Minor paper updates
SarangNoether committed Sep 18, 2020
1 parent 12f4579 commit c2e0577
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions paper/iacr.tex
Expand Up @@ -319,7 +319,8 @@ \section{Security}
\mathcal{R}' \equiv \Bigg\{ \{M_k\}_{k=0}^{N-1},\{P_k\}_{k=0}^{N-1},\{J^{(u)}\}_{u=0}^{w-1},\{Q_j\}_{j=0}^{T-1} \subset \G \: ; \: \left( \{l^{(u)}\}_{u=0}^{w-1}, \{r^{(u)}\}_{u=0}^{w-1}, y \right) : \\
\sumu \mu_{l^{(u)}} M_{l^{(u)}} = \sumu \mu_{l^{(u)}} r^{(u)}G \text{ and } \sumu \mu_{l^{(u)}} r^{(u)}J^{(u)} = \sumu \mu_{l^{(u)}} U \text{ and } \sum_{u=0}^{w-1} P_{l^{(u)}} - \sum_{j=0}^{T-1} Q_j = yG \Bigg\}
\end{multline*}
Observe that if we assume that the dual-target discrete logarithm problem is hard in $\G$, extraction of a witness for $\mathcal{R}'$ implies knowledge of a corresponding witness for $\mathcal{R}$; this in turn provides the desired soundness.
Observe that if we assume that the dual-target discrete logarithm problem is hard in $\G$ and $\hs$ is modeled as a random oracle, a witness for $\mathcal{R}'$ produced by the extractor must also be a witness for $\mathcal{R}$ using the same statement.
This means that extraction of a witness for $\mathcal{R}'$ is sufficient to establish the desired soundness.

Suppose that for a given statement, we have a set of $(m+1)$ distinct verifier challenges $\{\xi_e\}_{e=0}^m$ corresponding to distinct valid responses of this form:
$$\left\{ \{{}_ef^{(u)}_{j,i}\}, \{{}_ez^{(u)}_R\}, {}_ez_S \right\}_{e=0}^m$$
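Review bot: the replacement sentence beginning "Observe that if we assume" now rests on two assumptions (hardness of the dual-target discrete logarithm problem in $\G$ and $\hs$ modeled as a random oracle), but it still gives no argument for the step it asserts, namely that a witness for $\mathcal{R}'$, which only has to satisfy the $\mu_{l^{(u)}}$-weighted aggregate equations displayed above, is also a witness for $\mathcal{R}$ on the same statement. The hunk also never says where the weights $\mu_{l^{(u)}}$ come from, so a reader cannot see why the random-oracle assumption on $\hs$ is the relevant one here. Consider adding a sentence or two (or a pointer to the lemma where this is proved) that sketches the reduction: a witness satisfying the aggregate equations but not the corresponding per-index equations would have to be fixed before the oracle determines the $\mu$ weights, and such a witness should yield a solution to the dual-target discrete logarithm problem.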
Expand Down Expand Up @@ -372,13 +373,14 @@ \section{Transaction model}
Because the transaction value must balance, the following must hold: $$\sum_{u=0}^{w-1} a_{l^{(u)}} = \sum_{j=0}^{T-1} b_j$$
Note that there is no anonymity set for outputs generated by the transaction.

These terms are used to form a statement using the relation $\mathcal{R}$.
These terms are used to form a statement tuple for the relation $\mathcal{R}$:
$$\left( \{M_i\}_{i=0}^{N-1}, \{P_i\}_{i=0}^{N-1}, \{(r^{(u)})^{-1}U\}_{u=0}^{w-1}, \{Q_j\}_{j=0}^{T-1} \: ; \: \left( \{l^{(u)}\}_{u=0}^{w-1}, \{r^{(u)}\}_{u=0}^{w-1}, \sumu a_{l^{(u)}} - \sum_{j=0}^{T-1} b_j \right) \right)$$
The user generates a proof showing the validity of this statement with the corresponding secret values as a witness set; the proof demonstrates knowledge of the signing keys $\{r^{(u)}\}_{u=0}^{w-1}$, and the witness $y$ formed by the commitment differences demonstrates that the input and output values balance.
Provided the commitment scheme used for value representation is (at least computationally) binding, the user cannot produce such a value $y$ unless the values balance correctly; in our case, Pedersen commitments satisfy this requirement.

We call the elements of the set $\{J^{(u)}\}_{u=0}^{w-1}$ the \textit{linking tags} for the transaction.
Similar to their use in linkable ring signatures, they are used by the verifier to detect attempts to sign with a secret key multiple times, either within the same transaction or between multiple transactions.
The construction $J^{(u)} = (r^{(u)})^{-1}U$ is an injective one-way verifiable random function \cite{dodis} using the secret key $r^{(u)}$; if the verifier sees the same linking tag used elsewhere, it knows that the (unknown) secret key was used again.
The map $r^{(u)} \mapsto J^{(u)} \equiv (r^{(u)})^{-1}U$ is an injective one-way pseudorandom function \cite{dodis}; if the verifier sees the same linking tag used elsewhere, it knows that the (unknown) secret key was used again.
In our confidential transaction model, this corresponds to an attempt to double-spend funds that would be rejected by the verifier.

Since the sigma protocol is special honest-verifier zero knowledge, it is witness indistinguishable \cite{cramer}.
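Review bot: the new line "These terms are used to form a statement tuple for the relation $\mathcal{R}$:" labels the whole display as a statement tuple, but everything after the ";" separator is the witness (the indices $l^{(u)}$, the keys $r^{(u)}$ and the scalar $y$), so "a statement and witness for the relation" would be more accurate. More substantively, the third witness component is written $\sumu a_{l^{(u)}} - \sum_{j=0}^{T-1} b_j$, while the balance equation a few lines above states $\sum_{u=0}^{w-1} a_{l^{(u)}} = \sum_{j=0}^{T-1} b_j$ for the transaction values; with the same symbols that difference is identically zero, which does not match the following sentence describing $y$ as formed by the commitment differences. If the $a$, $b$ in the witness are the commitment masks rather than the values, distinct symbols (or an explicit definition of $y$) would remove the ambiguity. The change from "verifiable random function" to "pseudorandom function" for $J^{(u)} = (r^{(u)})^{-1}U$ reads fine as is.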