From e325d4bbd80a3f6efb37c2bad2d2d63e08f64f51 Mon Sep 17 00:00:00 2001 From: Jeff Burdges Date: Tue, 18 Sep 2018 20:10:10 +0200 Subject: Add more TODOs for proofs section --- taler-fc19/paper.tex | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) (limited to 'taler-fc19') diff --git a/taler-fc19/paper.tex b/taler-fc19/paper.tex index e98a8ed..89684d6 100644 --- a/taler-fc19/paper.tex +++ b/taler-fc19/paper.tex @@ -1078,6 +1078,7 @@ with the generic instantiation. \begin{theorem} In the random oracle model, our instantiation satisfies anonymity. \end{theorem} +% TODO: PRF suffices \begin{proof} We give a proof via a sequence of games $\mathbb{G}_0(b), \mathbb{G}_1(b), @@ -1159,6 +1160,7 @@ with the generic instantiation. \V{pkCoin}_\gamma)$ and the execution of the blinding protocol is equivalent under the randeom oracle to using the non-determinized algorithms $\algo{KeyGen}_{CSK}$ and $\algo{Blind}_{BS}$. + % TODO: PRF suffices By the blindness of the $\textsc{BlindSign}$ scheme, the adversary is not able to distinguish blinded values from randomness. Thus, the adversary is 
@@ -1218,15 +1220,15 @@ Our instantiation satisfies {unforgeability}. \end{theorem} \begin{proof} -The adversary must have produced at least one coin that was not blindly signed -by the exchange. In order to carry out a reduction from this adversary to a -blind signature forgery, we inject the challenger's public key into one -randomly chosen denomination. Since we do not have access to the -corresponding secret key of the challenger, signing operations for this -denomination are replaced with calls to the challenger's signing oracle in -\ora{WithdrawPickup} and \ora{RefreshPickup}. For $n$ denominations, an -adversary against the unforgeability game would produce a blind signature -forgery with probability $1/n$. +The adversary must have produced at least one coin that was not blindly +signed by the exchange. %TODO: Way too fasty here, resurect the chain +In order to carry out a reduction from this adversary to a blind signature +forgery, we inject the challenger's public key into one randomly chosen +denomination. Since we do not have access to the corresponding secret key +of the challenger, signing operations for this denomination are replaced +with calls to the challenger's signing oracle in \ora{WithdrawPickup} and +\ora{RefreshPickup}. For $n$ denominations, an adversary against the +unforgeability game would produce a blind signature forgery with probability $1/n$. \end{proof} @@ -1257,6 +1259,8 @@ Our instantiation satisfies {weak income transparency}. in this graph, where each refresh $R_i \in F$ either results in a coin in exclusive control of the adversary after step \ref{game:income:spend}, or the refresh operation does not result in a coin at all. + %TODO: The preceeding paragraph is basically nonsense. We need to resurect + % correct construction of F from games.tex During each $R_i \in F$, the adversary must have submitted a blinded coin and transfer public key for which the linking protocol fails to produce the -- cgit v1.2.3
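Review bot: in the first hunk (@@ -1078), the new `% TODO: PRF suffices` comment contradicts the theorem statement it sits under, which still says "In the random oracle model, our instantiation satisfies anonymity." If a PRF assumption really is enough, the theorem should be restated under that assumption and the proof's game hops adjusted to bound the distinguishing advantage by the PRF advantage; if the random-oracle statement is what is being claimed for this submission, the TODO should say that the PRF strengthening is future work so a reader of the source does not take it as a pending correctness issue. A LaTeX comment between `\end{theorem}` and `\begin{proof}` is invisible in the rendered paper, so this needs resolving before the camera-ready, not just noting.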
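Review bot: in the second hunk (@@ -1159), the TODO is placed right after the sentence that invokes the random oracle ("equivalent under the randeom oracle to using the non-determinized algorithms"), which is the step a PRF would replace, so the comment should spell out the intended hop: deriving the coin key and blinding factor from the seed via a PRF instead of the random oracle costs one additional game transition whose gap is bounded by the PRF distinguishing advantage. The unchanged context line also carries the typo "randeom", which should be fixed in a follow-up since hunk context lines are not edited here.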
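Review bot: in the third hunk (@@ -1218), the rewrapped unforgeability proof still asserts the loss factor without justification: "For $n$ denominations, an adversary against the unforgeability game would produce a blind signature forgery with probability $1/n$" should state that the reduction succeeds only when the guessed denomination is the one the forged coin belongs to, so the reduction's advantage is at least $\epsilon/n$ for an adversary with advantage $\epsilon$, not a flat $1/n$. The proof also never says what the reduction outputs to the blind-signature challenger or why that output is a forgery (for a one-more style game it must be one more valid coin than signing-oracle queries on that denomination), nor that the injected challenger public key is distributed identically to an honestly generated denomination key, which is needed for the adversary's view to be unchanged. The new TODO "Way too fasty here, resurect the chain" acknowledges this; its typos ("fasty", "resurect") should be corrected when the chain of reductions is restored.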
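Review bot: in the fourth hunk (@@ -1257), the inserted comment "The preceeding paragraph is basically nonsense. We need to resurect correct construction of F from games.tex" flags a real gap: the surrounding text refers to "each refresh $R_i \in F$" and to "the linking protocol fails to produce the" result without ever defining the set $F$ of refresh operations in this proof, so the weak income transparency argument is not self-contained. Suggest replacing the comment with the actual construction of $F$ (or an explicit cross-reference to where the game defines it) rather than leaving a note that the paragraph is wrong; also fix the typos "preceeding" and "resurect" in the comment.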