use L^{(i)} to be consistent about cut-and-choose index notation

This commit is contained in:
Christian Grothoff 2016-10-25 15:32:15 +02:00
parent 29fa45446b
commit 60a601eb94

View File

@ -801,11 +801,11 @@ In the protocol, $\kappa \ge 2$ is a security parameter for the
cut-and-choose part of the protocol. $\kappa = 3$ is actually cut-and-choose part of the protocol. $\kappa = 3$ is actually
perfectly sufficient in most cases in practice, as the cut-and-choose perfectly sufficient in most cases in practice, as the cut-and-choose
protocol does not need to provide cryptographic security: If the protocol does not need to provide cryptographic security: If the
maximum applicable tax is less than $\frac{2}{3}$, then detecting maximum applicable tax is less than $\frac{2}{3}$, then $\kappa = 3$
$\kappa = 3$ ensures that cheating results in a negative return on ensures that cheating results in a negative financial return on
average as $\kappa - 1$ out of $\kappa$ attempts to cheat are average as $\kappa - 1$ out of $\kappa$ attempts to hide from taxation
detected. This makes the use of cut-and-choose practical and are detected and penalized by a total loss. This makes the use of
efficient in this context. cut-and-choose practical and efficient in this context.
% FIXME: I'm explicit about the rounds in postquantum.tex % FIXME: I'm explicit about the rounds in postquantum.tex
@ -815,16 +815,16 @@ efficient in this context.
a transfer private key $t^{(i)}_s$ and computes a transfer private key $t^{(i)}_s$ and computes
\begin{itemize} \begin{itemize}
\item the transfer public key $T^{(i)}_p := t^{(i)}_s G$ and \item the transfer public key $T^{(i)}_p := t^{(i)}_s G$ and
\item the new coin secret seed $L_i := H(c'_s T_p^{(i)})$. \item the new coin secret seed $L^{(i)} := H(c'_s T_p^{(i)})$.
\end{itemize} \end{itemize}
We have computed $L_i$ as a Diffie-Hellman shared secret between We have computed $L_i$ as a Diffie-Hellman shared secret between
the transfer key pair $T^{(i)} := \left(t^{(i)}_s,T^{(i)}_p\right)$ the transfer key pair $T^{(i)} := \left(t^{(i)}_s,T^{(i)}_p\right)$
and old coin key pair $C' := \left(c_s', C_p'\right)$; and old coin key pair $C' := \left(c_s', C_p'\right)$;
as a result, $L_i = H(t^{(i)}_s C'_p)$ also holds. as a result, $L^{(i)} = H(t^{(i)}_s C'_p)$ also holds.
Now the customer applies key derivation functions $\KDF_?$ to $L_i$ to generate Now the customer applies key derivation functions $\KDF_{\textrm{blinding}}$ and $\KDF_{\textrm{Ed25519}}$ to $L^{(i)}$ to generate
\begin{itemize} \begin{itemize}
\item a blinding factor $b^{(i)} = \FDH_K(\KDF_{\textrm{blinding}}(L_i))$. \item a blinding factor $b^{(i)} = \FDH_K(\KDF_{\textrm{blinding}}(L^{(i)}))$.
\item $c_s^{(i)} = \KDF_{\textrm{Ed25519}}(L_i)$ \item $c_s^{(i)} = \KDF_{\textrm{Ed25519}}(L^{(i)})$
\end{itemize} \end{itemize}
Now the customer can compute her new coin key pair Now the customer can compute her new coin key pair
$C^{(i)} := \left(c_s^{(i)}, C_p^{(i)}\right)$ $C^{(i)} := \left(c_s^{(i)}, C_p^{(i)}\right)$
@ -1251,13 +1251,13 @@ data being committed to disk are represented in between $\langle\rangle$.
\item[$\vec{b}$]{Vector of $b^{(i)}$} \item[$\vec{b}$]{Vector of $b^{(i)}$}
\item[$B^{(i)}$]{Blinding of $C_p^{(i)}$} \item[$B^{(i)}$]{Blinding of $C_p^{(i)}$}
\item[$\vec{B}$]{Vector of $B^{(i)}$} \item[$\vec{B}$]{Vector of $B^{(i)}$}
\item[$L_i$]{Link secret derived from ECDH operation via hashing} \item[$L^{(i)}$]{Link secret derived from ECDH operation via hashing}
% \item[$E_{L_i}()$]{Symmetric encryption using key $L_i$} % \item[$E_{L^{(i)}}()$]{Symmetric encryption using key $L^{(i)}$}
% \item[$E^{(i)}$]{$i$-th encryption of the private information $(c_s^{(i)}, b_i)$} % \item[$E^{(i)}$]{$i$-th encryption of the private information $(c_s^{(i)}, b_i)$}
% \item[$\vec{E}$]{Vector of $E^{(i)}$} % \item[$\vec{E}$]{Vector of $E^{(i)}$}
\item[$\cal{R}$]{Tuple of revealed vectors in cut-and-choose protocol, \item[$\cal{R}$]{Tuple of revealed vectors in cut-and-choose protocol,
where the vectors exclude the selected index $\gamma$} where the vectors exclude the selected index $\gamma$}
\item[$\overline{L_i}$]{Link secrets derived by the verifier from DH} \item[$\overline{L^{(i)}}$]{Link secrets derived by the verifier from DH}
\item[$\overline{B^{(i)}}$]{Blinded values derived by the verifier} \item[$\overline{B^{(i)}}$]{Blinded values derived by the verifier}
\item[$\overline{T_p^{(i)}}$]{Public transfer keys derived by the verifier from revealed private keys} \item[$\overline{T_p^{(i)}}$]{Public transfer keys derived by the verifier from revealed private keys}
\item[$\overline{c_s^{(i)}}$]{Private keys obtained from decryption by the verifier} \item[$\overline{c_s^{(i)}}$]{Private keys obtained from decryption by the verifier}