use L^{(i)} to be consistent about cut-and-choose index notation
This commit is contained in:
parent
29fa45446b
commit
60a601eb94
@ -801,11 +801,11 @@ In the protocol, $\kappa \ge 2$ is a security parameter for the
|
|||||||
cut-and-choose part of the protocol. $\kappa = 3$ is actually
|
cut-and-choose part of the protocol. $\kappa = 3$ is actually
|
||||||
perfectly sufficient in most cases in practice, as the cut-and-choose
|
perfectly sufficient in most cases in practice, as the cut-and-choose
|
||||||
protocol does not need to provide cryptographic security: If the
|
protocol does not need to provide cryptographic security: If the
|
||||||
maximum applicable tax is less than $\frac{2}{3}$, then detecting
|
maximum applicable tax is less than $\frac{2}{3}$, then $\kappa = 3$
|
||||||
$\kappa = 3$ ensures that cheating results in a negative return on
|
ensures that cheating results in a negative financial return on
|
||||||
average as $\kappa - 1$ out of $\kappa$ attempts to cheat are
|
average as $\kappa - 1$ out of $\kappa$ attempts to hide from taxation
|
||||||
detected. This makes the use of cut-and-choose practical and
|
are detected and penalized by a total loss. This makes the use of
|
||||||
efficient in this context.
|
cut-and-choose practical and efficient in this context.
|
||||||
|
|
||||||
% FIXME: I'm explicit about the rounds in postquantum.tex
|
% FIXME: I'm explicit about the rounds in postquantum.tex
|
||||||
|
|
||||||
@ -815,16 +815,16 @@ efficient in this context.
|
|||||||
a transfer private key $t^{(i)}_s$ and computes
|
a transfer private key $t^{(i)}_s$ and computes
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item the transfer public key $T^{(i)}_p := t^{(i)}_s G$ and
|
\item the transfer public key $T^{(i)}_p := t^{(i)}_s G$ and
|
||||||
\item the new coin secret seed $L_i := H(c'_s T_p^{(i)})$.
|
\item the new coin secret seed $L^{(i)} := H(c'_s T_p^{(i)})$.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
We have computed $L_i$ as a Diffie-Hellman shared secret between
|
We have computed $L_i$ as a Diffie-Hellman shared secret between
|
||||||
the transfer key pair $T^{(i)} := \left(t^{(i)}_s,T^{(i)}_p\right)$
|
the transfer key pair $T^{(i)} := \left(t^{(i)}_s,T^{(i)}_p\right)$
|
||||||
and old coin key pair $C' := \left(c_s', C_p'\right)$;
|
and old coin key pair $C' := \left(c_s', C_p'\right)$;
|
||||||
as a result, $L_i = H(t^{(i)}_s C'_p)$ also holds.
|
as a result, $L^{(i)} = H(t^{(i)}_s C'_p)$ also holds.
|
||||||
Now the customer applies key derivation functions $\KDF_?$ to $L_i$ to generate
|
Now the customer applies key derivation functions $\KDF_{\textrm{blinding}}$ and $\KDF_{\textrm{Ed25519}}$ to $L^{(i)}$ to generate
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item a blinding factor $b^{(i)} = \FDH_K(\KDF_{\textrm{blinding}}(L_i))$.
|
\item a blinding factor $b^{(i)} = \FDH_K(\KDF_{\textrm{blinding}}(L^{(i)}))$.
|
||||||
\item $c_s^{(i)} = \KDF_{\textrm{Ed25519}}(L_i)$
|
\item $c_s^{(i)} = \KDF_{\textrm{Ed25519}}(L^{(i)})$
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
Now the customer can compute her new coin key pair
|
Now the customer can compute her new coin key pair
|
||||||
$C^{(i)} := \left(c_s^{(i)}, C_p^{(i)}\right)$
|
$C^{(i)} := \left(c_s^{(i)}, C_p^{(i)}\right)$
|
||||||
@ -1251,13 +1251,13 @@ data being committed to disk are represented in between $\langle\rangle$.
|
|||||||
\item[$\vec{b}$]{Vector of $b^{(i)}$}
|
\item[$\vec{b}$]{Vector of $b^{(i)}$}
|
||||||
\item[$B^{(i)}$]{Blinding of $C_p^{(i)}$}
|
\item[$B^{(i)}$]{Blinding of $C_p^{(i)}$}
|
||||||
\item[$\vec{B}$]{Vector of $B^{(i)}$}
|
\item[$\vec{B}$]{Vector of $B^{(i)}$}
|
||||||
\item[$L_i$]{Link secret derived from ECDH operation via hashing}
|
\item[$L^{(i)}$]{Link secret derived from ECDH operation via hashing}
|
||||||
% \item[$E_{L_i}()$]{Symmetric encryption using key $L_i$}
|
% \item[$E_{L^{(i)}}()$]{Symmetric encryption using key $L^{(i)}$}
|
||||||
% \item[$E^{(i)}$]{$i$-th encryption of the private information $(c_s^{(i)}, b_i)$}
|
% \item[$E^{(i)}$]{$i$-th encryption of the private information $(c_s^{(i)}, b_i)$}
|
||||||
% \item[$\vec{E}$]{Vector of $E^{(i)}$}
|
% \item[$\vec{E}$]{Vector of $E^{(i)}$}
|
||||||
\item[$\cal{R}$]{Tuple of revealed vectors in cut-and-choose protocol,
|
\item[$\cal{R}$]{Tuple of revealed vectors in cut-and-choose protocol,
|
||||||
where the vectors exclude the selected index $\gamma$}
|
where the vectors exclude the selected index $\gamma$}
|
||||||
\item[$\overline{L_i}$]{Link secrets derived by the verifier from DH}
|
\item[$\overline{L^{(i)}}$]{Link secrets derived by the verifier from DH}
|
||||||
\item[$\overline{B^{(i)}}$]{Blinded values derived by the verifier}
|
\item[$\overline{B^{(i)}}$]{Blinded values derived by the verifier}
|
||||||
\item[$\overline{T_p^{(i)}}$]{Public transfer keys derived by the verifier from revealed private keys}
|
\item[$\overline{T_p^{(i)}}$]{Public transfer keys derived by the verifier from revealed private keys}
|
||||||
\item[$\overline{c_s^{(i)}}$]{Private keys obtained from decryption by the verifier}
|
\item[$\overline{c_s^{(i)}}$]{Private keys obtained from decryption by the verifier}
|
||||||
|
Loading…
Reference in New Issue
Block a user