From 0e2bc31185e1402fa34ad9ffa25ea2143919fa1a Mon Sep 17 00:00:00 2001 From: Jeff Burdges Date: Tue, 25 Sep 2018 02:45:42 -0400 Subject: improve income transparency --- taler-fc19/paper.tex | 56 +++++++++++++++++++++++++++++++--------------------- 1 file changed, 34 insertions(+), 22 deletions(-) (limited to 'taler-fc19') diff --git a/taler-fc19/paper.tex b/taler-fc19/paper.tex index 4ca94e0..2b6fa63 100644 --- a/taler-fc19/paper.tex +++ b/taler-fc19/paper.tex 
@@ -1259,31 +1259,43 @@ Our instantiation satisfies {weak income transparency}. %can trivially be replaced by an adversary against the protocol with hash %commitments. - We consider the directed forest on coins induced by the refresh protocol. It - follows from unforgeability that any coin must originate from some customer's - withdraw in this graph. Let $F$ be the set of ``final'' refresh operations - in this graph, where each refresh $R_i \in F$ either results in a coin in - exclusive control of the adversary after step \ref{game:income:spend}, or the - refresh operation does not result in a coin at all. - %TODO: The preceeding paragraph is still basically nonsense. - % We need to resurect correct construction of F from games.tex - - During each $R_i \in F$, the adversary must have submitted a blinded coin - and transfer public key for which the linking protocol fails to produce the - resulting coin correctly, otherwise the coin would have been spent in step - \ref{game:income:spend}. In this case, either + We consider the directed forest on coins induced by the refresh protocol. + It follows from unforgeability that any coin must originate from some + customer's withdraw in this graph. + We may assume that all $\V{coin}_1, \dots, \V{coin}_l$ originate from + non-corrupted users, for some $l \leq \ell$. % So $\ell \leq w + |X|$. + + For any $i \leq l$, there is a final refresh operation $R_i$ in which + a non-corrupted user could obtain the coin $C'$ consumed in the refresh + via the linking protocol, but no non-corrupted user could obtain the + coin provided by the refresh, as otherwise $\V{coin}_i$ gets marked as + spent in step step \ref{game:income:spend}. + Set $F := \{ R_i \mid i \leq l \}$. %TODO: Not ellegant, clean up below. 
+ + During each $R_i \in F$, our adversary must have submitted a blinded + coin and transfer public key for which the linking protocol fails to + produce the resulting coin correctly, otherwise the coin would have + been spent in step \ref{game:income:spend}. In this case, we consider + several non-exclusive cases \begin{enumerate} - \item the execution of the refresh protocol is incomplete - \item the commitment for the $\gamma$-th blinded coin and transfer public - key was wrong - \item a commitment for a blinded coin and transfer public key other than the $\gamma$-th was wrong - \item the exchange's verification of the commitment passes, but customers - are unable to re-compute the new coin from the old coin + \item the execution of the refresh protocol is incomplete, + \item the commitment for the $\gamma$-th blinded coin and transfer + public key was wrong, + \item a commitment for a blinded coin and transfer public key other + than the $\gamma$-th was wrong, \end{enumerate} - The last case can be excluded, because it would violate the key exchange - completeness assumption. - % TODO: Still wrong because we need to talk about honest key generation somewhere + We show these to be exhaustive by assuming their converses all hold: + As the commitment is signed, our our honest key generation assumption + of $\textsc{CoinSignKx}$ applies to the coin public key. + We assumed the $\gamma$-th transfer public key is honest too, so + our key exchange completeness assumption of $\textsc{CoinSignKx}$ + yields $t C' \neq c' T$ where $T = t G$ is the transfer key, + so the customer obtains the correct transfer secret. + We assumed the refresh concluded and all submissions besides the + $\gamma$-th were honest, so the exchange correctly reveals the signed + blinded coin. We assumed the $\gamma$-th blinded coin is correct too, + so customer now re-compute the new coin correctly, violating $R_i \in F$. 
We shall prove \begin{equation}\label{eq:income-transparency-proof} -- cgit v1.2.3
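Review bot: The key exchange completeness step in the new exhaustiveness argument has the wrong relation: `yields $t C' \neq c' T$ where $T = t G$ is the transfer key, so the customer obtains the correct transfer secret` only follows when the two sides agree, i.e. $t C' = c' T$ (both are $t c' G$); as written the sentence contradicts its own conclusion, so this should read `$t C' = c' T$`. Two further points in the same hunk: the enumerated cases are introduced as `we consider several non-exclusive cases` but the paragraph that follows proves they are exhaustive, so the lead-in should say so; and the proof assumes `the $\gamma$-th transfer public key is honest too`, which is not the converse of any listed case (the converse of case 2 is only that the $\gamma$-th commitment was correct), so either list dishonest key submission as a case or state explicitly why it follows from the commitment being signed. Since the old `% TODO: Still wrong because we need to talk about honest key generation somewhere` is removed, please confirm the `honest key generation assumption of $\textsc{CoinSignKx}$` is actually stated in the preliminaries and add a cross-reference to it. Minor typos: `step step \ref{game:income:spend}`, `our our honest key generation`, `so customer now re-compute` (should be `so the customer now re-computes`), and `Not ellegant` in the TODO; using both $l$ and $\ell$ in `for some $l \leq \ell$` will be hard to tell apart in print.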