are also omitted, conceptually every user has exactly one bank account that they withdraw from, the bank account balance starts at zero and can go negative -without any limit. +without any limit. +% TODO: Say roughly: In the real world Taler depends on account balances being only positive, +% but this model simplifies our games and security arguments. ??? Coins can be partially spent by specifying a fraction $f \in \mathbb{Q}$. Our refresh protocol cannot then give change below the smallest denomination though. % so doing this either looses money or requires the exchange permit users to break their anonymity for small transactions. -The spending of multiple coins is modeled non-atomically: to spend multipe coins, +The spending of multiple coins is modeled non-atomically: to spend multiple coins, they must be spent one-by-one. The individual spend/deposit operations are correlated by a unique identifier for the transaction. In practice this identifier is the hash of a nonce and the contract terms that merchant and customer agreed upon. 
@@ -527,7 +529,7 @@ Let \oraSet{Income} stand for access to the oracles \item $(C_1, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{Income}}(pkExchange)$ \item Augment the wallets of all non-corrupted users with their transitive closure using the \algo{Link} protocol. - Mark all remaining value on coins in wallets of non-corrupted users as spent (with \algo{Deposit}). + Spend all remaining value on coins in wallets of non-corrupted users with \algo{Deposit}.\footnote{If \algo{Deposit} can only be run once per coin, then run a similar alggorithm that ignores this check.} \item Let $L$ be the sum of unspent value for valid coins in $C_1, \dots\, C_\ell$, after accounting for the previous spending step. \item Let $w$ be the sum of coins withdrawn by non-corrupted users, @@ -535,6 +537,7 @@ Let \oraSet{Income} stand for access to the oracles by non-corrupted users. Our adversary wins if $L - w' > 0$. \item Return $(L, w, w', s)$ + \comment{Big stile break so split into two games. Return ratio. Two expectations is wrong. } \end{enumerate} The adversary is said to win the Income Transparency game if $L - w' > 0$. @@ -574,7 +577,7 @@ each other and from the coin. An endorsement allows the implementation of fair (where either both goods are exchanged and a payment is made or neither) without giving up anonymity. -Taler trivially supports a similar concept of endorsements via the coin public key, deposit permissions and the +Taler supports a similar concept of endorsements via the coin public key, deposit permissions and the refresh protocol. The deposit permission (augmented with some additional data) can be viewed as an endorsement that enables fair exchange. Unlinkability is guaranteed by the Refresh protocol. 
@@ -583,7 +586,7 @@ that enables fair exchange. Unlinkability is guaranteed by the Refresh protocol \begin{definition}[Anonymity] We say that an e-cash scheme satisfies \emph{Anonymity} if the success probability $\Prb{b \randsel \{0,1\}: \mathit{Exp}_{\cal A}^{anon}(1^\lambda, 1^\kappa, b) = 1}$ -if the anonymity game is neglegible for any polynomial time adversary $\mathcal{A}$. +of the anonymity game is neglegible for any polynomial time adversary $\mathcal{A}$. \end{definition} \begin{definition}[Strong Income Transparency] @@ -601,14 +604,14 @@ game satisfy $E[w - s] \ge \kappa \cdot E[L - w']$. \begin{definition}[Unforgeability] We say that an e-cash scheme satisfies \emph{Unforgeability} if the success probability $\Prb{\mathit{Exp}_{\cal A}^{forge}(1^\lambda, 1^\kappa) = 1}$ -if the unforgeability game is neglegible for any polynomial time adversary $\mathcal{A}$. +of the unforgeability game is neglegible for any polynomial time adversary $\mathcal{A}$. \end{definition} \begin{definition}[Fairness] We say that an e-cash scheme satisfies \emph{Fairness} if the success probability $\Prb{\mathit{Exp}_{\cal A}^{fair}(1^\lambda, 1^\kappa) = 1}$ -if the fairness game is neglegible for any polynomial time adversary $\mathcal{A}$. +of the fairness game is neglegible for any polynomial time adversary $\mathcal{A}$. \end{definition} \section{Instantiation} @@ -618,6 +621,8 @@ if the fairness game is neglegible for any polynomial time adversary $\mathcal{A Protocol transcripts are a mess, currently mostly there to show which values the adversary sees, and to check that after our hops they are all independent uniform random. + + Christian agrees with Jeff on using an abstract key exchange. \end{mdframed} Let $G \in \mathbb{E}$ be the generator of the Ed25519 curve (with Edwards coordinates). -- cgit v1.2.3
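Review bot: in hunk @@ -94,20 the new `% TODO` comment after "without any limit." ends in "???" and leaves an open question in the source instead of a decision; either state the simplification in the running text (the model allows negative balances, whereas the deployed system requires non-negative ones, to keep the games simple) or track it in the issue tracker rather than the manuscript. While touching this block, the unchanged comment line just below it still reads "either looses money", which should be "loses money".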
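Review bot: in hunk @@ -527,7 the footnote added on the "Spend all remaining value" line misspells "alggorithm" (should be "algorithm"). The footnote also hedges on whether \algo{Deposit} can be run more than once per coin, which is a property of the scheme that the game definition should pin down; consider stating directly that this step runs a variant of \algo{Deposit} without the once-per-coin check. The context line "$C_1, \dots\, C_\ell$" has `\dots\,` where `\dots, ` is intended.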
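Review bot: in hunk @@ -535,6 the added `\comment{...}` says "Two expectations is wrong", yet the Strong Income Transparency definition visible in this same patch still reads `E[w - s] \ge \kappa \cdot E[L - w']`; leaving the objection inline while the definition stands makes the text contradict itself. Either revise the definition in this commit (the comment itself suggests returning a ratio) or move the remark to a tracked TODO. Also "stile" should be "style", and this hunk uses `\comment{}` while hunk @@ -94,20 uses `% TODO:` for the same purpose; pick one convention.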
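Review bot: in hunk @@ -574,7 dropping "trivially" is fine, but the preceding context line "allows the implementation of fair (where either both goods are exchanged and a payment is made or neither)" is missing the noun "exchange" after "fair"; since this hunk already edits the adjacent sentence, fix it here.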
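Review bot: in hunk @@ -583,7 the replacement line "of the anonymity game is neglegible" fixes "if" to "of" but keeps the misspelling "neglegible"; it should be "negligible".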
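Review bot: in hunk @@ -601,14 both replacement lines ("of the unforgeability game is neglegible", "of the fairness game is neglegible") carry the same misspelling "neglegible"; correct it to "negligible" in the same commit, since these lines are being rewritten anyway.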
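Review bot: in hunk @@ -618,6 the line "Christian agrees with Jeff on using an abstract key exchange." is a meeting note rather than manuscript text, even inside the mdframed draft box; record it as a `% TODO` comment or in the tracker. If an abstract key exchange is the decision, note that the line immediately after the box ("Let $G \in \mathbb{E}$ be the generator of the Ed25519 curve") still fixes the instantiation to Ed25519, so the section should say which of the two it presents.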